January 14–20, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Oracle released its January 2008 Critical Patch Update, which provides patches for 26 vulnerabilities affecting several Oracle Database products, including the Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. IntelliShield Alert 14949 details the Critical Patch Update.

Microsoft released a security advisory to address a vulnerability in Microsoft Excel, as detailed in IntelliShield Alert 14951. According to Microsoft, this vulnerability has been used to conduct limited attacks against specific targets. Limited technical details are available for this vulnerability. A successful attack could allow the attacker to take control of the vulnerable system.

Apple released a security update and patches to address four vulnerabilities in the QuickTime media player. The vulnerabilities are detailed in IntelliShield Alerts 14952, 14953, 14954, and 14956. These vulnerabilities may also be exploited via Apple iTunes because the product relies on the QuickTime framework to render all video and audio files. A user who retrieves a malicious file from another user's shared folder while using the iTunes shared media features may be at risk of exploitation.
Due to the widespread use of both the QuickTime media player and iTunes, IntelliShield analysts consider these vulnerabilities to be attractive targets for attackers.

US-CERT released a vulnerability note that details insecurities inherent in the Universal Plug and Play (UPnP) collection of protocols, as described in IntelliShield Alert 14968. To exploit this vulnerability, the attacker must know the vulnerable device's IP address and convince the user to follow a malicious link using a web browser that contains plug-ins capable of executing in the security context of the local system. This issue affects various vendors of UPnP devices, and products may be affected differently depending on their implementations and default configurations. Proof-of-concept code that demonstrates this vulnerability using an Adobe Flash plug-in is available.

In malicious code activity, Spy-Agent, also known as Trojan.Silentbanker, has attacked the two-way authentication commonly used by online banking entities. Spy-Agent.cm, as described in IntelliShield Alert 14967, is a sophisticated trojan designed to steal banking information and application passwords. The interception of banking information is a type of man-in-the-middle attack and is difficult to detect because the trojan scans outgoing HTTP requests to known banking sites and manipulates or redirects that traffic. By monitoring this traffic and allowing connections to and from banking websites to continue mostly uninterrupted, the malicious software can steal sensitive information without the user's knowledge. The trojan can also receive updates from a central command site, allowing attackers to add new banking sites to its list or update the malicious software that makes up the trojan.
The capabilities of the trojan, along with its noninvasive nature, make this malicious software difficult to detect and remove, possibly allowing the trojan to persist over long periods of time and capture large amounts of sensitive information.

The upcoming Valentine's Day has prompted another variation of the Storm worm to be widely distributed during this period. The Storm worm, as documented in IntelliShield Alert 14009, is currently circulating in Valentine's Day-themed e-mails that contain a link to a website with an image of a heart. The website contains a "click here" link that, when followed, downloads and executes the worm on the user's system. Users should always verify the authenticity of unexpected links within e-mail.

IntelliShield published 130 events last week: 54 new events and 76 updated events. Of the 130 events, 115 were Vulnerability Alerts, five were Malicious Code Alerts, four were Daily Malicious Code Summaries, three were Security Issue Alerts, one was an Applied Mitigation Bulletin, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Significant Alerts for January 14–20, 2008

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are likely not widespread, as details of the vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future.

Previous Alerts That Still Represent Significant Risk

ClamAV popen() Function Arbitrary Code Execution Vulnerability
ClamAV contains a vulnerability that could allow a remote attacker to execute arbitrary code. Exploit code, which is similar to other, much older attacks against other types of systems, is available. An attacker may be able to easily modify the code to conduct multiple attacks. ClamAV has confirmed this vulnerability and released updated software.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
Microsoft Message Queuing Service contains a vulnerability that could allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 machines. This exploit code is more automated than the previously disclosed proof-of-concept code.
The new exploit code requires only minor modification by an attacker for each targeted host system. The exploit automatically extracts the FQDN of the host from its NetBIOS name, making it easier for an attacker to exploit this vulnerability. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate that this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and no updates are available.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. A remotely exploitable vulnerability such as this, one that likely affects a large number of highly sensitive systems, is a very attractive target and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability
Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header.
An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window to leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.

