Cyber Risk Report

October 26–November 1, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity was elevated during the period and for the month of October 2009. The past week was highlighted by an important update from Mozilla correcting multiple vulnerabilities in Firefox. Additional updates were released for the Microsoft GDI+ and X.509 vulnerabilities, which were initially disclosed earlier in the month. In threat activity, proof-of-concept code and working exploits continue to be identified for Microsoft and Oracle vulnerabilities released earlier in October.

Alert metrics show that October 2009 was the fourth-highest reporting month for the year, and the highest total since March 2009. The elevated metrics are the result of several large vendor announcements throughout the month from Microsoft, Oracle, Adobe and Mozilla. These increased vulnerability levels re-emphasize the importance of, and the additional strain involved in, keeping systems updated. Several of these vulnerabilities are being actively exploited, further heightening the need to update systems throughout environments.

IntelliShield published 122 events last week: 49 new events and 73 updated events. Of the 122 events, 101 were Vulnerability Alerts, five were Security Activity Bulletins, three were Threat Outbreak Alerts, eleven were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        10/30/2009     4        5      9
Thursday      10/29/2009     7       21     28
Wednesday     10/28/2009    15       10     25
Tuesday       10/27/2009    10        3     13
Monday        10/26/2009    13       34     47
Weekly Total                49       73    122


2009 Monthly Alert Totals

Month New Updated Monthly Total
January 148 382 530
February 227 249 476
March 222 335 557
April 164 206 370
May 218 175 393
June 232 209 441
July 128 167 295
August 176 225 401
September 170 168 338
October 192 275 467
Annual Total 1877 2391 4268


Previous Alerts That Still Represent Significant Risk

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-3103

Microsoft Windows Vista (through SP2) and Windows Server 2008 contain a vulnerability in the SMBv2 implementation that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available. Until the update is applied, Microsoft's published workarounds are to disable SMBv2 on affected hosts and to block TCP ports 139 and 445 at the perimeter firewall.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft IIS versions 5.0, 5.1, and 6.0 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Exploitation requires an FTP login that is permitted to create directories, so servers that grant anonymous users write access are exposed to unauthenticated attackers as well. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 11, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library (ATL) contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Because ATL is compiled into the ActiveX controls and other COM components built with it, updating Visual Studio alone does not fix components that have already shipped; those must be rebuilt with the corrected library and redistributed. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Visual Studio and in the affected Microsoft Windows components.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 10, September 22, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition by sending a crafted dynamic update message to a server that is master for the target zone; the server exits on an assertion failure. The failing check runs before allow-update or update-policy ACLs are consulted, so servers that do not permit dynamic updates are still affected. This vulnerability is being exploited in the wild. Exploit code is publicly available. ISC has confirmed this vulnerability and updated software is available.
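The following is an added example and is not code from the Cisco report or from ISC. It is a minimal parser for DNS UPDATE messages (RFC 2136 wire format) that flags the prerequisite shape the CVE-2009-0696 advisory describes: a record of type ANY in a class other than ANY. RFC 2136's legitimate "name is in use" prerequisite is CLASS=ANY, TYPE=ANY and is not flagged. The message builder, the two sample messages and the constants are constructed here for illustration and are not captured traffic; the check identifies malformed requests and is not a signature for any particular exploit.

```python
import struct

# Constants from RFC 1035 / RFC 2136 (DNS wire format and the UPDATE opcode).
OPCODE_UPDATE = 5
TYPE_A = 1
TYPE_SOA = 6
TYPE_ANY = 255
CLASS_IN = 1
CLASS_ANY = 255


def _read_name(msg, off):
    """Parse a wire-format name at msg[off]; return (dotted name, offset after it).
    Follows RFC 1035 compression pointers with a hop limit so a looping
    pointer cannot hang the parser."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def _read_rr(msg, off):
    """Parse one resource record; return (dict, offset after it)."""
    name, off = _read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated RR")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_update(msg):
    """Return the zone, prerequisite and update sections of an UPDATE message,
    or None when the opcode is not UPDATE (ordinary queries are ignored)."""
    if len(msg) < 12:
        raise ValueError("short header")
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!6H", msg[:12])
    if ((flags >> 11) & 0xF) != OPCODE_UPDATE:
        return None
    off, zones, prereqs, updates = 12, [], [], []
    for _ in range(zocount):                          # zone section: name, ZTYPE, ZCLASS
        name, off = _read_name(msg, off)
        ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        zones.append({"name": name, "type": ztype, "class": zclass})
    for _ in range(prcount):
        rr, off = _read_rr(msg, off)
        prereqs.append(rr)
    for _ in range(upcount):
        rr, off = _read_rr(msg, off)
        updates.append(rr)
    return {"id": msg_id, "zones": zones, "prereqs": prereqs, "updates": updates}


def suspicious_prereqs(msg):
    """Prerequisite RRs of TYPE=ANY in a class other than ANY: a shape RFC 2136
    gives no meaning to and the one the CVE-2009-0696 advisory describes."""
    parsed = parse_update(msg)
    if parsed is None:
        return []
    return [rr for rr in parsed["prereqs"]
            if rr["type"] == TYPE_ANY and rr["class"] != CLASS_ANY]


def _name(dotted):
    """Encode a dotted name in wire format without compression (sample builder)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.rstrip(".").split(".")) + b"\x00"


def _rr(name, rtype, rclass, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, prereqs, updates, msg_id=0x1234):
    """Assemble a minimal UPDATE message: header, zone section, raw RR bytes."""
    hdr = struct.pack("!6H", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    return hdr + _name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(prereqs) + b"".join(updates)


# Constructed samples, not captured traffic. The update RR in BENIGN uses a
# compression pointer (0xC00C) back to the zone name at offset 12.
A_RDATA = bytes([192, 0, 2, 10])
BENIGN = build_update(
    "example.com.",
    [_rr("host.example.com.", TYPE_ANY, CLASS_ANY, 0, b"")],            # "name is in use"
    [b"\x04host\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + A_RDATA],
)
SUSPECT = build_update(
    "example.com.",
    [_rr("host.example.com.", TYPE_ANY, CLASS_IN, 0, A_RDATA)],         # TYPE=ANY in the zone class
    [],
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, [(rr["name"], rr["type"], rr["class"]) for rr in suspicious_prereqs(msg)])
```

Run it over UDP or TCP port 53 payloads collected in front of authoritative masters; because the crash occurs before update ACLs apply, a hit is worth investigating even on servers that never accept dynamic updates.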

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 9, September 30, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux kernel versions 2.4 through 2.6.30.4 contain a vulnerability in sock_sendpage() (a NULL function pointer call in the socket layer) that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition. Proof-of-concept exploit code is publicly available. The public exploits rely on mapping the NULL page; a non-zero vm.mmap_min_addr setting blocks that for unprivileged users, but bypasses through privileged helper programs and permissive SELinux policy were reported, so the setting is a mitigation rather than a fix. Kernel.org has confirmed the vulnerability in a changelog and released updated software.
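An added example, not from the Cisco report or kernel.org: a small inventory check that turns the affected range stated above into a per-host verdict. It assumes the first fixed mainline release is the one after 2.6.30.4 (an assumption for this check) and that vm.mmap_min_addr has been read from each host. Distribution kernels carry backported fixes under old version numbers, so the check refuses to call a vendor-tagged kernel "affected" and instead points at the vendor advisory; the sample host list is constructed and does not describe real systems.

```python
import re

# Affected range as stated in the alert: 2.4 through 2.6.30.4 (last affected
# mainline version; fix assumed to be in the next mainline release).
LAST_AFFECTED = (2, 6, 30, 4)


def parse_release(uname_r):
    """Split a `uname -r` string into (numeric version tuple, remaining suffix)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(.*)$", uname_r.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % uname_r)
    nums = tuple(int(x) for x in m.groups()[:4] if x is not None)
    return nums, m.group(5)


def is_vendor_kernel(suffix):
    """Anything beyond a bare mainline or -rcN tag (e.g. -164.el5, -19-generic)
    marks a distribution build that may carry the fix as a backport."""
    return bool(suffix) and re.fullmatch(r"-rc\d+", suffix) is None


def assess(uname_r, mmap_min_addr):
    """Classify one host from its kernel release string and vm.mmap_min_addr."""
    version, suffix = parse_release(uname_r)
    in_range = version <= LAST_AFFECTED          # tuple comparison: (2,4,37) < (2,6,30,4)
    vendor = is_vendor_kernel(suffix)
    if not in_range:
        verdict = "not_in_affected_range"
    elif vendor:
        verdict = "verify_vendor_backport"        # version number alone proves nothing here
    else:
        verdict = "affected"
    return {
        "release": uname_r,
        "version_in_affected_range": in_range,
        "vendor_kernel": vendor,
        # Public exploits map the NULL page; a non-zero mmap_min_addr blocks
        # that for unprivileged users but is a mitigation, not a fix.
        "mmap_min_addr_blocks_null_map": mmap_min_addr > 0,
        "verdict": verdict,
    }


# Constructed sample inventory (hostname, `uname -r`, vm.mmap_min_addr); not real hosts.
SAMPLE_HOSTS = [
    ("build01", "2.6.30.4", 0),
    ("web02", "2.6.30.5", 65536),
    ("db03", "2.6.18-164.el5", 65536),
    ("legacy04", "2.4.37", 0),
]


def assess_inventory(hosts=SAMPLE_HOSTS):
    """Return {hostname: assessment} for an inventory of (name, release, mmap_min_addr)."""
    return {name: assess(rel, mma) for name, rel, mma in hosts}


if __name__ == "__main__":
    for name, result in assess_inventory().items():
        print(name, result["verdict"], "mmap_min_addr>0:", result["mmap_min_addr_blocks_null_map"])
```

Release candidates are compared by their numeric target version, so a -rc build from before the fix landed would be reported as out of range; treat -rc kernels as vendor-style "verify" cases if they exist in the estate.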

Physical

United Nations Security Breached by Colonel Sanders Look-Alike

Robert Thompson, an actor resembling the late Harland Sanders, founder of the KFC restaurant chain, was recently hired by the chain to perform an advertising stunt at the United Nations (UN). Thompson was sent to UN headquarters to promote KFC's "Grilled Nation," an advertising campaign built around a new menu offering. The fast-food company hoped to raise awareness through efforts aimed at getting the "Grilled Nation" admitted as a member state to the UN. During the visit, which was counter to UN policy forbidding participation in commercial ventures, Thompson was escorted by a UN security guard, shook hands with General Assembly president Ali Treki, and was photographed at key locations including the General Assembly hall.

IntelliShield Analysis: It is clear from statements made by UN spokeswoman Michele Montas that the UN was not a willing participant in KFC's advertising campaign. With that in mind, Thompson should not have been treated as officially authorized by perimeter security, nor granted physical access to facilities or to important personnel such as Mr. Treki. The UN also noted that the restaurant chain had sent various correspondence to the Secretary General in the past regarding the "Grilled Nation" campaign, which should have prompted increased awareness of related activities. Organizations should treat non-threatening incidents such as this one as instructive about weaknesses in physical security controls, and consider reviewing or enhancing capabilities accordingly to minimize future exposure.

Legal

India's Information Technology Act Amended

The Government of India has recently amended its decade-old cyber law, the Information Technology Act, 2000. The amendments empower the Government of India with unrestricted e-surveillance and traffic interception capabilities and facilitate the blocking of Internet content that the Government deems derogatory, offensive to national security, or harmful to international relations. The amendments also allow for on-demand decryption of user data and long-term retention of data, with a view to boosting the investigative capability of the national security agencies. Additionally, while absolving businesses of responsibility for the display of third-party content on their websites, the act also requires businesses to have adequate security mechanisms for protecting such third-party data from intentional misuse, with heavy monetary fines for non-compliance.

IntelliShield Analysis: The amendments to India's Information Technology Act come in the wake of the increased use of information technology for anti-national activities in recent times. While these amendments appear to be in the best interests of the country, media reports suggest an unclear understanding of what conditions constitute violations of national security, and of the qualifications of the authorities responsible for blocking Internet content. The practicality of third-party data retention and its subsequent lawful interception, in the case of social networks, blogs or forums, given the volume of data generated, may also be of note. Concerns regarding violations of end-user privacy also exist, with legal experts suggesting a more balanced approach towards e-surveillance rather than drastic modifications. Organizations conducting business in India that are affected by these changes are advised to consult legal counsel to ensure that mechanisms or procedures for compliance with these amendments are in place.

Trust

Google Website Warning Sparks Revenge Charge from Chinese Official Newspaper

The Chinese official newspaper, the People's Daily, has accused Google of acting out of vindictiveness in flagging the People's Daily website as containing malware when it appeared in Google search results. Google states that it uses a very reliable scanner to identify websites that could contain malware and that no vindictiveness was involved in flagging the website.

IntelliShield Analysis: Tensions increased over the last week after Chinese authorities complained about the Google Books settlement case, saying they were not happy with how the settlement would treat Chinese authors, who might receive as little as 60 dollars in compensation per book. This is presumably the basis for the accusation that the malware warning was revenge. However, malicious code can appear on a website without the knowledge of the site's owners and still be detected by external scanning. The malicious code could be placed there by advertisers or other third parties who are permitted to post content to the website, or by a compromise of the site itself. Scanning services of this kind have been accused of misidentifying websites that do not contain malware, but the complaint is likely to further complicate the Google Books settlement case.

Identity

There was no significant activity in this category during the time period.

Human

Internet Phone Systems Become the Fraudster's Tool

Internet phone systems are becoming a popular method of launching scams. Poorly chosen passwords have allowed cybercriminals to use these systems to contact customers of smaller banking institutions and play pre-recorded messages pressing them to enter account numbers and ATM PINs. User credentials for Facebook, Twitter and the e-mail services Hotmail, Gmail and Yahoo! Mail are now a hot commodity among cybercriminals, with the compromised information used for social engineering and for installing the ZeuS banking trojan on users' machines. A criminal phishing group known as Avalanche is behind nearly a quarter of all phishing attacks, according to a recent report released by the Anti-Phishing Working Group. More than 30 financial institutions have been spoofed by this group, along with numerous job search companies and other online services.

IntelliShield Analysis: Each of these schemes relies on one constant in the world of fraud: the ease of convincing the human victim that the scam is legitimate. Even though only a fraction of a percent of these fraud attempts succeed, when the scam is multiplied by hundreds of thousands, millions or tens of millions of targets, the financial rewards to the thieves become very real. Those gains ensure that these types of attacks will persist. Users should be aware of these kinds of scams and, whenever a contact asks for passwords, PINs or account numbers, verify it through an independent channel, such as the telephone number printed on the card or statement, rather than any number, link or callback offered in the message itself.

Geopolitical

Sourcing Secure Chips for Military Systems Getting Harder

Only two percent of semiconductors used in U.S. military systems are manufactured in secure, U.S.-run facilities, according to the New York Times. This is the case despite establishment in 2005 of a trusted foundry access program by the U.S. Department of Defense (DOD), meant to ensure supply of domestically-produced chips for use in sensitive military systems components. According to 2007 data, the U.S. is tied with South Korea as the world's third-largest producer of chips, behind Taiwan as the second-largest and Japan in the lead with 24 percent of the market. China is the fourth-largest producer with around 9 percent of the market, but its manufacturing and technical capabilities are increasing quickly as many multinational chip makers, forced to cut costs, outsource manufacturing.

IntelliShield Analysis: U.S. semiconductor manufacturing market share has been declining for decades, and DOD planners are probably right in recognizing that, however deep their pockets, they can neither control global market share nor single-handedly finance a cutting-edge domestic foundry industry. Military planners cannot, however, leave the issue to chance. So-called hardware trojans, which can be triggered or manipulated remotely, are almost impossible to detect among the potentially more than a billion transistors on a single chip. Off-the-shelf components, sometimes regarded as relatively safe because of their anonymity in the vast global sourcing pool, could contain mass-produced trojans, each of which phones home upon activation, notifying a remote home base of its location and function. Information technology professionals acquiring chips for commercial products or enterprise systems would be wise not to assume that sourcing locally is a panacea for these security concerns. The best strategy may be rigorous due diligence on supply chain sourcing, regardless of location, together with vigilance over data crossing company firewalls, since a phone-home trojan must eventually talk to the outside.

Miscellaneous

Nokia Files Patent Suit on Apple iPhone

Nokia has filed suit in U.S. federal court in Delaware, claiming that Apple's iPhone violates ten Nokia patents covering the wireless data communications that allow phones to operate on GSM, 3G and Wi-Fi networks. The filing requests an injunction on the sale of iPhones and unspecified damages. The claim covers all iPhones sold by Apple since the original introduction in 2007. Reports have estimated the license fees Apple would owe Nokia for past use of these patents at between US$200 million and US$400 million.

IntelliShield Analysis: According to the filing, these same patents have been licensed by at least 40 other vendors, but Apple has thus far refused to negotiate on "reasonable" licensing terms. This filing appears to be an attempt by Nokia to add pressure to Apple to move forward in reaching a licensing agreement, rather than a serious attempt to enjoin additional sales of the iPhone. With the additional international emphasis on intellectual property rights and the continued economic pressures, licensing cases are expected to increase, and could include large financial claims. Organizations are advised to carefully manage their licenses and proactively engage with license holders to avoid potential legal issues.

Upcoming Security Activity

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Election Day (U.S.): November 3, 2009
Interop New York: November 16–20, 2009
The Hajj: November 25–30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
