Cyber Risk Report

May 19–25, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for the past week was highlighted by the release of updates to Red Hat Network Satellite Server and the Red Hat Network Proxy Server. Red Hat released three security advisories to address 47 distinct vulnerabilities in the newly released versions of these products. When releasing major version updates for its products, Red Hat commonly releases security advisories to address any vulnerabilities resolved by the new version or by its early updates.

Stonesoft released a security advisory to address the predictable OpenSSL random number generation issue in Debian. This highly public security issue affects the StoneGate High Availability Firewall and VPN, StoneGate IPS, and StoneGate SSL VPN products. As a result of this issue, all SSL certificates, SSH keys, and passwords generated by affected third–party applications may have predictable features and be easily guessed by brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

In malicious code activity this week, TROJ_MDROPPER.MB is exploiting the recently patched Microsoft Jet Database Engine msjet40.dll MDB parsing buffer overflow vulnerability. This trojan is documented in IntelliShield Alert 12562. The trojan has been circulating in e–mails containing a malicious .mdb or.msg file designed to exploit the vulnerability. Attackers could also leverage this flaw by creating a Word document that contains a malicious Jet Database object and convincing a user to open such a file.

An additional Trojan.Mdropper variant has also been circulating during this time period. This trojan arrives in an e–mail using topics related to the recent earthquake in China. Known filenames to be circulating are earthquake information.doc.scr and photos about earthquake of sichuan.exe. Malware authors often take advantage of the wide-spread knowledge of such events for use in their social engineering tactics.

Administrators are advised to apply the appropriate updates to avoid the risks that are associated with these types of trojans. Because malicious code attacks that use latent vulnerabilities in Microsoft Office productivity applications continue to be a threat, administrators should remain diligent in educating users about the dangers of opening documents from untrusted sources.
IntelliShield published 174 events last week: 49 new events and 125 updated events. Of the 174 events, 154 were Vulnerability Alerts, 10 were Security Issue Alerts, three were Security Activity Bulletins, three were Daily Malicious Code Summaries, two were Malicious Code Alerts, one Applied Mitigation Bulletin, and one Cyber Risk Report.

Weekly Alert Totals

Day Date New Updated Total
Friday 05/23/2008 12 32 44
Thursday 05/22/2008 10 27 37
Wednesday 05/21/2008 11 29 40
Tuesday 05/20/2008 11 16 27
Monday 05/19/2008 5 21 26
Weekly Total 49 125 174


Significant Alerts for May 19–23, 2008

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 6, May 26, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features and be easily guessed through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE–2007–6026

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. TROJ_MDROPPER.MB, which exploits this vulnerability, is publicly available and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by TROJ_MSJET.C, as described in IntelliShield Alert 15486, and by Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 4, April 24, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15402, Version 3, April 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1472

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may use social engineering tactics to convince a user to visit a malicious website using a browser that supports ActiveX controls, such as Internet Explorer. CA confirmed the vulnerability in a security response, but updates are not available.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0655

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. Attackers are using this vulnerability to distribute the Trojan.Pidief family of malicious code.

Physical

There was no significant activity in this category during the time period.

Legal

US Supreme Court Upholds Law Criminalizing the Pandering of Child Pornography

The Supreme Court has upheld a law that makes it illegal to pander or solicit child pornography. The law is commonly known as the PROTECT act. Under the statutes of this law, it is not necessary for a person pandering child pornography to actually have such material in his or her possession. It is enough to knowingly offer to make it available to others. Similarly it is enough for a solicitor to knowingly ask for such material. This law is a replacement for the Child Pornography Prevention Act of 1996 which the supreme court had struck down for being too broad. Read more
 
IntelliShield Analysis: Because the new law does not require the individual offering to make child pornography available to actually possess it, many of the difficulties of the Child Pornography Prevention Act are avoided. It is no longer necessary to prove that the perpetrator has or had actual child pornography. In the summary statement, the court examined the law and found that all the definitions used in it, including what constitutes child pornography, were plainly written, not easily twisted to mean other things, and not too broad in scope.  This law gives law enforcement agents more power to prosecute those who would seek to acquire or distribute child pornography, and in upholding it, the court has strengthened lawmakers’ ability to keep pace with crimes made easier on the Internet.

