Cyber Risk Report

September 8–14, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels during the time period centered around multiple security advisories and updated software releases from Microsoft, Apple, and Sun Microsystems.

Exploit code was released for the ODBC service buffer overflow vulnerability in CitectSCADA and CitectFacilities. A remote attacker could leverage the exploit code to execute arbitrary code with privileges sufficient to take control of the target system. Systems most at risk are those that are exposed to untrusted users on the network. Citect has confirmed this vulnerability and released updated software.

In malicious code activity, PWS-Banker.cs is receiving significant media attention. The associated e-mails that are circulating link United States presidential election candidate Barack Obama to an alleged sex tape. The trojan, described in IntelliShield Alert 13430, is an alias of Infostealer.Banker.E. The malicious e-mails contain subject lines such as "Barack Obama sex story with Ukrainian girl!" The message body states that a video exists that can be downloaded and viewed by clicking on the supplied link. If the user clicks on the supplied link, malicious software is installed on the user's system while the fake video is playing. More information about these types of scams and mitigation methods can be found in the human risk category of this report.

A hacking tool that allows malicious users to create false YouTube websites was discovered during the time period. The websites created using this tool look legitimate and will aid attackers in distributing malicious code. Users should be aware of the existence of suspect websites and try to verify the authenticity of any website before interacting with the content. For assistance in verifying the authenticity of sites and to learn when domains were registered, users can employ the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase website.

Reports indicate that the Rock Phish group has upgraded its botnet infrastructure to an advanced fast-flux botnet. RSA researchers believe that the botnet may be the Asprox botnet described in IntelliShield Alert 16147. IntelliShield analysts expect to see an increase in activity as a result of the partnering of the Rock Phish group and Asprox botnet.

IntelliShield published 132 events last week: 47 new events and 85 updated events. Of the 132 events, 112 were Vulnerability Alerts, seven were Applied Mitigation Bulletins, seven were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Malicious Code Alerts, one was a Security Activity Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        09/12/2008     9        17      26
Thursday      09/11/2008     4         1       5
Wednesday     09/10/2008    14        10      24
Tuesday       09/09/2008    13        28      41
Monday        09/08/2008     7        29      36
Weekly Total                47        85     132


Significant Alerts for September 8–14, 2008

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16647, September 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2639

Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained within their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

Previous Alerts That Still Represent Significant Risk

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 16544, Version 1, August 28, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-3919

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a 0-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
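The following added example (not Cisco or IntelliShield code) models the failure described above with a toy generator: when the only entropy reaching the PRNG is the process ID, the whole key space collapses to one output per possible PID, which is small enough to enumerate. That same enumeration is what lets a defender build a blacklist of every weak key and test existing keys against it, the approach Debian's openssl-blacklist package took. Python's random module stands in for the broken OpenSSL PRNG; the "keys" here are not real OpenSSL output and the PID_MAX value is the assumed Linux default of the time.

```python
"""Why a PRNG seeded only by the process ID yields a tiny key space, and how a
blacklist of every possible output lets a defender detect such keys.
Added toy example: Python's random module stands in for the flawed OpenSSL
PRNG; it is not Cisco/IntelliShield code and does not model real key output."""
import os
import random

PID_MAX = 32768  # assumed Linux default pid_max of the period: pids 1..32767


def toy_keygen(seed_material):
    """Derive a 128-bit 'key' from whatever entropy the caller supplies."""
    return random.Random(seed_material).getrandbits(128)


def key_for_pid(pid):
    """Flawed path: the only entropy reaching the PRNG is the process ID."""
    return toy_keygen(pid)


def key_with_real_entropy():
    """Fixed path: seed from the operating system's entropy pool."""
    return toy_keygen(os.urandom(32))


def build_weak_key_blacklist():
    """Every key the flawed generator can ever produce, one per possible pid.
    Enumerating all of them is cheap, which is the whole problem, and it is
    also how a defender can recognize a weak key without the private seed."""
    return {key_for_pid(pid) for pid in range(1, PID_MAX)}


def is_weak(key, blacklist):
    """True if the key is one the flawed generator could have produced."""
    return key in blacklist


def keyspace_comparison(runs=40_000):
    """Simulate many key generations on hosts with random pids and count how
    many distinct keys result, flawed generator versus fixed generator."""
    rng = random.Random(1)  # fixed seed so the simulation is repeatable
    flawed = {key_for_pid(rng.randrange(1, PID_MAX)) for _ in range(runs)}
    fixed = {key_with_real_entropy() for _ in range(runs)}
    return {
        "runs": runs,
        "flawed_distinct": len(flawed),        # can never exceed PID_MAX - 1
        "flawed_upper_bound": PID_MAX - 1,
        "fixed_distinct": len(fixed),          # one new key per run, in practice
    }


if __name__ == "__main__":
    print(keyspace_comparison())
    blacklist = build_weak_key_blacklist()
    print("pid-seeded key flagged:", is_weak(key_for_pid(4242), blacklist))
    print("properly seeded key flagged:", is_weak(key_with_real_entropy(), blacklist))
```

The point of the comparison is the ceiling, not the exact count: no matter how many hosts generate keys, the flawed generator can produce at most 32767 distinct values, so every one of them can be precomputed and every deployed key checked against that set.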

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-3648

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 23, September 4, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1447

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
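The core of this vulnerability is how little an off-path forger has to guess: a 16-bit transaction ID alone, or the transaction ID plus a randomized source port. The added example below (not Cisco or IntelliShield code) is the check an administrator can run against a capture of a resolver's outbound queries to see which case applies. The log lines are constructed for the example, in the shape a packet-summary tool might print them; the resolver addresses and names are assumptions.

```python
"""Check whether a recursive resolver randomizes DNS query source ports and
transaction IDs, the two fields whose combined entropy the cache poisoning
attack depends on.  Added example, not Cisco/IntelliShield code."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample of outbound queries (src -> nameserver, txid, qtype, qname).
# Resolver 10.0.0.53 reuses one source port; 10.0.0.54 varies it per query.
SAMPLE_LOG = """\
10.0.0.53:53000 -> 192.0.2.10:53 id=0x1a2b A example.test
10.0.0.53:53000 -> 192.0.2.10:53 id=0x9c4d A www.example.test
10.0.0.53:53000 -> 192.0.2.11:53 id=0x3e7f MX example.test
10.0.0.53:53000 -> 192.0.2.10:53 id=0x5051 A mail.example.test
10.0.0.54:41721 -> 192.0.2.10:53 id=0x77aa A example.test
10.0.0.54:60233 -> 192.0.2.11:53 id=0x0b1c A www.example.test
10.0.0.54:18044 -> 192.0.2.10:53 id=0xd3e4 MX example.test
10.0.0.54:55902 -> 192.0.2.10:53 id=0x2f10 A mail.example.test
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> [\d.]+:53 id=0x(?P<txid>[0-9a-f]{4})"
)


def parse_queries(log_text):
    """Return {resolver_ip: [(source_port, txid), ...]} from the summary lines."""
    queries = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            queries[m["src"]].append((int(m["sport"]), int(m["txid"], 16)))
    return queries


def observed_entropy_bits(values):
    """Shannon entropy (bits) of the observed values; with a small sample this
    only shows whether the field varies at all, not its true randomness."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(samples):
    """Classify one resolver's source-port behaviour and state the nominal
    search space a forged response has to hit."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    fixed_port = len(set(ports)) == 1
    # The transaction ID is 16 bits by protocol.  With a fixed source port that
    # is the entire search space; a randomized port adds up to ~16 more bits.
    nominal_bits = 16 if fixed_port else 32
    return {
        "fixed_source_port": fixed_port,
        "port_entropy_bits_observed": round(observed_entropy_bits(ports), 2),
        "txid_entropy_bits_observed": round(observed_entropy_bits(txids), 2),
        "nominal_search_space_bits": nominal_bits,
        "verdict": ("VULNERABLE: patch and enable source-port randomization"
                    if fixed_port else "ok: source port varies per query"),
    }


def assess_all(log_text=SAMPLE_LOG):
    """Assessment keyed by resolver address."""
    return {ip: assess_resolver(s) for ip, s in parse_queries(log_text).items()}


if __name__ == "__main__":
    for ip, report in assess_all().items():
        print(ip, report)
```

A resolver behind a NAT device can lose the benefit even after patching, because the NAT may rewrite the randomized source ports back into a predictable sequence, so the capture should be taken on the outside of any NAT the resolver's queries pass through.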

Oracle Critical Patch Update July 2008
IntelliShield Security Activity Bulletin 16276, Version 1, July 15, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 3, August 1, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-2830

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted systems. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Physical

London Equipment Theft Causes Services Outage

British Telecom customers in central London suffered a service outage after a theft of equipment from a telephone exchange. Several thousand business and residential customers lost service, and servers hosted at the location were down through lost connectivity or theft. Although investigations are still in progress, reports indicate up to GB£2 million worth of equipment may have been taken. Repair efforts are ongoing. Read More

IntelliShield Analysis: Information is not available regarding how the thieves breached the British Telecom exchange facility. Statements indicate the facility was not staffed overnight. Few measures can prevent determined intruders from gaining access to an unmanned facility; however, physical controls such as locks, alarms, monitoring, and lighting can deter would-be thieves. Additionally, the location of the exchange, next to a noisy night club, may have played an unintentional role in covering the theft.

Legal

HIPAA Enforcement Leads to a Resolution Agreement

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which went into effect in April 2005, has finally led to public news of corrective action being taken. The Seattle-based Providence Health and Services has entered into a resolution agreement with the United States Department of Health and Human Services (HHS). The agreement requires Providence to pay a US$100,000 fine, as well as implement a corrective action plan that requires the use of data encryption and other security improvements.
Read More
Additional Information

IntelliShield Analysis: According to the press release issued by HHS, the incidents that led to the agreement were the loss of backup tapes and laptops with unencrypted personal health information data by the Providence company, along with complaints filed against Providence. Other health care companies are certain to take note of this resolution agreement and what led to it being signed by Providence. The agreement might indicate that companies who lose unencrypted health care data are at the highest risk for corrective action from HHS. However, it should also be noted that a security audit was reportedly initiated in March 2007 at the Piedmont Hospital in Atlanta. This audit was unannounced, and no further news has come of that event. The press release from HHS stated: "[HHS has] successfully resolved over 6,700 Privacy and Security Rule cases by requiring the entities to make systemic changes to their health information privacy and security practices." The statement may indicate that audits are occurring privately and that changes are being requested and agreed to by affected parties. Companies in the health care industry are advised to review HIPAA conformance in preparation for unexpected audits. In particular, steps must be taken to secure health data to prevent incidents such as the one that occurred at Providence Health and Services.

Trust

United Airlines Stock Price Falls Due to Six-Year-Old News Story

On September 8, 2008, the stock price for United Airlines fell from the previous week's closing price of US$12.30 to a low of US$3 before rebounding to US$10.92. The fall of the stock price is attributed to the circulation of a December 10, 2002, news story by the Chicago Tribune that was hosted in the archives section of the South Florida Sun-Sentinel, a news outlet owned by the Tribune Company. According to the Chicago Tribune, a single visit to a web page hosting the news story during a period of low traffic caused the news story to be included in the website's list of Most Popular news stories. After another user viewed the story, an automated search agent, Googlebot, located the story and it became available on the Google News website. From there, a reporter for the Income Securities Newsletter saw the news story and published a summary of the article to the Bloomberg news wire.
Read More 
Additional Information

IntelliShield Analysis: This incident demonstrates the dangers of reliance on automated processes and tools without proper human oversight. Although the story did not contain the date, both the URL of the original story and comments posted along with the story included 2002 dates. Human oversight may have been able to identify the age of the story before it was recirculated as current news. Additionally, had the authors of the Income Securities Newsletter researched the article prior to acting on it, this incident may have been averted.

London Stock Exchange Trading Halted Because of Connectivity Fault

The London and Johannesburg Stock Exchanges halted trading on September 8, 2008, because of an inability to complete transactions on the trading systems. At the time, the markets were in a strong rally, with the FT-100 up 4 percent early in the trading day in response to the United States (U.S.) mortgage actions. The problem was reported as a connectivity fault. Trading remained halted until 1500 Greenwich Mean Time (GMT) in London and for a similar period at the Johannesburg Stock Market in South Africa. According to the British Press Association, the event marked the longest period of time that the London market has been down. The incident has raised serious reliability concerns with traders who risked losing millions during the rally if unable to trade on other markets.
Read More
Additional Information

IntelliShield Analysis: The details of the connectivity issue have not been released. Reports indicate the problem may have been an overload of the SETS trading platform that appears to have impacted London and Johannesburg Stock Exchanges. Traders on other markets around the world were able to continue trading and most markets were rallying, following the U.S. mortgage news. In addition to the monetary impact, competition between the exchanges is high and could cause traders to move to other exchanges because of reliability concerns with London.

For many businesses, the availability and reliability of their information systems are directly tied to their brand, reputation, and ability to conduct business transactions. The loss of critical systems can have similar impacts on financial, e-commerce, news, and other market verticals if customers lose confidence in the systems and move to competitors. As business and the volume of information system activity continues to grow, the demand on customer-facing systems can spike to unexpectedly high levels when the potential impact is at its peak. An inability to handle spikes in demand can cause serious damage to businesses. Investment, architecture, and administration of systems should contain the ability to adjust to large volume changes when the highest impact may occur.

Identity

There was no significant activity in this category during the time period.

Human

United States Presidential Election Phishing and Scamming Attacks

The upcoming United States presidential election on November 4, 2008, has prompted a number of phishing attacks and spam e-mails attempting to distribute malicious code. As noted in the malicious code portion of this report, attackers are currently sending e-mails containing a link to a pornographic video supposedly involving Barack Obama. While the flash video is playing, malicious software is installed on the user's system. Phishing scams related to the presidential election campaign and voter registration forms e-mails are also circulating and attempt to trick users into disclosing sensitive information.
Read More 
Additional Information 
Additional Information

IntelliShield Analysis: High-profile political events are easy targets for scam artists and aid attackers in distributing malware. Attackers are particularly skilled at crafting legitimate-looking e-mails to entice users. The e-mails are often timely, interesting, appear legitimate, and may contain a small amount of truth. Numerous users fall victim to these scams on a daily basis, as demonstrated a few months ago with the Beijing Olympic ticketing phishing scams. To avoid political e-mail scams, administrators are advised to educate users in recognizing these types of e-mails. Users should also exercise caution when opening e-mails involving the upcoming election, verifying the authenticity of unexpected links within e-mail messages. Entering sensitive information online can be risky, and users should do extensive research on the website in question to avoid being victimized by phishing scams. Malicious code authors often register fake campaign sites for phishing purposes several months before an event occurs. For assistance in verifying the authenticity of sites and to learn when domains were registered, users can employ the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase website.

Geopolitical

Coca-Cola Takeover Bid will Test China's Anti-Monopoly Law

U.S. beverage maker Coca-Cola's proposed takeover of Huiyuan Juice of China has sparked popular opposition within China and is set for review under China's new anti-monopoly law. The deal to take over China Huiyuan, a popular national brand, is worth US$2.4 billion and is said to be part of Coca-Cola's strategy to become competitive in healthier drinks in the world's single biggest market. The Huiyuan brand is well known in China. The state-run news agency, Xinhua, has reported negative backlash from Chinese citizens who resent the absorption of a popular national brand by a foreign one.
Read More
Additional Information
Additional Information

IntelliShield Analysis: The takeover bid is being closely watched as a test of Beijing's stance on foreign acquisitions of major Chinese companies because several attempted foreign takeovers recently have been blocked, delayed, or diluted. Because of its monetary size and market share implications, the Huiyuan deal requires review under China's new anti-monopoly law that went into effect in August 2008. Given that there is no basis for a national security case in the beverage industry, it would be noteworthy if the proposed deal were blocked or delayed as a result of government concern over popular opposition.
Investors considering acquisitions in China's information technology sector may experience closer scrutiny on national security grounds, but lower brand profile may mitigate the risk of politicization. The state-run news agencies reported during the time period that restrictions on foreign-funded telecommunications firms had been relaxed in a bid to encourage growth in the telecom sector. The development may be a harbinger of a more welcoming environment for the technology sector.

Upcoming Security Activity

IT Security World: September 13–18, 2008
Oracle OpenWorld 2008: September 21–25, 2008
OWASP NYC AppSec 2008: September 22–25, 2008
OARC Workshop 2008: September 24–25, 2008
Kiwicon 2k8: September 27–28, 2008
SANS Network Security 2008: September 28–October 6, 2008
BA-Con Argentina 2008: September 30–October 1, 2008
Virus Bulletin 2008: October 1–3, 2008
ekoparty Security Conference: October 2–3, 2008
Critical Infrastructure Protection Congress: October 6–8, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: September 1–31, 2008
Rosh Hashanah: September 29–October 1, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
