Cyber Risk Report
October 13–19, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.

Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels were elevated by major security releases from Adobe, Microsoft, and Oracle. Adobe released security advisory APSB08-18 and an updated version to address multiple vulnerabilities in the Adobe Flash Player. Included among the enhancements in the new version is a fix for the click hijacking vulnerability, as described in IntelliShield Alert 16770.

Microsoft published its monthly security bulletins for October 2008. Of particular concern was the Internet Printing Protocol (IPP) vulnerability affecting Microsoft Windows. Only specific versions of Windows are affected by this vulnerability. Only systems that have Microsoft Internet Information Services (IIS) installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista and Windows Server 2003 and 2008.
When IIS is installed on Windows 2000 and Windows XP, Internet Printing is enabled by default. Functional exploit code is available for this vulnerability, and reports indicate that attackers are exploiting this vulnerability in the wild.

Also of concern from the Microsoft security bulletins is the RPC processing command execution vulnerability affecting the Microsoft Host Integration Server. A remote attacker could exploit this vulnerability to execute arbitrary commands on the targeted system. Functional exploit code has been publicly released as part of the Metasploit Framework. The attacker could use this code as part of automated attacks to completely compromise the system.

Of the 36 vulnerabilities patched in Oracle's October 2008 Critical Patch Update, one vulnerability received a CVSS base score of ten. This score indicates that a remote attacker could exploit the vulnerability to take complete control of the targeted system without any type of authentication or user interaction. This vulnerability is described in IntelliShield Alert 16899.

A variant of the Facebook and MySpace worm Koobface was discovered during this time period. The new worm, W32/Koobface.BM, targets users of the MySpace and Facebook online social networking sites. Like the earlier Koobface variant, W32/Koobface.BM searches infected systems for browser cookies that are related to the Facebook and MySpace websites. When an appropriate cookie is found, the worm manipulates the settings and embeds links to malicious sites in a user's profile. This latest variant differs from the earlier Koobface variant in that it uses new messages and filenames as part of its routine, which may increase the likelihood of another round of infections. Users of these social networking sites are strongly advised to always verify the authenticity of links, even those in a friend's profile.
For assistance in verifying the authenticity of links, users can check the reputation of any URL using the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website.

IntelliShield published 139 events last week: 67 new events and 72 updated events. Of the 139 events, 124 were Vulnerability Alerts, four were Security Issue Alerts, two were Daily Malicious Code Summaries, one was a Malicious Code Alert, four were Security Activity Bulletins, three were Applied Mitigation Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
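The Oracle item above reads a CVSS base score of ten as "remote, no authentication, complete control". That reading follows directly from the CVSS v2 base-score equations, which were the current version in 2008. The following calculator is an added example for this report, not Cisco, Oracle or IntelliShield code; it implements the public CVSS v2 equations and metric weights, and the vector strings in main() are constructed illustrations, since the report does not give the vector for Alert 16899.

```python
"""CVSS v2 base score from a vector string.

Added example for this report; not Cisco or Oracle code. It implements the
public CVSS v2 base-score equations so the reader can see why a score of 10
requires network reach, no authentication, and complete loss of
confidentiality, integrity and availability. The vectors in main() are
constructed illustrations, not the vectors of the alerts in the report."""

from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # none / partial / complete

WEIGHTS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {metric: value}.

    Rejects unknown metrics, out-of-range values, duplicates and omissions
    rather than silently scoring a malformed vector."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name] or name in metrics:
            raise ValueError(f"bad CVSS v2 metric {part!r} in {vector!r}")
        metrics[name] = value
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"vector is missing metrics: {vector!r}")
    return metrics


def round_to_1_decimal(x: float) -> float:
    """The specification rounds half up; Python's round() uses banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector: str) -> float:
    """Base score per the CVSS v2 equations (Impact, Exploitability, f(Impact))."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def remote_unauthenticated_full_compromise(vector: str) -> bool:
    """True when the vector matches the profile the report attaches to a score
    of ten: reachable from the network, no authentication, complete C/I/A."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["Au"] == "N" and m["C"] == m["I"] == m["A"] == "C"


def main() -> None:
    # Constructed vectors for illustration.
    for vector in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, unauthenticated, full compromise
                   "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # same reach, partial impact
                   "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # full compromise, but local access only
                   "AV:N/AC:L/Au:N/C:N/I:N/A:P"):  # remote partial denial of service
        print(f"{vector}  base={cvss2_base(vector):4.1f}  "
              f"score-10 profile={remote_unauthenticated_full_compromise(vector)}")


if __name__ == "__main__":
    main()
```

The only way to reach 10.0 is AV:N with Au:N and all three impacts complete; dropping reach to local with the same impact yields 7.2, and keeping the reach but reducing impact to partial yields 7.5, which is why the report treats a ten as its own category when prioritizing patches.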
Significant Alerts for October 13–19, 2008

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and which support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista systems and Windows Server 2003 and 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available. This vulnerability is being actively exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Previous Alerts That Still Represent Significant Risk

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
Independent security researchers have discovered a critical flaw affecting multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, making the user think they are clicking on a legitimate link. If successful, the attacker could control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as "clickjacking."

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland.
The researchers gave their presentation on October 17, 2008, at the T2 2008 security conference in Helsinki, Finland, but released few details. Cisco has released a Security Response for this activity.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a zero-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Physical

Pipeline Bombings in British Columbia, Canada
Two bombings have been perpetrated against the EnCana Corporation pipeline, located in northern British Columbia, Canada. The first attack occurred on October 12th, 2008, against a sour gas pipeline, and the second one occurred on October 16th, 2008, against a natural gas pipeline. The attacks did not rupture the pipelines; however, insulation along the pipeline was damaged. The Royal Canadian Mounted Police is conducting investigations that indicate the bombings were deliberate. Both bombings occurred following a letter that was sent to local media outlets threatening the oil and gas companies. The pipeline was immediately shut down until further notice.

IntelliShield Analysis: The Canadian pipeline is generating positive and negative feedback within the area. According to an EnCana spokesperson, some community members are concerned with the sour gas facilities, but the company is working to allay security fears and claims to have bolstered the security of the affected areas. The safety and security of residents in proximity to the pipeline is a major concern and raises questions about how quickly technicians can respond to remote portions of the pipeline in case of an attack or other emergency.
Providing security on pipelines and similar structures that extend over hundreds of miles is a serious challenge for critical infrastructure organizations. A combination of sensors, closed-circuit television security cameras, and physical security measures is required, with particular focus on high-risk areas. In addition, in-depth background checks should be mandatory for all personnel who come in contact with the project. Although the pipeline could prove to be a target of interest for terrorist groups, the most recent bombings appear to be of a local nature.

Legal

United States Presidential Candidate Political Ad Copyright Complaints
The campaign for United States presidential candidate John McCain has sent a letter to YouTube's parent company, Google, Inc., complaining that some of its campaign advertising videos were removed from the website based on meritless copyright infringement complaints. The complaints were made to YouTube by CBS, Warner Music Group, Fox News, and other media companies. YouTube responded to the letter stating that it does not possess the resources to fully investigate every copyright infringement complaint that is made and that it has a general policy of immediately removing the offending videos.

IntelliShield Analysis: Although the McCain campaign letter presents a case for fair use and freedom of speech, especially in a political campaign, YouTube has been affected by previous issues related to the Digital Millennium Copyright Act. As a result, when faced with complaints from major media companies, it is not surprising that YouTube took this course of action under the law, which is to immediately take down the offending material and allow for legal review by the posting party at a later date. Both U.S. presidential campaigns, for John McCain and Barack Obama, have had videos removed in this manner.
This situation highlights the leverage that companies have to protect their copyrighted material as well as the responsibility of organizations and individuals to obtain legal permission to use such material. As these laws continue to develop, businesses and organizations must stay up-to-date on any changes in order to continue operating within the legal requirements.

Trust

Enhanced Password Recovery Software Released
Elcomsoft Co. Ltd. announced the release of its Distributed Password Recovery software, which uses graphics processing unit (GPU) technology to accelerate the recovery of lost passwords for applications that require password authentication. The announcement included specific information on the ability to break Pre-Shared Key (PSK) authentication, which is used in Wi-Fi Protected Access (WPA), WPA2, and some VPN technologies, 100 times faster than on ordinary PC processors. This software release has ignited widespread discussion of the security levels of wireless networks and VPN products.

IntelliShield Analysis: This software may be very useful for the too frequently needed administrative recovery of lost or forgotten passwords, and the incorporation of accelerated graphics card processing does make the recovery relatively faster. However, the software does not substantiate claims that WPA, WPA2, or VPN technologies based on PSK schemes are necessarily threatened. What is threatened by this accelerated brute-force password-breaking product is weak passwords. This threat is not related to the multiple weaknesses of the Wired Equivalent Privacy (WEP) algorithm, which allowed attacks that could break the encryption within minutes. Instead, the release of this software reinforces the need for strong passwords, both in complexity and length. WPA and WPA2 remain the recommended encryption schemes for wireless networks.
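The analysis above rests on a property of the WPA/WPA2 key derivation that the report does not spell out: the pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase and SSID with 4096 iterations (IEEE 802.11i), so every guess costs the same fixed amount of work and a faster engine can only divide that cost, never the size of the search space. The following block is an added example, not Elcomsoft's software or Cisco's code; it derives a PSK, checks it against the published 802.11i test vector ("password"/"IEEE"), and shows how passphrase length and character set compare with a 100x speedup. The guess rate, SSID and sample passphrases are constructed for illustration, and the charset estimate assumes an exhaustive search over the smallest standard character classes the passphrase uses.

```python
"""WPA/WPA2 passphrase strength versus a faster brute-force engine.

Added example for this report; not Elcomsoft's or Cisco's code. The PSK
derivation is PBKDF2-HMAC-SHA1 with 4096 iterations per IEEE 802.11i, so the
cost per guess is fixed and only the search space is under the defender's
control. Guess rates, SSID and passphrases below are constructed."""

import hashlib
import math

PBKDF2_ITERATIONS = 4096  # fixed by the 802.11i PSK derivation
PSK_LENGTH = 32           # 256-bit pre-shared key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the PSK; enforces the 8-63 printable-ASCII passphrase rule."""
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LENGTH)


def charset_size(passphrase: str) -> int:
    """Size of the smallest standard character set that covers the passphrase
    (lower, upper, digits, and the remaining 33 printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33
    return size


def search_space(passphrase: str) -> int:
    """Candidates an exhaustive search over the same length and charset must try."""
    return charset_size(passphrase) ** len(passphrase)


def seconds_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time for a full search at the given rate (PBKDF2 cost is inside the rate)."""
    return search_space(passphrase) / guesses_per_second


def characters_to_offset_speedup(speedup: float, alphabet_size: int) -> float:
    """Extra passphrase characters over the alphabet that cancel a given speedup."""
    return math.log(speedup, alphabet_size)


def main() -> None:
    # Published 802.11i test vector, used here as a self-check of the derivation.
    print("PSK(password, IEEE) =", wpa_psk("password", "IEEE").hex())

    cpu_rate = 10_000.0          # constructed guesses/second for a single CPU engine
    gpu_rate = cpu_rate * 100    # the 100x claim from the announcement
    for pw in ("password", "Passw0rd", "xK9#qL2$vB7!", "purple-sofa-radio-thirty"):
        years_gpu = seconds_to_exhaust(pw, gpu_rate) / (365 * 24 * 3600)
        print(f"{pw:26} charset={charset_size(pw):3} len={len(pw):2} "
              f"GPU worst case = {years_gpu:.3g} years")
    print("extra characters that cancel 100x over 95 symbols:",
          round(characters_to_offset_speedup(100, 95), 2))


if __name__ == "__main__":
    main()
```

The last line of the demonstration is the practical point: over the 95 printable ASCII characters, one additional passphrase character more than cancels a 100x faster engine, and over lowercase letters alone two characters do, which is why the analysis treats length and complexity rather than the GPU as the variable worth managing.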
Identity

Indonesian Students' Information Publicly Disclosed on Internet
The Indonesian Ministry of Education has published Microsoft Excel files on the Internet that include personal information of Indonesian students. This information includes the names, birthdays, places of birth, and addresses of 36 million Indonesian students. Although the downloadable file is public, an individual must know a student's name in order to obtain the file. However, if an individual has knowledge of one student's name, they could find this file and obtain information on every student.

IntelliShield Analysis: Although the Indonesian Ministry of Education released the files with good intent, it failed to consider issues of privacy and security for students. This disclosure of information may aid criminals in identity theft or social engineering attacks against the students. These files have been available for some time and have likely been downloaded by numerous people. Any future action must account for the likelihood that this information will remain public even after the files are removed from the website.

Human

Airport Baggage Screener Charged With Theft
Pythias Brown, an airport baggage screener for the United States (U.S.) Transportation Security Administration (TSA), has confessed to stealing electronic goods valued in excess of US$200,000 from passengers' baggage. The TSA agent was removing items from travelers' baggage at the Newark Liberty International Airport and selling the stolen goods on the eBay website. When investigators searched Brown's home, they found hundreds of items, including laptop computers, cell phones, camera equipment, jewelry, global positioning system devices, and entertainment devices.

IntelliShield Analysis: According to Pythias Brown, these items were stolen at a rate of 2-3 per week over an extended period of time.
Because passengers are restricted from locking luggage and from suing airports for lost luggage, travelers have limited protection against theft from their luggage. This type of theft could be especially damaging if a business laptop that contains sensitive information is stolen. Travelers may consider alternate methods of transporting devices that contain sensitive information. These methods include keeping these devices as part of their carry-on luggage or using a third-party shipping company. Regardless of the method, travelers should take care to encrypt sensitive information on devices.

Geopolitical

Egyptian GPS Device Ban Under Pressure
Since 2003, Egypt has maintained a ban on commercial Global Positioning System (GPS)-enabled devices, a law that is increasingly being scrutinized as GPS-enabled mobile phones flood global markets. Only three countries currently outlaw the commercial use of GPS: Egypt, Syria, and North Korea. Advocates of lifting the ban argue that it is ineffective because many Egyptians purchase GPS devices abroad and smuggle them into the country. They also note that a group of tourists that was recently kidnapped near the border between Egypt and Sudan used GPS-enabled phones to communicate their location to authorities. Egyptian authorities say they are reviewing the law, but no timetable has been provided for when it might be amended.

IntelliShield Analysis: Many emerging market economies maintain laws that restrict new technologies. Such restrictions could slow economic growth, discourage foreign investment, and limit innovation. Egypt originally banned satellite dishes, only to rescind the ban in the 1990s when it became apparent that it was ineffective. Voice over Internet Protocol (VoIP) restrictions have been imposed and discarded in a variety of countries, including the United Arab Emirates, Israel, and India, citing public security concerns, regulatory or tax ambiguity, and lost telecom revenues.
Some governments have come to recognize that these bans tend to be counter-productive, as in the case of India, where VoIP is now a key low-cost advantage for outsourcing call centers. The desire of emerging markets to compete in the global marketplace is strong, but cultural cohesion, perceived public safety benefits, and profits for state-run organizations may temper that desire.

Upcoming Security Activity

National Cyber Security Awareness Month: October 1–31, 2008
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.