Cyber Risk Report

February 16–22, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels for the week of February 16-22, 2009 were highlighted by several high-profile attacks.

Attackers are exploiting an information disclosure vulnerability in the jumpUrl mechanism of the Typo3 content management system (CMS) to compromise websites.  This vulnerability could allow remote attackers to access arbitrary files hosted on the Typo3 system.  By accessing the file local.conf, an attacker could gain access to the weakly hashed value of the administrator password.  The attacker could then use one of the freely available websites dedicated to deciphering hashes, such as hashcrack.com, to recover the plain text version of the password.  This tactic was used to conduct several high-profile attacks, such as the attack against the website of Germany's Interior Minister.  Hashcrack.com has reported a massive spike in the use of its services since the disclosure of the Typo3 information disclosure vulnerability.  The vendor has confirmed this vulnerability and released updated software.
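The reason a hash lookup service can turn a leaked local.conf into a working administrator password is that a fast, unsalted hash of a given password is the same everywhere, so one precomputed table answers every copy of it. The following Python is an added example written for this report, not code from Typo3 or from any vendor: it contrasts that storage scheme with a salted, iterated PBKDF2 hash. The four-entry COMMON_PASSWORDS table stands in for a lookup service and is constructed for the demonstration; the function names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a hash lookup service: a handful of common passwords
# hashed once, reusable against every unsalted digest that ever leaks.
COMMON_PASSWORDS = ["password", "123456", "letmein", "admin"]


def weak_hash(password):
    """Unsalted MD5 of the password, the kind of storage the report calls
    'weakly hashed'. Fast, and identical wherever the same password is used."""
    return hashlib.md5(password.encode()).hexdigest()


LOOKUP_TABLE = {weak_hash(p): p for p in COMMON_PASSWORDS}


def lookup_weak_hash(digest):
    """Return the password behind an unsalted MD5 digest if the table knows it."""
    return LOOKUP_TABLE.get(digest)


def strong_hash(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. A random per-password salt makes any
    precomputed table useless, and the iteration count makes each guess costly.
    The stored string carries everything verify() needs."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo(password="letmein"):
    """Show the contrast on one constructed password."""
    weak = weak_hash(password)
    stored = strong_hash(password)
    return {
        "weak_recovered": lookup_weak_hash(weak),        # table hit: 'letmein'
        "salted_differs": strong_hash(password) != stored,  # fresh salt each time
        "verifies": verify(password, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The point for operators is the storage choice, not the lookup service: once a configuration file leaks, an unsalted fast hash is effectively the password, whereas a salted slow hash buys time to rotate credentials.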

Attackers are conducting limited attacks to exploit the uninitialized memory corruption vulnerability in Microsoft Internet Explorer.  This vulnerability is detailed in IntelliShield alert 17519.  Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and either deliver the malicious document via e-mail or host it on websites.  Several antivirus vendors are reporting on the activity.  An attacker must still convince a user to view the Word document, likely by employing social engineering techniques, but users may be more likely to open a Word document because it is often perceived as a safe file type.  Attackers could easily modify their tactics to avoid detection by using publicly available and functional exploit code.

Adobe released a security advisory and updated software to address a buffer overflow vulnerability in its Acrobat and Reader products. This vulnerability is detailed in IntelliShield alert 17665.  A remote attacker could exploit this vulnerability to cause a denial of service condition or execute arbitrary code, potentially with privileges sufficient to compromise the target system.  The attacker could exploit this vulnerability by convincing the user to open a malicious .pdf document.  Due to the widespread use of this file type, users may consider .pdf documents safe.  This vulnerability is actively being exploited in the wild by the Trojan.Pidief.E trojan.  Additional information about this trojan is available in IntelliShield alert 14388.

Also in malicious code activity this week, W32/Conficker.worm continues to cause havoc as it infects German military systems.  According to the Defense Ministry in Berlin, the worm has compromised hundreds of systems and several German armed forces sites had to be disconnected temporarily as a result.  W32/Conficker.worm's propagation routine is very effective.  Among the methods the worm is using to spread is by exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability, which is described in IntelliShield alert 16941; this vulnerability is also being exploited by Troj/Gimmiv-A, W32/Kernelbot.A and W32.Wecorl.  W32/Conficker.worm also affected British and French defense systems just a few weeks ago.  Administrators are advised to apply the appropriate updates and to ensure that current antivirus and IPS signatures are installed.  On February 13, 2009, Microsoft offered a $250,000 (US) reward for information leading to the arrest and conviction of those responsible for W32/Conficker.worm.  This is not the first time Microsoft has offered a reward for information regarding malicious code authors.  W32/Conficker.worm is documented in IntelliShield alert 17121.

IntelliShield published 126 events last week: 37 new events and 89 updated events.  Of the 126 events, 96 were Vulnerability Alerts, nine were Security Issue Alerts, seven were Security Activity Bulletins, seven were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, three were Malicious Code Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        02/20/2009    11         9      20
Thursday      02/19/2009     7         9      16
Wednesday     02/18/2009     7        17      24
Tuesday       02/17/2009     4        31      35
Monday        02/16/2009     8        23      31
Weekly Total                37        89     126

Significant Alerts for February 16–22, 2009

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 1, February 20, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader and Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user.  The level of user privileges and the code that is executed determine the degree to which the system is compromised.  This vulnerability is actively being exploited in the wild by the Pidief family of trojans.  Additional information about the trojan is available in IntelliShield alert 14388.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused a sharp increase in Border Gateway Protocol (BGP) updates as well as isolated outages for Internet services around the world.  The disruption was caused by a SuproNet router issuing routing announcement updates that contained overly long Autonomous System (AS) paths.  Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths.  This information is available in IntelliShield alert 17670.  OpenBSD has fixed a similar flaw, as described in IntelliShield alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 4, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition.  On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system.  Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in an XML format.  Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and either deliver the malicious document via e-mail or host it on websites.  Several antivirus vendors are reporting on the activity.

Previous Alerts That Still Represent Significant Risk

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system.  Recently, the Waledac family was observed disguising itself as valentine-related e-cards.  The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open their attachments.  W32.Waledac may download files on an infected system and provide an attacker with backdoor access.  The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 10, January 27, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks.  The worm has reportedly infected millions of systems.  One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield alert 16941.  The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult.  Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until they can be fully restored.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Reader, Acrobat Professional, Acrobat 3D, and Acrobat Standard contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  A variant of the Pidief family of trojans, described in IntelliShield alert 14388, is actively exploiting this vulnerability in the wild.  Adobe has confirmed the vulnerability and released updated software.  Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.  Users should also be cautious of unsolicited PDF files that may arrive via e-mail.

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure websites.  The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function.  Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates.  Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm.  Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack.  The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.
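The defender's check that follows from this bulletin is to find certificates, above all CA certificates in a trust store or in a chain a server presents, whose signature algorithm is still MD5-based. The following Python is an added example written for this report, not code from the researchers or from any vendor: it walks a certificate's DER encoding just far enough to read the signatureAlgorithm OID (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and flags md2WithRSAEncryption and md5WithRSAEncryption. The Certificate-shaped blob that make_demo_cert() builds is constructed for the demonstration and is not a real or valid certificate; pem_to_der() is the example's own helper for feeding it a PEM file.

```python
import base64

# DER tags used by the Certificate structure (RFC 5280 section 4.1)
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06

# PKCS #1 signature-algorithm OIDs; only the MD-based ones are flagged.
MD2_WITH_RSA = "1.2.840.113549.1.1.2"
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {MD2_WITH_RSA: "md2WithRSAEncryption",
                       MD5_WITH_RSA: "md5WithRSAEncryption"}


def read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos.
    Every length is checked against the buffer before it is used."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits give the length's size
        n = first & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("DER element runs past end of buffer")
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def decode_oid(content):
    """Dotted OID from its content octets; the first byte packs the first two arcs."""
    if not content:
        raise ValueError("empty OID")
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm, the second element of Certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    parts = list(children(body))
    if len(parts) != 3 or parts[1][0] != SEQUENCE:
        raise ValueError("unexpected Certificate layout")
    alg_tag, alg_oid = next(children(parts[1][1]))
    if alg_tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(alg_oid)


def weak_signature(cert_der):
    """Name of the weak algorithm if the certificate is MD2/MD5-signed, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode a single PEM certificate."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))


# --- constructed demo input: a Certificate-shaped blob, not a real certificate ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # remaining groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_demo_cert(sig_oid):
    """Minimal Certificate shape: tbs holds only a serial and the algorithm id."""
    alg_id = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + alg_id)
    sig = _tlv(BIT_STRING, b"\x00" + b"\x00" * 32)   # placeholder signature bits
    return _tlv(SEQUENCE, tbs + alg_id + sig)
```

Run weak_signature() over every DER certificate in a trust store or a captured chain; a hit on a CA certificate is the condition the collision attack depends on, since only MD5-signed roots and intermediates can be impersonated this way.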

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition.  Proof-of-concept code is available.  Microsoft has confirmed the vulnerability and released updated software.  Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841

Microsoft Windows contains a vulnerability in the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system.  Microsoft has confirmed the vulnerability, but updated software is not available.  Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to infected systems.  This tactic is commonly referred to as exploiting a zero-day vulnerability.

Physical

Security Researchers Discover Flaw in Facial Recognition Systems

The senior researcher of Bkis in Vietnam, Duc Nguyen, along with other researchers, demonstrated how to bypass biometric security technology using a photograph at the Washington DC Black Hat conference.  By altering a photo, or simply using a color copy image, Nguyen could trick the face-recognition technology installed on Asus, Lenovo, and Toshiba laptops.  The laptops each have a unique algorithm; however, the method used to create the biometric login remains the same.

IntelliShield Analysis:  Biometrics have been introduced into security technology not only to increase the protection of a system, but also as a convenience for users.  However, facial-recognition biometrics should not be the sole means of authenticating to a system.  With the technology available today, an attacker could easily use an image or photograph to fool a facial recognition-protected system.  Companies using facial biometrics for authentication are encouraged to use a two-tier authentication method until the technology can securely and consistently distinguish an image from an actual face.

Legal

CVS Caremark Fined By United States Federal Trade Commission and Department of Health and Human Services for Failure to Protect Customer Data

CVS Caremark, which operates the largest chain of pharmacies in the United States, agreed to pay fines to settle coordinated investigations by the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS).  The FTC investigated reports that CVS Caremark failed to properly dispose of customer information.  CVS-operated pharmacies were reportedly disposing of customer pill bottles with personal information, medical instruction sheets, employment applications, and computer order information in openly accessible dumpsters.  This practice exposed credit and insurance card information, social security numbers, driver's licenses, payroll information, and medical information to anyone who searched the dumpsters behind a pharmacy.  The HHS investigated violations of the Health Insurance Portability and Accountability Act (HIPAA).

IntelliShield Analysis:  This case is an example of the United States government increasing its enforcement of regulatory compliance.  It may indicate a trend by the federal government toward closer scrutiny of how companies protect the personal and financial information of customers and employees.  Companies should establish a routine to continually review their processes to ensure complete regulatory compliance.  Part of this process should include accepting feedback from customers who express concerns about how their information is handled.

Trust

Facebook Modifies Their Terms of Service and Then Reverts Back

On February 4, 2009, Facebook changed its terms of service to state that any content uploaded to Facebook can be used by Facebook indefinitely, regardless of whether the content has been removed or the account has been deleted.  The terms of service originally stated that if the user chose to remove their content or delete their account, the license would automatically expire, although Facebook could retain archived copies of the content.  That clause was removed, and the modified terms stated that Facebook has full rights to the content even after an account is deleted.  The change set off a major debate across online message boards, forums, and blogs about whether Facebook should own user content indefinitely.  In response to the controversy, Facebook reverted to the previous terms of service as of February 17, 2009.

IntelliShield Analysis:  It is not uncommon for terms of service agreements to state that content uploaded to social networking or third-party sites can potentially be reused by the site owner.  The original Facebook terms of service clearly stated that Facebook can use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works from, and distribute any user content.  They also stated that if the content was removed or the account was deleted, the license would automatically expire.  The recent modification caused outrage among the Facebook community because Facebook could have held rights to their data forever, regardless of whether the account had been deleted.  Media attention and user feedback prompted Facebook to revert to the original terms of service.  Businesses are encouraged to openly communicate any change that affects users' rights, roles, and experience to avoid distrust.  Facebook has since opened a public discussion on its bill of rights and responsibilities and has encouraged users to give feedback on how the new terms of service should read.

Identity

Wyndham Hotels and Resorts Breach May Have Exposed Credit Card Information of 21,000

Florida Attorney General Bill McCollum issued a news release warning of a data breach of Wyndham Hotels and Resorts' systems.  The breach exposed the credit and debit information of 21,000 customers.  The incident occurred in late July or early August 2008 and was discovered in September of the same year.  The breach occurred through the system of one particular Wyndham franchisee.

IntelliShield Analysis:  The breach exposed only consumer credit and debit card information.  Other information, such as addresses, dates of birth, and social security numbers, remained secure.  Wyndham Hotels and Resorts notified affected customers of the breach and also provided credit card companies with lists of affected card numbers.  Currently, there are no reports of identity theft activity resulting from this breach; however, affected customers should continue to closely monitor their credit reports for a period of at least one year.  Apart from the risk to consumers, such incidents expose affected companies to negative publicity, as the public is becoming increasingly wary of identity theft.  Companies with established procedures for responding to these types of incidents can minimize the effects of any related publicity.

Human

Poll Reveals Policy Avoidance Behavior in Senior Management

The results of a poll conducted by The National Computing Centre (NCC) and Erudine may indicate widespread avoidance of policies designed to ensure the protection of customer data.  The poll focused on the actions of senior managers.  The majority of managers polled regularly bypass policies because they view the policies as barriers to job performance.  These employees report regularly disregarding policies, although a large majority understand the risk that customer data loss poses to company reputation and the potential for fines.

IntelliShield Analysis:  It is not uncommon for employees to bypass security policies because they are perceived to be too strict.  The continued avoidance of policies by senior managers is of great concern, as those employees may have access to particularly sensitive data.  Policies are established to help guide users to make safe choices when handling customer data rather than hinder employees.  Sites should review policies to ensure relevance and seek employee feedback on policies viewed as impediments to job duties.  Businesses may be able to reach compromises and modify policies to ensure safe operation while allowing employees to perform job responsibilities quickly.

Geopolitical

Government Computer Attacks Point to State Actors

New data from the U.S. Computer Emergency Readiness Team (US-CERT) shows that attacks on U.S. government computers rose 40 percent last year.  Reported incidents of unauthorized access to government computer systems and planting of malicious software increased from 3,928 incidents in 2007 to almost 5,500 in 2008, according to the data provided to USA Today.  The malware hack that brought down U.S. GovTrip.com last week is only one well-publicized, timely example.  U.S. government systems are not the only ones being targeted either, as evidenced by the Conficker virus, which has afflicted government systems in France, Britain, and Germany as well (as reported above).

IntelliShield Analysis:  The fact that most incidents involving government systems appear to target information of national security rather than commercial value suggests that state-backed actors may be responsible.  Moreover, the complexity and sustained nature of attacks such as the Conficker virus also suggest highly organized and well-funded sponsors.  While some of US-CERT's reported 40 percent increase in incidents is likely an outgrowth of increased vigilance and more aggressive reporting, the data also sends a clear message that governments and the companies charged with their security must redouble efforts to protect their networks if they are to avoid massive, crippling attacks during a time of crisis.

Other

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused a sharp increase in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world.  The disruption was caused by a SuproNet router issuing routing announcement updates that contained overly long Autonomous System (AS) paths.

Service providers can influence routing decisions by prepending their own AS number to the AS path one or more times in their routing announcements.  Operators use this technique to influence which path other networks choose to reach them.  SuproNet included its AS number (47868) a total of 252 times in its routing announcements.  Routers running legacy software could fail to process such a long AS path because of insufficient memory allocations.  As a result, large numbers of routers were unable to process BGP updates for a brief period, which temporarily disrupted Internet services.  The disruption, although limited in duration, was global in scale.  Vendors such as Cisco and OpenBSD have released workarounds and updated software to address the flaws that allowed this incident to occur.
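The two defensive properties this incident calls for are a parser that checks every AS_PATH length against the buffer it actually has, and a policy that refuses updates whose AS path is implausibly long before they reach route selection. The following Python is an added example written for this report, not code from Cisco, OpenBSD, or any router vendor: it encodes and decodes the AS_PATH attribute (segment type, one-octet ASN count, ASNs), counts hops the way best-path selection does, and applies a maximum-AS limit. The sample path is constructed for the demonstration: five transit ASes from the documentation range plus 252 copies of AS 47868, which is more than the 255 ASNs a single segment can carry. The max_as default of 75 and the function names are the example's own choices.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2     # AS_PATH segment types (RFC 4271 section 4.3)
MAX_ASNS_PER_SEGMENT = 255     # the segment length field is one octet


def encode_as_path(asns, asn_width=2):
    """Encode an ordered AS list as AS_SEQUENCE segments, splitting every 255 ASNs."""
    fmt = "H" if asn_width == 2 else "I"
    out = bytearray()
    for i in range(0, len(asns), MAX_ASNS_PER_SEGMENT):
        chunk = asns[i:i + MAX_ASNS_PER_SEGMENT]
        out += bytes([AS_SEQUENCE, len(chunk)]) + struct.pack(f">{len(chunk)}{fmt}", *chunk)
    return bytes(out)


def parse_as_path(value, asn_width=2):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].
    Each declared length is checked against the buffer before it is used, so a
    malformed or truncated attribute raises ValueError instead of over-reading."""
    fmt = "H" if asn_width == 2 else "I"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = value[pos], value[pos + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS_PATH segment type {seg_type}")
        pos += 2
        body_len = count * asn_width
        if pos + body_len > len(value):
            raise ValueError("AS_PATH segment body runs past the attribute")
        asns = list(struct.unpack(f">{count}{fmt}", value[pos:pos + body_len]))
        pos += body_len
        segments.append((seg_type, asns))
    return segments


def as_path_length(segments):
    """Hop count as used in best-path selection: each AS in an AS_SEQUENCE counts
    once; an AS_SET counts as a single hop regardless of its size."""
    return sum(len(asns) if seg_type == AS_SEQUENCE else 1 for seg_type, asns in segments)


def check_as_path(value, max_as=75):
    """Return (accept, hop_count, reason). Malformed or over-long paths are refused
    before they reach route selection, as a maximum-AS filter would do."""
    try:
        segments = parse_as_path(value)
    except ValueError as exc:
        return False, 0, f"malformed AS_PATH: {exc}"
    hops = as_path_length(segments)
    if hops > max_as:
        return False, hops, f"AS path length {hops} exceeds limit of {max_as}"
    return True, hops, "accepted"


# Constructed sample modelled on the incident: five transit ASes (documentation
# range 64496-64511, RFC 5398) nearest the receiver, then 252 copies of AS 47868.
TRANSIT_ASNS = [64496, 64497, 64498, 64499, 64500]
PREPENDED_PATH = TRANSIT_ASNS + [47868] * 252   # 257 ASNs: spans two segments


if __name__ == "__main__":
    wire = encode_as_path(PREPENDED_PATH)
    print(len(parse_as_path(wire)), "segments on the wire")       # 2
    print(check_as_path(wire))                                    # (False, 257, ...)
    print(check_as_path(encode_as_path([64496, 64497, 47868])))   # (True, 3, 'accepted')
```

Note how the 257-ASN path is carried as two segments on the wire: code that assumes one segment, or sizes a fixed buffer from a single count octet, is exactly the kind of legacy implementation that failed here, and the length check in check_as_path() is what keeps such an update out of the routing table.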

Upcoming Security Activity

Financial Cryptography and Data Security '09: February 23–26, 2009
InfoSec World 2009: March 7–13, 2009
CanSecWest Vancouver 2009: March 16–20, 2009
Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