Trust

States File Suit Against LifeLock After CEO’s Identity is Stolen

Three states, Maryland, New Jersey and most recently West Virginia, have filed lawsuits against identity theft protection firm, LifeLock, alleging that the company misled customers. The suit in West Virginia alleges that LifeLock’s CEO, Richard Todd Davis, has advertised the firm’s service by openly sharing his own Social Security number but has been unable to prevent his own identity from being stolen. As a result of the alleged failures in LifeLock’s service, the CEO’s identity has been used to forge twenty drivers licenses in Davis’ name, make a cash advance of five hundred dollars and to change his birth date on official records. Details currently available on LifeLock’s website list services for protecting credit with the three major credit reporting agencies, helping customers when they lose their wallet, and watching for evidence that a customer’s identity is being sold or traded. Read more

IntelliShield Analysis: Regardless of the particular outcome of these cases, they do bring up an important point about the current focus of consumers and consumer protection offerings for identity theft. While many services focus on the credit and financial impacts of identity theft, consumers must be aware of what they are purchasing and the limitations of these services. Identity is a very broad concept, trusted to authenticate and authorize all manner of transactions, not just financial ones. Protecting against credit fraud may limit the financial impacts of identity theft, but there can be significant impacts to reputation, false entries on a victim’s criminal record, or other areas that are difficult to recover. Consumers should be educated and protected from this criminal trend; the outcome of these cases may produce a positive result for victims of identity theft.

Identity

US Federal Government Offering Discounted Encryption

The General Services Administration office of the United States has created a successful new program named Data at Rest (DAR), aimed at providing cost–effective commercial encryption technology to local, state, and federal agencies. The DAR program provides a number of different solutions to meet the needs of its intended customers at a drastically reduced price, making the decision to implement encryption on mobile computing and storage devices non-dependant on budgetary constraints. To date, the DAR program has provided over 800,000 encryption licenses to qualified agencies. Read more

IntelliShield Analysis: The use of encryption on mobile devices is rapidly becoming a standard for both governmental and commercial sectors. While the addition of encryption to the standard images of these devices is a step in the right direction, encryption itself is not a solution to every security challenge. In the mobile space, encryption plays a critical part of keeping data secure, as such devices are commonly lost, stolen, or utilized in an uncontrolled space; however, organizations should carefully weigh the impacts of the implementation of encryption of both data at rest and data in transit on other security policies and technologies that are currently in place prior to making a purchase decision.

Human

China Earthquake Used As Scam Bait

Scammers have used the recent earthquake in China to profit from the generosity of others, first by hacking the Red Cross website, as well as through phishing attacks. An undisclosed amount of funds that contributors had donated through the Red Cross website had been deposited into the bank accounts of hackers instead of going to the charity as intended. The FBI has issued warnings that phishing e-mail messages have been circulating in order to entice donors to give money to fake charities. Read more

IntelliShield Analysis: It is not uncommon for scam-artists to capitalize from disasters, and potential donors need to be wary. Steps to protect against these sorts of scams include forgoing the links included in e-mail messages and instead typing in the full, trusted address to access a website. Users should be sure to certify that any contributions donated are going to legitimate charities through the Federal Trade Commission and the Better Business Bureau, or their international equivalent. Organizations collecting relief aid should ensure that websites that accept donations have the latest patches installed and have adequate security controls in place, and monitor for phishing attacks. Such organizations should make contact with the appropriate authorities and anti–phishing groups to ensure that direct lines of communication are open and effective response procedures are followed.

Geopolitical

Blackberry Won't Provide Encryption Keys to Indian Authorities

Canada-based Research in Motion (RIM), maker of the popular wireless handheld Blackberry, is resisting pressure from the Government of India to provide private encryption keys for Blackberry users amid protracted negotiations between RIM and India's Department of Telecommunications. RIM is arguing that the encryption architecture for enterprise customers is designed so that it cannot be accessed by RIM for any reason, as there is no "master key" or "back door" capability. RIM has been reluctant to lower its 256-bit encryption standard in India in order to facilitate government eavesdropping; Indian government officials were also reportedly pressuring RIM to place servers in India. Indian authorities say they need to be able to intercept communications between money launderers and militant groups who use the devices.
Read more
Additional information
Additional information

IntelliShield Analysis: Rumors last week pointed toward a compromise agreement between RIM and the Indian Telecommunications Department wherein RIM would provide encryption keys for non-enterprise customers only. However, this latest statement on RIM's part appears to dim prospects for a compromise, suggesting that RIM may be willing to gamble the entire Indian market, including the enterprise customers that make up the majority of RIM's Indian customers, in order to safeguard its reputation as a secure device. The agreement points to future quandaries for technology companies and governments alike, as powerful, low-cost communications devices that were once out of reach of most consumers are now not only affordable, but often beyond the ability of governments to control.

Upcoming Security Activity

PH–Neutral 0x7d8: May 23–25, 2008
APWG 2008 CeCOS: May 26–27, 2008
EC–Council Hacker Halted USA: May 29–June 4, 2008
Shakacon 2008: June 9–13, 2008
RECON 2008: June 13–15, 2008
Cisco Live (previously Networkers): June 22–26, 2008
FIRST: June 22–27, 2008
The Last HOPE: July 18–20, 2008
USENIX: May 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top