Samba WINS Server Daemon Buffer Overflow Vulnerability
Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.

Physical

AT&T Replacing Dangerous Batteries
AT&T has announced plans to replace 17,000 batteries that provide backup power for AT&T U-verse network cabinets. The announcement comes after four fires in 2006 and 2007 were caused by the faulty batteries, two of which involved explosions. An investigation found that the design of the batteries was stable but that manufacturing failures contributed to the battery failures. The latest fire, which occurred in December 2007, prompted AT&T to replace all batteries to ensure that the company's "stringent safety and performance criteria" are met and that customers are protected.

IntelliShield Analysis: Numerous battery-related fires involving computer equipment have occurred in the last two years. In the case of AT&T, the batteries in question are used in outdoor cabinets as part of the AT&T U-verse television network. Because of the risk of battery explosions, public safety is at risk and the potential for property damage increases. Although AT&T is moving forward with battery replacement, the replacement process will be time consuming due to the large number of batteries in the installed base.
Organizations that rely on AT&T for network services may consider consulting the company to determine the replacement dates and making appropriate additions or adjustments to business continuity plans in the event of network or television service outages.

Legal

Judge Rules DNS Zone Transfers Illegal
The use of public DNS zone transfers is a common and well-accepted means of obtaining DNS data. DNS data is required to identify the IP addresses of devices based on a DNS name lookup. However, a judge in North Dakota, United States, ruled that executing public domain DNS transfers is illegal and unauthorized even though such activities leverage publicly accessible data that does not warrant authorization.

IntelliShield Analysis: Despite the significant hype surrounding this incident, the judge seems to have ruled in a manner that could benefit information security. The defendant in this case argued that he should be permitted to use the information that he gained from the zone transfer simply because he could access the information. By refuting this argument and requiring that users obtain authorization before executing public domain DNS transfers, the judge is protecting system owners not only from data loss due to poor or incorrect configuration but also from software vulnerabilities. However, organizations should not rely solely on the law to protect their information; while the court ruled in favor of the exploited business in this case, the information was still exposed and additional risk was introduced.

Trust

Randomized JavaScript Toolkits Plaguing Anti-Virus Researchers
An emerging trend in malware authoring has led to JavaScript attack tools and exploits that are randomized and selectively distributed. Malicious files are distributed only once under a given filename and may not be sent twice to the same user.
Such tactics have created trouble for anti-virus researchers, who are unable to provide signatures that keep up with the vast diversity of the JavaScript malware. Anti-virus vendors are turning to heuristic methods as a means to withstand the onslaught of signature-resistant malcode.

IntelliShield Analysis: Malicious code is being deployed at rates that outpace current signature-based defenses, and many administrators have had negative experiences with the performance drain of heuristic anti-virus solutions. While vendors strive to improve their heuristic solutions, organizations may consider alternative measures to protect their systems from this increasing level of malware. As the effectiveness of malware continues to eclipse the effectiveness of current mitigations, solutions previously considered suboptimal may soon be more effective and efficient than signature-based solutions. Because of the changing malware threat, malware protection strategy needs to shift to a more extensive defense-in-depth strategy with less reliance on signature-based products.

Identity

Carphone Warehouse and TalkTalk Disclose Customer Information
Carphone Warehouse and its sister company, TalkTalk, have been issued an enforcement notice by the United Kingdom's Information Commissioner's Office (ICO). Both companies are accused of negligent handling of customer information and of incorrectly assigning debt collectors to customer credit accounts. The ICO received hundreds of complaints from customers pertaining to the disclosure of sensitive information or unwarranted visits from debt collectors. Numerous customers were listed with incorrect credit records, and thousands of customers were listed under the wrong profile, allowing customers access to other customers' personal information, including e-mail addresses, names, addresses, and phone numbers.
IntelliShield Analysis: As government regulation of the appropriate use of personal customer information increases, organizations will face greater pressure to implement their systems properly. Customer backlash will likely increase, not only because of several high-profile identity breaches but also because, as more information is stored by more organizations, the number of exposures will likely increase. Organizations seeking to streamline business processes and improve customer experience through automation and data collection should pay careful attention to the technical and regulatory requirements for protecting customer information. If the problems that resulted in the exposure at Carphone Warehouse and TalkTalk were related to significant demand for TalkTalk's newly introduced free broadband, businesses should also ensure that their systems can perform even when in high demand.

