December 31, 2007–January 6, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability and threat activity levels rose sharply from the previous time period despite a decrease in activity on January 1, 2008. IntelliShield published 140 more alerts in December 2007 than in December 2006 and published 225 more alerts in 2007 than in 2006. For additional annual trends and review, please see the Cisco 2007 Annual Security Report posted on the Cisco Security Center at www.cisco.com/security.

Microsoft released the Microsoft Security Bulletin Advance Notification for January 2008. Of the two bulletins that are scheduled for release on January 8, 2008, Microsoft scored one with a maximum severity rating of Critical and one with a maximum severity rating of Important. Both bulletins address vulnerabilities that are associated with the Windows operating system.

Independent security researchers released technical details for vulnerabilities in the Georgia SoftWorks Secure Shell (SSH2) Server. An attacker could exploit these vulnerabilities to cause the SSH2 server to crash or to execute arbitrary code. Proof-of-concept code that demonstrates a DoS condition exists for each vulnerability. The affected product is often deployed within heavy industry and is utilized for inventory control in many sectors. Most of these installations are likely to be secured at a higher level than the typical SSH services found on general purpose servers, which mitigates the risk to a small degree.

Malicious code activity for the time period includes TROJ_RANSOM.B, as detailed in IntelliShield Alert 14876. TROJ_RANSOM.B attempts to lock a system and convince a user to pay a fee to obtain the code required to unlock the affected system. To obtain this unlock code, the targeted user must dial a premium rate phone number. This type of trojan is commonly known as ransomware: malicious software that performs a malicious action on a system and attempts to coerce victims into paying a fee to recover the system. Ransomware trojans first appeared in 2006 with TROJ_SKOWR.A, as described in IntelliShield Alert 11089. This trojan encrypted several file types on a system and held these files for ransom. The victim was instructed to send a payment to the attacker in exchange for the decoder that would decrypt the files and restore the user's access to them.

IntelliShield published 145 events last week: 26 new events and 119 updated events. Of the 145 events, 136 were Vulnerability Alerts, two were Malicious Code Alerts, four were Security Issue Alerts, one was a Daily Malicious Code Summary, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

2007 Monthly Alert Totals
Previous Alerts That Still Represent Significant Risk

ClamAV popen() Function Arbitrary Code Execution Vulnerability
ClamAV contains a vulnerability that could allow a remote attacker to execute arbitrary code. Exploit code, which is similar to other, much older attacks against other types of systems, is available. An attacker may be able to easily modify the code to conduct multiple attacks. ClamAV has confirmed this vulnerability and released updated software.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate that this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and no updates are available.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. A remotely exploitable vulnerability such as this, one that likely affects a large number of highly sensitive systems, is a very attractive target and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability
Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header. An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window to leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability
Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability
RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is ongoing. RealNetworks has confirmed this vulnerability and released updates.

Samba WINS Server Daemon Buffer Overflow Vulnerability
Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.
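The Apple QuickTime item above describes a response-side flaw: the overflow is reached when a server returns an oversized or malformed Content-Type header during the initial RTSP handshake, so the client is the party at risk. The check below is an added example written for this report, not Cisco's or Apple's code. It parses a server-to-client RTSP response and flags any header value that exceeds a length limit, plus a Content-Type value that does not look like a type/subtype media type. The 256-byte limit, the Content-Type grammar and the two sample responses are constructed assumptions for this example, not values taken from the report.

```python
"""Detection-side check for oversized or malformed RTSP response headers.

Added example for the QuickTime RTSP Content-Type issue; not Cisco's or
Apple's code. RTSP framing (status line, CRLF-separated headers, blank line)
follows the protocol; the header length limit and the Content-Type grammar
are assumptions chosen for this example.
"""
import re
from typing import Dict, List, Tuple

# Assumed policy values for this example, not from the report.
MAX_HEADER_VALUE_LEN = 256
# Media type must look like token/token, optionally followed by ";params".
CONTENT_TYPE_RE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;.*)?$")


def parse_rtsp_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an RTSP response into its status line and a header dict.

    Header names are lower-cased. Only the head (up to the first blank
    line) is parsed; the body is ignored. Raises ValueError on framing
    errors so the caller can treat unparseable traffic as a finding.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    if not status_line.startswith("RTSP/"):
        raise ValueError("not an RTSP response: %r" % status_line[:20])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line[:40])
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def inspect_rtsp_response(raw: bytes) -> List[str]:
    """Return a list of findings for a server->client RTSP response.

    An empty list means nothing suspicious under the assumed policy.
    """
    findings: List[str] = []
    try:
        _status, headers = parse_rtsp_response(raw)
    except ValueError as exc:
        return ["unparseable response: %s" % exc]

    # Generic length check: no legitimate RTSP header value needs to be long.
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append("oversized header %s (%d bytes)" % (name, len(value)))

    # Specific check for the header named in the advisory.
    ctype = headers.get("content-type")
    if ctype is not None and not CONTENT_TYPE_RE.match(ctype):
        findings.append("content-type does not look like type/subtype: %r" % ctype[:40])
    return findings


# Constructed sample traffic; not captured from any real player or server.
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Same framing with a 1200-byte Content-Type value: under the ~2000 bytes the
# report mentions, but far beyond anything a legitimate media type needs.
OVERSIZED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: " + b"A" * 1200 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("oversized", OVERSIZED_RESPONSE)):
        print(label, inspect_rtsp_response(sample) or "no findings")
```

Run stand-alone, the script reports no findings for the benign response and two for the oversized one. The same function can sit in a proxy or IDS preprocessor between media clients and untrusted RTSP servers as a compensating control for hosts that have not yet received Apple's update; the length limit is the part to tune against real traffic before alerting on it.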
Physical

Ex-Restaurant Employee Accused of Credit Card Fraud
Lisa Swopes, a former employee of a Wendy's fast food restaurant in Plainfield, Illinois, United States (U.S.), has been charged with several counts of identity theft. While taking customer orders, Ms. Swopes covertly swiped customers' credit cards using her personal card reader. She then retrieved the card information from her reader and made duplicate credit cards, charging thousands of US dollars to unsuspecting customers. Authorities believe that Swopes collected information from upwards of 40 people.

IntelliShield Analysis: Swopes used a device commonly known as a "skimmer." Although the use of a skimmer is illegal throughout most of the U.S., ownership of the device is legal. With the cost of purchasing or assembling a skimmer being less than US$100 and the acceptance of credit cards in even the most minuscule of transactions, this type of crime is likely to increase. Roughly the size of a pager, the skimmer brings back all the issues that were assumed vanquished when carbon receipts were made obsolete last century. Users must compare the benefit of convenience with the risk of theft. In this case, enough victims came forward to allow law enforcement to identify the common denominator and arrest Swopes. Keeping the credit card in sight at all times is the simplest way to deter this sort of crime. Also, closely monitoring account activity for unauthorized charges or overcharges can assist victims and law enforcement in prosecuting these crimes.

Legal

Air Travel Restrictions on Lithium Batteries
January 1, 2008 marked the date that restrictions on traveling with lithium ion batteries went into effect, as announced by the United States Department of Transportation (US DOT). The safety rule places the batteries on the hazardous materials list and requires travelers to install lithium batteries in the intended device if included in checked baggage, or to pack the battery in its original packaging or within plastic bags if part of carry-on luggage. Only two spare batteries are allowed per person.

IntelliShield Analysis: The announcement by US DOT and subsequent enforcement by the Transportation Security Administration appears to be a safety concern and not a security issue. Recent tests conducted by the Federal Aviation Administration (FAA) in response to a fire onboard a cargo plane demonstrated that fire suppression equipment is not capable of adequately containing a fire that is started by lithium ion batteries of a particular size or quantity. This rule affects individuals who tend to carry additional batteries for their electronic equipment, especially those in the audio/visual industry. Travelers should ensure that any extra batteries are in good condition and that contacts are undamaged before packing batteries in accordance with FAA requirements.

Trust

Large Retailer Accused of Hiding Tracking Software from Customers
Harvard Business School assistant professor and spyware researcher Benjamin Edelman has accused Sears Holding Co. of installing tracking software from comScore without appropriately disclosing the nature of the software. Edelman claims that the software tracks all Internet usage, including login credentials and email, and enables customer purchases to be viewed by others on Sears' Manage My Home website. Edelman states that not disclosing this activity violates the requirements of adequate consent set forth by the Federal Trade Commission (FTC). Sears Holding Co. vice president Rob Harles has released a rebuttal to Edelman's findings and has turned off the feature that allows users to view the purchases of customers.

IntelliShield Analysis: Sears adamantly denies violating the FTC requirements for full disclosure; however, the company has altered its website, which may indicate that the current FTC policies had not been fully considered. Current reports do not cite user comments regarding how well they understood what would be tracked through the comScore software, and such information may be a moot point if Sears continues to alter data tracking unless an actual theft occurs. Most users forgo reading extensive licensing agreements, which places them at risk of exposing personal information. Few have questioned whether Sears' activity was legal, but the coverage of the critical reports may have already damaged the company's credibility.

Identity

Personal Information Theft Soars to New Levels in 2007
Statistics released by Theft Resource Center (TRC) and Attrition.org demonstrate that personal data theft grew by a wide margin in 2007. TRC released data showing that data theft in the United States has quadrupled as compared to 2006. Attrition.org's statistics indicate that data theft increased by three times worldwide. Both non-profit organizations collect their data from media sources deemed reputable.

IntelliShield Analysis: These results should not be surprising because identity theft has become a prevalent topic among the media and the information technology industry. A major contribution to these statistics from 2007 was the TJX customer data theft, in which TRC estimated that 46 million records were stolen, and Attrition.org estimated that 94 million records were compromised. Both organizations obtain their data from public sources and admit that not all sources may have acknowledged or are aware of all cases of identity theft. It is worth noting that a great deal of data is lost by improper handling and not by theft due to hackers. Although the amount of stolen or lost data is high, the number of people who have experienced related identity theft is relatively low. As more laws are put into place, a clearer picture of identity theft overall will likely emerge. Companies that handle sensitive customer data are advised to annually review their policies and the policies of partners who access the same data, as well as to update appropriate data destruction protocols.

Human

Malicious Code Locks Computer Until User Pays
Reports of a trojan that locks users out of infected systems until a ransom is paid have started circulating. TROJ_RANSOM.B, as detailed in IntelliShield Alert 14876, poses as a security update that users must pay for before they can resume use of an affected system. A payment of US$35 returns control to the user after dialing a 1-900 telephone number, which connects the victim to a payment collection agency commonly used by pornographic websites.

IntelliShield Analysis: The occurrence of ransomware malicious code has not significantly increased since its initial appearance, in part due to law enforcement's ability to follow the money trail to the culprits. The extortionists most likely collect money over a short period of time and then abandon their efforts. The money collection agencies that are used are often found in regions of the world that maintain financial anonymity and a lax degree of financial security. Victims are advised against contacting the attacker or sending money because doing so does not guarantee that the attacker will comply with the agreement and unlock the system. Such trojans have yet to pose a large threat and do not utilize unique propagation or exploit methods. Often, anti-virus vendors release detailed steps on restoring an infected system. Users that practice safe browsing and e-mail habits are unlikely to be affected by these types of trojans.

Geopolitical

Technology Export Policy Questioned
An independent watchdog foundation issued a report that questions United States (U.S.) export policy on potential dual-use technologies to China. The Wisconsin Project on Nuclear Arms Control is critical of the 2007 decision to clear five Chinese companies to purchase certain technologies from U.S. companies without an export license. The technologies include aircraft navigation systems, telecommunications equipment and high-end composite materials. The report alleges that two of the five validated end-user companies, Shanghai Hua Hong NEC Electronics and BHA Aero-composite Parts, have ties to the Chinese People's Liberation Army. The report further argues that these companies have been known to sell sensitive technologies to Iran and Syria.

IntelliShield Analysis: The release of this report confirms that 2008 will serve as a political arena regarding the risks and payoffs of increased high-technology trade with China. While the U.S. is eager to facilitate lucrative bilateral trade opportunities, the report indicates how easy it is, even with U.S. government approval, for sensitive technology to fall into unfriendly hands. It is likely that this report will prompt further review of the validated Chinese companies. To protect themselves, companies should pursue their own due diligence before agreeing to a sensitive sale.

Upcoming Security Activity

International Consumer Electronics Show: January 7–10, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
