Cyber Risk Report

November 17–23, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels decreased sharply from the previous week's new events total. During the period, a cross-site scripting vulnerability was discovered in the CNN.com website that could allow unauthenticated, remote attackers to execute arbitrary script code in the browsers of users who visit a crafted CNN.com link. While no attacks have been reported, an exploit could allow an attacker to alter how CNN.com content is presented to a victim, for example by displaying false news stories or by performing drive-by download attacks. Attackers could also leverage this flaw to lend credibility to spam and phishing messages that point to CNN.com. This vulnerability is documented in IntelliShield Alert 17051.
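The following is an added example, not code from the Cisco report and not CNN.com's code (no details of the CNN.com flaw are public on this page). It shows the defect class in a constructed, hypothetical search page: a query parameter reflected into the HTML verbatim lets an attacker's markup run as script in the visitor's browser, while HTML-escaping the reflected value renders the same payload as inert text. The page layout, the parameter name q, and the payload are assumptions made for illustration.

```python
"""Added example (not from the Cisco report): reflected XSS, vulnerable vs. hardened."""
import html
from urllib.parse import parse_qs, urlencode

# Constructed attacker payload: rewrites the visible page with a fabricated
# headline, the "false news story" outcome the report describes.
ATTACK_PAYLOAD = (
    "<script>document.body.innerHTML="
    "'<h1>BREAKING: fabricated headline</h1>'</script>"
)
# The query string an attacker would place in a link sent to victims.
ATTACK_QUERY = urlencode({"q": ATTACK_PAYLOAD})


def render_search_page(query_string: str, encode_output: bool) -> str:
    """Render a hypothetical search results page for ?q=... .

    encode_output=False copies the search term into the HTML verbatim (the
    vulnerable path). encode_output=True HTML-escapes every reflected value,
    so attacker-supplied markup is displayed as text rather than parsed as
    HTML and executed as script by the visitor's browser.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    term = params.get("q", [""])[0]
    shown = html.escape(term, quote=True) if encode_output else term
    return (
        "<html><body>"
        "<h1>Search results</h1>"
        f"<p>You searched for: <b>{shown}</b></p>"
        "</body></html>"
    )


def contains_live_script(page: str) -> bool:
    """Crude check for a real <script> element in the rendered page.

    A literal tag match is enough here to show the difference between the
    two rendering paths; a real detector would parse the HTML.
    """
    return "<script>" in page.lower()


if __name__ == "__main__":
    for encode in (False, True):
        page = render_search_page(ATTACK_QUERY, encode_output=encode)
        print(f"encode_output={encode}: script executes = {contains_live_script(page)}")
```

The escaped path turns `<script>` into `&lt;script&gt;`, so the browser shows the attacker's text inside the results page instead of running it; the fix is to apply this encoding at every point where untrusted input is written into the page, not only in one handler.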

Weaknesses have been found in the Temporal Key Integrity Protocol (TKIP) cipher suite of Wi-Fi Protected Access (WPA), as described in IntelliShield Alert 17092. The published attack allows an attacker within radio range to decrypt short, predictable frames (such as ARP packets) sent by the access point and to inject a small number of forged frames; it does not recover the pre-shared key or the session keys. The attack may be of limited use at present; however, the existence of a working attack method could lead to the discovery of additional weaknesses in the WPA and TKIP framework. To avoid attacks, administrators are advised to configure devices to use WPA2 with the AES-CCMP cipher suite and to stop offering TKIP, because a network that offers both ciphers still allows a client to negotiate TKIP. There are currently no known practical attacks against AES-CCMP. Cisco has released a security response for this attack.
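The configuration check below is an added example, not part of the Cisco report and not hostapd project code. It assumes a hostapd-style access-point configuration (the directive names wpa, wpa_key_mgmt, wpa_pairwise and rsn_pairwise are hostapd's; the report's advice applies equally to any WPA-capable device) and uses two constructed configurations, one that exposes the TKIP weakness and one hardened to WPA2 with AES-CCMP only.

```python
"""Added example (not from the Cisco report or hostapd): audit an access-point
configuration for TKIP and show the hardened WPA2/AES-CCMP equivalent."""
from typing import Dict, List

# Constructed configuration exposed to the TKIP attack: WPA (version 1)
# with TKIP as the only pairwise cipher.
WEAK_CONFIG = """\
interface=wlan0
ssid=corp-guest
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-change-me
wpa_pairwise=TKIP
"""

# Constructed hardened configuration: WPA2 only, CCMP (AES) only.
# Writing "TKIP CCMP" in rsn_pairwise would still let a client negotiate
# TKIP, so CCMP must be the only cipher offered.
HARDENED_CONFIG = """\
interface=wlan0
ssid=corp-guest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-change-me
rsn_pairwise=CCMP
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and # comments (last value wins)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def tkip_findings(conf: Dict[str, str]) -> List[str]:
    """Return findings for the parsed config; an empty list means WPA2/CCMP only."""
    findings: List[str] = []
    # wpa is a bit field in hostapd: 1 = WPA, 2 = WPA2 (RSN), 3 = both.
    wpa = conf.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append("WPA (version 1) is enabled; offer only WPA2 (wpa=2)")
    # wpa_pairwise applies to WPA and rsn_pairwise to WPA2; when rsn_pairwise
    # is unset hostapd falls back to the wpa_pairwise value, so check both.
    offered = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).upper().split()
    if "TKIP" in offered:
        findings.append("TKIP is offered as a pairwise cipher; offer CCMP only")
    if "CCMP" not in offered:
        findings.append("CCMP (AES) is not offered as a pairwise cipher")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {tkip_findings(parse_hostapd(text)) or ['no findings']}")
```

The same three checks translate directly to other platforms: confirm that only WPA2 is advertised, that CCMP is the only pairwise cipher, and that no "mixed mode" setting quietly keeps TKIP available for older clients.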

In malicious code activity, a variant of the Mytob family of worms infected the computer systems of three London hospitals, causing network shutdowns and triggering emergency response procedures. Mytob, described in IntelliShield Alert 8852, is a mass-mailing worm that gives attackers unauthorized remote access to the compromised system through an IRC-based backdoor. The worm is likely to cause network congestion and flood e-mail servers. It makes numerous modifications to an infected system and continues to be a serious threat even though it was first discovered in 2005. More information about this specific compromise can be found in the Physical risk category of this report.

Computer manufacturer Lenovo has reportedly shipped a software package that contained malware. The malware was discovered within the Lenovo Trust Key software for Windows XP, a digitally signed driver package available for XP SP2 users. The trojan is capable of downloading and installing additional malicious software, and some antivirus vendors detected it as a porn dialer. Lenovo is aware of the issue and has removed the malicious download from the Lenovo website. The incident is a reminder that a valid digital signature attests only to who signed the package, not to the cleanliness of its contents; vendors should scan packages before signing them, and customers should not treat a signature as a substitute for antivirus scanning of downloaded installers.

IntelliShield published 121 events last week: 31 new events and 90 updated events. Of the 121 events, 104 were Vulnerability Alerts, four were Security Activity Bulletins, six were Security Issue Alerts, five were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date          New   Updated   Total
Friday        11/21/2008      7         4      11
Thursday      11/20/2008      7        18      25
Wednesday     11/19/2008      5        20      25
Tuesday       11/18/2008      5        18      23
Monday        11/17/2008      7        30      37
Weekly Total                 31        90     121


Significant Alerts for November 17–23, 2008

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability in the Server service that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A worm is actively exploiting this vulnerability to install itself on target systems. Additional information on the worm is available in IntelliShield Alert 16947. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that their antivirus definitions are up to date.

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 7, November 12, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, 3D, and Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans described in IntelliShield Alert 14388 is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information on these worms is available in IntelliShield Alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 16798, Version 4, October 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1446

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed with Internet Printing enabled are vulnerable. Internet Printing is not enabled in default installations of Windows Vista, Windows Server 2003, and Windows Server 2008; on Windows 2000 and Windows XP, it is enabled by default when IIS is installed. Functional exploit code is available, and the vulnerability is being actively exploited. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 7, November 17, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a flaw that affects multiple commonly used web browsers and Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker can layer invisible content (for example, a transparent frame of another site, or a hidden Flash Player settings dialog) over the visible page so that the user's mouse clicks land on the hidden elements while the user believes he or she is clicking a legitimate link. The attacker therefore controls which hidden interaction each click triggers. This type of exploit is being referred to as clickjacking. Adobe has released both a security advisory and a security bulletin, as well as updated software, to address the Flash Player portion of this vulnerability.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 4, October 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers made their presentation, but released few details, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland. Cisco has released a Security Response for this activity.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16071, Version 3, September 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2639

Citect CitectSCADA and CitectFacilities contain a buffer overflow vulnerability in the ODBC server component that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that achieves code execution is available. The vulnerable applications use the ODBC server component to provide remote SQL access to a relational database. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. An attacker who can reach the network on which these machines reside must still be able to connect to the TCP port on which the ODBC service listens, so that port should also be filtered at the boundary of the control network.

Physical

Three London Hospitals Shut Down After Worm Infection

St Bartholomew's, the Royal London Hospital in Whitechapel, and The London Chest Hospital in Bethnal Green implemented their emergency response policy as a result of a computer worm infection. Reports indicate that the worm, Mytob, described in IntelliShield Alert 8852, overwhelmed the hospitals' network and forced the IT staff to shut down the network to prevent further compromise and damage. As a result, the hospitals had to rely on back-up systems, and staff had to resort to paper in some circumstances.

IntelliShield Analysis: Although Mytob prompted the hospitals to shut down the computer systems network, the emergency response procedures played a key role in minimizing the overall impact of the event. The hospitals resorted to using back-up systems and flexible work efforts. Doctors and nurses reverted to manual procedures. Hospital officials stated that the emergency response was well-rehearsed and only minor interruptions occurred, such as ambulances being diverted, and certain non-essential activities that were put on hold. Overall, normal operations were not severely impacted. The event serves as an example of how important it is to have a disaster recovery plan in place. If a well-planned and executed disaster recovery plan had not been in place, the impact of this shut-down may have been far worse, with the lives of patients placed at risk.

Legal

Former IBM Executive at Apple Runs Aground Amid Non-Compete Issues

Mark Papermaster, a former IBM executive and vice president of Blade Development, accepted a senior vice president position at Apple to head the engineering group responsible for the iPod and the iPhone. On October 22, 2008, IBM filed a complaint in the United States (U.S.) District Court for the Southern District of New York that accused Mr. Papermaster of breaching his non-compete agreement and cited imminent harm to IBM if he were allowed to work for Apple. On November 7, U.S. District Court Judge Kenneth Karas temporarily barred Mr. Papermaster from working for Apple. On November 12, Judge Karas set a US$3 million bond for IBM to keep the case alive. On November 13, Mr. Papermaster filed a countersuit against IBM.

IntelliShield Analysis: The IBM complaint, while relying on breach of a non-compete agreement, claims that Mr. Papermaster would "inevitably use and/or disclose IBM trade secrets for his own benefit and for the benefit of Apple." The complaint contends that Mr. Papermaster's employment with Apple would result in irreparable harm to IBM. The argument is an interesting one for a company to make, because Papermaster signed a separate non-disclosure agreement that, according to his counter-claim, he has every intention of honoring.

Additionally, Mr. Papermaster was required to sign a document with Apple agreeing not to disclose any trade secrets from any other company. As for the non-compete agreement, the outcome may come down to which state's law governs the dispute, because non-compete agreements of this type are unenforceable in both Texas, where Mr. Papermaster lives, and California, where Apple is headquartered. What is most at stake is whether a company can assume that a former employee will inevitably disclose information that he or she has contractually agreed to keep secret. The resolution of this case may offer some insight into how the courts will answer this question at a time when increasing economic pressure and employee cutbacks raise the potential for the transfer of intellectual property to new employers.

Trust

Spy Discloses United States Classified Data to Russia

In September 2008, Estonian defense ministry official Herman Simm was arrested on numerous charges of espionage and treason. He allegedly disclosed sensitive information pertaining to the United States missile shield and to cyberdefense to the Russian government. Simm had access to most of NATO's Top Secret information, including discussions and documents on protecting secret data flows and on cyberattacks against the alliance. Simm's wife, Heete, has also been charged as "an accessory to treason." The EU and NATO are currently investigating the scope of the incident; once the investigation is complete, Simm will be formally charged. If convicted, Simm could be sentenced to three to fifteen years in prison.

IntelliShield Analysis: Espionage remains one of the greatest threats facing nations. Businesses and governments must keep sensitive data within the organization and must trust employees with that information. Many companies already have extensive security measures for employees with access to sensitive information, including requiring employees to sign agreements not to disclose information about products or services to outside businesses. Background checks should be mandatory for every new hire, and organizations should ask partner companies how they vet their own new hires, to ensure that security practices on both sides are adequate. Educating employees on security policies and the appropriate use of corporate resources, restricting access to sensitive data, and blocking the use of personal storage devices are primary steps toward securing business data and customer information.

Identity

The British National Party Data Breach

The British National Party (BNP) discovered an information breach when party members started receiving unexpected mail. The information is believed to have been stolen from the BNP, because the membership list was password-protected and encrypted, which means that whoever accessed it must have held the necessary privileges. Reports indicate that the list includes names of people who have never been members, along with current and former members of the BNP. The BNP has filed complaints with the Dyfed Powys police force regarding the issue.

IntelliShield Analysis: It has been reported that a dissatisfied former employee posted details of more than 10,000 members and supporters of the BNP. The information believed to have been compromised includes names, postal addresses, and e-mail addresses; other information that may have been compromised includes members' hobbies, professions, and the names of their children. Even though the information was access-controlled and encrypted, data leakage remains an ongoing problem for many organizations: encryption and access control protect data from outsiders, not from an authorized insider who decides to copy it. Monitoring how authorized users handle personal information has proven difficult, and many organizations have not implemented the level of control required, which makes data leakage and insider threats hard to detect, prevent, or measure. In this case, the compromise is not so much a threat of identity theft or fraud as a compromise of privacy. Many organizations maintain closed or secret membership lists for various reasons, and a compromise of this type can have a serious impact on the members and the organization. Regardless of the organization, violations of these policies may open the membership to harassment and the organization to legal liability.

Human

Social Networks Cited for Rise in Web-based Scams

The United States Federal Bureau of Investigation (FBI) and National White Collar Crime Center have reported that web-based scams and fraud are on the rise, including scams and frauds that involve social networks. Compromised accounts have been cited in an Australian case in which a Facebook user was approached through an existing friend account. The friend claimed to be stranded in Lagos, Nigeria, and in need of money for a plane ticket. Facebook believes that the account may have been compromised through a phishing scheme.

IntelliShield Analysis: Con artists, fraudsters, and scammers are taking advantage of the growing popularity of social networking sites. Social networks combine ample opportunity with existing trust relationships and rich media capabilities. That combination opens the door to traditional scams such as the Nigerian 419 advance-fee fraud, a well-known scam in which e-mail messages suggest that the recipient needs to help some wealthy or royal person by sending money; when the request arrives from a compromised friend's account, the existing trust relationship does the persuading. Social networks could also accelerate the spread of malicious or fraud-related applications that post advertisements or spam messages under the identity of the infected victim's profile. Organizations can use the same kinds of awareness messages that address e-mail viruses and spam: trust, but verify. A polite inquiry through a different channel can go a long way toward confirming that a user really knows the person behind the message, and that the person actually intended to send it.

Geopolitical

Microsoft Anti-piracy Measure Backfires

In an effort to combat software piracy in China, a recent Microsoft Windows XP Professional update caused desktop backgrounds on computers running unlicensed Microsoft software to go black every hour. The patch does not disable PCs, but causes an onscreen message to be displayed that reads, "You may be the victim of pirated software." Chinese users reacted angrily, posting hundreds of thousands of online complaints and filing several lawsuits against Microsoft. China's National Copyright Administration is staying on the sidelines; it issued a statement supporting Microsoft's right to protect its intellectual property, but publicly criticizing the company's methods.

IntelliShield Analysis: Between 80 and 90 percent of Windows software running in China is estimated to be pirated, creating losses estimated at more than US$6 billion annually, so the issue is a serious one for Microsoft. The tactic seems to have backfired, however, given the angry response, the lawsuits, and a QQ.com poll indicating that 66 percent of respondents strongly disapproved of the program, while only 15.6 percent planned to buy authorized software as a result. This is not the first time that consumers have made companies regret anti-piracy measures: in 2005, Sony BMG created substantial online anger in the United States and elsewhere by using music CDs to surreptitiously install digital rights management software, which concealed itself with rootkit techniques, on users' computers. Companies considering anti-piracy measures that could anger users, even users of pirated media, may wish to consider first whether the potential damage to brand image outweighs the potential benefits.

Upcoming Security Activity

Government Information Group Security IT Conference & Exhibition: November 20–21, 2008
RUXCON 2008: November 29–30, 2008
25th Chaos Communication Congress: December 27–30, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Thanksgiving (United States): November 27, 2008
Eid al-Adha: December 8–11, 2008
Hanukkah: December 21–28, 2008
Christmas: December 25, 2008
Boxing Day/Day of Goodwill: December 26, 2008
New Year's Eve: December 31, 2008
New Year's Day: January 1, 2009


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
