October 1–7, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Cyber vulnerability and threat activity levels continued to decline during this period. Microsoft released the Microsoft Security Bulletin Advance Notification for October. Of the seven bulletins scheduled for release on October 9, 2007, Microsoft rated four with a maximum severity of critical and three with a maximum severity of important. Affected software includes Microsoft Windows, Outlook Express, Windows Mail, Internet Explorer, Windows SharePoint Services, and Office.

During this period, visitors to the Chinese Internet Security Response Team (CISRT) website were served a malicious iFrame. The iFrame directs the user's browser to a malicious web page that attempts to exploit a buffer overflow vulnerability in the BaoFeng Storm ActiveX control in order to download a malicious executable file. That file in turn attempts to download up to 20 distinct trojans onto the system.
Only a random subset of visitors received the injected iFrame, which made the attack difficult to detect and reproduce. Technical details of how the injection was carried out are not currently available. CISRT reports that the attack did not result from a vulnerability in the website itself and is instead likely a variation of an ARP storm and injection attack, that is, ARP spoofing on the web server's network segment that inserts content into HTTP responses in transit rather than modifying the site's files. Until CISRT can locate and remove the source of the attack, users should consider the CISRT website insecure and take appropriate measures.

IntelliShield published 54 events last week: 19 new and 35 updated events. Of the 54 events, 43 were Vulnerability Alerts, four were Security Issue Reports, four were Daily Virus Reports, two were Security Activity Reports, and one was a Malicious Code Alert. The alert publication totals are as follows:

Weekly Alert Totals
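Returning to the CISRT incident: an ARP storm and injection attack of the kind described leaves two footprints on the server's own network segment, an IP address (typically the gateway's) that suddenly resolves to a different MAC, and a flood of ARP replies from one station keeping the poisoned entries alive. The following is an added example, not code from the original report or from CISRT, that runs the two arpwatch-style checks over a constructed list of ARP replies; the addresses, the attacker MAC, and the thresholds are all assumptions.

```python
"""Flag ARP cache-poisoning symptoms (IP-to-MAC flips and reply storms)
in a list of ARP replies. Added example with constructed data; this is not
a capture from the CISRT incident."""
from collections import defaultdict, deque

# Constructed sample: (time_ms, sender_ip, sender_mac) taken from ARP replies
# seen on the web server's segment. Addresses and MACs are hypothetical.
GATEWAY_IP = "10.0.0.1"
LEGIT_GW_MAC = "00:11:22:33:44:01"
ATTACKER_MAC = "de:ad:be:ef:00:99"

SAMPLE_ARP_REPLIES = (
    [(0, GATEWAY_IP, LEGIT_GW_MAC),
     (500, "10.0.0.20", "00:11:22:33:44:20"),
     (1000, GATEWAY_IP, LEGIT_GW_MAC)]
    # attacker claims the gateway's IP, 12 replies within 0.6 s
    + [(2000 + 50 * i, GATEWAY_IP, ATTACKER_MAC) for i in range(12)]
    + [(5000, GATEWAY_IP, LEGIT_GW_MAC)]   # real gateway answers again
)


def detect_mac_flips(replies):
    """Return (time_ms, ip, old_mac, new_mac) each time an IP is claimed by a
    MAC different from the last one seen for it (an arpwatch 'flip flop')."""
    last_mac = {}
    flips = []
    for t, ip, mac in replies:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            flips.append((t, ip, prev, mac))
        last_mac[ip] = mac
    return flips


def detect_reply_storms(replies, window_ms=1000, threshold=10):
    """Return (time_ms, mac, count) the first time a single MAC sends at least
    `threshold` ARP replies inside a sliding window of `window_ms`. A poisoner
    must keep re-advertising to stop victims' caches from healing."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for t, _ip, mac in replies:
        window = recent[mac]
        window.append(t)
        while window and t - window[0] >= window_ms:
            window.popleft()
        if len(window) >= threshold and mac not in alerted:
            alerted.add(mac)
            alerts.append((t, mac, len(window)))
    return alerts


if __name__ == "__main__":
    for flip in detect_mac_flips(SAMPLE_ARP_REPLIES):
        print("MAC flip  t=%dms %s: %s -> %s" % flip)
    for alert in detect_reply_storms(SAMPLE_ARP_REPLIES):
        print("ARP storm t=%dms %s sent %d replies within 1 s" % alert)
```

On the constructed data the first check fires twice, when the attacker takes over the gateway address and again when the real gateway reasserts it, and the storm check fires once the attacker's tenth reply lands inside one second. On a real segment, feed it `tcpdump -n arp` output and treat any flip of the gateway or of the web server's own address as an incident, since that is exactly what lets an on-segment host rewrite HTTP responses.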
Previous Alerts That Still Represent Significant Risk

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. A successful exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos, and their vendors will likely release updated software to address this vulnerability.

Oracle JInitiator ActiveX Control Buffer Overflow Vulnerability
The Oracle JInitiator ActiveX control contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user. The systems most at risk are terminal servers and workstations that contain the affected ActiveX control, and systems whose users browse both internal Oracle tools and external sites. Oracle has not confirmed this vulnerability, and no updates are available.

Cisco IOS Next Hop Resolution Protocol Buffer Overflow Vulnerability
Cisco IOS contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Proof-of-concept code that demonstrates the DoS condition is publicly available. Attackers will likely require access to trusted, internal networks to exploit this vulnerability, because the use of NHRP is typically limited to internal or private networks. Cisco confirmed this vulnerability in a security advisory and released updated software.

ISC BIND Insecure Default ACL Information Disclosure Issue
ISC BIND versions 9.4.0 and 9.4.1 contain an issue that could allow an unauthenticated, remote attacker to access potentially sensitive information or make recursive queries. Proof-of-concept code is available that demonstrates a possible exploit method.
ISC BIND Weak DNS Query ID Generation Cache Poisoning Vulnerability
IntelliShield Vulnerability Alert 13831, Version 10, September 26, 2007
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to poison the DNS cache. Because the 16-bit transaction ID of an outstanding query is predictable, an attacker can forge a response that the resolver accepts as genuine. Proof-of-concept code for predicting query IDs is publicly available. ISC confirmed this vulnerability in a security advisory and released updated software.

IntelliShield Activity Report: Oracle July 2007 Critical Patch Update
Oracle has released the July 2007 Critical Patch Update to address 45 vulnerabilities in Oracle products. The vulnerabilities affect the Oracle Database, Application Express, Application Server, E-Business Suite and Applications, and Oracle PeopleSoft and related products. Of the 45 vulnerabilities, 13 are exploitable without any prior authentication to the Oracle product.

Physical

Homeland Security Video Demonstrates Attack on Power System

A video that shows the destructive results of a research cyber attack on an electrical generator raised concerns about the security of critical infrastructure control systems known as Supervisory Control and Data Acquisition (SCADA) systems. The research attack, conducted and taped by the Idaho National Laboratory, was not intended for public release but was meant to show high-level government officials the potential impact of an attack on SCADA systems. The Department of Homeland Security (DHS) and the Idaho National Laboratory are increasingly focused on the security of the SCADA systems that control electrical, water, and other critical infrastructures.

IntelliShield Analysis: Few people are familiar with SCADA systems and may be disproportionately alarmed by the video and reports. These are critical infrastructure control systems that certainly deserve the increased attention and research of the Idaho National Laboratory.
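Before the alert summary, an added example (not from the original report and not ISC's code) of why weak query ID generation is a cache-poisoning vulnerability. A resolver that accepts any reply whose 16-bit transaction ID matches the outstanding query is safe only if that ID cannot be guessed. The simulation below uses a hypothetical 16-bit linear congruential generator as the weak source (it is not BIND's actual algorithm), a CSPRNG as the fixed one, and an off-path attacker who learns one ID by making the resolver query a domain the attacker controls, predicts the next, and races the legitimate answer with a forged one. Domain names and addresses are assumptions.

```python
"""Simulated DNS cache poisoning against predictable vs. unpredictable
transaction IDs. Added example; the weak generator is hypothetical and is
not BIND's real query ID algorithm."""
import secrets

ID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide


class WeakIdGenerator:
    """Hypothetical 16-bit linear congruential generator. Its entire state is
    the last ID it emitted, so one observed ID fixes every ID that follows."""
    A, C = 25173, 13849

    def __init__(self, seed=1):
        self.state = seed % ID_SPACE

    def next_id(self):
        self.state = (self.A * self.state + self.C) % ID_SPACE
        return self.state


class StrongIdGenerator:
    """IDs drawn from the OS CSPRNG: what 'unpredictable query IDs' means."""
    def next_id(self):
        return secrets.randbelow(ID_SPACE)


class Resolver:
    """A caching resolver that accepts a reply as long as its transaction ID
    matches the outstanding query for that name (the only check modelled)."""
    def __init__(self, idgen):
        self.idgen = idgen
        self.cache = {}
        self.pending = {}   # qname -> transaction ID awaiting an answer

    def send_query(self, qname):
        txid = self.idgen.next_id()
        self.pending[qname] = txid
        return txid

    def receive_answer(self, qname, txid, ip):
        if self.pending.get(qname) != txid:
            return False    # ID mismatch: reply discarded
        self.cache[qname] = ip
        del self.pending[qname]
        return True


def predict_next_id(observed_id):
    """Attacker's model of the weak generator: re-seed it with the ID just seen."""
    return WeakIdGenerator(observed_id).next_id()


def poisoning_attempt(resolver):
    """One off-path attack. The attacker runs the authoritative server for
    probe.attacker.example, so it sees the ID of the resolver's query for it."""
    observed = resolver.send_query("probe.attacker.example")
    resolver.receive_answer("probe.attacker.example", observed, "203.0.113.9")
    forged_id = predict_next_id(observed)
    resolver.send_query("www.victim.example")          # the victim's lookup
    # forged reply arrives before the real one; 203.0.113.66 is a rogue host
    return resolver.receive_answer("www.victim.example", forged_id, "203.0.113.66")


def run_trials(make_idgen, trials=200):
    """Number of successfully poisoned caches across `trials` fresh resolvers."""
    return sum(poisoning_attempt(Resolver(make_idgen())) for _ in range(trials))


if __name__ == "__main__":
    weak = run_trials(lambda: WeakIdGenerator(secrets.randbelow(ID_SPACE)))
    strong = run_trials(StrongIdGenerator)
    print(f"weak generator:   {weak}/200 caches poisoned")
    print(f"CSPRNG generator: {strong}/200 caches poisoned")
```

With the weak generator every trial succeeds even though each resolver starts from a random seed, because the attacker needs only one observed ID, not the seed. With the CSPRNG the forged reply matches with probability 1/65536 per attempt. Note that an unpredictable ID is still only 16 bits, which is why later resolver hardening also randomized the UDP source port.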
However, the lack of external knowledge about these unique systems, along with numerous other mitigating factors, makes the probability of a successful malicious cyber attack on SCADA systems low. A successful attack would likely require in-depth insider knowledge, access, and assistance, all of which are subject to numerous security controls. As with most sensitive control systems, humans monitor these computer-controlled systems and can override the computers and take manual control when necessary. Most security and risk assessments show that the greater risk to the critical infrastructure is physical attack. Operators of these sensitive systems should coordinate security activities closely with the DHS and industry groups.

Legal

Companies Weigh Cost of Compliance Ahead of PCI Deadline

Companies that operate within the scope of the Payment Card Industry Data Security Standard (PCI DSS), both merchants and card brokers, are approaching the upcoming compliance deadline with mixed views. Most companies are expected to be lagging behind, except for the largest and most security-conscious organizations. Several smaller companies may be considering intentionally failing their first audit to get a clear view of what is required of them before expending limited resources in preparation. Further, some Chief Information Officers at larger companies are debating whether to comply at all, on the assumption that the financial penalties do not significantly outweigh the implementation costs.

IntelliShield Analysis: While regulatory compliance is rarely easy or welcome, it is especially scrutinized at the outset, and it would be preferable for more institutions to be well prepared to meet compliance goals sooner rather than later. Unfortunately, resistance to PCI DSS seems to be easier for companies than resistance to other compliance standards, such as the Sarbanes-Oxley Act, which carry criminal repercussions.
The decision by some smaller companies to fail first and address problems after the initial audit is a concern, but it could be viewed as a reasonable short-term approach to a standard that could carry high costs for a small enterprise. It is also far better than the stance of larger companies that debate whether to pursue compliance at all. It is essential that entities consider not only their own financial concerns but also the care and handling of customer information. Customers may consider pushing card brokers and merchants to ensure compliance, but without significant motivation, some companies may opt for penalties at the expense of protecting sensitive financial data and transactions.

Trust

Restrictive Whois Policy for .name Top-level Domain

The .name registry has reached a compromise between the Internet Corporation for Assigned Names and Numbers (ICANN) Whois lookup policy and the European Union's Data Protection Act. ICANN is responsible for regulating top-level domains (TLDs), including .com and .net. The compromise allows the Global Name Registry (GNR) to create tiered levels of access to Whois data. Previously, ICANN required registrars to make registrant information publicly available. GNR now requires security researchers who need more than basic information to pay for each detailed .name lookup: GNR sells five passwords, each valid for 24 hours, for US$2. Security researchers can still access minimal information for free but must pay for additional detailed information. The compromise also allows high-volume requestors to enter into a contract with GNR.

IntelliShield Analysis: The compromise between ICANN and the European Union's Data Protection Act is causing frustration for security professionals who work with registrars to prevent the spread of malicious code or attacks.
The new policy may allow attackers to take advantage of the system to hide their identity from those unwilling to pay. Researchers may need to report thousands of domains, which, at US$2 per name, could become a significant cost. Companies may be able to pressure GNR into changing its approach, but if further attacks originating from within the .name namespace go unstopped, many companies may choose instead to block access to the entire domain. In the meantime, traffic to and from the .name domain may deserve further scrutiny.

Identity

Computer Stolen from Gap

Gap, Inc. announced the compromise of sensitive data belonging to an estimated 800,000 job applicants from the United States and Canada. The data was compromised when a laptop was stolen from a third-party vendor. The CEO of Gap released a statement saying that the agreement with the third-party vendor called for the encryption of sensitive data. Nevertheless, Gap has begun notifying affected persons and is providing credit monitoring. Reports indicate that the company is not aware of any illegal use of the data.

IntelliShield Analysis: Gap, Inc. is only the latest company to experience a sensitive data compromise. Such events highlight the continuing challenges of securing mobile users and systems, encrypting data, and verifying the security procedures of third-party vendors. Because data compromises continue, multiple security solutions have been developed to address each of these issues; however, many companies are still evaluating, budgeting, and preparing implementations of the measures appropriate for their environments. While related identity legislation continues to be debated and implemented in some locations, national and international identity protection laws will likely soon establish guidelines and deadlines. Security managers are advised to address these issues internally, and to extend the requirements to third-party vendor and partner agreements, ahead of mandatory requirements.
Human

Storm Worm Continues to Prey on Users

The Storm worm continues to deceive users even after nine months. The worm remains strong because its authors update and tailor its diversely formatted e-mails to reference current natural disasters, sporting events, and other world events. Some e-mails carry file attachments that contain a copy of the worm, while others simply carry a URL that links to a website hosting the worm.

IntelliShield Analysis: IntelliShield expects these e-mail variations to continue as long as infection rates remain high. Expect a number of themed e-mails during the United States holiday season, specifically around Halloween, Thanksgiving, and Christmas. Consumers can no longer rely on security software alone to keep up with the variations and maintain the security of their systems. Organizations are encouraged to educate and train business users on the methods to avoid the Storm worm and other malicious code attacks as the primary means of prevention. Restricting permitted attachment file formats is also a good step toward reducing the number of Storm worm variants that arrive as executable file attachments. Spam filtering software should also be used to block the known Storm e-mails. Administrators should warn users promptly of these attacks and emphasize the impact of this worm.

Geopolitical

Musharraf's Future Still in Doubt

Although Pakistan President Pervez Musharraf was reelected Saturday, his fate is still in doubt because the country's Supreme Court will not rule on the validity of his candidacy until after October 17, 2007. This date coincides with the planned return to Pakistan of exiled former Prime Minister Benazir Bhutto. Bhutto is seeking a power-sharing deal with Musharraf, who recently cleared her of legal charges. The last-minute court ruling prolongs Musharraf's and Pakistan's political interregnum. If the power-sharing agreement goes forward, there is hope that the political crisis will subside.
However, the situation is far from resolved. A validly elected Musharraf faces parliamentary elections next spring and must contend with the recent uptick in violence in the rural provinces, along with continued negative popular sentiment following his harsh crackdown at Islamabad's Red Mosque this past summer.

IntelliShield Analysis: Although the situation remains fragile, there is reason to believe that street violence may quiet following the establishment of Musharraf as a civilian president, especially if a deal can be struck with Bhutto. A stable Pakistan may allow the military to better suppress extremism in the northwest, reassure neighboring India, and get Islamabad's budding telecom businesses back to work. However, if Musharraf tries to hold onto his military position or declares martial law in response to increased street violence, the situation may yet deteriorate.

Bain/Huawei's 3Com Acquisition Makes United States Uneasy

A national security review of American firm Bain Capital's proposed acquisition of networking company 3Com is under way because of Chinese IT giant Huawei's proposed 16.5 percent stake in the deal. Privately held Huawei has long had image problems in the United States, mostly due to its alleged close ties to the Chinese People's Liberation Army. United States officials are concerned because of 3Com's networking infrastructure business with the Pentagon. Huawei's part in the deal also raises concerns because Huawei recently sold back to 3Com its stake in a joint venture between the two companies.

IntelliShield Analysis: Huawei probably views a stake in 3Com as a foothold in the United States market, as well as an important technology acquisition. Such an acquisition will likely lead the Committee on Foreign Investment in the United States (CFIUS), chaired by the Department of the Treasury, to scrutinize and possibly block the deal. 3Com makes multiple security products that are widely deployed throughout United States government and commercial environments.
Huawei rival ZTE signed a deal with Cisco Systems, broadening ZTE's potential American reach at a time when the two Chinese IT giants are locked in intense competition to expand their international business. Given the size of the American market, Huawei probably sees the United States as must-win territory. Regardless of whether the 3Com deal goes forward, Huawei has brand-image work to do in the United States.

Upcoming Security Activity

United States National Cyber Security Awareness Month: October 2007

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: September 13–October 11, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
