
IntelliShield Cyber Risk Report

February 25–March 2, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

During this period, a slight rise in the number of newly reported events accompanied further information on previously reported events. Wireshark released a security advisory and an updated software version to address three previously undisclosed vulnerabilities in the Stream Control Transmission Protocol (SCTP), Simple Network Management Protocol (SNMP), and Trivial File Transfer Protocol (TFTP) dissectors. The vulnerability in the TFTP dissector affects only Ubuntu systems. In each case, a remote attacker could exploit the vulnerability to cause Wireshark to crash.

The Mozilla Foundation released version 2.0.0.12 of the Thunderbird e-mail client to resolve five known vulnerabilities and one previously undisclosed vulnerability. IntelliShield analysts expect many Linux vendors to release updated packages in response to the Thunderbird fix.

WinCE.Infomeiti, also known as InfoJack, is targeting mobile devices running Windows CE. This worm, documented in IntelliShield Alert 15259, attempts to steal sensitive information from the device and sends the data to a predetermined website that the malware author may be able to access. The worm also disables Windows Mobile application installation security, allowing unsigned applications to be installed on the device without warning. The worm is being distributed with legitimate games, applications for stock trading, and Google Maps, and is reported to be circulating in China. In the past, mobile phone viruses have typically targeted devices running the Symbian Operating System. WinCE.Infomeiti may be one of the first worms to affect devices running Windows CE. Users are advised to install antivirus software on the mobile device and to scan files for viruses before installing any downloaded applications.

IntelliShield published 161 events last week: 56 new events and 105 updated events. Of the 161 events, 139 were Vulnerability Alerts, ten were Security Issue Alerts, five were Daily Malicious Code Summaries, five were Security Activity Bulletins, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        02/29/2008    10       20     30
Thursday      02/28/2008    15       27     42
Wednesday     02/27/2008     6       14     20
Tuesday       02/26/2008    12       19     31
Monday        02/25/2008    13       25     38
Weekly Total                56      105    161

 

2008 Monthly Alert Totals

Month         New  Updated  Monthly Total
January       178      452            630
February      243      452            695
Annual Total  421      904           1325


Previous Alerts That Still Represent Significant Risk
Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability when handling legacy formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability and no updates are available.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.


Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 3, February 15, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate attackers are actively using this vulnerability to compromise affected systems.


Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 3, February 27, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the target system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C as documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 3, February 27, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 2, January 17, 2008
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are not likely to be widespread, as details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 14720, Version 5, January 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3039

Microsoft Message Queuing Service contains a vulnerability that can allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 machines. This exploit code is more automated than the previously disclosed proof-of-concept code. The new exploit code requires only minor modifications by an attacker for each targeted host system. The exploit automatically extracts the FQDN of the host from its NetBIOS name, making it easier for an attacker to exploit this vulnerability. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Physical

Florida Blackout

In the United States, a substation in Miami, Florida, caused a blackout that affected approximately three million people. The power outage caused two distribution lines between Miami and Daytona to fail, resulting in the shutdown of Florida Power and Light's two Turkey Point nuclear plants. The cause of the blackout is still under investigation. Most of the outage was in southeastern Florida, but there were also documented outages in southwestern and northeastern Florida. Power was restored to most cities within two hours.

IntelliShield Analysis: Many businesses have backup generators to facilitate normal operations during an outage. During this outage, reports circulated that hospitals were switching to backup generators, that restaurants were giving away food rather than allowing it to spoil, that police and fire authorities were working overtime responding to outage-related emergencies, and that shoppers were stranded at malls. While individual organizations may be prepared for outages, this incident highlights the need for business continuity planners to plan for power disruptions that affect an entire region.

Legal

German Court Revises Surveillance Law

Germany's highest court has approved a law that allows the State to monitor Internet activity when loss of life might be prevented or in case of an attack on the country. The Constitutional Court ruled that the allowed surveillance would have to be approved by a judge. This decision overturns the controversial North-Rhine Westphalia law, which gave the government an expansive set of powers and extended little protection for the rights of individuals.

IntelliShield Analysis: The legal systems of most countries have had a difficult time keeping pace with the fast advancements of technology, especially in telecommunications and Internet surveillance. The North-Rhine Westphalia law was criticized for taking too many liberties with the rights of the general population. Organizations should continue to take steps to protect networks and proprietary information and expect further legal adjustments as the balance between personal liberty and national security continues to be fine-tuned.

Trust

Stolen FTP Credentials Available for Download

Finjan, Inc., a security vendor, has discovered a database of stolen File Transfer Protocol (FTP) server credentials on a server located in Hong Kong. The information includes the server IP addresses, usernames, and passwords for 8700 distinct accounts, 2600 of them belonging to servers owned by North American companies. While the database is located in Hong Kong, the contents are in Russian.

IntelliShield Analysis: Russian cybercriminal groups reportedly trade in stolen credit card numbers and other credentials and sell the designer malcode that allows a purchaser to harvest such data. This is the first report of a database of stolen FTP server credentials. It is believed that the FTP accounts are being used to break into corporate web servers and pollute them with code or links to sites serving malicious code created to infect computers with trojans and keyloggers.

Corporations can better protect themselves from an attack by not allowing remote users FTP access to their web servers. FTP access can be restricted to internal users, with remote access for those who need it available through a virtual private network (VPN). At minimum, companies are advised to reset FTP passwords on systems that can be reached remotely until further protective measures can be implemented. This action will provide only a temporary safeguard, because attackers are reportedly deploying brute-force attacks to break into FTP accounts on systems whose FTP service is exposed to the Internet.
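A defender-side check for the two points above (FTP logins should come only from internal or VPN ranges, and exposed accounts draw brute-force attempts), as an added example that is not part of the report. The vsftpd-style log lines, the trusted address ranges and the failure threshold are constructed assumptions.

```python
"""Added example, not from the IntelliShield report: review FTP login
records against the advice above. The log format (vsftpd-style), the
trusted address ranges and the failure threshold are all assumptions."""
import ipaddress
import re
from collections import Counter

# Assumed trusted sources: the internal LAN and the VPN client pool.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]  # VPN pool

# Constructed sample lines in vsftpd's log style; real formats vary.
SAMPLE_LOG = """\
Mon Feb 25 10:01:02 2008 [pid 1001] [webadmin] OK LOGIN: Client "10.1.2.3"
Mon Feb 25 10:02:10 2008 [pid 1002] [webadmin] FAIL LOGIN: Client "203.0.113.9"
Mon Feb 25 10:02:11 2008 [pid 1003] [webadmin] FAIL LOGIN: Client "203.0.113.9"
Mon Feb 25 10:02:12 2008 [pid 1004] [webadmin] FAIL LOGIN: Client "203.0.113.9"
Mon Feb 25 10:02:13 2008 [pid 1005] [root] FAIL LOGIN: Client "203.0.113.9"
Mon Feb 25 10:02:14 2008 [pid 1006] [webadmin] OK LOGIN: Client "203.0.113.9"
Mon Feb 25 10:05:00 2008 [pid 1007] [deploy] OK LOGIN: Client "192.168.50.7"
Mon Feb 25 10:06:00 2008 [pid 1008] [deploy] OK LOGIN: Client "198.51.100.4"
"""

LINE_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def is_trusted(ip):
    """True if the client address falls inside the internal or VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text, fail_threshold=3):
    """Return (untrusted, brute, guessed):
    untrusted: (user, ip) for successful logins from outside trusted ranges,
               i.e. policy violations or, where the policy is already
               enforced, a stolen credential in use;
    brute:     ip -> failure count for sources at or above the threshold;
    guessed:   sources that failed repeatedly and then logged in."""
    untrusted, guessed, failures = [], set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, result, ip = m.group("user", "result", "ip")
        if result == "FAIL":
            failures[ip] += 1
            continue
        if not is_trusted(ip):
            untrusted.append((user, ip))
        if failures[ip] >= fail_threshold:
            guessed.add(ip)
    brute = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return untrusted, brute, guessed


if __name__ == "__main__":
    for name, finding in zip(("untrusted", "brute", "guessed"), analyze(SAMPLE_LOG)):
        print(name, finding)
```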

Identity

Research Paper Tracks Industry Identity Fraud Incidences

Chris Hoofnagle, Senior Staff Attorney at the University of California at Berkeley School of Law, recently published a report that attempted to measure the frequency of incidents of identity fraud at banks, insurers, mortgage lenders, and other companies. The data for the report came from reports to the United States Federal Trade Commission (FTC) in which customers indicated where fraudulent accounts were established or where existing accounts were affected. Because of the huge amount of data recorded by the FTC, the data used in Hoofnagle's report came from a random three-month sample from 2006.

Because of the size of the sample and the origin of the data, the report may not account for seasonal or incidental variations in patterns of identity theft, and the age of the data may not reflect recent trends. Finally, incidents are indexed against the total deposits of a given corporation, as the number of customer records is not publicly available. Thus, the incident value is the number of reports per billion dollars of deposits, a relative indicator of the number of customers affected by identity theft or fraud at a given corporation.

IntelliShield Analysis: Potential customers may find it difficult to choose a bank or mortgage lender based on the relative security of an institution. Little information exists publicly that allows customers to make an informed choice. Although Hoofnagle's report may be inexact, it clearly illustrates the relative lack of reporting by financial entities of the frequency of fraud affecting their customers. Customers, including businesses that use the services of financial institutions, are advised to request information on the frequency of identity fraud from a potential service provider as part of the process of choosing a financial services company. Currently, these institutions have no mechanism for self-reporting.

Human

Unwarned Students and Faculty Surprised by Security Test

A security drill at Elizabeth City State University in North Carolina did not go as planned when an undercover police officer entered a classroom and pretended to hold the students and professor hostage. The event was part of an emergency e-mail alert system drill, and e-mail notifications, with no specifics given, had been sent a few days prior to the event. Moments before the drill began, an e-mail alert was sent stating that a gunman would be in the campus Moore building and that he would be detained by police. Unfortunately, only about half the campus population had signed up to be part of the notification service. Although several students were frightened, no one suffered any physical harm.

IntelliShield Analysis: Since the Virginia Tech shootings, many schools, campuses, and institutions are focusing their attention on improving physical security. Emergency threat procedures need to be tested on a regular basis and require careful advance planning. Creating a realistic emergency test situation may produce the same panic, fear, and reactionary responses as would occur during an actual attack. Outside factors, such as lack of communication with city and state emergency personnel or the actions of unsuspecting bystanders, could escalate the incident beyond the control of the planners. This test demonstrates that communication remains the weakest link when it comes to emergency response.

Geopolitical

India's Choice

United States (U.S.) Defense Secretary Robert Gates' visit to India last week occurred shortly after a major New Delhi sales fair featuring global weapons suppliers competing for a share of India's largest-ever military upgrade budget. Gates' visit also came just prior to the Indian military's original March 3, 2008, deadline on bids for fighter jet contracts worth some $10 billion. The deadline was unexpectedly (and without much explanation) extended to April 28, 2008, immediately after the U.S. Defense Secretary's departure. Gates' visit has intensified speculation over U.S. efforts to move India away from its past reliance on military systems from Russia. U.S.-India relations have not been without challenges, as evidenced by a proposed U.S.-India nuclear cooperation agreement that is currently languishing in India's parliament. At the same time, Russia, increasingly assertive in its relations with the West, has frustrated Indian clients by delaying delivery of the aircraft carrier Admiral Gorshkov, which Russia had promised to India, and by raising the previously agreed price.

IntelliShield Analysis: India faces several complicated choices in the coming weeks that will have far-reaching implications. It is possible that the Indian government obtained new information from Secretary Gates that changed its calculations and necessitated the deadline extension.

From a tactical point of view, acquiring military equipment from suppliers of diverse nationalities is likely to create interoperability issues. Moreover, software and hardware compatibility may become more important now, given India's plans to expand military cooperation with the U.S. and Australia. At the same time, decision-makers in India may be seeking to balance the strategic influences of Russia and the U.S. There is a significant contingent within Indian political circles that is cautious about becoming too dependent on the U.S. for its security. Adding to these concerns is the rising influence of China, and the concern that it could potentially control key Indian Ocean sea lanes. This changing security environment, as well as more tactical considerations, will no doubt play a major role in India's choice of the new fighter jets.

Upcoming Security Activity

Internet Engineering Task Force Conference: March 9–14, 2008
Microsoft Security Bulletin Update for March: March 11, 2008
Black Hat Europe: March 25–28, 2008
CanSecWest: March 26–28, 2007


Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:
11th National People's Congress Convenes: March 15–25, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
