Cyber Risk Report

October 6–12, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity from the previous time period centered around the pre-release announcements of the monthly Microsoft Security Bulletin release and the quarterly Oracle Critical Patch Update. Both updates will be released on Tuesday, October 14, 2008. The Oracle update will contain patches for 36 vulnerabilities. Fifteen of these vulnerabilities affect the Oracle Database Server, but only one can be exploited remotely without prior authentication. The Microsoft Advance Notification identified 11 bulletins that will be released for October 2008. Microsoft scored four of the bulletins with a maximum severity rating of Critical, six of the bulletins with a maximum severity rating of Important, and one with a maximum severity of Moderate. These bulletins address vulnerabilities in the Microsoft Windows operating system, the Microsoft Office Suite of applications, and other Microsoft Server software.


Adobe issued a response to the mouse click hijacking vulnerability, an activity that is being referred to as "clickjacking," that affects Adobe Flash Player. This vulnerability, which is described in IntelliShield alert 16770, could allow a remote attacker to conduct phishing or malicious code attacks. The Adobe response confirms the vulnerability but does not contain updated software.

In other activity, attackers are leveraging the latest version of the Neosploit 3.1 exploit toolkit to infect over 80,000 websites with malicious code. This toolkit is documented in IntelliShield Alert 1680. After investigating the toolkit and the compromised machines that were used to store stolen information, a security researcher discovered server logs that contained over 200,000 login credentials for well-known websites. Over half of the credentials provided administrative access to the sites. As a security best practice, administrators are advised to apply all appropriate patches to user systems and ensure virus definitions are updated appropriately. Website administrators are also advised to regularly change login passwords for all users and to monitor websites to ensure they are not inadvertently hosting malicious software.


Further analysis was also performed on a trojan that was discovered over a month ago. Trojan.Eskiuel is a tool that searches for systems with poorly configured SQL servers and then infects those machines. Once the targeted machine is discovered, the tool performs a brute-force password attack against the server in an attempt to access the sa account and allow ad hoc access. If successful, the tool may download additional malicious code on the infected system. To avoid such a compromise, administrators are advised to configure all SQL servers with strong passwords.
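A brute-force attempt against the sa account of the kind Trojan.Eskiuel performs leaves a dense run of failed logins in the SQL Server error log. The following detector is an added example, not code from the report or from Cisco: it parses constructed log lines in the SQL Server error-log style (the sample, the threshold and the window are assumptions) and flags any client that fails to log in as sa repeatedly within a short window, noting whether a successful sa login from the same client followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server error log; not a real capture.
SAMPLE_LOG = """\
2008-10-08 02:14:01.10 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2008-10-08 02:14:01.32 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2008-10-08 02:14:01.55 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2008-10-08 02:14:01.80 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2008-10-08 02:14:02.05 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2008-10-08 02:14:02.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.44]
2008-10-08 09:30:12.00 Logon       Login failed for user 'reports'. [CLIENT: 10.0.0.15]
2008-10-08 09:45:40.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.15]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Extract timestamp, outcome, user and client address from each logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-logon lines (startup messages, etc.) are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "result": m["result"], "user": m["user"], "client": m["client"],
        })
    return events


def find_sa_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per client whose failed 'sa' logins reach the threshold
    inside a sliding time window; threshold and window are assumed tuning values."""
    by_client = defaultdict(list)
    for e in events:
        if e["user"].lower() == "sa":
            by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        fails = [e["ts"] for e in evs if e["result"] == "failed"]
        succ = [e["ts"] for e in evs if e["result"] == "succeeded"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                # A success right after the burst suggests the password was guessed.
                followed = any(s >= fails[j] for s in succ)
                alerts.append({"client": client, "failures": j - i + 1,
                               "start": fails[i], "end": fails[j],
                               "success_after_burst": followed})
                break
    return alerts


if __name__ == "__main__":
    for a in find_sa_bruteforce(parse_logon_events(SAMPLE_LOG)):
        print(a)
```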

Exploit toolkits and attack tools are becoming more common, and these tools can give less-skilled attackers the ability to perform sophisticated attacks in an automated fashion. The tools' availability ultimately increases the attack population, but their notoriety similarly provides IT and security staff with an awareness of attacks that are likely to be directed against their sites. To ensure their environments are protected, IT and security staff should familiarize themselves with the tools and their capabilities.


IntelliShield published 107 events last week: 49 new events and 58 updated events. Of the 107 events, 88 were Vulnerability Alerts, seven were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Malicious Code Alerts, six were Security Activity Bulletins, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         10/10/2008     13         8      21
Thursday       10/09/2008     13         5      18
Wednesday      10/08/2008      9        13      22
Tuesday        10/07/2008      8        16      24
Monday         10/06/2008      6         6      22
Weekly Total                  49        58     107


Significant Alerts for October 6–12, 2008

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 2, October 8, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a critical flaw affecting multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, making the user think they are clicking on a legitimate link. If successful, the attacker could control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as "clickjacking."

Previous Alerts That Still Represent Significant Risk

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 1, October 1, 2008
Urgency/Credibility/Severity Rating: 2/3/3

Independent security researchers developed the sockstress tool, which reportedly exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers plan to detail attacks using these vulnerabilities, referred to as TCP state table manipulation vulnerabilities, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16071, Version 3, September 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2639

Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 16544, Version 1, August 28, 2008
Urgency/Credibility/Severity Rating: 3/4/4
CVE-2008-3919

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a zero-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-3648

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 25, September 22, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1447

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that could allow complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
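The alert above concerns resolvers whose outbound query source ports and transaction IDs carry too little entropy to resist cache poisoning. The following checker is an added example, not code from the report or from any vendor's patch: given a sequence of integers observed from a resolver (source ports or transaction IDs captured from its outbound queries), it estimates how much randomness they show and returns a verdict. The constructed samples and the thresholds are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical entropy of the observed values, in bits (at most log2(len(values)))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive pairs that increase by exactly one: an incrementing
    port or ID sequence is fully predictable even though every value is distinct."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_randomness(values, min_entropy_ratio=0.8, max_sequential=0.2):
    """Score a captured sequence of source ports or transaction IDs.

    A fixed value, an incrementing sequence, or heavy repetition all indicate an
    unpatched resolver whose queries an off-path attacker can guess. Thresholds are
    assumed tuning values, not figures from the report."""
    n = len(values)
    if n == 0:
        raise ValueError("no observations")
    entropy = shannon_entropy_bits(values)
    max_possible = math.log2(n) if n > 1 else 0.0
    seq = sequential_fraction(values)
    distinct = len(set(values))
    reasons = []
    if distinct == 1:
        reasons.append("fixed value")
    if seq > max_sequential:
        reasons.append("incrementing sequence")
    if max_possible and entropy < min_entropy_ratio * max_possible:
        reasons.append("heavy repetition")
    return {"observations": n, "distinct": distinct,
            "entropy_bits": round(entropy, 2), "sequential_fraction": round(seq, 2),
            "verdict": "poor" if reasons else "good", "reasons": reasons}


# Constructed samples (not captured traffic): a resolver pinned to one source port,
# one that increments its port per query, and one drawing ports at random.
FIXED_PORTS = [32768] * 64
INCREMENTING_PORTS = list(range(1024, 1024 + 64))
RANDOM_PORTS = [random.Random(1).randrange(1024, 65536) for _ in range(64)]
RANDOM_PORTS = random.Random(1).sample(range(1024, 65536), 64)

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS), ("incrementing", INCREMENTING_PORTS),
                         ("random", RANDOM_PORTS)):
        print(name, assess_randomness(sample))
```

The same function applies to transaction IDs, and a resolver is only as strong as the weaker of the two sequences, since the attacker must guess both.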

Physical

Counterfeit Microchips Threaten United States Military Equipment

Over the past four years, hundreds of counterfeit routers and other electronic parts made in foreign nations were sold to the United States (U.S.) Armed Forces. Several notable incidents have occurred, including a Pentagon investigation that discovered that counterfeit parts led to field failures in BAE Systems products. The states of Texas and Washington have also prosecuted companies that sold counterfeit routers to the military. In fact, over 400 counterfeit routers have been seized by the U.S. Federal Bureau of Investigation. Two aircraft have also been compromised, including one incident that involved the flight computer of an F-15 fighter jet. An investigation led to the discovery of four counterfeit Xicor microchips. Such a chip could include malicious code that facilitates monitoring and tracking, or even causes serious damage during operations. Read More

IntelliShield Analysis: Counterfeit electronics introduce multiple threats to the U.S. military, Department of Defense, and even global businesses. These parts are not made to quality standards, and they can increase the risk of foreign espionage against the U.S. and other countries, which has escalated in recent years. It is increasingly important for businesses in the private sector to be concerned with the increase in counterfeit activity. Because counterfeit chips and products can be very difficult for the end user to detect, government and businesses alike should focus their efforts on prevention during the contracting and manufacturing processes. Requiring rigorous quality controls and testing and verifying the numerous individual parts prior to implementation in operational environments is also advisable.

Legal

Corporate Sabotage Case Leads to Two Indictments

Two European individuals have been indicted in the United States (U.S.) on charges of orchestrating Distributed Denial of Service (DDoS) attacks in 2003. According to the data from the case, these individuals were hired by the owner of Orbit Communications Corp. to target the websites of two U.S.-based competitors in the home satellite market. Both targeted companies lost business as a result of the attacks. One competitor, Weaknees, has estimated their two week loss in October 2003 at US$200,000. Read More

IntelliShield Analysis: Corporate sabotage of this type is not a new practice, but the growth of botnets and their criminal use has raised the risk of this type of activity. Documented cases in which an otherwise legitimate business hires attackers to launch DDoS attacks on the websites of the competition are unusual. While an incident like this attracts additional attention, it also raises questions as to how many website DDoS attacks are performed by lone criminal attackers, and how many occur at the behest of a corporate competitor. Businesses that suffer a DDoS attack are advised to pursue prosecution of the perpetrators, if they can be identified. Additionally, investigators should work with the actual perpetrators of the attacks to identify who might have hired them to perform the malicious activities.

Trust

Large Oil Company Notifies Employees of Data Compromise

The Shell Oil Company recently notified employees that a third-party IT contractor stole employee identification information and filed fraudulent unemployment compensation claims with the Texas Workforce Commission in the United States. The information is believed to have been compromised through Shell's corporate database, which the contractor allegedly accessed while working on a data indexing project. Shell immediately removed the suspect and has subsequently terminated their contract with the company that employed the worker. The local police, Shell, and the Texas Workforce Commission are continuing to investigate the theft. Read More

IntelliShield Analysis: Reports indicate that the IT contractor was able to steal information including names, birth dates, and social security numbers of four Shell employees from a corporate database that contained the records of both current and former employees. To Shell's credit, they were able to identify the misuse and the individual. Many companies have found the additional security measure of monitoring personal information difficult or have failed to implement it, which makes data leakage and insider threats difficult to detect, prevent, or adequately quantify. Failures may occur when businesses opt to implement technology-heavy solutions rather than attempting to balance people, process, and technology in their methods to safeguard data.

Identity

Study Finds Reported Data Breaches Continue to Rise in the United States

The Identity Theft Resource Center has released a study that indicates the number of data breaches reported in the first nine months of 2008 has outpaced the 2007 total by 15 percent. Thus far, the 516 reported data breaches have exposed more than thirty million records to potential theft and credit fraud. Approximately 80 percent of the breaches were digital in nature, and the remaining 20 percent were due to lost, exposed, or stolen paper records. Outside attacks and insider theft contributed to almost one-third of the data breaches, and human error comprised another third.
Read More
Additional Information

IntelliShield Analysis: The raw statistics in this report will certainly help organizations in understanding the overall state of data breaches. It is still unclear, however, whether the increase can be attributed to an actual rise in data breaches, an increased acknowledgment of the breaches, or a rise in the discovery of these breaches. The actual number of disclosed records is likely much higher than what the report indicates, as organizations are not required to notify customers in every state. Tracking which organizations are affected can also be difficult, as data is often shared or contracted out to third-party services. Some businesses may also refuse to comply with disclosure policies to avoid bad public relations. The study also does not indicate how many of these breaches translated into fraud cases. Nonetheless, with 34 percent of data breaches due to lost or stolen records and accidental exposure, organizations must begin making progress to ensure that their operations are secure and safeguards are in place. Businesses are encouraged to review their policies and practices to ensure that access to customer data is limited, sensitive data is encrypted, and employees are reminded of the proper methods of protecting assets against data theft.

Human

Middler Attack Tool Released

Man-in-the-middle attacks that exploit flaws in web-based applications or other client-server software are frequently complex to accomplish. A new tool, however, may bring such attacks to a more casual group of attackers. Middler, an upcoming open-source attack tool that was recently demonstrated at the SecTor security convention in Toronto, Canada, may make such attacks easier. The tool can perform automated attacks and can also be adapted to incorporate other tools that may allow attackers to stage multifaceted attacks. Read More

IntelliShield Analysis: Although this new attack tool may cause an increase in attacks against vulnerable applications, users can protect themselves in a number of ways. First, users should be aware that Middler includes exploits for Gmail, Facebook, LiveJournal, and LinkedIn, and be particularly cautious when using these applications. Additionally, organizations can require secure transports, such as HTTP with SSL/TLS. Users should also be aware of browser warnings, such as SSL certificate errors, that may indicate an exposure or ongoing man-in-the-middle attack. Finally, users are advised to log out of applications after use.

Disgruntled Former Employee Allegedly Causes Millions of Dollars in Damages

A former employee of CSG Services allegedly caused millions of dollars of damages after an act of sabotage. The former employee was originally hired to operate computer systems for the Northern Territory government in Australia. David Anthony McIntosh resigned from his position citing stress due to perceived mistreatment and a poor work location. After resigning, McIntosh used a former co-worker's password and home computer to establish a VPN connection to the government systems. He used this connection to delete records associated with 10,475 public servants and cause a denial of service on multiple government servers, including those associated with the Supreme Court, Berrimah Prison, and the Royal Darwin Hospital. Reports indicate that he may have also stolen the authentication credentials of other public servants. Read More

IntelliShield Analysis: While multiple failed control measures may be involved in this case, it also highlights the need for organizations to account for recovery from internal attacks when they are forming business continuity plans. Initial estimates indicate that this attack could require months of recovery work and cost millions of dollars. The attacker circumvented normal measures to prevent former employees from accessing systems by using the authentication credentials and home system of a former colleague. Although prevention of these threats is the primary objective, the ability to efficiently recover from an attack must be planned for accordingly and measures must be in place prior to an incident.

Geopolitical

Indian Militants Learn Hacking Skills From Foreigners

Police in India recently arrested alleged members of the Indian Mujahideen group, which has claimed responsibility for a string of terrorist incidents in India in 2008. According to police, the militants used the technique of war-driving, where attackers search neighborhoods for unsecured Wi-Fi hotspots and then use them to gain unauthorized access to vulnerable networks. One suspect has been identified as a software engineer employed at Yahoo!, who traveled to the United States (U.S.) during his time with the company. Reports indicate that two other suspects were also software engineers. In another recent attack that was attributed to the Indian Mujahideen, an e-mail account belonging to a U.S. national working in India was hijacked; as a result of intense police scrutiny over the incident, the individual left India briefly. Once they were able to gain unauthorized access, the militants sent anonymous e-mails from the hijacked accounts and claimed responsibility. Some reports indicate that militants have admitted to learning hacking skills through an "ethical hacking" course or from foreigners.
Read More
Additional Information

IntelliShield Analysis: These revelations may be of interest to information security professionals for a number of reasons. First, they serve as reminders that companies can be affected by attacks not only on corporate networks, but on the unsecured home networks of employees. IT security professionals may consider using these recent incidents to remind employees of the importance of securing home networks. War-driving is a relatively simple technique, and it will likely be used again by extremists with entry-level technical knowledge. These events appear to be indicative of an unfortunate trend in rapidly industrializing economies where the intersection of technology and social upheaval leaves individuals and businesses at risk. This phenomenon may occur in fully industrialized countries just as easily, and it may only be aggravated if the current global credit crisis worsens.

Upcoming Security Activity

National Cyber Security Awareness Month: October 1–31, 2008
T2 2008: October 16–17, 2008
Cisco IT Security Forum: November 12, 2008
Computer Security Institute 2008: November 15–21, 2008
Government Information Group Security IT Conference & Exhibition: November 20–21, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
