September 29–October 5, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels decreased slightly between August and September 2008. Activity levels were also lower than last week's alert totals, mostly because of the semi-annual Cisco IOS Software advisory and software bundle that was released in the last time period. Independent security researchers announced the sockstress tool during this time period, which reportedly exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not yet publicly released the sockstress tool, and few technical details of the associated vulnerabilities are publicly available. IntelliShield expects this tool to receive considerable attention during the next couple of weeks because the vulnerabilities are said to affect Microsoft, Linux, and UNIX systems as well as firewalls, intrusion prevention systems (IPSs), and other Internet-enabled systems and devices.
Attackers can reportedly use the tool to cause a denial of service (DoS) condition, which could prevent legitimate users from establishing new connections with any resources that rely on the TCP stack of the targeted system. This vulnerability is described in IntelliShield Alert 16773.

Also receiving media attention this time period is the mouse click hijacking vulnerability documented in IntelliShield Alert 16770. The vulnerability affects most web browsers and the Adobe Flash Player. An attacker could exploit this vulnerability to take control of a user's mouse clicks, which is being referred to as clickjacking. The attacker must convince a user to visit a malicious web page to perform this attack. The unsuspecting user appears to be clicking a legitimate link; however, the attacker is controlling the hidden HTML interaction behind the scenes and hiding the hyperlinks that the user is actually following. This type of attack is likely going to be used for phishing scams and malware distribution attacks. Technical details have not yet been released.

Proof-of-concept code was released for the Microsoft GDI VML gradient buffer overflow vulnerability described in IntelliShield Alert 16578, which results in a DoS condition only. Attackers may be able to modify this exploit code to achieve code execution; however, this capability has not been proven.

Citrix released a security advisory and updated software to address the privilege escalation vulnerability in the Citrix Presentation Server this week. To exploit the vulnerability, the attacker must be authenticated and able to create a file in a directory that is normally restricted. No further information has been provided. This vulnerability is described in IntelliShield Alert 16756.

Also during this time period, there was a script injection vulnerability discovered in the MySQL Enterprise and Community Server. The vulnerability allows authenticated, remote attackers to inject arbitrary HTML or other script code into a database that may later be included in a user's browser. An attacker could use this vulnerability to perform cross-site scripting or cross-site request forgery attacks, which could lead to further attacks against the user. This vulnerability is documented in IntelliShield Alert 16766. MySQL has confirmed the flaw and a patch is available.

IntelliShield published 112 events last week: 33 new events and 79 updated events. Of the 112 events, 93 were Vulnerability Alerts, seven were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Malicious Code Alerts, three were Security Activity Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
2008 Monthly Alert Totals
Cumulative Alert Totals
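The clickjacking item above describes a page being loaded in a hidden frame so that the victim's clicks land on it without their knowledge. As an added example that is not part of the Cisco report, the following client-side guard keeps a page's content hidden unless the page is top-level or is framed by an allowlisted origin; the decision is a pure function so it can be tested outside a browser. The names ALLOWED_PARENTS and decideFraming and the allowlisted origin are constructed for illustration. A server-sent framing policy header is the authoritative control; this script is defense in depth for browsers that honor it.

```javascript
// Added example (not from the original report): client-side clickjacking guard.
// The page body starts hidden (e.g. <body style="display:none">) and is shown
// only when the decision below says rendering is safe.

// Constructed allowlist of origins permitted to embed this page in a frame.
const ALLOWED_PARENTS = ["https://intranet.example.test"];

// Pure decision function, testable without a DOM.
//   isTop          - true when window.self === window.top
//   referrer       - document.referrer as seen by the framed document ("" if none)
//   allowedParents - origins that may embed the page
// Returns { render: boolean, reason: string }.
function decideFraming(isTop, referrer, allowedParents) {
  if (isTop) {
    return { render: true, reason: "top-level window" };
  }
  // Framed with no referrer: the parent cannot be identified, so fail closed.
  if (!referrer) {
    return { render: false, reason: "framed by unidentified parent" };
  }
  let origin;
  try {
    // Compare origins (scheme + host + port), never raw URL strings.
    origin = new URL(referrer).origin;
  } catch (e) {
    return { render: false, reason: "framed, unparsable referrer" };
  }
  if (allowedParents.includes(origin)) {
    return { render: true, reason: "framed by allowed origin " + origin };
  }
  return { render: false, reason: "framed by untrusted origin " + origin };
}

// Browser wiring: runs only when a DOM is present (skipped under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const decision = decideFraming(
    window.self === window.top,
    document.referrer,
    ALLOWED_PARENTS
  );
  if (decision.render) {
    document.body.style.display = "block";
  } else {
    // Leave the body hidden and navigate the top window to this page directly.
    window.top.location = window.self.location;
  }
}
```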
Significant Alerts for This Time Period

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
Independent security researchers developed the sockstress tool, which reportedly exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers plan to detail attacks using these vulnerabilities, referred to as TCP state table manipulation vulnerabilities, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland.

Previous Alerts That Still Represent Significant Risk

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed.
This tactic is commonly known as exploiting a zero-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache.
Additional exploit code that could allow complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.

Oracle Critical Patch Update July 2008
Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield Alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
Apple Mac OS X and OS X Server and Apple Remote Desktop contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted sources. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Physical

Naval Research Laboratory Computer Equipment Breach
System administrator Victor Papagno, Jr. pled guilty on Wednesday, October 1, 2008 to charges of stealing almost 20,000 items of Naval Research Laboratory computer equipment. The equipment included obsolete computers, hard drives, zip drives, and floppy disks, valued at over US$1.6 million. Papagno admitted to stealing the equipment during 1997 through 2007. It is unclear if sensitive technological data was obtained, but Papagno was able to gather personal information of 14 employees and contractors. Papagno was arrested in August 2007 after a call to Navy officials from his ex-wife on domestic violence accusations, where authorities discovered the stolen equipment.
Papagno entered into a plea bargain and is expected to serve between 12 and 18 months in prison when sentenced on December 22, 2008.

IntelliShield Analysis: The primary concern here is how easily the administrator was able to take the equipment without raising concerns. Most likely, after employees had left for the day, the stolen equipment remained physically unsecured and was easily removed from the premises. Much of the equipment was either smaller data media or equipment that was considered obsolete. The targeted organization appears to have failed to control its assets, primarily due to a lack of employee oversight. Businesses that wish to overcome these challenges should implement equipment-management systems that track equipment through its life cycle to final disposition.

Legal

United States Congress Passes Broadband Data Improvement Act
The United States (U.S.) Senate has passed a bill that would require the Federal Communications Commission (FCC) to issue an annual report of the available broadband access around the U.S. The new bill requires the FCC to conduct surveys about the availability of broadband access, speed, quality, and price. The FCC will compare the results to 25 other countries to analyze where the U.S. stands compared to other countries in availability and quality of service. Studies have found the U.S. lags behind other developed countries in full broadband access to its citizens and this bill is intended to assist the U.S. in advancing its broadband capabilities. This bill also allows the state governments to create maps to illustrate where broadband is available and where it is not.

IntelliShield Analysis: The FCC currently collects information about broadband use; however, many of its measurements may be misleading or antiquated. This piece of legislation is a good first step because it creates a more accurate picture of which parts of the United States need improved service.
The legislation does not provide a budget for improvements or next steps for expanding broadband services. Broadband service improvement across the country is not something that can happen overnight, and there is no one approach that resolves the problem. The findings provided by the surveys should assist governments, educators, and other organizations in planning how broadband services can best be deployed.

Trust

Skype Service Identified in Chinese Privacy Breach
Researchers at Citizen Lab have uncovered a breach of privacy for Skype users in China and for those interacting with such users. Nart Villeneuve of Citizen Lab initially discovered the monitoring when he noticed that sending a particular profane word generated additional encrypted traffic that was sent to an unidentified IP address. He was able to locate and access the cluster of eight monitoring machines due to a misconfiguration. The logs themselves were encrypted, but the key was located on the system as well. Skype operates in China through a joint venture with TOM Online. As the acting local partner in China, TOM is required to follow the regulations laid out by the Chinese government, which include monitoring and blocking instant messaging traffic that the government deems offensive. Josh Silverman, President of Skype, has acknowledged the findings and is reportedly working to resolve the issue of why these log files were stored, which was not the originally agreed-upon protocol.

IntelliShield Analysis: China's censorship and monitoring practices are well known and it should come as no surprise that they are monitoring the text communication included in Skype. It should be noted that it is not the international version of Skype that is available worldwide that is being monitored, but the clients available in China. Skype is claiming that its core technology is not at fault and that it is an administrative layer on the TOM Online servers that is sending the data to the logging servers.
Even so, black box encryption and obfuscation included in commercial applications should never be confused with true security and privacy. Although Skype has increased in popularity as a low-cost voice, text, and file sharing collaboration tool, businesses should be aware that it and other web 2.0 products have security considerations for transmitting sensitive or private data.

Identity

Ohio Woman Alleges Identity Was Stolen from County Public Records Published on the Internet
An Ohio woman who received a speeding ticket in 2003 found in 2004 that two large purchases had been made in her name. She contends that the identity thieves who made the transactions had obtained the needed identity information from an image of her speeding ticket that had been made publicly available on the Internet due to a policy of putting public records online. The original ticket contained an incorrect digit in her driver's license number, and the license presented for the fraudulent transactions had the same mistake.

Human

Cisco User Behavior and Data Loss Study
Cisco has released the findings of a study, based on a survey conducted by InsightExpress, of 2000 employees and IT professionals from ten countries. The study focused on identifying users' behavioral risks in the current business environments, the effect of cultural and regional differences, and the resulting data loss impact. The study's findings included these results: seven of ten reported data loss incidents resulted from employee access of unauthorized applications and websites, nearly half of employees responded that they shared work devices, and two of three used their work computers daily for personal use. The study also identified cultural impacts in which users in specific countries are more likely to perform specific risky behaviors. The study materials also include recommendations for addressing the risky behaviors from a local and global perspective.
IntelliShield Analysis: The global nature of this study and reporting of regional findings may be the most interesting aspect to security and IT professionals. Although the risky behaviors and dynamic business environments are common to many, this study looks at why users take these risks and how the behaviors are related to culture and region. The study data allows security and IT professionals to consider the global findings in developing high-level strategies and policy, while tailoring the critical user education, awareness, and procedures at a local level to those users, their culture, and their region.

Geopolitical

Undersea Cable Is Reminder of Vulnerabilities and Interdependence
The first undersea fiber optic cable directly linking the United States (U.S.) and China is up and running, according to press reports. The US$500 million investment pooled the talents of a consortium of international telecommunications companies led by China Telecom and including China Unicom, Chungwha Telecom, Japan's NTT, Korea Telecom, AT&T, and Verizon. The first phase connects two points in China, Chongming and Qingdao, with Nedonna Beach in the U.S. state of Oregon. This phase also provides further connectivity to other southern Asian points. The second phase of the project, called the Trans-Pacific Express (TPE), will include a northern route to Japan. The fiber optic cable will eventually be some 18,000 km long and carry 2.56 terabits per second.

IntelliShield Analysis: The new TPE is both a badly needed new highway for communication routes between Asia and the U.S., and a reminder of increasing global interdependence and vulnerability. Although the cable provides welcome redundancy, it also will increase dependence on high-bandwidth services, which are rapidly becoming mission-critical mainstays of international business.
Companies that are involved in offshoring and outsourcing will recognize that while total blackouts are unlikely when redundancies are in place, even sluggishness due to cable outages can spell major losses. In late January 2008, several undersea cables linking the Middle East and India with Europe were simultaneously disabled, causing total outages to some regions and sluggishness in others. It is easy to forget that our virtual world is connected with physical lines, which are not only vulnerable to natural forces such as weather, but also have the potential to become geopolitical bargaining chips and targets for terrorism.

Upcoming Security Activity

SANS Network Security 2008: September 28–October 6, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.