September 22–28, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity during the time period focused on security advisories and updated software released by multiple vendors. Cisco released its semi-annual advisory and software bundle for Cisco IOS products. Cisco released a summary of this bundle at the following link: Semi-Annual Cisco IOS Advisory Bundled Publication

Apple released a security update with updated software to address 27 distinct vulnerabilities in its Java plug-in. Of the 27 vulnerabilities, two had not been previously disclosed and reside only in the plug-in distributed by Apple. A remote attacker could exploit these vulnerabilities by convincing the user to visit a website that loads a malicious Java applet in the user's browser session. This action could allow an attacker to execute arbitrary code on the user's system.
Over the course of the previous year, IntelliShield has reported on a large number of vulnerabilities in various implementations of Java. Because of this volume of vulnerabilities, attackers may start using Java as the attack vector of choice when attempting to compromise users' systems.

Mozilla released updated versions of its Firefox and SeaMonkey products on September 23 and an updated version of Thunderbird on September 25. These updated versions resolve numerous cross-site scripting, information disclosure, and memory corruption vulnerabilities. Since many attacks originate in the user's browser, IntelliShield recommends keeping browser patch levels current. Many browsers are equipped with an automatic update routine, which should be enabled whenever possible.

IntelliShield published 139 events last week: 58 new events and 81 updated events. Of the 139 events, 125 were Vulnerability Alerts, one was an Applied Mitigation Bulletin, four were Security Issue Alerts, three were Daily Malicious Code Summaries, two were Malicious Code Alerts, three were Security Activity Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database through the ODBC server component. Such systems should be contained within their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed; this tactic is commonly known as exploiting a 0-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry in the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.

Oracle Critical Patch Update July 2008
Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield Alerts that detail individual vulnerabilities will be released in the near future as technical details become available.
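As an added example for the DNS insufficient-entropy item above (this script is not part of the Cyber Risk Report or any vendor's tooling), the following Python code checks a resolver's outbound queries for the two symptoms of that weakness, a single fixed source port and sequential transaction IDs, and reports how much entropy each field actually carries in the sample. The tcpdump-style lines are constructed sample data, not real captures, and the field layout the regular expression expects ("IP src.port > dst.port: txid+ ...") is an assumption about the capture format.

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style lines (not real captures). The first resolver sends
# every outbound query from one source port with counting transaction IDs; the
# second randomizes both fields, as the vendors' patches for this issue do.
FIXED_PORT_TRACE = """\
IP 10.0.0.2.53 > 192.0.2.1.53: 4660+ A? example.com. (29)
IP 10.0.0.2.53 > 192.0.2.1.53: 4661+ A? mail.example.com. (34)
IP 10.0.0.2.53 > 192.0.2.1.53: 4662+ A? www.example.com. (33)
IP 10.0.0.2.53 > 192.0.2.1.53: 4663+ MX? example.com. (29)
"""
RANDOM_PORT_TRACE = """\
IP 10.0.0.3.41922 > 192.0.2.1.53: 51233+ A? example.com. (29)
IP 10.0.0.3.60170 > 192.0.2.1.53: 7391+ A? mail.example.com. (34)
IP 10.0.0.3.33871 > 192.0.2.1.53: 61004+ A? www.example.com. (33)
IP 10.0.0.3.55018 > 192.0.2.1.53: 28856+ MX? example.com. (29)
"""

# Assumed field layout: "IP <src>.<port> > <dst>.<port>: <txid>+ ..."
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+: (\d+)\+? ")

def parse_queries(trace):
    """Return (source_port, txid) pairs, one per outbound query line."""
    matches = (QUERY_RE.search(line) for line in trace.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in matches if m]

def entropy_bits(values):
    """Shannon entropy, in bits, of the values observed in this sample."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(trace):
    """Report the entropy the port and TXID fields carry in the sample (the
    ceiling is log2 of the sample size) and name the weak patterns found."""
    queries = parse_queries(trace)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")      # only the 16-bit TXID varies
    if len(txids) > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:])):
        findings.append("sequential transaction IDs")
    return {"port_bits": entropy_bits(ports), "txid_bits": entropy_bits(txids),
            "max_bits": math.log2(len(queries)) if queries else 0.0,
            "findings": findings}
```

On a real capture, run the check over several hundred queries so the per-field entropy approaches the 16-bit ceiling on a patched resolver; a fixed-port finding on a production resolver means the vendor update for this issue has not been applied.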
Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
Apple Mac OS X and OS X Server and Apple Remote Desktop contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted sources. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Physical

Second Pacific Typhoon Heading for Taiwan and China
Typhoon Hagupit was downgraded to a tropical storm on Friday, September 26, after causing 8 deaths in the Philippines as well as 18 in China. Floods and mudslides caused by the typhoon have affected North Vietnam as well. Floodwaters have damaged farms in Taiwan, with an estimated loss of US$9.9 million in crops. Businesses and schools in southern China have re-opened after being evacuated. Typhoon Jangmi is expected to cause significant rainfall in both Taiwan and China, and a third typhoon, Mekkhala, is expected to close in on the southern coast of China on Tuesday, September 30.

IntelliShield Analysis: Typhoon Hagupit has caused considerable damage to portions of several southern Chinese provinces, causing 50,000 ships and fishing vessels to be called back to port, schools and businesses to close, and the evacuation of 28,000 people. The destruction to farmland could drive food prices up even higher, and businesses that were damaged could take more time to recover. Employees should be aware of fraudulent charity sites and phishing emails that could use this event to capitalize on the generosity of others.
Legal

Request for Legal Guidelines Regarding ISPs Using Deep Packet Inspection
In July 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) requested that the Privacy Commissioner of Canada develop guidelines for the use of Deep Packet Inspection (DPI) by ISPs. The CIPPIC also requested an investigation into whether some ISPs are illegally using DPI to gather information that is then used to perform targeted advertising on their customers. On September 9, 2008, the Privacy Commissioner of Canada replied to CIPPIC saying that the commissioner's department was consulting with other countries such as the European Union (EU) and the United States (U.S.), as well as with a number of experts on the associated topics, with the goal of formulating a policy for using DPI in targeted advertising.

IntelliShield Analysis: The use of deep packet inspection by ISPs and telecommunications companies is gaining the attention of privacy advocates worldwide. In Canada, the CIPPIC is a major privacy watchdog organization. Although the CIPPIC is not filing an official complaint against ISPs for using DPI in targeted advertising, it hopes to persuade the office of the Privacy Commissioner, which is responsible for helping to interpret and enforce the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), to set official guidelines for targeted advertising and DPI. Judging from the response by the Commissioner's office, it seems that Canada is interested in creating a policy for targeted advertising that would have much in common with similar policies in other countries. Companies that use information obtained through DPI should do so with extreme care: although the potential revenue stream for targeted advertising is high, the legal precedents have not yet been set regarding what will and will not be permitted by law.

Trust

Memorandum Issued for DNSSEC on United States .gov Websites
The U.S. Executive Office of the President's Office of Management and Budget (OMB) issued a memorandum to the government's Chief Information Officers stating that the Domain Name System Security Extensions (DNSSEC) would be deployed to the top-level .gov domain by January 2009. The memorandum also requires plans to achieve fully operating DNSSEC .gov sub-domains by December 2009. The DNSSEC deployment follows two significant events: the identification of the DNS vulnerability earlier this year, and the government's Trusted Internet Connection initiative to reduce the number of external Internet connections the government operates. The memorandum does not directly impact the other top-level domains (TLDs) such as .com, .net, .org and others, but many believe the U.S. government's deployment will encourage other TLDs to deploy DNSSEC.

IntelliShield Analysis: The U.S. government's deployment of DNSSEC indicates its willingness and confidence that it can successfully handle a large-scale deployment of DNSSEC across its entire domain. The deployment of DNSSEC has several challenges that have delayed its adoption despite the fact that most experts are in agreement that it is essential. The difficulties include key management, upgrading servers and clients, and training administrators. The National Institute of Standards and Technology (NIST), as well as many other organizations, has documented trials, deployment guidelines, and tools to assist in the deployment. In addition to the costs and complexities of deploying DNSSEC, many have not taken a serious look at the specifications to better understand DNSSEC. While it does provide integrity of the DNS information to protect against spoofing and cache poisoning exploits, it does not provide confidentiality of the information or prevent denial of service attacks.
As the government deployment of DNSSEC in 2009 is likely to encourage other TLDs to consider deployment, businesses and organizations are advised to understand, prepare for, and coordinate with their service providers on these deployments. Additional information on DNS vulnerabilities, DNSSEC specifications, and recommendations for deployment is available at the following links: Cisco DNS Best Practices, Network Protections and Attack Identification and NIST DNSSEC Deployment Guide (PDF).

Identity

There was no significant activity in this category during the time period.

Human

Internet Study Shows Users Immune to Popup Messages
Psychology researchers at North Carolina State University in the United States are preparing to release a study that shows computer users generally pay little attention to computer popup messages. The study showed that even when faced with messages that looked like browser popups and not trusted system messages, many users simply clicked through to get the messages out of the way. Data also indicated that very little time was spent evaluating the meaning of these messages.

IntelliShield Analysis: Operating systems that allow programs to customize visual elements, including frames and titles, will have a very difficult time preventing other applications from mimicking those elements. Users also contend with numerous popup messages from various applications, and in many cases clicking through these messages without much thought causes little harm, especially in an environment where the user has little or no investment in the computer being used. Organizations should certainly explore user awareness programs to curb this behavior, but the best results might come from limiting the annoyance caused by security applications and operating system messages. Administrators should minimize or eliminate the number of high-impact decisions left to the fate of a dialog box, which can be clicked by accident, malice, or frustration.
Geopolitical

China Takes Next Step in Space Technology
China successfully completed its first extra-vehicular spacewalk this weekend, passing an important milestone on the path to China's stated goal of landing an astronaut on the moon by 2020. The Shenzhou-7 spacecraft is China's third manned space mission since it first launched a person into space in 2003. The primary goal of the 3- to 4-day mission was completing the short spacewalk, which was directed by Russian experts. Underscoring the high-stakes political nature of the mission, Chinese President Hu Jintao was featured on live television bidding the astronauts luck, and the Associated Press reported that China's official news agency, Xinhua, released a news story describing the launch in sharp detail hours before it took place.

IntelliShield Analysis: Space remains a highly sensitive stage for the drama of superpower politics. The United States excluded China from the international consortium that manages the International Space Station, in part out of doubts about China's military intentions. This has had the unintended effect of spurring China to launch its own space station, with Russian assistance. At the same time, NASA is sounding the alarm that the U.S. will become dependent on Russia's Soyuz spacecraft to ferry astronauts to the Space Station when the U.S. retires its space shuttle fleet in 2010. Given the rapid development of communications and military technology in space, security specialists may wish to closely monitor this re-energized superpower space race.
Upcoming Security Activity

Oracle OpenWorld 2008: September 21–25, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: September 1–31, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
