October 27-November 2, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remain elevated from those of similar time periods from the previous year. Much of the activity from this week centered around vendor responses to previously disclosed vulnerabilities. Few new vulnerabilities were publicly disclosed during the previous week. Of the new issues, three vulnerabilities in Adobe PageMaker were of particular interest. Each of these vulnerabilities could allow a remote attacker to execute arbitrary code with elevated privileges by convincing a user to process a malicious .pmd file. Vulnerabilities in office productivity applications such as PageMaker are commonly used by attackers to conduct limited targeted attacks against organizations or particular users.

RSA Security released the results of its seventh annual wireless security survey of three major cities.
This year's survey focused on both the level of adoption of wireless networks and the security of these networks in Paris, New York City, and London. The results of this survey show that while London has the highest volume of wireless access points, it also has the lowest percentage of secured access points. New York has the highest percentage of secured networks. Paris has the highest percentage of growth of wireless networks. Another interesting result from this survey was that home wireless networks are more likely to use some type of advanced encryption routine than business networks. This is likely because most home routers and wireless access points include the encryption configuration in their setup process.

Reports indicate that attackers are currently leveraging a cross-site scripting vulnerability in the Yahoo! HotJobs website, hotjobs.yahoo.com. The attackers are using obfuscated JavaScript code that redirects users to another website that contains malicious script code. An exploit could allow the attacker to obtain authentication cookies related to the Yahoo! site, which could expose credentials to other accounts such as Yahoo! Mail accounts. Additional information is available in IntelliShield alert 16957.

In malicious code activity this week, a new worm that is likely a variant of the infamous Koobface worm is targeting the Facebook social networking website using a new social engineering tactic via Google Reader and Google Picasa. The attackers behind these new attacks are using Google Reader and Picasa accounts to embed links that point to malicious sites owned by the attackers. These links may arrive as an inbox message on Facebook accounts and possibly on MySpace accounts if this worm is indeed a Koobface variant. The links may also be embedded in the user comments section of user profiles. When the user clicks on the links, the user is redirected to the Google Reader or Picasa site, which contains what appears to be a YouTube video.
If the user continues to follow the steps to play the video, the worm is installed on the system. Additional information on this worm is available in IntelliShield alert 16975. This new technique has a high chance of success because the links not only appear in messages that seem to be left by friends, but they also point to Google sites, which users typically trust. This added trust level is expected to fool many users. Facebook continues to grow at a rapid pace with an estimated 161 million visitors per month. Additionally, there is an increasing number of businesses with Facebook accounts, which may prompt attacks against these accounts and compromise the business systems being used to access the Facebook sites. Facebook account holders and users are advised to verify the authenticity of unexpected links on their pages. For assistance in verifying the authenticity of links, users can check the reputation of any URL using the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website.

IntelliShield published 119 events last week: 30 new events and 89 updated events. Of the 119 events, 96 were Vulnerability Alerts, seven were Security Activity Bulletins, six were Malicious Code Alerts, five were Security Issue Alerts, two were Applied Mitigation Bulletins, two were Daily Malicious Code Summaries, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
2008 Monthly Alert Totals
Cumulative Alert Totals
Monthly Alert Totals
(The alert total tables are not reproduced in this text version of the report.)
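The HotJobs cross-site scripting item above describes injected script harvesting authentication cookies, and the clickjacking entry under Previous Alerts below describes pages that any site can wrap in an invisible frame. The following is an added example, not code from the report or from Cisco, showing the response-header audit a web application owner would run against both: it checks that session cookies carry the HttpOnly and Secure attributes (HttpOnly keeps them out of document.cookie even when script has been injected; Secure keeps them off plain HTTP) and that the page declares an anti-framing policy through Content-Security-Policy frame-ancestors or X-Frame-Options. The header representation, the cookie-name heuristic, and both sample responses are constructed for this example.

```python
"""Audit an HTTP response for cookie exposure to injected script and for
framing by arbitrary sites. Added example; the header layout and samples
are constructed, not taken from the report."""

# Assumption: cookie names containing these fragments carry session state.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_cookies(headers):
    """Flag session-looking cookies that injected script could read (no HttpOnly)
    or that the browser would send over plain HTTP (no Secure)."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if not looks_like_session_cookie(name):
            continue
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable through document.cookie")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, sent over plain HTTP")
    return findings


def frame_ancestors_sources(headers):
    """Return the frame-ancestors source list from Content-Security-Policy,
    or None if no such directive is present."""
    for hname, hvalue in headers:
        if hname.lower() != "content-security-policy":
            continue
        for directive in hvalue.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.strip("'\"").lower() for t in tokens[1:]]
    return None


def framing_protection(headers):
    """Return (protected, reason). A CSP frame-ancestors directive takes
    precedence over X-Frame-Options, as it does in current browsers."""
    sources = frame_ancestors_sources(headers)
    if sources is not None:
        if not sources or sources == ["none"]:
            return True, "CSP frame-ancestors 'none'"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return False, "CSP frame-ancestors permits arbitrary origins"
        return True, "CSP frame-ancestors limited to " + " ".join(sources)
    for hname, hvalue in headers:
        if hname.lower() == "x-frame-options":
            value = hvalue.strip().upper()
            if value in ("DENY", "SAMEORIGIN"):
                return True, f"X-Frame-Options {value}"
            return False, f"X-Frame-Options value {hvalue.strip()!r} is not DENY or SAMEORIGIN"
    return False, "no anti-framing header; any site can frame this page"


def audit_response(headers):
    """All findings for one response; an empty list means both checks passed."""
    findings = audit_cookies(headers)
    protected, reason = framing_protection(headers)
    if not protected:
        findings.append("framing: " + reason)
    return findings


# Constructed sample responses: one typical of an unhardened site, one hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

Headers are kept as a list of (name, value) pairs rather than a dict so that repeated Set-Cookie headers survive. Note that HttpOnly only blocks the cookie-reading part of an XSS attack; script running in the page can still issue requests with the victim's session, so the attribute is a containment measure and not a substitute for fixing the injection.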
Previous Alerts That Still Represent Significant Risk

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A worm is also actively exploiting this vulnerability to install itself on target systems. Additional information on the worm is available in IntelliShield alert 16947. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista, Windows Server 2003, and Windows Server 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available, and this vulnerability is actively being exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability

Independent security researchers have discovered a critical flaw affecting multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, possibly fooling the user into thinking they are clicking on a legitimate link.
If successful, the attacker could control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as "clickjacking." Adobe has released both a security advisory and a security bulletin, as well as updated software to address this vulnerability.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not yet publicly released the sockstress tool, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers presented their work on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland, but released few details. Cisco has released a Security Response for this activity.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability

Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code.
The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield alert 16543. The attacks occurred before the vulnerability was publicly disclosed; this tactic is commonly known as exploiting a zero-day vulnerability.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Physical

NIPSCO Pole Struck by Motorist Causes Services Disruption

On the morning of Sunday, October 26, 2008, a motorist crashed into a NIPSCO power pole in Chesterton, Indiana, causing a disruption of electric service at the Chesterton wastewater treatment facility and a power surge that affected the SCADA computer system used to control plant operations. Steve Yagelski, superintendent of the plant, indicated that operators are tending to the plant system and that as of Monday night, no breach had occurred. The facility did have an alarm system separate from the SCADA system, which notified the staff of the failure. However, due to the force of the power surge, the SCADA system shut down before activating the backup generators to provide emergency power. NIPSCO was able to start the generators and subsequently provide electric service to the plant.

IntelliShield Analysis: The actual implications of this incident are not severe due to the backup alarm system notifying staff and the quick response of the NIPSCO crew.
These incident reports often overlook or fail to mention the ability of most plants and similar sites to override and manually control the plant operations when the SCADA systems fail. In many instances this is a critical backup ability that allows the sites to continue operations without the compromise of data or, as in this case, the uncontrolled release of wastewater. Because these incidents can be rare, organizations should include failover drills to ensure they can continue operations without compromise. Organizations should include these considerations in their business continuity plans to prepare for interruptions of day-to-day operations.

Legal

Former Employee Sentenced to Prison for Sabotaging Three Servers

A former contract employee of the tool maker Pratt-Read has been sentenced to serve six months in prison for sabotaging three corporate servers on Thanksgiving weekend in 2007. Priyavrat Patel deleted several system files on the computers so that they would fail to boot properly when turned on or restarted. The servers affected were critical to corporate operations. The company was unable to function properly for two weeks, and for part of that time it was forced to do business using paper records.

IntelliShield Analysis: The attack took place a month after Priyavrat had been fired. Pratt-Read is a relatively small company of roughly 100 employees. However, it is always a security best practice to remove all access and change administrative passwords once an employee has left the company. Because Pratt-Read failed to ensure that access was removed, the attack was possible. Studies have shown that fired or laid-off employees pose the greatest risk for this kind of corporate sabotage. But the legal system is starting to catch up to these kinds of crimes, as evidenced by such punishments enforced by court action. The courts may also fine the former employee, who has agreed separately to pay Pratt-Read $120,000 in restitution.
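The analysis above says to remove all access and change administrative passwords once an employee has left. The following is an added example, not code from the report or from Cisco and not data from the Pratt-Read case, of the reconciliation a small IT team can run to catch exactly the gap that made this attack possible: it takes an HR list of departures (employees and contractors), the current state of the account directory, and a record of who knows each shared administrative password, and reports accounts still enabled after a departure, logins that occurred after the departure date, and shared credentials not rotated since someone who knew them left. The record layouts and all sample names and dates are constructed.

```python
"""Offboarding reconciliation: report access that should already have been
revoked for people who have left. Added example; the record layouts and all
sample data are constructed and are not from the Pratt-Read case."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Departure:
    user: str
    left_on: date
    contractor: bool = False


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date] = None


@dataclass
class SharedCredential:
    name: str                  # e.g. a server's local administrator password
    last_rotated: date
    known_to: List[str] = field(default_factory=list)


def stale_accounts(departures, accounts, today):
    """Accounts still enabled for someone who left, and logins after the departure date."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for d in departures:
        acct = by_user.get(d.user)
        if acct is None:
            continue
        kind = "contractor" if d.contractor else "employee"
        if acct.enabled:
            days = (today - d.left_on).days
            findings.append(f"{d.user}: {kind} account still enabled {days} days after departure")
        if acct.last_login is not None and acct.last_login > d.left_on:
            findings.append(f"{d.user}: login on {acct.last_login} after departure on {d.left_on}")
    return findings


def unrotated_credentials(departures, credentials):
    """Shared passwords a departed person knew that have not been changed since they left."""
    left_on = {d.user: d.left_on for d in departures}
    findings = []
    for cred in credentials:
        for user in cred.known_to:
            if user in left_on and cred.last_rotated < left_on[user]:
                findings.append(
                    f"{cred.name}: known to {user} (left {left_on[user]}), "
                    f"last rotated {cred.last_rotated}"
                )
    return findings


def offboarding_report(departures, accounts, credentials, today):
    """Every item that needs action; an empty list means offboarding is complete."""
    return stale_accounts(departures, accounts, today) + unrotated_credentials(departures, credentials)


# Constructed sample data (names and dates invented for this example).
TODAY = date(2008, 10, 31)
DEPARTURES = [
    Departure("pjones", date(2008, 9, 26), contractor=True),
    Departure("mlee", date(2008, 10, 20)),
]
ACCOUNTS = [
    Account("pjones", enabled=True, last_login=date(2008, 10, 25)),
    Account("mlee", enabled=False, last_login=date(2008, 10, 17)),
    Account("asmith", enabled=True, last_login=date(2008, 10, 30)),
]
CREDENTIALS = [
    SharedCredential("fileserver-root", date(2008, 8, 1), ["pjones", "asmith"]),
    SharedCredential("backup-admin", date(2008, 10, 22), ["mlee", "asmith"]),
]

if __name__ == "__main__":
    for line in offboarding_report(DEPARTURES, ACCOUNTS, CREDENTIALS, TODAY):
        print(line)
```

The shared-credential check is the part most often skipped: disabling a personal account does nothing about a root or local administrator password the person memorized, which is why the rotation date is compared against the departure date rather than simply flagged as old. In the constructed data, the contractor account is still enabled and was used after the departure date, and one shared password predates that departure; the disabled employee account with a rotated credential produces no findings.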
Trust

Cisco Global Security Study Part 2: The Effectiveness of Security Policies

A second set of findings from a global security study on data leakage revealed that many companies do not have security policies and that security policies that are in place are often ineffective. This analysis provides additional justification for the initial survey findings, which reported that employees around the world are putting corporate and personal data at risk.

IntelliShield Analysis: This is the second part of a three-part study commissioned by Cisco looking at the causes of data leakage. The first part focused on user mistakes and the reasons users performed these risky actions. The second part focuses on security policies and the reasons the policies may or may not be effective in preventing data loss. The most significant findings may be the lack of policy awareness among both users and IT staff, and the limited training provided to raise their awareness of the policies. The study also includes recommendations for improving the policies and for improving user and IT awareness, to raise the overall effectiveness of the policies.

Identity

U.S. Government Releases Identity Theft Study

The U.S. Government has released the annual Identity Theft Task Force Report, which includes 31 recommendations that range from small steps to dramatic changes in policies regarding identity theft and fraud. The report showed that in 2007, 2,470 criminals were charged with identity theft-related crimes, with 1,943 actually convicted. The report recommended that the U.S. government consider reviewing its civil monetary penalty programs to ensure they sufficiently penalize criminals convicted of identity theft and fraud.

IntelliShield Analysis: The report findings show that there has been a 27 percent increase in identity theft convictions from 2007.
Along with the many other practices and compliance requirements, prosecution also plays a large role in reducing the likelihood of identity theft. Despite the efforts of businesses and law enforcement, the current risk-reward balance still heavily favors the criminals' ability to make large profits from these crimes with a low probability of prosecution. A comprehensive approach to the problem is needed, beginning with individual awareness and extending to business security, prosecution by law enforcement, and international cooperation. There are many signs of progress, but cooperation with and reporting to law enforcement, on which successful prosecution of these crimes depends, still lag behind.

Human

High School Student Arrested for Accessing Bus Driver Identity Details

A 15-year-old student at Shenendehowa High School in Clifton Park, NY has been charged with three felony counts for accessing identity information on his school's network. The student is alleged to have located a file containing identity details for around 250 past and current bus drivers in the school district, using his own credentials and the credentials of one other student, and to have alerted the school principal via e-mail, signing as "A Student". School officials assert that the computer intrusion was not the student's first citation for improperly using school technology and that his intentions were not benign.

IntelliShield Analysis: The Shenendehowa school district is facing considerable pressure in the court of public opinion regarding this incident, with many bystanders claiming that the student is being unjustly punished. The district maintains that the student's actions were not benign and demonstrated clear malicious intent. Still, the decision to pursue legal action is a strict response, making positive public relations and an environment of trust much harder to maintain. Future incidents that are benign may not be brought to the administration's attention if the discoverer fears criminal prosecution.
In addition to ensuring that technical controls are in place to keep trusted and untrusted networks separate and to protect files against access by unauthorized users, organizations should have strong acceptable use policies in place. All of these controls help the organization respond appropriately and properly frame its public relations responses.

Geopolitical

Proposed Giant Information Database Draws Fire in the UK

Officials in the United Kingdom are drafting a bill, known as the Data Communications Act, which would allow the government to gather communications data for policing and national security purposes. The bill would create a central Call Data Record (CDR) database containing times and dates of all messages sent over the Internet and mobile phones in the UK, but would not include the content of those communications. Currently, such data is obtained piecemeal by authorities from service providers in the course of legal investigations. Critics are calling the bill another step toward the creation of a surveillance society in Britain, along with separate but related plans to require all mobile phone purchasers to register personal information at the time of purchase. Advocates say that the relatively high threat of terrorism in the UK, and the dramatic increase in the use of communications data in prosecutions, make the database practical and necessary.

IntelliShield Analysis: The data security implications of such a massive database are immense, given the risk of the information being compromised or altered. A mobile phone registry database is particularly vulnerable: with 72 million mobile phones currently in use in the UK, this effectively would create a single database of the entire adult population of around 50 million.
Given the UK government's recent track record with data protection, UK citizens perhaps can be forgiven for having doubts; the Ministry of Defence recently admitted that information on as many as 1.7 million individuals who had made inquiries about serving in the armed forces was lost on an unencrypted hard drive, and a classified report on Al Qaeda was discovered on a London train this summer. The proposed legislation is also of interest as part of what appears to be a trend, particularly in Western Europe, toward increasing surveillance and data monitoring in the name of national security.

Upcoming Security Activity

United States Presidential Election: November 4, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
