
IntelliShield Cyber Risk Report

May 26–June 1, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

May is the first month in 2008 in which IntelliShield responded to fewer than 600 security events. The lower activity levels were related to a decrease in vendor responses to previously disclosed vulnerabilities. The level of newly reported vulnerabilities remained consistent with previous months.

Apple released Security Update 2008-003 to address 36 security issues and vulnerabilities in the Mac OS X and OS X Server operating systems that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws in core operating system components as well as third-party packages that are bundled with the operating system. Of the 36 vulnerabilities, 17 were previously undisclosed. Included in these were updates for eight vulnerabilities in the embedded Apache web server 2.0.x branch.

The Adobe Product Security Incident Response Team reports that attackers are using the multimedia file integer overflow vulnerability in Adobe Flash Player to conduct widespread attacks, as described in IntelliShield Alert 15623. One of the attack methods used to exploit this vulnerability is to compromise legitimate websites through latent SQL injection vulnerabilities. These compromised websites could redirect users to a domain that hosts a malicious .swf file that triggers the integer overflow. Both the wuqing17173.cn and woai117.cn domains have been identified as hosting these types of files. One version of this attack uses multiple redirection URLs to direct the user to malicious websites that are specific to the user's browser and Flash Player version. Public reports indicate the number of compromised sites could be between 20,000 and 250,000. These websites attempt to load malicious code files identified as Downloader.Swif.C onto the user's system. Downloader.Swif.C is detailed in IntelliShield Alert 15955. Until updated software can be applied, administrators may consider disabling Adobe Flash Player on users' systems or setting the associated kill bit. Either method mitigates this vulnerability by preventing Flash Player from launching. Users should exercise increased caution even when visiting familiar websites, because attackers are using compromised legitimate websites to deliver the malicious files.
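Site owners can check their own pages for the injected-loader pattern described above (a hidden iframe or an off-site .swf reference pointing at a third-party domain). The following is an added example, not code from the report or from Cisco; it assumes the page HTML has already been fetched, uses the two domains named above as its indicator list, and the sample page is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the report names as hosting the malicious .swf files.
KNOWN_BAD_DOMAINS = {"wuqing17173.cn", "woai117.cn"}

# Tags that pull remote content into a page, and the attribute carrying the URL.
_LOADER_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class _RefCollector(HTMLParser):
    """Collect (tag, url, attrs) for every content-loading tag, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        src_attr = _LOADER_TAGS.get(tag)
        if src_attr and attr_map.get(src_attr):
            self.refs.append((tag, attr_map[src_attr], attr_map))


def _is_known_bad(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def _is_hidden(attrs):
    # Injected iframes are commonly sized to zero or styled invisible.
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html, site_host):
    """Return {tag, url, reasons} dicts for suspicious loaders; relative URLs
    count as site_host's own content, so a site's own Flash files are not flagged."""
    collector = _RefCollector()
    collector.feed(html)
    site_host = site_host.lower()
    findings = []
    for tag, url, attrs in collector.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or site_host).lower()
        reasons = []
        if _is_known_bad(host):
            reasons.append("known-bad-domain")
        if parsed.path.lower().endswith(".swf") and host != site_host:
            reasons.append("offsite-swf")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden-iframe")
        if reasons:
            findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings


# Constructed sample: a page with its own Flash intro plus two injected loaders.
SAMPLE_PAGE = """<html><body><h1>Store</h1>
<script src="/js/site.js"></script>
<embed src="/media/intro.swf" type="application/x-shockwave-flash">
<iframe src="http://woai117.cn/" width="0" height="0"></iframe>
<script src="http://cdn.example-assets.net/lib.js"></script>
<embed src="http://evil-host.invalid/ad.swf"></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{f['tag']:6} {f['url']:35} {', '.join(f['reasons'])}")
```

Off-site scripts that are neither .swf nor on the indicator list are deliberately not flagged, since most pages load legitimate third-party scripts; extend KNOWN_BAD_DOMAINS from current alert data rather than widening that rule.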

IntelliShield published 103 events last week: 46 new events and 57 updated events. Of the 103 events, 78 were Vulnerability Alerts, 11 were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Security Activity Bulletins, three were Malicious Code Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        5/30/2008     8        8     16
Thursday      5/29/2008    19        3     22
Wednesday     5/28/2008    10        7     17
Tuesday       5/27/2008     9        7     16
Monday        5/26/2008     0       32     32
Weekly Total               46       57    103


2008 Monthly Alert Totals

Month          New  Updated  Monthly Total
January        178      452            630
February       243      452            695
March          257      402            659
April          209      430            639
May            210      318            528
Annual Total 1,097    2,054          3,151


Significant Alerts for the Reporting Period

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 4, May 29, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. Downloader.Swif.C attempts to exploit this vulnerability and is documented in IntelliShield Alert 15955. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Previous Alerts That Still Represent Significant Risk

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 6, May 26, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features and be easily guessed through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. TROJ_MDROPPER.MB, which exploits this vulnerability, is publicly available and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by TROJ_MSJET.C, as described in IntelliShield Alert 15486, and by Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 5, May 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15402, Version 3, April 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1472

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may use social engineering tactics to convince a user to visit a malicious website using a browser that supports ActiveX controls, such as Internet Explorer. CA confirmed the vulnerability in a security response, but updates are not available.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws in core operating system components as well as third-party packages that are bundled with the operating system.

Physical

Atlantic Hurricane Season Begins June 1

June 1 marks the beginning of the Atlantic Ocean hurricane season, and the United States (U.S.) National Oceanic and Atmospheric Administration (NOAA) is warning coastal regions to review and complete emergency plans now. The U.S. Climate Prediction Center predicted a 65 percent probability of an above-normal hurricane season, with a possibility of 12 to 16 named storms in 2008 compared with a prediction of 13 to 17 in 2007. In actuality, there were 14 named storms in 2007, with five lesser hurricanes and two intense hurricanes. Hurricane seasons average 11 named storms annually, with the peak of activity occurring during August through October.

IntelliShield Analysis: Natural disasters can cause disruption within the immediate area and also cause a ripple effect to other regions. In 2005, Hurricane Katrina alone affected the population, economy, and political climate of the entire United States. In recent weeks, the earthquake in China has also prompted questions of recovery methods and emergency plans in that nation. There are also broader business implications to consider, such as interruption of or damage to energy resources from hurricanes, which could cause a jump in already high fuel prices. Companies and businesses should review their emergency plans annually and ensure that employees are aware of necessary actions to take during a natural disaster to reduce loss and protect assets. Businesses should also assess their supply chains and operations to identify any areas that are at risk of disruption and develop contingency plans.

Legal

Google Responds to Viacom US$1 Billion Lawsuit

Media giant Viacom has again filed suit against YouTube and its parent company Google, now seeking damages of US$1 billion from lost revenue resulting from the viewing of copyrighted content through the YouTube service. Although Google claims to have fulfilled requirements under the 1998 Digital Millennium Copyright Act (DMCA) in the United States by removing restricted material from the YouTube site, Viacom contends that content on YouTube consistently infringes on copyright protections, and that Google has not responded as required by law. Google has responded by denying most allegations leveled by Viacom and stated that the challenge to YouTube and the DMCA threatens the Internet's open communication and free exchange of information.

IntelliShield Analysis: The outcome of this case may decide the future behavior of compliance among copyright owners and the Internet media sites and service providers that may unwittingly transmit copyrighted materials. It has become an increasingly difficult technical task to identify, filter, or remove copyrighted material from sites that allow user-submitted content, putting a burden on those sites that attempt to comply with removing copyrighted content. Depending on the outcome of the Viacom v. Google case, new companies that want to allow users to provide content may have little chance to innovate. Instead, they will be working in an environment in which there are no protections from liability in dealing with copyrighted material that is subject to the DMCA.

Trust

Deutsche Telekom Tracks Upper Management Calls

In a case that echoes the HP "pretexting" case of a year ago, the in-house security division of Deutsche Telekom hired a company in Berlin to track calls between corporate executives and journalists. As in the HP case, the company was trying to pin down suspected data leakage to the media, and, as in the HP case, the activity was discovered. Upper management was unhappy, and the customer base was unhappier still, fearing that they might also be subjected to spying.

IntelliShield Analysis: The activities seem to have taken place in 2005 and 2006, which would have been before the uproar over the HP pretexting occurred. Unlike in the HP case, in which private investigators misrepresented themselves to telephone companies to gain access to records, in this case the telephone company itself was involved in the investigation. This fact is raising privacy concerns among the customer base. The HP case resulted in four felony charges against employees, which were eventually dropped. It is unclear whether the persons responsible for these actions at Deutsche Telekom will be brought to trial. In any event, the telephone company has been trying to assure customers that their data and privacy are safe. Considering that the very top executives of the company appear not to have known about this investigation, that position may be difficult to argue.

Identity

Olympic Tickets to Incorporate RFID Chips

The Chinese Olympic Committee has announced that the tickets for each Summer 2008 Olympic event will contain RFID microchips, and the chips for the opening and closing ceremonies will also hold personal information. Implementing the technology is intended to decrease scalping and counterfeit ticket sales as well as screen out potential troublemakers. Tickets for the opening and closing events will be considered nontransferable because they will be linked to the owner by encoding a photograph and passport data. Because the committee has a little more than two months to implement the system, many are skeptical that it can be brought online in time and that the tickets can be delivered prior to the opening ceremony.

IntelliShield Analysis: Incorporating secure, robust, and useful RFID controls is no easy task. If implemented poorly, the controls could introduce some serious complications. Security researchers have commented that strong RFID security could create a bottleneck at entry points to various events, but a weak RFID implementation could make it trivial for data stored on the RFID to be retrieved by unauthorized individuals. An individual could carry a device that is designed to collect the stored personal information of tickets held in the queue. Similarly, it may also be possible for protesters and other groups to disrupt ticketing by introducing counterfeit tickets. Resources shifted to assist in RFID processing would be diverted from other security-related tasks that may have higher priority, which would weaken overall security. As with all RFID implementations, individuals who attend the games should be aware of their surroundings, protect their tickets as well as their passports physically and electronically, and allow extra time for processing.

Human

E*TRADE, Schwab.com, and Banks Scammed for US$50,000

According to reports by Wired.com, Michael Largent of Plumas Lake, California, has been charged with four counts of computer fraud, four counts of wire fraud, and four counts of mail fraud related to illegally collecting micro-deposits from both E*TRADE and Schwab.com. The brokerage websites use a control that deposits a small amount of cash to a bank account specified by the user to verify that the correct account information was entered. Largent exploited this control mechanism by writing a script that opened approximately 58,000 accounts and moved the micro-deposits to specified bank accounts, from which the funds were then transferred to pre-paid debit cards. Largent's activities were discovered when Schwab.com audited their accounts as required by the Patriot Act and learned that someone had opened over 5,000 accounts with false information.

IntelliShield Analysis: If proven true, Michael Largent's fraud is a new exploit on an old concept that was popularized by the Office Space and Superman III movies. These sorts of crimes continue to become more commonplace as businesses find their customers online and electronic payment methods become more popular. Firms that rely on user-created accounts for e-business must ensure proper checks are in place to guard against these newer types of fraud. Largent used popular fictitious names to easily generate a large number of identities, and companies should consider comparing account names to lists of well-known aliases. Any questionable accounts should be investigated for further evidence of fraud and turned over to the appropriate authorities. Businesses will need to continually assess and adjust their controls as new exploit techniques are developed and identified.
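The checks the analysis calls for can be run as a review over account-opening records before verification micro-deposits are sent. The following is an added example, not code from the report or from either brokerage; the alias watchlist, thresholds and records are constructed for illustration, and the velocity check is an extra control beyond the alias comparison the analysis names.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed watchlist standing in for the "well-known aliases" list the
# analysis recommends; a real deployment maintains its own.
KNOWN_ALIASES = {"john doe", "jane doe", "homer simpson", "bruce wayne"}


@dataclass(frozen=True)
class AccountOpening:
    account_id: str
    holder_name: str
    dest_bank_account: str  # external account that receives the micro-deposit
    opened_at: datetime


def _normalize(name):
    return " ".join(name.split()).lower()


def flag_openings(openings, max_dest_reuse=2, max_per_window=5,
                  window=timedelta(hours=1)):
    """Return {account_id: [reasons]} for openings that warrant manual review.
    Reasons: dest-reuse (more than max_dest_reuse accounts route the micro-deposit
    to one external account), known-alias (name on the watchlist), velocity
    (more than max_per_window openings within `window`)."""
    dest_counts = Counter(o.dest_bank_account for o in openings)

    # Sliding window over openings sorted by time to catch scripted bursts.
    by_time = sorted(openings, key=lambda o: o.opened_at)
    burst_ids = set()
    start = 0
    for end in range(len(by_time)):
        while by_time[end].opened_at - by_time[start].opened_at > window:
            start += 1
        if end - start + 1 > max_per_window:
            burst_ids.update(o.account_id for o in by_time[start:end + 1])

    flagged = {}
    for o in openings:
        reasons = []
        if dest_counts[o.dest_bank_account] > max_dest_reuse:
            reasons.append("dest-reuse")
        if _normalize(o.holder_name) in KNOWN_ALIASES:
            reasons.append("known-alias")
        if o.account_id in burst_ids:
            reasons.append("velocity")
        if reasons:
            flagged[o.account_id] = reasons
    return flagged


def sample_openings():
    """Constructed records: a scripted burst of six plus two ordinary customers."""
    t0 = datetime(2008, 5, 1, 9, 0)
    names = ["Homer Simpson", "Bruce Wayne", "Ann Lee", "John Doe", "Pat Kim", "Jane Doe"]
    burst = [AccountOpening(f"acct-{i:03d}", n, "DEST-0001", t0 + timedelta(minutes=i))
             for i, n in enumerate(names)]
    ordinary = [AccountOpening("acct-100", "Maria Ortiz", "DEST-7781", t0 + timedelta(days=1)),
                AccountOpening("acct-101", "Wei Zhang", "DEST-3390", t0 + timedelta(days=2))]
    return burst + ordinary


if __name__ == "__main__":
    for account_id, reasons in flag_openings(sample_openings()).items():
        print(account_id, ", ".join(reasons))
```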

Geopolitical

China Telecommunications Restructuring Precedes 3G Licenses

China has announced a long-awaited restructuring of the country's telecommunications operators, consolidating the current four operators into three that will each offer both fixed and mobile services, largely according to expectations. When the restructuring is complete, a process China's official Xinhua News Agency estimates will take at least a year, China will issue 3G licenses to the three new companies. Also in the news this week, China Mobile's closely watched commercial trials of its homegrown TD-SCDMA 3G standard are reportedly going badly, leading many to suspect that Beijing will not be able to deliver on its long-standing promise to provide 3G services in time for the Olympic Games in August.

IntelliShield Analysis: The restructuring of China's telecommunications operators is an attempt to rebalance assets following the explosive growth of China's wireless phone market. While China Mobile grew over the past few years into the world's largest wireless carrier, its domestic competitors have largely been prevented from offering mobile services. Bureaucratic infighting among powerful ministries has long delayed the industry rebalancing, which may finally be moving forward because of a bureaucratic restructuring this spring and the impetus of the Olympic Games. A timetable for restructuring and issuance of licenses means that non-Chinese telecom companies will have to wait another year before getting into China's huge telecommunications market. However, plans for this access appear to be on track and contain no big surprises.

The delay in issuing 3G licenses is a different matter and is believed to have been an attempt by Chinese authorities to hold off foreign competition while China Mobile brought the domestically developed TD-SCDMA standard up to speed. The poor performance of the TD-SCDMA commercial trials seems to provide further evidence that the protective hothouse strategy has failed. It remains to be seen whether China's three new carriers will be allowed to use the time-tested 3G standards already deployed elsewhere.

Upcoming Security Activity

Microsoft Security Bulletin Update for June 2008: June 10, 2008
EC-Council Hacker Halted USA: May 29–June 4, 2008
Shakacon 2008: June 9–13, 2008
RECON 2008: June 13–15, 2008
Cisco Live (previously Networkers): June 22–26, 2008
FIRST: June 22–27, 2008
The Last HOPE: July 18–20, 2008
USENIX: May 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Atlantic Hurricane Season: June 1–November 30, 2008
Independence Day (United States): July 4, 2008
Summer Olympics: August 6–24, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
