Cyber Risk Report

May 12–18, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels were higher this period in comparison to the previous time period.  Activity centered mainly on the Cisco updates, monthly Microsoft Security Update, and previously disclosed vulnerabilities that were patched by vendors.

Debian and Ubuntu contain a security issue that could result in the generation of weak cryptographic keys, making brute-force attacks easier to accomplish because of predictable keys.  This issue is described in IntelliShield alerts 15858 and 15871; the Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining mitigation strategy to protect against attacks.  The primary risk from this issue is that SSH keys and SSL certificates are often generated and distributed throughout an environment without an audit trail of their origin, which may hinder an organization’s ability to determine the risk.  Recreating keys and certificates for an entire organization could be an involved and costly endeavor. As with SSL certificates that have a defined expiration, organizations may wish to create a self-imposed timeline for re-keying SSH systems and perhaps initially only re-key those at the highest risk, such as external-facing hosts.  Other external systems, such as SSL-based VPNs, may require coordination with stakeholders in other departments or at partner organizations, complicating reconfiguration effort. While a significant risk, wholesale correction should not be undertaken lightly.
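The audit problem described above (keys scattered across hosts with no record of where they were generated, and a need to rank which hosts to re-key first) can be approached with a small inventory script. The following is an added example written for this report, not a Cisco or Debian tool: it parses an authorized_keys file, computes the MD5 fingerprint of each key, checks it against a blocklist of known-weak fingerprints, notes whether the key's comment records an origin, and orders hosts for re-keying with external-facing systems first. The keys, the host names, the `origin=` comment convention and the blocklist contents are all constructed for the example; a real audit would load the distribution's published weak-key fingerprint list in place of `WEAK_FINGERPRINTS`.

```python
"""Audit an authorized_keys file against a weak-key fingerprint blocklist and
rank hosts for re-keying. Keys, hosts and the blocklist are constructed for the
example; a real audit would load the distribution's published blocklist."""
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def _mpint(value: int) -> bytes:
    """SSH mpint of a positive integer: minimal big-endian bytes plus a leading
    zero byte whenever the top bit is set, so it is not read as negative."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")

def make_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format blob of an ssh-rsa public key (the bytes the base64 field of
    an authorized_keys line encodes). Used here with toy moduli only."""
    return _wire_string(b"ssh-rsa") + _wire_string(_mpint(e)) + _wire_string(_mpint(n))

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed at the
    time and the form the weak-key blocklists were keyed on."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, blob, comment) per key line. A leading options
    field (from=..., command=...) is skipped by locating the key-type token;
    options containing spaces inside quotes are not handled."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                blob = base64.b64decode(fields[i + 1])
                yield line_no, tok, blob, " ".join(fields[i + 2:])
                break

def audit_authorized_keys(text: str, weak_fingerprints: set) -> list:
    """One finding per key: whether its fingerprint is on the blocklist and
    whether the comment records where the key came from (origin=... token)."""
    findings = []
    for line_no, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint_md5(blob)
        findings.append({
            "line": line_no,
            "type": key_type,
            "fingerprint": fp,
            "weak": fp in weak_fingerprints,
            "origin_recorded": any(t.startswith("origin=") for t in comment.split()),
        })
    return findings

def rekey_order(hosts: list) -> list:
    """hosts: (hostname, external_facing, weak_key_count). External-facing hosts
    come first, then the ones holding more weak keys, then by name."""
    return sorted(hosts, key=lambda h: (not h[1], -h[2], h[0]))

# Constructed keys: tiny moduli, not real RSA keys, used only to exercise parsing.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE_0BAD_F00D_1234_5678_9ABC_DEF1)
OK_BLOB = make_rsa_blob(65537, 0xDEAD_BEEF_0123_4567_89AB_CDEF_FEDC_BA98)

# Stand-in for the vendor-published blocklist of fingerprints produced by the
# broken generator; here it simply lists the first constructed key.
WEAK_FINGERPRINTS = {fingerprint_md5(WEAK_BLOB)}

# Constructed sample authorized_keys content for a host named vpn1.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: authorized_keys on host vpn1",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " deploy@build01",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(OK_BLOB).decode()
    + " ops@jump01 origin=pki-2008-05-15",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(finding)
    print(rekey_order([("db1", False, 3), ("vpn1", True, 1), ("web1", True, 2)]))
```

Run against each host's authorized_keys and known_hosts files, the findings give the inventory the report says is usually missing: which keys are weak, which have no recorded origin, and therefore which hosts to schedule first. The `rekey_order` helper encodes the prioritization suggested above (external-facing hosts before internal ones) so the re-keying timeline can be staged rather than done wholesale.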

The monthly Microsoft Security Update was released May 13, 2008.  Of particular importance are the patches released for the msjet40.dll MDB parsing buffer overflow vulnerability in Microsoft Jet Database Engine, described in IntelliShield alert 14568.  Independent security researchers initially released details of this vulnerability in November 2007.  Since that time, reports indicate the vulnerability has been used to compromise user systems.  Microsoft also released patches to address two vulnerabilities in Microsoft Word.  Because of the consistent use of vulnerabilities in productivity applications to propagate malicious code, administrators should consider applying these patches a priority.  The Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining a mitigation strategy to protect against attacks using these vulnerabilities.  These strategies are outlined in IntelliShield alert 15795.  Independent security researchers released details for the Print Table of Links HTML processing vulnerability in the Microsoft Internet Explorer web browser.  Proof-of-concept code for this vulnerability that starts calc.exe on the targeted system is available.

Cisco released three security advisories and updated software to address vulnerabilities in Cisco Unified Communications Manager, Cisco Unified Presence, and Cisco Content Switching Module.  IntelliShield analysts identified 11 previously undisclosed vulnerabilities that attackers could use to cause a denial of service on the target system.  Additionally, Cisco released a bug ID and updated software to address a cross-site scripting vulnerability in the Cisco Building Broadband Service Manager.  Proof-of-concept URLs are available to demonstrate this vulnerability.

Symantec has released a security advisory and updated software to address four vulnerabilities and one security issue in the Altiris Deployment Solution product.  Two of the vulnerabilities could result in privilege escalation, allowing a local attacker to execute arbitrary code on the system with elevated privileges.  Another vulnerability could allow a local attacker to access, modify, or delete application registry keys, while the fourth vulnerability allows a remote attacker to perform SQL injection attacks.  The security issue exists due to weak encryption for domain authentication credentials, which could allow an attacker to easily decrypt the credentials and use them to gain unauthorized access to the application.

A security researcher from CORE Security Technologies has announced that he will present a proof-of-concept rootkit for Cisco IOS devices on May 22, 2008 at the EuSecWest Conference in London, England.  This announcement was described in IntelliShield alert 15869.  The researcher stated that the proposed rootkit was not designed for any specific version of Cisco IOS and that it could be installed on a number of devices and versions, but these claims have not been confirmed.

IntelliShield published 120 events last week: 65 new events and 55 updated events.  Of the 120 events, 98 were Vulnerability Alerts, eight were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Security Activity Bulletins, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:   

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        05/16/2008     9        16      25
Thursday      05/15/2008     9        16      25
Wednesday     05/14/2008    23         6      29
Tuesday       05/13/2008    12        12      24
Monday        05/12/2008    12         5      17
Weekly Total                65        55     120

Significant Alerts for May 12–18, 2008

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, May 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code.  Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available.  Public reports indicate this vulnerability is actively being exploited. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008.  This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products.  Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system.  The vulnerability has been identified as being used by TROJ_MSJET.C, as described in IntelliShield Alert 15486, and by Trojan.Acdropper.C, as described in IntelliShield Alert 10679.  Microsoft has confirmed the vulnerability but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 4, April 24, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user.  This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642.  Microsoft has confirmed the vulnerability in a security bulletin and released software updates.


CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15402, Version 3, April 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1472

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code.  Exploit code that allows for the execution of arbitrary code is available.  Reports indicate that attackers are actively exploiting this vulnerability.  To exploit this vulnerability, an attacker must rely on user interaction.  An attacker may use social engineering tactics to convince a user to visit a malicious website using a browser, such as Internet Explorer, that supports ActiveX controls.  CA confirmed the vulnerability in a security response, but updates are not available.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server.  This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges.  The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0655

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms.  The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2.  Independent security researchers have released the technical details of several vulnerabilities corrected by this update.  Attackers are using at least one of these vulnerabilities to distribute the Trojan.Pidief family of malicious code.

Physical

Southwest China Suffers Massive Earthquake

 
On May 12, 2008, a magnitude 7.9 earthquake struck the Sichuan province and surrounding areas.  The death toll has reached 34,000. There are 30,000 people missing and an estimated 5,000 still buried under debris.  Reports indicate that 159,000 people are injured and 4.8 million people are homeless.  Aftershocks have continued to plague the area, hampering the efforts of rescue workers.  President Hu Jintao pledged that the search for survivors is the highest priority.  There is some concern that the existing infrastructure has been severely damaged, including a dam within the Sichuan province.  Aid and support have been offered and accepted by China.

IntelliShield Analysis:  China hasn't suffered an earthquake of this magnitude since 1950, and the mounting relief operation is being hailed as one of the largest and most efficient in China's history.  Civilian flights have been canceled and priority has been given to restoring power and removing debris from roads.  With such massive physical destruction, current business impact is estimated at US$9.6 billion.  It will be some time before normal business operations can resume and workers return to their jobs.  Businesses not directly affected by the temblor in China are encouraged to assess their own natural disaster plans and the risks posed by major damage to critical infrastructure.  Organizations need to carefully consider site locations along with suitable locations for redundancy of business critical operations during disasters, including personnel.  Business continuity plans and failover equipment are important, but having the right people in place should be a priority.

Legal

Digital Signature Used in Wire Fraud Case

A museum director has been indicted for wire fraud in a case that involves the use of electronic, or digital, signatures.  The director, Roxanna Brown, apparently divulged the credentials for her electronic signature to persons with whom she worked.  Her signature was used to authenticate museum piece appraisals that reportedly included inflated values.  The motivation for this action was to allow contributors of the art pieces to claim a larger donation value for tax purposes.  Ms. Brown has since died of a heart attack while in custody.

IntelliShield Analysis:  A digital signature is legally binding and is treated as a physical signature by the law.  While it may be common practice to authorize others, or to mechanically sign some documents, a person should never give out the credentials for their digital signature.  The individuals who used Ms. Brown's signature to make fraudulent appraisals are not being indicted in this case.  The person held legally responsible is the owner of the signature.  With Ms. Brown's death, it may never be known if she willingly allowed the use of her digital signature.

Trust

Pfizer, Inc., Exposes Unencrypted Data

In the United States (U.S.), Pfizer, Inc., a global pharmaceutical company headquartered in New York City, New York, has reported another data exposure.  This incident involves the theft of an encrypted laptop computer and an unencrypted flash drive containing various types of personal employee and business information.  A Pfizer spokesperson said the laptop did not contain social security numbers and was encrypted, but the unencrypted flash drive contained employee information and potentially sensitive business information.  This stolen laptop report follows multiple data compromises over the past year, including two other stolen laptops, a P2P-related exposure, and an incident involving unauthorized access and downloading of information by a former employee.

IntelliShield Analysis:  Because the stolen laptop was encrypted, it seems Pfizer has made some limited improvements, but serious data, physical, and operational security concerns remain.  Although the employee identity information was limited, sensitive global business information is reported to be on the unencrypted flash drive.  In the highly competitive global pharmaceutical market, the business information could cost the company millions or billions of dollars in intellectual property, competitive advantage, and strategic execution.  Pfizer's experience demonstrates the need for a broad, holistic, risk-based security approach. Reactionary security that responds to incidents as they occur will often result in an endless string of continuing incidents, fire-drill responses, and a position of always playing catch-up with the current risks. An effective security policy must include monitoring and enforcement; without them, incidents of the kind Pfizer has previously reported as unauthorized will keep occurring.

Identity

Dave & Buster's Packet Sniffer Logged Payment Cards

Three people, Maksym Yastremskiy, Aleksandr Suvorov, and Albert Gonzalez, have been charged with computer fraud and hacking into register terminals.  The three men installed packet sniffing software onto point-of-sale servers in 11 Dave & Buster's U.S. restaurant locations.  Gonzalez wrote the software and Yastremskiy and Suvorov sold the stolen data to other attackers.  The packet sniffing software obtained credit and payment information from thousands of cards.  In one instance, a restaurant located in Islandia, New York, disclosed data from 5,000 payment cards.  The attack was conducted from April to September of 2007.

IntelliShield Analysis:  Because of the distributed nature of retail computing networks, physical security is much harder to control. Physical security controls for these networks may be more important than technical controls, owing to the systems' location and function.  While detecting packet sniffing software can be difficult because of the passive nature of the technology, the accused were able to infiltrate the physical server locations of the restaurants and install the software on the systems.  A flaw in the packet capture tool made it necessary for the attackers to repeatedly gain physical access to the compromised systems. This repeated activity eventually led to the capture of the perpetrators.  Point-of-sale locations are the front lines in the retail business, with additional exposures and risks.  Security teams should consider the differences in the risks of these locations and address them appropriately.
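Sniffers are passive on the wire, but a capture tool running on the host itself usually leaves one observable trace: the interface is switched into promiscuous mode. The following added example (written for this report, not a Cisco tool, and not tied to the software used in the Dave & Buster's case) checks Linux interfaces for that flag by reading the kernel's sysfs flags word, and compares the result to a recorded baseline so a legitimately promiscuous sensor port is not re-alerted on every run. The sysfs path and the sample flag values are constructed for the example; the check covers only hosts on which capture runs locally, and says nothing about a sniffer attached elsewhere on the network.

```python
"""Check Linux network interfaces for promiscuous mode, one observable side effect
of a locally running packet sniffer. Constructed sample data stands in for sysfs."""
import os

IFF_PROMISC = 0x100  # Linux interface flag set while a capture tool is listening

def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Return interface names whose flags word has IFF_PROMISC set.
    Values are hex strings exactly as /sys/class/net/<iface>/flags reports them."""
    hits = []
    for iface, raw in sorted(flags_by_iface.items()):
        if int(raw.strip(), 16) & IFF_PROMISC:
            hits.append(iface)
    return hits

def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Read the flags file of every interface under root (Linux only); returns an
    empty dict elsewhere so the check degrades quietly on other platforms."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for iface in os.listdir(root):
        path = os.path.join(root, iface, "flags")
        try:
            with open(path) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue
    return flags

def compare_to_baseline(current: dict, baseline: dict) -> list:
    """Report (iface, was_promisc, is_promisc) for interfaces whose promiscuous
    state differs from a recorded baseline, so an interface that is legitimately
    promiscuous (an IDS sensor port) is not re-alerted while a new one is."""
    changed = []
    for iface in sorted(set(current) | set(baseline)):
        now = bool(int(current.get(iface, "0x0").strip(), 16) & IFF_PROMISC)
        before = bool(int(baseline.get(iface, "0x0").strip(), 16) & IFF_PROMISC)
        if now != before:
            changed.append((iface, before, now))
    return changed

# Constructed sample, formatted as sysfs prints it:
# 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, 0x1003 = UP|BROADCAST|MULTICAST, 0x9 = UP|LOOPBACK.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}
# Constructed baseline recorded on a clean host: nothing promiscuous.
SAMPLE_BASELINE = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1003"}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    print("promiscuous now:", promiscuous_interfaces(live))
    print("changed vs baseline:", compare_to_baseline(SAMPLE_FLAGS, SAMPLE_BASELINE))
```

Scheduled on the point-of-sale hosts themselves and shipped to a central log, a change in `compare_to_baseline` output is a cheap host-level indicator that complements the physical controls the analysis recommends; it will not catch capture performed from a separate device plugged into the same segment.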

Human

Internal Revenue Service Charges Five Employees with Unauthorized Tax Access

The United States Internal Revenue Service (IRS) recently charged five employees at a processing center in Fresno, California, with accessing tax return information without authorization.  The employees' actions were exposed as a result of internal auditing.  Employees may attempt to access the returns of family members or public figures to indulge personal curiosity or to gather information for potential fraud.  The IRS regularly investigates such events, reporting up to 500 cases per year.

IntelliShield Analysis:  Few technical solutions exist to defeat human curiosity.  The relatively high number of cases of unauthorized access within the IRS demonstrates the extent of the problem. In addition to addressing external security risks, internal policies must take into account human nature.  Policies that include strong penalties for violations remain the most effective deterrent for preventing employees from accessing information without authorization.  To limit internal risks, sites are advised to consider layers of access controls, education and training, and frequent reminders. As with external attackers, the psychological factors and multiple motivations of employees should be considered in assessing these risks.
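The IRS cases above were found by internal auditing, and the analysis recommends layered access controls. The following added example (constructed for this report, not IRS code or a description of its systems) shows the audit side of that layering: it runs over a constructed access log and flags record views that have no supporting work assignment, views of a taxpayer outside the assigned case's scope, and any view of an account on a sensitivity list, then counts flags per employee so repeated browsing stands out. The log format, the employee and taxpayer identifiers, the assignment tables and the watch list are all made up for the example.

```python
"""Flag access to tax-record data that has no supporting work assignment, over a
constructed audit log. Identifiers, cases and the watch list are made up."""
import csv
from collections import Counter
from io import StringIO

# Constructed audit log: one row per record view by a processing-center employee.
SAMPLE_AUDIT_LOG = """\
timestamp,employee_id,taxpayer_id,case_id
2008-05-12T09:02:11,E1001,T-55010,C-7781
2008-05-12T09:15:40,E1001,T-55011,C-7781
2008-05-12T11:48:03,E1002,T-90001,
2008-05-13T14:20:19,E1002,T-90002,
2008-05-13T14:21:02,E1002,T-90003,
2008-05-14T08:05:55,E1003,T-12345,C-7790
"""

# Constructed work assignments: cases each employee holds, and the taxpayers
# each case covers.
ASSIGNMENTS = {"E1001": {"C-7781"}, "E1003": {"C-7790"}}
CASE_TAXPAYERS = {"C-7781": {"T-55010"}, "C-7790": {"T-12345"}}

# Constructed list of accounts (public figures, employees' relatives) whose
# every access is routed to a reviewer even when a case covers it.
WATCHLIST = {"T-90002", "T-12345"}

def find_unauthorized(log_text: str, assignments: dict, case_taxpayers: dict,
                      watchlist: set):
    """Return (flagged_rows, per_employee_counts). A row is flagged when it has
    no case id, when the case is not assigned to the employee, when the taxpayer
    is outside the case's scope, or when a watch-listed account is touched."""
    flagged = []
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        case = row["case_id"]
        if not case:
            reasons.append("no case id")
        elif case not in assignments.get(row["employee_id"], set()):
            reasons.append("case not assigned to employee")
        elif row["taxpayer_id"] not in case_taxpayers.get(case, set()):
            reasons.append("taxpayer outside case scope")
        if row["taxpayer_id"] in watchlist:
            reasons.append("watchlist account")
        if reasons:
            counts[row["employee_id"]] += 1
            flagged.append({**row, "reasons": reasons})
    return flagged, counts

def repeat_offenders(counts: Counter, threshold: int = 2) -> list:
    """Employees with at least `threshold` flagged views, most frequent first;
    a run of unexplained views is a stronger signal than a single one."""
    return [emp for emp, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    rows, per_employee = find_unauthorized(SAMPLE_AUDIT_LOG, ASSIGNMENTS,
                                           CASE_TAXPAYERS, WATCHLIST)
    for r in rows:
        print(r["timestamp"], r["employee_id"], r["taxpayer_id"], r["reasons"])
    print("review first:", repeat_offenders(per_employee))
```

The rule set is deliberately simple: the control that actually stops browsing is requiring a case id at access time, and the audit exists to catch what slips through and to give the deterrent penalties the analysis mentions something concrete to act on.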

Geopolitical

Lebanon Situation Underscores Strategic Significance of Communications

Violence and instability have crippled Lebanon following a skirmish over the control of media and telecommunications.  On May 9, Hezbollah gunmen forced the pro-government Future TV station off the air and set the offices of a pro-government newspaper on fire.  The government responded by declaring Hezbollah's private fiber-optic communications network illegal, precipitating armed clashes and the closing of major roads.  By the end of last week, both Future TV and Hezbollah's fiber-optic network were back online, raising hopes that a deeper crisis has been averted for now.  These latest activities are part of a broader leadership struggle that has paralyzed Lebanon for months, pitting the Western and Arab League-backed government of Fouad Siniora, a Sunni Muslim, against Iran- and Syria-backed Shia Hezbollah.

IntelliShield Analysis:  The struggle for Lebanon is in many respects a struggle for influence across the wider Middle East, so it is significant that Siniora’s government, following mediation by an Arab League delegation, gave in to Hezbollah’s demands.  As the influence of Iran and Syria in the region strengthens, the influence of Saudi Arabia, Egypt and Western countries is weakening.  From an IT perspective, this weakening, if it continues, points to a downgrade in the environment for investment in the region.  This is particularly true for companies involved in communications if struggles continue to play out on phone lines, Internet cafes, and at television stations.

Upcoming Security Activity

AusCERT 2008: May 18–23, 2008
EUSecWest 2008:  May 21–22, 2008
PH-Neutral 0x7d8: May 23–25, 2008
APWG 2008 CeCOS: May 26–27, 2008
EC-Council Hacker Halted USA: May 29–June 4, 2008
Shakacon 2008: June 9–13, 2008
RECON 2008: June 13–15, 2008
Cisco Live (previously Networkers): June 22–26, 2008
FIRST: June 22–27, 2008
The Last HOPE: July 18–20, 2008
USENIX: May 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008

 

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
