June 2–8, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.

Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Threat levels remained relatively low for the time period, with peak vulnerability activity surrounding the release of the Microsoft Security Bulletin Advance Notification for June 2008. Microsoft released this notification on June 5, 2008. Of the seven bulletins scheduled for release, Microsoft scored three with a maximum severity rating of critical, three with a maximum severity rating of important, and one with a maximum severity rating of moderate. These bulletins address vulnerabilities in the Internet Explorer web browser and in various components of the Windows operating system.

Microsoft released a security advisory to address a vulnerability in Apple's Safari for Windows web browser. A remote attacker could exploit this vulnerability to place and execute arbitrary files on an affected system. If the affected user has elevated privileges, the system could be completely compromised. To exploit this vulnerability, the attacker will likely need to convince a user to visit a malicious website that contains crafted HTML code. Alternately, the attacker could compromise legitimate websites to inject the crafted HTML. Both attack scenarios are common and have proven effective for exploiting other vulnerabilities. Apple has not confirmed this vulnerability, and no updates are available.

Functional exploit code has been released for the HP StorageWorks Storage Mirroring software buffer overflow vulnerability detailed in IntelliShield Alert 16009. A remote attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. A successful exploit may result in a complete system compromise. The HP StorageWorks application is a redistributed version of Double-Take Software's DoubleTake. Double-Take Software was formerly known as NSI. The vulnerability may also affect versions distributed by Double-Take Software or additional vendors; this information has not been confirmed.

Cisco released a security advisory to address five distinct vulnerabilities in Cisco PIX and Cisco ASA software. These vulnerabilities could allow a remote attacker to cause a denial of service condition or bypass control-plane access control lists (ACLs). It is unclear whether there are any specific conditions under which the control-plane ACLs will not function properly. However, because they may fail to operate at any given time, administrators are advised to assume that the functionality will cease and to take measures to protect affected devices from possible attacks.

The Storm worm, as described in IntelliShield Alert 14009, is currently circulating love-themed e-mails that contain a link to a website that initiates a download of the malicious file loveyou.exe. Storm continues to be a threat, and users are advised to always verify the authenticity of unexpected links within e-mail. Users should also check the reputation of the URL on SenderBase before following the link.

IntelliShield published 121 events last week: 52 new events and 69 updated events. Of the 121 events, 107 were Vulnerability Alerts, four were Security Issue Alerts, three were Security Activity Bulletins, three were Daily Malicious Code Summaries, three were Malicious Code Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, as detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features and may be easily guessed through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is publicly available and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008
Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, as described in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by the Trojan.Emifie trojan, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may use social engineering tactics to convince a user to visit a malicious website using a browser that supports ActiveX controls, such as Internet Explorer. CA has confirmed the vulnerability in a security response, but updates are not available.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The update corrects flaws in core operating system components as well as third-party packages that are bundled with the operating system.

Physical

Investigation of U.S. Trade Secretary Laptop Compromise

United States (U.S.) agencies are investigating a possible data compromise of the laptop of U.S. Trade Secretary Carlos Gutierrez during a visit to Beijing, China, last year. Investigators suspect the laptop hard drive may have been copied and that the compromise may be related to multiple electronic attacks conducted against U.S. government networks. Due to the ongoing investigation, officials are not commenting about what information may have been compromised, whether the information was encrypted, or other security details related to subsequent attacks.

IntelliShield Analysis: Although an official investigation is being conducted, the underlying importance of the investigation is the real risk to travelers' electronic devices and data. This risk is not limited to China or to the recent reports of electronic device searches at U.S. borders. The risk is a global one that should be recognized and mitigated by government and global business travelers. Organizations that have recognized this risk have implemented travel policies and procedures that include the sanitization of devices and laptops for travelers, full encryption requirements, and advising travelers against, or prohibiting travelers from, taking electronic devices to high-risk areas.
Additionally, organizations are advised to account for legal considerations when transporting devices with encryption software or products installed to restricted countries. Although some government officials may be able to implement a policy of positive control at all times, this is not realistic for most business travelers, who do not have diplomatic protections. All travelers should be familiar with the general risks associated with travel, including itinerary stopovers and electronic risks. Security teams can assist travelers with policies, procedures, and travel briefings, and can prepare individuals for the physical and electronic risks of international travel.

Legal

There was no significant activity in this category during the time period.

Trust

Windows XP SP3 Installs Vulnerable Flash Player

Microsoft publicly released Windows XP SP3 on April 29, 2008, and it is scheduled to be the final service pack release for Windows XP. The update includes all critical and recommended updates that have been released since the initial launch of XP in October 2001. The service pack contains only minor operating system features and enhancements, unlike those provided in Windows XP SP2. The release also includes an out-of-date version of Adobe Flash Player 6, which is affected by several vulnerabilities that are detailed in Adobe Security Bulletin APSB06-11. Microsoft originally addressed these vulnerabilities in Microsoft Bulletin MS06-069. This bulletin has since been revised to note that Windows XP SP3 is affected.

IntelliShield Analysis: Aggregate security packages, such as fix packs and service packs, are released by vendors to provide users with the latest available updates in a single installation. However, with Windows XP SP3, users received a vulnerable version of the Adobe Flash Player that rendered systems vulnerable to multiple attacks. To protect important business resources from these threats, the Flash Player should be uninstalled, or the latest version of Flash Player should be installed immediately after applying Windows XP SP3. Administrators should always use caution when installing any update, specifically updates that contain multiple fixes along with additional functionality. Organizations should consider service packs as a reference point for updating systems and should never assume that all problems have been resolved once a service pack is installed. A thorough security review should be performed when installing new images and package updates to ensure that no regressions that could impact the overall security of the patched system have been missed.

