
Cyber Risk Report

February 2–8, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels, which focused on previously undisclosed vulnerabilities and malicious code activity, were lower compared to a similar time period in 2008. IronPort released details for six Threat Outbreak Alerts. Mozilla released security advisories and updated software to address seven vulnerabilities in the Firefox web browser, SeaMonkey web suite, and the Thunderbird e-mail client.

Microsoft released the Advanced Notification for the February 2009 security bulletin release. Of the four bulletins scheduled for release on February 10, 2009, Microsoft scored two with a maximum severity rating of Critical and two with a rating of Important. These bulletins address vulnerabilities in the Microsoft Windows operating system, the Microsoft Office Suite of applications, the Microsoft Exchange Server, and the Microsoft SQL Server products.

US-CERT released a vulnerability note to address five buffer overflow and denial of service vulnerabilities in AREVA e-terrahabitat SCADA systems. Few technical details are available to describe the individual vulnerabilities. Due to the potential value of a successful attack against a SCADA system, administrators are advised to take every precaution to ensure that only trusted users have access to such systems. Even users that must have access to data from the SCADA systems should be restricted from accessing the command interface when possible.

Reports indicate that OpenOffice.org is distributing the OpenOffice suite of applications with an outdated version of Java. The current version of OpenOffice (3.0.1) attempts to install version 6 update 7 of Sun Java products. This version of Java contains numerous confirmed vulnerabilities that were patched in later versions of Java products. Also, this version does not include certain security features, such as Secure Static Versioning. Sun designed this feature to prevent websites from invoking older versions of Java on a user's system. The lack of this feature is dangerous because it could expose the system to a large number of well-known vulnerabilities.

During the time period, phpBB acknowledged that an attacker used a vulnerability in the phplist newsletter manager to compromise the database associated with phpbb.com. The vulnerability was publicly disclosed on January 14, 2009, and patched by the vendor on January 29, 2009. The attacker reportedly had unauthorized access to the details of over 400,000 users for approximately two weeks. These details included usernames, MD5 hashed passwords, and e-mail addresses. The attacker then used a script to access 28,000 of the hashed passwords and posted these user details online. Any affected user who uses the same password across multiple websites could be at risk of further attacks, because the attacker may have all the information required to access secure websites, such as banking websites, as that user.
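The phpbb.com incident turns on two properties of the stored credentials: the hashes were unsalted MD5, so every user with the same password has the same digest, and the digest is cheap to compute, so a precomputed dictionary maps common passwords straight back to accounts. The following added example (not code from the report or from phpBB) uses constructed rows in the shape of the leaked data to show why identical unsalted digests are dangerous, and contrasts them with a salted, iterated PBKDF2-HMAC-SHA256 scheme in which two users with the same password get different stored values. The row values, the storage format and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample rows in the shape the leaked phpbb.com data reportedly had:
# username, unsalted MD5 of the password, e-mail. All values are made up.
LEAKED_ROWS = [
    ("alice", hashlib.md5(b"password123").hexdigest(), "alice@example.com"),
    ("bob",   hashlib.md5(b"letmein").hexdigest(),     "bob@example.com"),
    ("carol", hashlib.md5(b"password123").hexdigest(), "carol@example.com"),
]


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the scheme the compromised database used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def accounts_sharing_hash(rows):
    """Group usernames by identical digest. With unsalted hashes, recovering
    one password unlocks every account in its group at once, and a single
    precomputed digest of a common password finds all of them in one lookup."""
    groups = defaultdict(list)
    for username, digest, _email in rows:
        groups[digest].append(username)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$dk (assumed format).
    The per-user random salt makes equal passwords produce different stored values, and
    the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("accounts sharing an unsalted digest:", accounts_sharing_hash(LEAKED_ROWS))
    a = hash_password("password123")
    c = hash_password("password123")
    print("same password, different stored values:", a != c)
    print("verification succeeds:", verify_password("password123", a))
```

The grouping function is the check a defender would run over a leaked dump: every group with more than one member shows how much a single recovered password is worth. The PBKDF2 scheme removes that property, but it does not help users who reuse a password elsewhere; those accounts still need to be reset.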

In malicious code activity, a trojan is attempting to propagate by way of false parking violation fliers. The yellow fliers are being placed on automobiles in parking lots in Grand Forks, North Dakota, United States. The fliers state that the vehicle is in violation of parking regulations and that the recipient must visit the URL printed on the flier to dispute the violation. The website contains several photos of cars in parking lots and instructs the user to click on a provided link that supposedly shows a picture of their vehicle. Instead, the link points to a trojan executable, picturesearchtoolbar.exe. Malware propagation has taken on many innovative avenues as technology advances and as storage exists in USB flash drives, portable media players, GPS receivers, digital photo frames, and other similar electronics. This particular infection was not widespread and is reported to be localized to Grand Forks; however, as familiar social engineering tactics lose their effectiveness over time, attackers continue to invent new ways to deceive users into infecting their systems with malware.

Also during the time period, a new eBay phishing scheme emerged. Attackers are sending e-mails to eBay sellers with subject lines that may read "Question for Seller". The e-mail states that there is an active listing on eBay with the same description and photo as the eBay user who has a legitimate listing. The message contains a link to the so-called duplicate auction and then questions the legality of the duplication. The malicious link in the e-mail begins with http://signin-ebay-com-z.by while the legitimate eBay link begins with https://signin.ebay.com. If the user is fooled into following the link provided in the message, they are sent to a page that looks identical to the real eBay login page except for the lack of an SSL certificate. The username and password are sent back to the attacker if entered into the phishing website. Users are advised to verify the authenticity of links. For assistance in verifying links or any other URLs, users can employ the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website.
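The two link prefixes quoted above differ in exactly the ways an automated check can catch: the phishing host merely contains the string "ebay" rather than being a subdomain of ebay.com, and it uses http rather than https. The following added example (not code from the report) shows such a check in Python, using only the standard library; the set of trusted domains and the sample links other than the two quoted in the report are constructed for illustration. It goes beyond the report's single case to cover other lookalike patterns: a trusted name used as a prefix of a longer domain, a trusted name embedded in an unrelated one, and a trusted name placed in the userinfo part of the URL.

```python
from urllib.parse import urlsplit

# Domains treated as legitimate for sign-in links (assumption for this example).
TRUSTED_DOMAINS = ("ebay.com",)


def link_verdict(url: str, trusted_domains=TRUSTED_DOMAINS):
    """Return (accepted, reason). A link is accepted only when its host is a
    trusted domain or a subdomain of one AND the scheme is https."""
    parts = urlsplit(url.strip())
    # urlsplit's hostname drops userinfo and port, so "trusted@evil" resolves to "evil".
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    # Match the whole label boundary: "x.ebay.com" yes, "ebay.com.evil" and "notebay.com" no.
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        return False, f"host '{host}' is not under a trusted domain"
    if parts.scheme != "https":
        return False, f"scheme is '{parts.scheme}', not https"
    return True, f"host '{host}' is trusted and uses https"


# Constructed sample links: the two prefixes quoted in the report plus lookalike patterns.
SAMPLE_LINKS = [
    "https://signin.ebay.com/",               # legitimate prefix from the report
    "http://signin-ebay-com-z.by/",           # phishing prefix from the report
    "https://ebay.com.example.net/",          # trusted name as a prefix of another domain
    "https://notebay.com/",                   # trusted name embedded in another domain
    "https://signin.ebay.com@example.net/",   # trusted name in the userinfo part
    "http://signin.ebay.com/",                # right host, no TLS
]


def audit(links):
    """Map each link to its (accepted, reason) verdict."""
    return {u: link_verdict(u) for u in links}


if __name__ == "__main__":
    for u, (ok, why) in audit(SAMPLE_LINKS).items():
        print("ACCEPT" if ok else "REJECT", u, "-", why)
```

The domain test is deliberately a suffix match on a label boundary rather than a substring search; a substring search for "ebay" would accept every link in the sample list except the last.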

IntelliShield published 118 events last week: 56 new events and 62 updated events. Of the 118 events, 100 were Vulnerability Alerts, seven were Threat Outbreak Alerts, six were Security Issue Alerts, two were Security Activity Bulletins, two were Malicious Code Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date       New  Updated  Total
Friday        2/6/2009    14       16     30
Thursday      2/5/2009    12       12     24
Wednesday     2/4/2009    13        5     18
Tuesday       2/3/2009     4       18     22
Monday        2/2/2009    13       11     24
Weekly Total              56       62    118


Previous Alerts That Still Represent Significant Risk

Worm: W32.Waledac
IntelliShield Malicious Code Alert: 17327, Version 7, February 2, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The e-mail messages are configured to leverage interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert: 17121, Version 9, January 19, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability as described in IntelliShield alert 16941. The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until the machine can be fully restored.

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure websites. The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function. Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates. Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm. Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack. The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.
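The practical response to the bulletin above is an inventory: find which certificates in use, and in particular which issuing CA certificates, are still signed with MD5. The following added example (not code from the report or from the researchers) reads the outer signatureAlgorithm field of an X.509 certificate directly from its DER encoding with a minimal tag-length-value walker, names the algorithm from its OID, and flags MD5 and MD2 signatures. Because no real certificate is embedded, the example builds a skeleton certificate structure (placeholder tbsCertificate, real AlgorithmIdentifier encoding) as constructed input; the list of known OIDs is limited to the RSA signature algorithms named, and any other OID is reported in dotted form.

```python
import ssl  # stdlib PEM/DER conversion for real certificates

# Signature-algorithm OIDs (PKCS#1 / RFC 3279 / RFC 4055). Unknown OIDs are returned dotted.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURE_ALGORITHMS = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128 digits, high bit set on all but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Algorithm named in the outer signatureAlgorithm field of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)         # tbsCertificate, skipped
    _, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def signature_algorithm_pem(pem: str) -> str:
    """Same check for a PEM-encoded certificate (e.g. one saved from a server or a CA bundle)."""
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


def is_weakly_signed(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) in WEAK_SIGNATURE_ALGORITHMS


# --- constructed test input: a skeleton certificate structure, not a real certificate ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def build_skeleton_cert(sig_oid: bytes) -> bytes:
    """Outer X.509 layout with a placeholder tbsCertificate holding only a serial number."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")  # OID followed by NULL parameters
    sig = _tlv(0x03, b"\x00" * 9)                         # BIT STRING with a dummy value
    return _tlv(0x30, tbs + alg + sig)


def build_skeleton_cert_pem(sig_oid: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(build_skeleton_cert(sig_oid))


if __name__ == "__main__":
    for name, oid in (("md5", MD5_RSA_OID), ("sha256", SHA256_RSA_OID)):
        c = build_skeleton_cert(oid)
        print(name, signature_algorithm(c), "WEAK" if is_weakly_signed(c) else "ok")
```

When applying this to a real deployment, run it over every certificate in the chain, not just the leaf: the attack described above produces a rogue intermediate CA certificate, so the field that matters is the signature a root or intermediate CA placed on the certificate below it.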

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841

Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to infected systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, Acrobat 3D, Acrobat Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail messages.

Physical

There is no significant activity in this category for the time period.

Legal

Former Microsoft Employee Accused of Corporate Espionage

Miki Mullor, a former Microsoft employee, has been accused of corporate espionage against Microsoft. Mr. Mullor is accused of trying to determine if Microsoft has been using a patent that he owns as part of his startup company, Ancora Technologies Inc. According to reports, Microsoft caught Mr. Mullor downloading documents that did not apply to his work role and that were related to System Locked Preinstallation (SLP) anti-piracy technology. Because Ancora Technologies owns the SLP patent, reports indicate that Mullor was searching for evidence with which to sue Microsoft for patent infringement.

IntelliShield Analysis: Microsoft has done well to monitor and audit records viewed by employees, allowing the company to know when individuals are accessing information they should not be accessing and investigate the activity. Such measures have allowed Microsoft to pursue the case against Mr. Mullor. The degree of controls that Microsoft has applied appears to have allowed the company only to identify the activity but not prevent unlawful access of data. Organizations are advised to control access to sensitive records; however, in some cases, limiting the controls to monitoring and auditing access may be preferred.

Trust

Google Search Engine Labels Sites as Malicious

On January 31, 2009, the malicious software feature of Google erroneously labeled all sites within its search engine results as dangerous. The sites were labeled with the phrase "This site may harm your computer." Normally, only sites that Google believes contain malicious software are labeled in this way. The condition lasted for approximately 40 minutes. The problem was reportedly caused by human error.

IntelliShield Analysis: This incident reveals some of the potential problems in the methodology used to decide how sites are labeled within search results. Google partly relies upon the StopBadware.org services to list sites that may contain malicious software. Trusting Google's search results therefore also requires trusting StopBadware.org, along with other information Google may use. Google users are advised to validate site label information from other sources and remain skeptical of third-party labeling efforts.

Identity

Nomination of Administrator for E-Government and Information Technology of the United States  

President Barack Obama has announced plans to nominate Vivek Kundra as administrator of E-Government and Information Technology in the Office of Management and Budget. Mr. Kundra is the current Chief Technology Officer (CTO) for the District of Columbia, United States and has previous work experience in the academic, public, and private sectors. One area Kundra may choose to address is enforcing greater transparency regarding government information. Kundra has stated that public access to information allows for greater oversight for daily government activities.

IntelliShield Analysis: Since taking the position of CTO for the District of Columbia, Mr. Kundra has made public all of the government databases of the District of Columbia. Prior to making any similar move at the federal government level, Kundra and his staff will need to make decisions on what types of information could pose a threat to individual citizens or national security. Several state, county, and city governments have faced a similar situation, which in some cases has resulted in the exposure of sensitive records and personal information. Such a move could also quickly develop into a very complex set of access controls where the potential for errors is high.

Human

One Billion Internet Users Online

A recent report by comScore indicates that Internet usage has reached one billion users globally. Metrics collected by comScore indicate that the United States (U.S.), once the nation with the highest number of online users, has been surpassed by China. Other highly-populated countries, such as Brazil and India, may also surpass the U.S. in online presence.

IntelliShield Analysis: As online usage increases and the demographics, trends, and economies shift to reflect this usage, online threats and risks may also drastically change. Many trends that emerge within communities, such as the proliferation of attacks against China's QQ instant messenger software, may affect general usage if these regional applications or websites gain mainstream adoption. Other technologies may quickly be highlighted as threat vectors or as targets of exploitation based on these population trends. For example, cell phone usage in India is growing rapidly and may be a more appropriate Internet platform there and in other emerging markets. Organizations, especially those doing business globally, may have already noticed some of these trends; further attention is warranted in order to predict future risks to the global online community, particularly regarding trends within these rapidly growing Internet populations.

Geopolitical

Outsourcing Industry in India Lives On

In January, the fourth largest IT services company in India, Satyam Computing, revealed that it had over-reported profits by more than US$1 billion. Satyam's founder admitted to having covered up the company's real financial situation for several years. Although fraud on this scale is always bad news, it comes at a particularly bad time and in a particularly sensitive industry. The Satyam scandal erodes trust in Indian outsourcing, which accounts for around a quarter of India's exports, at a time when the global economic slowdown is battering the industry's biggest clients in the United States and Western Europe. India's leading software industry group NASSCOM is expected to announce this week that the sector's growth rate will slow dramatically in 2009, after enjoying growth numbers closer to 30 percent per year for most of the past decade.

IntelliShield Analysis: The outsourcing industry in India, and indeed Satyam itself, will live on. Facing elections this spring, the Indian government is keen to save Satyam's approximately 50,000 jobs and is taking steps to replace the leadership while keeping the company afloat. Industry leaders, embarrassed by the affair, are saying it was an isolated incident but nonetheless are calling for increased corporate transparency and regulatory oversight. With the Indian rupee down sharply against the dollar, software outsourcing in India continues to be a smart option for companies looking to cut costs. For IT industry security experts, the affair serves as a reminder that trust- and partnership-based outsourcing, in India or elsewhere, can be undermined overnight, and companies should be prepared to shift gears quickly if necessary.

Upcoming Security Activity

Black Hat DC 2009: February 16-19, 2009
Financial Cryptography and Data Security '09: February 23-26, 2009
InfoSec World 2009: March 7-13, 2009
CanSecWest Vancouver 2009: March 16-20, 2009
Black Hat Europe 2009: April 14-17, 2009
RSA Conference 2009: April 20-24, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Israeli Legislative Election: February 10, 2009
Venezuelan Referendum on Presidential Terms of Office: February 15, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
