Cyber Risk Report

September 15–21, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat levels remained elevated for the week of September 15 through 21, 2008. Much of the activity revolved around proof-of-concept code released by independent security researchers without prior notification to the vendors. One such instance was the WRITE_ANDX SMB packet handling denial of service (DoS) vulnerability in Microsoft Windows, as described in IntelliShield Alert 16665. A remote attacker could exploit this vulnerability to cause the target system to crash. Available proof-of-concept code has demonstrated a system DoS condition on Windows Vista SP1 systems. The code could be adapted for use against other systems. Another instance of proof-of-concept code released this week was for the HTTP Server administrative interface cross-site request forgery vulnerability affecting Cisco IOS, as described in IntelliShield Alert 16683. A remote attacker could exploit this vulnerability to execute arbitrary commands on the target device in a privileged security context. To exploit this vulnerability, the attacker would need to convince the user to visit a malicious web page while having an active administrative session open in another tab of the same browser.

Apple released a security bulletin and updated software to address multiple vulnerabilities and security issues in its OS X operating system. This security update covered a total of 18 new and 15 previously disclosed vulnerabilities and security issues in the operating system or its components. Currently, no activity related to any of the vulnerabilities associated with this update has been detected.

Early reports indicate that attackers may be leveraging the arbitrary code execution vulnerability in the Windows Media Encoder ActiveX control to conduct limited, targeted attacks. This vulnerability is described in IntelliShield Alert 16574. Some reports indicate that these attacks may have originated from a new exploit tool. Microsoft has confirmed the vulnerability in a security bulletin and released software updates. Administrators are advised to apply the appropriate software updates or may consider setting the kill bit for the ActiveX control.

More than two hundred BusinessWeek.com pages were compromised during this time period as a result of SQL injection attacks. The infected pages contain malicious JavaScript that points to third-party servers containing malware. Once an unsuspecting user visits one of the compromised web pages, the script is executed and malicious software is downloaded and installed on the user's system without the user's consent. Such SQL injection attacks are becoming more common as the majority of websites rely on SQL databases. Users could avoid this particular attack by disabling JavaScript in the browser.

IntelliShield published 132 events last week: 48 new events and 84 updated events. Of the 132 events, 112 were Vulnerability Alerts, one was an Applied Mitigation Bulletin, seven were Security Issue Alerts, five were Daily Malicious Code Summaries, four were Malicious Code Alerts, two were Security Activity Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Friday         09/19/2008     8        25      33
Thursday       09/18/2008    13        15      28
Wednesday      09/17/2008    12        16      28
Tuesday        09/16/2008    11        20      31
Monday         09/15/2008     4         8      12
Weekly Total                 48        84     132


Previous Alerts That Still Represent Significant Risk

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 16544, Version 1, August 28, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-3919

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a 0-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-3648

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 25, September 22, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1447

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
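As an added example (not part of the report), the following script shows one way a defender can check whether a resolver actually randomizes the UDP source port and transaction ID of its outbound queries, which is the entropy whose absence this vulnerability exploits. It assumes the input is a list of (source port, txid) pairs extracted from a capture of the resolver's outbound queries; the sample data and the thresholds are constructed for illustration.

```python
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(values, modulus=65536):
    """Fraction of consecutive pairs where the next value is previous + 1.

    Plain entropy misses a counter: 2048 incrementing txids are all distinct
    (11 bits) yet trivially predictable, so this check complements it.
    """
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (a + 1) % modulus == b)
    return hits / (len(values) - 1)


def assess_resolver(samples, min_bits=10.0, max_sequential=0.05):
    """Score a list of (source_port, txid) pairs from one resolver.

    Thresholds are assumptions: min_bits must stay below log2(len(samples)),
    since that is the most entropy any sample of that size can show.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    metrics = {
        "port_bits": shannon_bits(ports),
        "txid_bits": shannon_bits(txids),
        "port_sequential": sequential_fraction(ports),
        "txid_sequential": sequential_fraction(txids),
    }
    weak = (metrics["port_bits"] < min_bits
            or metrics["txid_bits"] < min_bits
            or metrics["port_sequential"] > max_sequential
            or metrics["txid_sequential"] > max_sequential)
    metrics["verdict"] = "insufficient entropy" if weak else "randomized"
    return metrics


def constructed_samples(n=2048, patched=True, seed=1):
    """Constructed test data, not a real capture.

    patched=True  -> random ephemeral port and random txid per query.
    patched=False -> fixed source port 53 and a simple txid counter, the
                     behaviour of unpatched resolvers this alert describes.
    """
    rng = random.Random(seed)
    if patched:
        return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    return [(53, (1000 + i) % 65536) for i in range(n)]


if __name__ == "__main__":
    for label, patched in (("unpatched", False), ("patched", True)):
        print(label, assess_resolver(constructed_samples(patched=patched)))
```

On a live resolver the same pairs can be pulled from a packet capture of outbound queries on UDP/53; a verdict of "insufficient entropy" means the server is still exposed regardless of the vendor's stated patch level.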

Oracle Critical Patch Update July 2008
IntelliShield Security Activity Bulletin 16276, Version 1, July 15, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield Alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 4, September 19, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-2830

Apple Mac OS X and OS X Server and Apple Remote Desktop contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges and leverage them to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability: OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting it.

Physical

The IP for Smart Objects Alliance

Twenty-five companies have formed the Internet Protocol for Smart Objects (IPSO) Alliance, with Geoff Mulligan as the chairman. The IPSO Alliance is designed to encourage the use of IP as the network technology for connecting Smart Objects. Smart Objects report information pertaining to physical objects, such as the state and condition of that object and the surrounding environment. The IPSO Alliance is attempting to increase flexibility and timeliness when analyzing data from a range of applications located around the world, in accordance with the work of the Internet Engineering Task Force (IETF) and the Institute of Electrical and Electronics Engineers (IEEE).

IntelliShield Analysis: Alliances have historically been used to bring companies together to promote a common goal. Businesses could benefit from the IPSO Alliance through collaboration on ideas and research that could generate revenue for those companies' products, thanks to a better understanding of how multiple products communicate over IP. However, as more products join the network, more devices become susceptible to attack, including RFID, automotive systems, and appliances. The concept that one day a multitude of physical devices would be accessing the Internet has been growing in popularity and has been coined the "Internet of Things." As these devices are adopted into the mainstream market, researchers are urging developers to ensure that security is taken into account from the start, so that products are more useful than detrimental. The IPSO Alliance should proceed with caution and aim to fully understand all of the implications that could derive from using a common network technology, and may consider developing strong educational services on IP networking and on connecting Smart Objects so that companies can fully protect their products.

Legal

Candidate Sarah Palin's E-mail Exposed

Sarah Palin, vice presidential candidate of the United States' Republican party, has recently made headlines as the victim of an online intrusion. The Federal Bureau of Investigation and Secret Service are investigating the incident. Several news sources have identified one suspect as David Kernell, a 20-year-old student at the University of Tennessee-Knoxville and son of State Representative Mike Kernell (D-TN). An anonymous forum post initially disclosed the contents of Palin's Yahoo mail account, as well as credential information, on September 17, 2008. Reports indicate that the password reset security questions were brute-forced using publicly available information about Sarah Palin.

IntelliShield Analysis: As Internet culture continues to embrace social networking, online profiles, and greater access to personal data, organizations should rethink the methods they use to verify identity, including allowing customers to define their own questions. Consumers, too, should rethink whether they should give honest answers to security questions like "What is your mother's maiden name?" or whether they should use memorable but undiscoverable alternatives. Further, some sources have alleged that one motivation for breaking into this particular account was that Governor Palin had used non-government e-mail accounts to conduct official business. Beyond the legal ramifications that this would entail for a government official, organizations not bound by such legal restrictions should still consider strict policy controls prohibiting the use of publicly accessible services for official business.

Trust

Cybersquatters Buy Domains in Advance of Bank Mergers

With the purchase of Merrill Lynch by Bank of America, cybersquatters were quick to purchase domain names that either would be desirable to the newly merged bank or could appear legitimate to its customers. So far it has been confirmed that bankofamericamerrilllynch.com and bofaml.com have been registered to outside parties. Similar cybersquatting is occurring based on the projected purchasers of Lehman Brothers.

IntelliShield Analysis: For some time now, cybersquatters have purchased domains that a company or celebrity might want to own, such as www.CorporateName.com, with the intent of profiting from the sale. In this case, however, the domains in question belong to the banking sector. Sites like bankofamericamerrilllynch.com could be set up as spoof sites from which phishing could take place. This is easier to pull off at the moment when changes are taking place and customers are expecting new, unfamiliar domain names to come into use. Such attacks could be used to steal authentication credentials from the customers of these institutions. Corporations facing a situation like this are advised to send their customers proper communication regarding any changes to their official website. This information could be posted on the current website, and physical, postal mail may be preferable to e-mail because it is difficult for a user to confirm that an e-mail is legitimate.

Identity

There was no significant activity in this category during the time period.

Human

Risk Management Systems Skewed on Wall Street

In light of the recent market drop caused in large part by mismanaged mortgage securities, Wall Street firms are realizing that their computer models may have been skewed to assume an optimistic posture and to relate data in simplified terms. Quantitative analysts, or "quants," are hired from the economic, mathematic, and computer fields to assemble financial risk models that help predict potential losses in a myriad of circumstances. Some risk models were not giving the telling signs soon enough, and firms were either not setting aside enough money to cover their riskier investments or not reducing the amounts invested. Once the investments began to show signs of weakening, it was too late for several firms.

IntelliShield Analysis: It would seem that some of the models were overly simplified in order to give the appearance of stability and thereby assist trading, which hid risk that could otherwise have been adequately taken into account. Models that do not give accurate results are not useful, and some auditing may be required to ensure that the models respond accurately and that the data provided and received is of the appropriate fidelity. Organizations should take this opportunity to revisit audit and accountability policies, as well as corporate ethics initiatives. In addition, auditing should be handled by an organization that has no stake in the results and has the power to spot-check the system at random intervals. Employees should be provided with resources that equip them to handle ethical challenges and to escalate ethical concerns without fear of reprisal.

Geopolitical

Implications of Financial Meltdown for Tech Companies

Central banks pumped billions into distressed financial markets late last week as the credit crisis that began a year ago entered uncharted waters. Hopes that the crisis would be limited to a few over-reaching U.S. financial firms dwindled, even as stock markets recovered some losses recently. Trading was halted two days in a row in Moscow, where plummeting Russian stocks, already in decline, have lost more than half of their value since May. Xinhua reported that Japan's major banks had significant exposure to the Wall Street firms that went under last week, and other Asian powerhouses, including China, eased lending rates. Tech stocks have not been spared either, and many technology company executives are putting on a brave face, pointing to cash reserves and to innovative technologies that cut costs and emissions.

IntelliShield Analysis: It looks increasingly unlikely that the technology sector will be able to avoid being impacted by the financial crisis. Companies will feel the pinch first as credit dries up, making it more expensive to borrow money for acquisitions and capital upgrades. Companies cutting staff will face security risks as disgruntled employees exit, possibly with intellectual property or physical assets in hand. Longer term, new tech spending by the full range of consumers, companies, and possibly even governments will pause. One bright spot, noted by those following tech press reports, is that the high-tech data centers belonging to Lehman Brothers and Bear Stearns comprised a sizeable portion of their value, underscoring the residual value of such data centers even under extreme circumstances.

Upcoming Security Activity

Oracle OpenWorld 2008: September 21–25, 2008
OWASP NYC AppSec 2008: September 22–25, 2008
OARC Workshop 2008: September 24–25, 2008
Kiwicon 2k8: September 27–28, 2008
SANS Network Security 2008: September 28–October 6, 2008
BA-Con Argentina 2008: September 30–October 1, 2008
Virus Bulletin 2008: October 1–3, 2008
ekoparty Security Conference: October 2–3, 2008
Critical Infrastructure Protection Congress: October 6–8, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: September 1–31, 2008
Rosh Hashanah: September 29–October 1, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.