Human

Criminal Impersonates Armored Car Driver to Rob Banks
Six individuals have been arrested in connection with two bank robberies in Washington, D.C. and Wheaton, Maryland, United States. Dressed in a uniform similar to that of an armored car driver, one of the culprits entered each bank and informed the employees that he was there for a scheduled pickup of cash. When questioned, he explained that he was substituting for the usual driver. In both cases, the banks did not realize or report the theft until after the legitimate driver arrived for the pickup. Police were suspicious of one of the bank employees and searched that person's home.

IntelliShield Analysis: This crime preyed on a few common aspects of human psychology. The fake security driver counted on his simple cover story to distract from any inconsistencies in his appearance. Police reports indicate that the uniform was plain, and no one remembered seeing any company logos or other accoutrements that would have identified the suspect as a legitimate driver.
Employees are reminded to be discriminating when circumstances vary from the norm or seem suspicious. Most security companies carefully monitor the availability of their uniforms, patches, and identification, but such measures are moot if employees are not aware of such details. Examining the guard more closely, asking for identification, calling the security company, or even looking outside for the armored car would have alerted employees to the robbery much sooner. Because most people do not want to cause disruption by asking questions, people's trust can easily be exploited by robbers, hackers, and malicious code. A streamlined, simple confirmation process will encourage employees to take a few moments to confirm the identity of a person before engaging in any potentially sensitive activity.

MacSweeper Labeled Rogue Software
An application called MacSweeper has been labeled a scam by experts in the security industry. The application claims to remove security flaws and unnecessary files from machines that run the Macintosh operating system (Mac OS). The MacSweeper website purportedly scans the system and then attempts to sell the MacSweeper solution for around US$40. Users who investigated the service found that the website copies text from the Symantec anti-virus vendor website and does not differentiate between a Mac OS and a Windows operating system. Users have complained that their web browsing is constantly redirected to the MacSweeper website after they attempt to use the software.

IntelliShield Analysis: Until recently, users of the Mac OS have had few concerns about scamware, but with Apple's increased market share and the increased number of reported security flaws, such schemes have become more common. This increase in security flaws does not necessarily mean that the Mac OS is any less secure, but rather that the public may become easier to manipulate, since fears of insecurity circulate faster than security education.
Educating users about system security may help prevent people from falling victim to social engineering tactics and assist users in purchasing credible software from trusted vendors.

Geopolitical

Davos Forum to Attract Attention and Activists
World political and business leaders will converge in Davos, Switzerland, on January 23 for the World Economic Forum (WEF), drawing more than 2,500 people from 88 countries. Attendees will include former United States (U.S.) Vice President Al Gore, U.S. Secretary of State Condoleezza Rice, former United Nations Secretary General Kofi Annan, and Japanese Prime Minister Yasuo Fukuda. Discussions will be dominated by the specter of global economic slowdown and concerns about global warming. In addition to dignitaries, the forum also attracts protestors. The forum in 2000 was marred by clashes between Swiss police and anti-globalization protestors. In 2001, hackers compromised WEF computer systems and stole conference registration information.

IntelliShield Analysis: International conferences that attract broad press coverage are natural targets for traditional and cyber activists. This week's forum in Davos will be no exception. While security will undoubtedly be tight, activists have found that they can do more damage, with fewer supporters, by using a laptop than by taking to the streets. Fortunately for security specialists, inexperienced perpetrators of this sort of mischief often leave a trail. If an experienced state actor is involved, and this is always a possibility, the damage could be far greater and the perpetrator would likely never be identified.
Upcoming Security Activity

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Economic Forum: January 23–27, 2008
Financial Cryptography and Data Security Conference: January 28–31, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