Telecommunications Company Information Disclosure

Telecommunications company Verizon has reported selling over 12,000 unlisted and non-published telephone numbers and addresses to Ogden Directory Inc. The information was printed in the annual Washington County Phone Book for 2008-09 and was in the process of being distributed when officials stopped the full release to the public. This information included phone numbers and addresses of city, county, and state officers, judges, lawyers, and prosecutors located in Washington County. Verizon has offered to change the affected telephone numbers free of charge and to waive the US$1.89 monthly fee for unlisted or non-published numbers for a year. Union officials are meeting to determine whether legal action will be taken against Verizon.

IntelliShield Analysis: The publication of unlisted or non-published telephone numbers and addresses is not uncommon. In December 2007, DigitalLanding.com leaked unlisted telephone numbers and addresses. This type of incident can be a risk to those who need to be discreet for general privacy concerns or personal safety. Although Verizon offered to change telephone numbers free of charge, victims will likely spend time and experience frustration while notifying businesses and personal contacts of the change. Businesses should be wary of the loss of customer trust despite any corrective actions following an incident.

Identity

Bank Loses Personal Data of Customers

The Bank of New York (BNY) Mellon Corporation has announced that unencrypted data tapes holding personal information of 4.5 million customers have been lost. The tapes were being transported to a remote location by Archive America, a document management company, when they were lost. The circumstances surrounding the transport proved even more suspect when a few tapes from the same shipment were delivered successfully. The Connecticut Attorney General's office is dissatisfied with the 3-month delay in announcing the data loss. The lost information includes names, Social Security numbers, and birth dates.

IntelliShield Analysis: Transporting unencrypted data tapes to an offsite location is a high-risk operation. It is not uncommon for tapes to be lost in the mail or en route to an offsite location. As a result, corporations should strongly consider encrypting all data tapes despite the expense associated with encryption; the potential impact of data loss is a greater expense. In addition to considering legal action against the bank, the Connecticut Attorney General's office is cooperating with the New Jersey and New York Attorneys General offices regarding this incident. Additionally, victims of the data loss are filing a class action lawsuit against the bank. Presumably BNY Mellon delayed the announcement in hopes that the tapes would be found; however, if the data has been compromised, such a delay has given criminals more time to use the data without victims being able to protect against the risks.
Human

Online Social Networking Popularity Causing Friction

During the time period, several stories have embroiled Facebook, an online social networking website, in controversy. In North America, the privacy group Canadian Internet Policy and Public Interest Clinic (CIPPIC) has filed a complaint that accuses Facebook of 22 counts of personal information and protection law violations under Canadian law. The CIPPIC claims that Facebook is disclosing more personal information than what is described in the member agreement and that personal information is being shared through various applications and associated networks. In North Africa, the Egyptian government is considering banning Facebook. In April 2008, a large-scale protest against rising food prices and a strike in support of textile workers took place; this event was largely organized using Facebook services.

IntelliShield Analysis: Social networking sites originally sought to target students as their primary users, providing a small set of tools geared toward various methods of communication. As these networks became more popular, the user base matured and expanded, as did the services offered by the sites. An increased number of people and organizations, including world governments, are finding the tools useful for political and activist-related networking. Post-earthquake China saw the addition of an account that is allegedly owned by Chinese Premier Wen Jiabao. Users and privacy-focused groups are learning that there are leaks in the system where information is being gathered unexpectedly by third parties. Such information could be sold or used for illicit activity. The services offered by social networking organizations are not necessarily new, but they do offer users greater search capabilities, a wider audience, strong coordination capabilities, and enhanced methods of organizing the flow of information. Employers should be aware that younger workers will likely use these networking applications within the business environment and must weigh the positive and negative aspects of this activity. Due to increased usage, new vulnerability vectors may be introduced into the environment, and employees may leak sensitive information. In contrast, increased usage may also result in the services increasing productivity and collaboration on a global scale. Corporations may consider monitoring employee social networking services for activities that may impact their business on a local level.

Geopolitical

Communications Monitoring on the Rise

According to press reports, proposed legislation is being considered by the Swedish Parliament that would allow the government to monitor all e-mail and telephone traffic traversing the country. The proposed legislation is aimed at countering terrorism, but privacy advocates are concerned it would compromise more than Swedish communications, given the large volume of Internet traffic, including Voice over Internet Protocol (VoIP), that crosses networks in Sweden. Similarly, the German cabinet passed controversial legislation last week that would allow domestic police to monitor electronic communications and conduct video surveillance of homes. Comments by China Mobile's CEO at the World Economic Forum last year appeared to confirm suspicions that the Chinese government monitors mobile phone activity. As we reported recently, India has been pushing hard to obtain encryption keys for BlackBerry mobile device transmissions. The United Kingdom made headlines two years ago for its unprecedented video monitoring of British streets; the United States has been grappling with its own so-called warrantless wiretapping controversies since at least 2001.

IntelliShield Analysis: The existence of similar controversies in a wide variety of countries and political systems highlights the growing friction at the intersection of security and privacy in electronic communications. It is of particular note that these issues are playing out now in Western Europe, which is known for the strength of its privacy laws. For information security specialists, as well as anyone with information to protect, the persistence of these issues suggests that the scales likely will continue to lean more toward security, at the expense of privacy.

Upcoming Security Activity

Microsoft Security Bulletin Update for June 2008: June 10, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Independence Day (United States): July 4, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
