Cyber Risk Report

August 17–23, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activities were slightly lower last week than usual.  None of the reported vulnerabilities were particularly notable. 

IntelliShield published 62 events last week: 36 new events and 26 updated events.  Of the 62 events, 48 were Vulnerability Alerts, four were Security Activity Bulletins, two were Threat Outbreak Alerts, five were Security Issue Alerts, two were Malicious Code Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        08/21/2009     2        11      13
Thursday      08/20/2009     4         5       9
Wednesday     08/19/2009    10         1      11
Tuesday       08/18/2009     9         2      11
Monday        08/17/2009    11         7      18
Weekly Total                36        26      62


Previous Alerts That Still Represent Significant Risk

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 8, August 11, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 1, August 14, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition.  Stable updates are not available currently.  Proof-of-concept exploit code is publicly available.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 8, August 13, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition.  Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote denial of service vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  This vulnerability is due to an unspecified error in the Office Web Components ActiveX control.  Reports indicate that exploits of this vulnerability are ongoing.  Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has indicated that limited, active attacks are occurring.  Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.  The vulnerability is due to improper processing of Unicode characters in HTTP requests.  An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.  Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems.  Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet.  Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Physical

Centers for Disease Control and Prevention Issue Influenza Season Guidelines

The United States (U.S.) Department of Health and Human Services (HHS) Centers for Disease Control and Prevention (CDC) released guidelines to U.S. businesses in preparation for upcoming influenza seasons.  The report encourages employers to allow workers with influenza symptoms to stay home from work to reduce the potential for spreading disease.  Additionally, the guideline recommends developing policies to allow workers to stay home to care for children or other family members who may be sick.  The statement stresses the need for timely and clear communication regarding planning, policies, and ongoing events related to outbreaks.

IntelliShield Analysis:  Planning for influenza outbreaks shares similarities with other types of disaster and incident responses.  As part of business continuity plans, businesses will want to institute geographical distribution when possible to avoid localized outbreaks.  Businesses can also use remote workers to lessen the chances of influenza transmission or to insulate part of the workforce.  Distributing the workforce geographically and allowing employees to work remotely increases business capability and flexibility in any disaster situation.

Legal

Facebook Users Challenge Privacy and Terms of Service

A group of users has filed suit against Facebook for violating California privacy laws.  The suit charges Facebook with the following issues, among others: that terms of service have been changed without notifying users; that Facebook violates privacy by sharing users' data with third parties without providing an adequate explanation of those practices; and that Facebook engages in data mining for commercial purposes and economic benefit.  Facebook has responded to the suit with the following statement: "We see no merit to this suit and we plan to fight it."

IntelliShield Analysis:  The regulation of the storage and use of personal data on social networking sites is still a gray area. At the very least, these sites' business models make use of user data for targeted advertising, which is the primary path to profitability for these social networking services.  Enacting real privacy statutes, such as opt-in instead of opt-out, will possibly remove the business model that has enabled the existence of social networking.  Users are beginning to realize that their data or just their presence on these sites has a business value and that value may come from the exploitation of personal information. While this case may help to further define the privacy requirements, users of social networking sites should be aware of the ways in which their personal information can be used.

Trust

United States Federal Trade Commission Issues Breach Guidance for Online Medical Information

The United States (U.S.) Federal Trade Commission (FTC) has released guidance for organizations that store personal medical information online that will help determine when and how these organizations should notify affected persons that a data breach has occurred.  The rule is separate from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and some confusion has arisen regarding when the rule should be applied and which organizations are affected.
 
IntelliShield Analysis:  Organizations, particularly small ones that may not have their own lawyers, may find this rule confusing.  It is difficult to determine if an organization is affected, because it appears, for example, that individual doctors who keep public health records and make them available to patients are not affected.  Individual doctors are covered by HIPAA rules. However, there are some circumstances under which personal records stored by a doctor may be affected.  With more and more records moving from paper storage to digital storage, this breach rule issued by the FTC will need to be understood by many in the health care industry.

Identity

UBS Bank to Provide Internal Revenue Service With Bank Account Details

Details of a settlement between the U.S. Internal Revenue Service (IRS) and the UBS banking service headquartered in Switzerland were released earlier this week.  Account information regarding 4,450 clients of UBS is to be disclosed to the IRS, which is investigating these clients for tax fraud and tax evasion.  It is estimated that the accounts in question could total approximately US$15 billion in undeclared assets. Swiss banks have long been relied on for their stability as well as their secrecy, but this agreement may weaken the attraction.

IntelliShield Analysis:  Tax fraud and tax evasion place a significant burden on other taxpayers, so this settlement could be a win for American taxpayers, assuming certain privacy measures are observed.  The U.S. government has not requested information on any of the other 53,000 accounts held by U.S. citizens, and it doesn't appear that the Swiss government is entertaining any information requests on accounts without specific knowledge of the accounts in question.  Some account holders fear that if account information is made public knowledge, lawsuits could be raised related to divorce settlements and creditors that believe the accounts were used to hide money.  Businesses need to be aware that the policy of confidentiality and discretion that Swiss bank accounts have afforded in the past may no longer apply.

Human

Google Reveals Blogger User’s E-mail Address; Blog Writer Faces Defamation Charge

New York fashion model Liskula Cohen filed a defamation lawsuit after blog author Rosemary Port posted pictures and harsh statements about Cohen online.  Port's blog is hosted by Google's Blogger service.  A New York State Supreme Court justice ordered Google to reveal account information to Cohen and Google provided Port's e-mail address. Cohen was familiar with the address because she and Port knew each other in the New York fashion community.  Cohen proceeded to file her lawsuit, while Port is suing Google for failing to protect her anonymity.

IntelliShield Analysis:  The New York justice who ordered Google to reveal the blog author's account information stated that there was reason to believe that the blog statements had gone too far.  Google stood by its own privacy policy to not reveal this information until compelled to do so by State Court.  This decision may bring some unexpected perspective to blog writers who may not have considered the breadth of publicity that can be generated when derogatory remarks are posted online.  Social media has enabled anyone with a website to act as a one-person press outlet.  While the enabling power of the Internet can benefit society by giving everyone a voice in the public forum, users must be aware of their responsibilities when exercising that power.

Geopolitical

Afghan Elections Monitored by Online Reporting Site

Afghanistan presidential elections last week manifested themselves as a test of wills between Taliban militants who sought to derail the vote through intimidation, fraud, and violence, and United States (U.S.) and Afghan officials who sought to demonstrate that credible elections could be held.  Various non-governmental organizations monitored the polling, including one, AliveinAfghanistan.org, which aggregates text messages, Twitter, and e-mail to map incidents and track election fraud. The website utilizes an open source platform originally developed by a British engineer to aggregate data for elections in Nigeria and Kenya, according to the BBC, and is based on earlier projects AliveinBaghdad and AliveinGaza, according to the website.

IntelliShield Analysis:  This sort of volunteer incident reporting system is so problematic that it runs the risk of being futile.  Key problems include uneven popular access to texting and e-mail, which may skew results due to the types and locations of users with Internet access, and the potential for fraudulent or coerced reporting.  At best, the project may be viewed as part of a larger effort to create a viable real-time, citizen-based Internet incident-mapping system with the potential, at least in theory, to shine a bright international light on elections in emerging democracies.

Upcoming Security Activity

GFIRST 2009: August 23–28, 2009
ASIS International 55th Annual Seminar and Exhibits: September 21–24, 2009
National Cyber Security Awareness Month: October 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
CSI2009 Annual Conference: October 24–30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Japan Lower House Elections: August 30, 2009
Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.