July 7–13, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for this period focused on the release of the July 2008 Microsoft security bulletins. Included in this release was security bulletin MS08-040, which addressed four vulnerabilities in Microsoft SQL Server products. This bulletin may represent a response from Microsoft to multiple recent attacks on SQL-based technology.

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. This vulnerability is described in IntelliShield Alert 16183. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. This is not a new issue for DNS servers, and the ability to spoof DNS transaction IDs has been known and guarded against in many ways in the past. However, it appears that recently released independent research has identified a reliable and effective method of predicting transaction IDs and source port numbers, forcing vendors to fundamentally rethink the method that is used to generate such identifiers. Multiple vendors have confirmed this vulnerability and released updated software. For information about DNS, best practices, network protections, and attack identification for DNS, reference the Cisco Applied Intelligence white paper DNS Best Practices, Network Protections, and Attack Identification.

The Storm worm, as described in IntelliShield Alert 14009, is currently propagating with the files Iran_occupation and form.exe. The worm arrives in an e-mail that contains a link to a website that hosts a copy of the worm. The website is related to the conflict between the United States and Iran. If the user follows the provided URL, a copy of the worm is downloaded and executed on the user's system. Users are strongly encouraged to always verify the authenticity of unexpected links within e-mail. As an added measure of protection, before following links, users can check the reputation of any URL using the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase Website.

IntelliShield published 162 events last week: 54 new events and 108 updated events. Of the 162 events, 142 were Vulnerability Alerts, five were Security Issue Alerts, four were Security Activity Bulletins, four were Applied Mitigation Bulletins, three were Daily Malicious Code Summaries, three were Malicious Code Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
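The DNS issue above comes down to how much an attacker must guess to make a forged response match an outstanding query: the 16-bit transaction ID alone, or the transaction ID plus an unpredictable source port. The following added example (not part of the original report, and not a Cisco tool) assesses constructed samples of a resolver's outbound (source port, TXID) pairs, as a passive monitor would see them, and flags a fixed port or a sequential TXID pattern.

```python
import random
from math import log2

# Constructed sample traffic: (source_port, txid) tuples from a caching
# resolver's outbound queries. The weak resolver always sends from port 53
# and increments its TXID; the hardened one randomizes both.
WEAK_RESOLVER = [(53, (0x1000 + i) & 0xFFFF) for i in range(200)]
_rng = random.Random(2008)  # seeded only so the example is repeatable
HARDENED_RESOLVER = [(_rng.randint(1024, 65535), _rng.randint(0, 65535))
                     for _ in range(200)]


def assess_resolver_queries(queries):
    """Rate how hard a forged answer is to make match these queries.

    A spoofed response is accepted only if its destination port and TXID
    match an outstanding query, so a fixed source port or a predictable
    TXID sequence collapses the attacker's guessing space.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    deltas = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    sequential = len(txids) > 2 and len(deltas) == 1
    distinct_ports = len(set(ports))
    # Lower bound, from this sample only, on the bits an attacker must
    # guess: 16 bits of TXID if it is unpredictable, plus the port variety.
    effective_bits = (0 if sequential else 16) + log2(distinct_ports)
    return {
        "distinct_ports": distinct_ports,
        "txid_sequential": sequential,
        "txid_repeats": len(txids) - len(set(txids)),
        "effective_bits": round(effective_bits, 1),
        "poor": distinct_ports == 1 or sequential,
    }


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_RESOLVER), ("hardened", HARDENED_RESOLVER)):
        print(name, assess_resolver_queries(sample))
```

On real traffic, feed the function tuples captured from the resolver's outbound port-53 queries; a "poor" verdict after the vendor patch usually means a NAT device in front of the resolver is rewriting source ports back into a predictable range.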
Significant Alerts for the Time Period

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Event data from Cisco Remote Management Services has detected activity on signature 4004/0 in relatively small amounts. The data was captured on July 10, 2008. This signature is new and may be triggered by normal network traffic. Because the technical details of this vulnerability are not yet public, it is unlikely that activity on this signature indicates actual exploits. However, that is likely to change once the technical details become public, which is expected to occur in August 2008 at the Black Hat conference in Las Vegas.

Previous Alerts That Still Represent Significant Risk

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could be easily determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, which is detailed in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Physical

There was no significant activity in this category during the time period.

Legal

German Court Rules Phishing Attacks Responsibility of Bank

A German court has ruled on a case in which a family's bank account was compromised by malicious code found on their computer. Although the family had up-to-date antivirus software, a malicious key logger was still running on the system. The family's account was robbed of 4,000 Euros. The German court ruled that the bank is liable to repay the family because they did not authorize the money transfer, leaving the bank to accept the forgery risk.

IntelliShield Analysis: This ruling could have significant consequences for banks around the world if other courts follow. Credit card companies have been insuring their customers against fraud for several years and, in many cases, as part of the bank's services. However, for a government to rule that a bank must reimburse customers for money stolen from an account over the Internet is new ground. This case should signal to banks that allow online transactions to review their security features. In this case, the customer was using PIN and TAN secure access, a form of authentication used in e-commerce. However, the attacker was able to use intercepted keystrokes to make a transaction. Further research is needed on security systems for online banking transactions, covering both bank-side and user-side features, that will make it difficult for an attacker to compromise the system.
Trust

Online Companies' Employee Data Stolen

Google, CNET, and other firms have sent mandatory disclosure letters to several state attorneys general regarding potential unauthorized access to personal information due to a break-in that occurred May 26, 2008 at Colt Express Outsourcing Services, a third-party benefits administrator. The employee data retained by Colt and lost in the theft included names, dates of birth, social security numbers, addresses, and information regarding employment benefits. Colt informed its clients that on Monday, May 26, 2008, the Walnut Creek, California offices of Colt were burglarized. Computer equipment was taken that contained the human resources data of several Colt clients, affecting approximately 6,500 individuals.

IntelliShield Analysis: Third-party human resources services can be helpful in providing a high level of service to employees but may open another vector of risk to employee data. No evidence of identity theft has been detected, and it may be that the thieves were more interested in the hardware than in the information on the stolen computers. Important to note is that Google employees were still affected by the theft although the company had been using a different benefits administrator since 2006. This scenario highlights the need for businesses to be very thorough when protecting employee or customer data, examining retention requirements and following through diligently when a service is terminated. Sensitive data that is transmitted to and stored by a third-party vendor should be adequately protected during the life of the information.

Identity

Data Disclosure Over P2P File Sharing Application

Files that contain names, social security numbers, and other personally identifiable information have been disclosed on the LimeWire P2P file sharing network. The files appear to have been shared over the network as the result of an installation of the LimeWire file-sharing application by an employee of the Wagner Resource Group. Among the roughly 2,000 individuals affected by this information disclosure is United States Supreme Court Justice Stephen G. Breyer.

IntelliShield Analysis: This high-profile information disclosure illustrates the danger of P2P file sharing within corporate networks. Along with legal issues surrounding intellectual property and copyright laws, the exposure of sensitive data as the result of P2P application use remains a very high risk. Sites that have a business need to use such applications are advised to monitor usage and audit the information that is shared through those applications. User education concerning the safe use of P2P applications, including their dangers, should be part of any application implementation. Sites without a need to use P2P software may consider blocking or restricting the use of P2P applications within internal networks.

Human

Security Report on Wireless Internet Users

Telework Exchange and Sprint Nextel recently conducted a study of wireless Internet usage among United States government employees. Of the 310 employees questioned, 11 percent of IT executives and 33 percent of teleworkers were not familiar with security guidelines for using wireless Internet, and 40 percent of IT executives were actually prohibited from using it. One promising finding was that 76 percent of IT executives claimed that their agencies complied with Department of Defense Mandate 8100.2. This mandate requires that data be encrypted when transmitted over wireless networks.

IntelliShield Analysis: There has been a dramatic increase in wireless Internet usage since laptops and handheld devices have become mainstream, so it is not surprising that the industry has begun conducting surveys about wireless security. This study found that the majority of government employees, almost 80 percent, use wireless technology on a daily basis. Despite the constant reports of wireless security breaches, attacks continue to increase, including the physical theft of laptops that are left in plain sight and the failure to encrypt data. Failing to encrypt data, as 24 percent of government workers appear to be doing, can allow attackers to easily capture and view information. As businesses trend toward increased laptop usage, which can lower costs by allowing employees to work from remote locations and increase business productivity, they must make employee education a priority. Proper training on securing laptops is essential to protecting sensitive business assets. In addition to providing employees with the necessary wireless security tools, organizations must consider government or industry standards and general best practices like encrypting data on laptops and data that is transmitted over the Internet.

Geopolitical

Security Lesson From Colombian Hostages Rescue

The rescue of 15 hostages being held by Colombian rebel group FARC in early July holds lessons for Internet security specialists, according to an article by Bruce Schneier published in the July 2008 issue of Wired magazine. The rescue was made possible by deceiving FARC interlocutors into thinking they were talking to one another, when in fact both were talking to Colombian intelligence. The daring Man-in-the-Middle (MITM) operation carried out by the Colombian military with the support of the United States took advantage of the fact that the various FARC rebel groups were not personally acquainted with one another. The hostages' captor, known as Cesar, was tricked into believing that he was passing the hostages through an intermediary to the rebel groups' new leader following the high-profile death of FARC leader Raul Reyes in March 2008.

IntelliShield Analysis: In trusted communications, as in the case of the FARC operation, the lack of a contextual, known face-to-face or voice confirmation puts the entire onus for authentication on the electronic connection. If electronic attackers insert themselves unseen between two parties, they can simply act as a middle agent by passing requests for passwords or other information between the parties and change the information if they choose. This method bypasses two-factor authentication controls and is therefore gaining popularity in identity theft. One way for administrators to guard against MITM attacks in encrypted exchanges is to check the public key fingerprint of remote users, a short and easily checked hash of the key.

Upcoming Security Activity

The Last HOPE: July 18–20, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Beijing 2008 Summer Olympics: August 6–24, 2008
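The fingerprint check recommended in the Geopolitical analysis above works because the fingerprint is short enough to read over the phone or print on a card, yet a middle agent substituting its own key cannot make that key hash to the same value. The following added example (not part of the original report) computes OpenSSH-style fingerprints in both the colon-separated MD5 form common in 2008 and the current SHA256 form, and compares a presented key against a fingerprint obtained out of band; the ssh-ed25519 key material is constructed, not a real key.

```python
import base64
import hashlib
import hmac


def _ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _constructed_key_line(seed_byte):
    """Build a syntactically valid ssh-ed25519 public key line from a
    constructed 32-byte value (not a real key; for demonstration only)."""
    material = bytes((seed_byte + i) & 0xFF for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(material)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


GENUINE_KEY = _constructed_key_line(0)      # what the real peer published
SUBSTITUTED_KEY = _constructed_key_line(1)  # what a middle agent would present


def fingerprint(pubkey_line, algo="sha256"):
    """Fingerprint of an OpenSSH '<type> <base64-blob> [comment]' line.

    'md5'    -> colon-separated hex, the format in common use in 2008
    'sha256' -> 'SHA256:' + unpadded base64, the current OpenSSH default
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"unsupported fingerprint algorithm: {algo}")


def matches_trusted(pubkey_line, trusted_fingerprint):
    """True only if the presented key hashes to the fingerprint obtained
    out of band (phone call, printed card, in-person exchange)."""
    algo = "sha256" if trusted_fingerprint.startswith("SHA256:") else "md5"
    return hmac.compare_digest(fingerprint(pubkey_line, algo), trusted_fingerprint)
```

The comparison is constant-time so that a mismatch reveals nothing about how close a guess was; the trusted fingerprint must come from a channel the middle agent does not control, or the check proves nothing.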
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
