September 1–7, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels rose sharply from the previous week's totals, as Sun, SUSE, VMware, and many other vendors responded to previously disclosed threats with advisories and updated software. Additionally, IBM, Novell, and Wireshark were among another group of vendors that released advisories and updates to address multiple undisclosed vulnerabilities that affect their products. During the time period, Microsoft also released the Advance Notification for the September 2008 Security Bulletin release. Microsoft scored all four bulletins scheduled for release on September 9, 2008 with a maximum severity rating of Critical. These bulletins address vulnerabilities in the Microsoft Windows operating system, Microsoft SQL Server, Microsoft Office Suite, Visual Studio, and the .NET framework.

IntelliShield published 126 events last week: 43 new events and 83 updated events. Of the 126 events, 114 were Vulnerability Alerts, seven were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Security Activity Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a 0-day vulnerability.
Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
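As an added example (not part of the report or any vendor's code), the following Python script shows one way a defender can spot the traffic pattern that guessing attacks against a low-entropy resolver produce: a burst of responses for one zone, aimed at a single resolver port, carrying many different transaction IDs. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of DNS responses seen arriving at a resolver: one genuine answer,
# then a burst for the same zone with a fixed destination port and many different
# TXIDs (the shape a guessing attack takes when only the 16-bit TXID is unpredictable),
# then an unrelated genuine answer from another server.
SAMPLE_LOG = """\
2008-09-03T10:00:00.000 resp src=192.0.2.53 dport=53211 txid=1a2b q=www.example.test
2008-09-03T10:00:05.000 resp src=192.0.2.53 dport=53211 txid=00a1 q=x1.example.test
2008-09-03T10:00:05.001 resp src=192.0.2.53 dport=53211 txid=00a2 q=x1.example.test
2008-09-03T10:00:05.002 resp src=192.0.2.53 dport=53211 txid=00a3 q=x1.example.test
2008-09-03T10:00:05.003 resp src=192.0.2.53 dport=53211 txid=00a4 q=x2.example.test
2008-09-03T10:00:05.004 resp src=192.0.2.53 dport=53211 txid=00a5 q=x2.example.test
2008-09-03T10:00:05.005 resp src=192.0.2.53 dport=53211 txid=00a6 q=x2.example.test
2008-09-03T10:00:30.000 resp src=198.51.100.9 dport=41822 txid=7c3d q=mail.example.test
"""

def parse_line(line):
    """Parse one constructed log line into a dict; 'zone' is the query name's parent zone."""
    ts, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["zone"] = ".".join(rec["q"].split(".")[-2:])
    return rec

def detect_poison_bursts(log_text, window_s=1.0, min_txids=5):
    """Return (src, dport, zone, peak_distinct_txids) for every source/port/zone triple
    where some sliding window of window_s seconds held >= min_txids distinct TXIDs.
    A genuine exchange yields one response per query, so many TXIDs to one port in a
    short window means someone is guessing the ID the resolver is waiting for."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_key[(r["src"], r["dport"], r["zone"])].append((r["ts"], r["txid"]))
    findings = []
    for key, events in by_key.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until the window spans at most window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({txid for _, txid in events[start:end + 1]}))
        if peak >= min_txids:
            findings.append((*key, peak))
    return findings
```

Grouping on the destination port is deliberate: a resolver that randomizes its source port per query spreads legitimate responses across many ports, so a cluster of guesses on one port stands out even more clearly after patching.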
Oracle Critical Patch Update July 2008

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Physical

Sony VAIO Laptops Recalled

Sony has recalled the TZ-series VAIO laptops due to reports of overheating. The recall affects approximately 73,000 laptops in the United States and a total of 440,000 laptops worldwide. Reports indicate that the overheating has been linked to faulty wiring or a dislodged screw, both of which can cause a short-circuit. In addition to free inspections, Sony is offering to repair affected laptops at users' homes. Users also have the option of shipping laptops to the Sony service center.

IntelliShield Analysis: The incidents surrounding the Sony laptop recall have the potential to affect personal and business information that is stored on affected systems. Organizations that are impacted by this recall should address the required activities in policy and procedure messaging and coordinate appropriately with IT teams and users. Employees are advised to perform data backups and erase sensitive information prior to having affected laptops serviced, regardless of whether the chosen method involves an on-site or service center repair. Once a malicious person has local, physical access to the device, information on the system is fairly trivial to obtain. IT teams may be better equipped to handle the task of wiping disks before they are repaired by Sony representatives.

Legal

McKinnon Loses Appeal to Avoid Extradition to United States

Gary McKinnon lost his appeal to the European Court of Human Rights and may be extradited and tried in the United States (U.S.) on charges of unauthorized access to 90 computers, including systems owned by NASA and the U.S. Pentagon, Army, Navy, and Air Force. McKinnon is being charged with eight counts of unauthorized access and could receive up to 80 years in a U.S. maximum security prison. McKinnon claims he was searching for evidence that the U.S. had extraterrestrial technology and only took advantage of major security flaws in the systems. U.S. officials claim that in addition to causing nearly US$1 million in damage to systems, McKinnon left threatening notes and rendered weapons station computers inoperable just after the terrorist attacks of September 11, 2001.

IntelliShield Analysis: The extradition process has been ongoing since July 2006, and McKinnon has so far been able to delay it through appeals. His legal counsel originally hoped to bypass the extradition entirely, claiming that the trial and sentence should be carried out in the United Kingdom (UK) because it is the location where the alleged crimes took place. McKinnon has also recently been diagnosed with Asperger's syndrome, and some experts argue that the syndrome explains his addiction to computers and his initial obsession with finding evidence linking the United States to alien technology. However, the courts ruled that the medical evidence was not enough to block the extradition. If the UK Home Secretary does not intervene, he will face extradition by mid-September.
Trust

New Phishing Websites Take Advantage of Hurricane Charity

Similar to websites that gathered fraudulent donations following Hurricane Katrina in 2005, new phishing websites are attempting to leverage the recent hurricanes in the Atlantic and Caribbean. Several sources, including the SANS Internet Storm Center, have published lists of suspected false or unverified websites. The websites claim to collect donations for victims of Hurricanes Gustav and Hanna, but they are not linked to any recognized charitable organization and may in fact be owned by criminal groups. In addition to stealing the donated funds, these websites may attempt to deliver malicious code that could compromise user systems or steal personal information.

IntelliShield Analysis: These latest attempts demonstrate the still-effective practice of preying on human nature to defraud victims. Organizations may consider blocking access to known fraudulent websites and directing individuals who wish to donate to well-known and established organizations. Organizations should also be aware that URLs to fraudulent sites may be delivered to victims in spam e-mail messages, although these tactics can be mitigated through anti-spam methods. Additionally, education and messaging that raises awareness of the risks of e-mail from unknown sources may prevent individuals from being victimized by these attacks.

Identity

Emergency Summit to Protect Consumer Information Held in Germany

German business and political leaders met recently to discuss methods to control the illegitimate collection, misuse, and sale of personal information. This summit was held in response to recent events in Germany that involved personal data misuse by the financial and call-center industries. In the most recent incident, a phone marketing company is accused of using bank account information to charge customers for a subscription service regardless of whether the customer agreed to the service.

IntelliShield Analysis: The summit allowed German leaders to discuss measures to protect citizens from the misuse of their personal data. Some proposed measures include restricting businesses from using personal information unless customers have specifically given permission to do so, forcing companies to indicate the source of personal information used in advertising campaigns, or preventing businesses from using personal information altogether. Also discussed were punitive measures against companies that abuse personal information, including the seizure of profits gained using illicitly obtained information. Any legal measures that may originate from this summit will be limited in scope because they will not affect foreign businesses; however, these discussions could prompt similar actions in other countries and organizations.

Human

Google Enters Browser Market

Google recently deployed a beta version of its new web browser, Chrome. Chrome features several design decisions that are unique among mainstream web browsers, some of which are intended to mitigate security risks in traditional designs. Even though it is a pre-production version, the browser has been very well received by experts. Chrome has also been investigated by security researchers, and some have uncovered flaws. Google, which released Chrome's code under an open source license, hopes that other browsers will adopt some or all of its architectural changes to improve web standards.

IntelliShield Analysis: According to the paper that describes the security architecture of Chromium (the open source code base behind Chrome), many of the modular design decisions were validated by an analysis of common flaws in other browsers. Chrome's design showed significant improvement, especially in relation to arbitrary code execution flaws. Other problems, such as phishing, are difficult to solve through technology alone, but many browsers take steps to assist users in the decision-making process.
As more user activity centers on the browser, application security becomes more important. Whether through Chrome or through other browsers that adopt similar strategies, users will benefit from technology that helps them stay safe online.

Geopolitical

Taliban Kidnaps Two Chinese Telecom Engineers

Two employees of the large Chinese telecommunications organization ZTE went missing after servicing a mobile phone tower in a remote area of northwest Pakistan. Taliban militants have claimed responsibility for the kidnapping, and Beijing has asked the government of Pakistan to secure the safe release of the engineers immediately. This incident is not the first time Taliban militants have posed a threat to mobile phone operators in the region; earlier in 2008, the Taliban threatened to destroy mobile phone infrastructure in Pakistan if carriers did not comply with their demand to suspend services at night. The militants reportedly feared that authorities could use telephone signals to pinpoint their location.

IntelliShield Analysis: It is unclear why the ZTE engineers were targeted. There is some press speculation that the Taliban is opposed to the sale of mobile phone ring tones, which the Taliban find objectionable for religious reasons. Kidnapping for ransom is also a fairly common occurrence in that part of Pakistan, and militants may believe they can secure more ransom money for foreign workers. In addition, militants could use the kidnappings to bargain for the release of jailed Taliban members, similar to a 2007 incident that involved 21 kidnapped South Koreans. Regardless of the reasons, businesses that send employees into dangerous areas should be aware of the risks and develop contingency plans accordingly. Security professionals are also advised to monitor this situation in an attempt to determine whether telecommunications employees are being targeted.
Upcoming Security Activity

sec-t: September 11–12, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: September 1–31, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.