June 23–29, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

During the time period, vulnerability and threat activity focused on web application vulnerabilities, SQL injection attacks, and recently identified malicious software.

Microsoft released a security advisory to address SQL injection vulnerabilities in web applications developed using Microsoft ASP and ASP.NET technologies. These vulnerabilities are typically the result of insecure web development practices, such as building SQL statements by concatenating request input into the statement text rather than binding it as a parameter. A successful exploit could allow an unauthenticated, remote attacker to perform actions such as corrupting a database, executing arbitrary code, or redirecting browsing clients. Microsoft has provided several workarounds to help implement best security practices for web pages to mitigate SQL injection attacks.
Workarounds include using the HP Scrawlr scanner to detect vulnerable web sites, the UrlScan tool to restrict malicious HTTP requests, and the Microsoft Source Code Analyzer tool to identify vulnerable ASP code. The Microsoft advisory is detailed in IntelliShield alert 16138.

Malicious software that exploits the Apple Mac OS X and OS X Server Apple Remote Desktop Agent (ARDAgent) privilege escalation vulnerability is publicly available. This vulnerability is detailed in IntelliShield alert 16117. The OSX/Hovdy-A trojan attempts to exploit the vulnerability in ARDAgent to gain root privileges. The trojan is described in IntelliShield alert 16132. If an exploitation attempt fails, the trojan may try to exploit additional Mac OS X vulnerabilities. OSX/Hovdy-A installs a backdoor on the system to provide remote access.

The OSX.Saprilt.C trojan has also been identified in the wild. The trojan is described in IntelliShield alert 16141. The trojan masquerades as a poker game and prompts users to enter the OS X root password to gain elevated privileges. This routine may limit the effectiveness of the trojan because wary users may be able to identify the suspicious activity. Additionally, antivirus companies released virus definitions to detect the OSX.Keylog keylogger component. This trojan may be used as a standalone trojan or as a keylogging component of another trojan.

The Asprox botnet received significant media attention. Reports indicate that the botnet has grown to encompass as many as 15,000 infected hosts. Currently, many major antivirus vendors lack detection for the malicious code that is associated with this botnet. Malicious code associated with Asprox appears to be a variant of TROJ_PROXY.AFV, which is reported in IntelliShield alert 13483. Attackers can communicate with infected Asprox hosts via a proxy server on TCP ports 80 or 82.
Attackers initially used the botnet to distribute spam and phishing e-mail messages, but recently distributed an attack tool to the compromised systems. This tool causes infected systems to use the Google search engine to locate .asp pages with certain unspecified features. A SQL injection attack is then conducted against each discovered web page in an attempt to inject a malicious iFrame into the site contents. The Asprox botnet is described in IntelliShield alert 16147.

Malicious code developers released a toolkit designed to give trojans a self-propagation routine. Attackers could leverage this toolkit to turn any piece of malicious code into a worm with minimal effort, allowing them to infect multiple hosts easily. Once a host is infected, any other system connected to it may be at risk: worms developed using this toolkit typically try to infect any network or removable drive connected to the infected system.

IntelliShield published 145 events last week: 39 new events and 106 updated events. Of the 145 events, 125 were Vulnerability Alerts, seven were Malicious Code Alerts, five were Security Activity Bulletins, four were Security Issue Alerts, three were Daily Malicious Code Summaries, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
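The insecure construction that the Microsoft advisory above warns about, the kind of probe an Asprox-style scanner sends against a discovered page, and a request filter in the spirit of the UrlScan workaround can be shown side by side. The following is an added example written for this report; it is not code from Microsoft's advisory, from the Asprox attack tool, or from any Cisco product. It uses an in-memory SQLite database with a constructed `products` table (assumption: a real ASP site would query SQL Server, but the concatenation flaw and its parameterized fix are identical), and the token list in `flag_request` is a generic starting point, not a vendor rule set.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample schema: a small content table of the kind a catalogue
# page would query using a value taken straight from the query string.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
INSERT INTO products VALUES (1, 'widget', 'A plain widget.');
INSERT INTO products VALUES (2, 'gadget', 'A plain gadget.');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """The insecure pattern the advisory warns about: request input is pasted
    into the SQL text, so the input can change the statement itself."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the input is bound as a parameter and is only ever
    compared as a value, whatever quote or keyword characters it contains."""
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


# Attacker-controlled values of the kind a scanner sends in a query string.
# TAUTOLOGY turns the WHERE clause into "always true"; SCHEMA_DUMP appends a
# UNION that reads table names out of the catalogue and comments out the rest.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT 0, name FROM sqlite_master WHERE type='table' --"

# Request-filtering heuristic (assumption: a generic token list, not UrlScan's
# own configuration). Quotes, comment markers and SQL keywords have no
# business in a product-name parameter.
SUSPECT = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bexec\b|\bdeclare\b|\bcast\s*\()", re.I
)


def flag_request(query_string):
    """True if the decoded query string carries SQL-like tokens. Decoding is
    applied twice because double URL-encoding is a common way past a filter
    that decodes only once."""
    decoded = unquote_plus(unquote_plus(query_string))
    return SUSPECT.search(decoded) is not None


if __name__ == "__main__":
    db = open_db()
    print(lookup_vulnerable(db, "widget"))
    print(lookup_vulnerable(db, TAUTOLOGY))      # every row comes back
    print(lookup_vulnerable(db, SCHEMA_DUMP))    # table names leak instead
    print(lookup_parameterized(db, TAUTOLOGY))   # nothing: compared as a name
    for qs in ("name=widget", "name=%27+OR+%271%27%3D%271", "name=%2527%2520UNION"):
        print(qs, flag_request(qs))
```

The parameterized lookup returns nothing for the tautology payload because the whole string is compared as a product name, which is the entire fix: the request filter is only a stop-gap that catches crude probes (including the double-encoded one, which a single-pass decoder would miss) and will both miss encodings it does not know about and block legitimate input containing an apostrophe, so the code change in the page itself is what actually closes the hole.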
Significant Alerts for the Time Period

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with root privileges and thereby take complete control of the targeted system. Malicious software is currently exploiting this vulnerability: OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting it.

Previous Alerts That Still Represent Significant Risk

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, as detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted, because the generator is seeded from far too little entropy. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features and may be easily guessed through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization. Keys and certificates generated on an affected system should be treated as compromised and regenerated after patching; updating OpenSSL alone does not repair them.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code.
Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008
Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, as described in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by the Trojan.Emifie trojan, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Physical

United States Department of Homeland Security Assesses Facilities for Risk of Terrorist Attack
The United States (U.S.)
Department of Homeland Security (DHS) recently reviewed 32,000 domestic industrial sites and found that 7,000 of the facilities posed a high risk if targeted by a terrorist attack. The DHS compiled a list of potential risk factors to assess the facilities, including nearby population centers as well as chemical usage, storage, and handling. The facilities of concern include a broad spectrum of sites, ranging from chemical plants and hospitals to agricultural distribution centers and colleges. The DHS plans to send letters to the sites and assist in security plan preparations.

IntelliShield Analysis: Following the September 11, 2001, terrorist attacks in the U.S., there has been a dramatic increase in homeland security reviews within the U.S. and around the world. Although the U.S. government instituted security measures to attempt to reduce the risk of terrorist attacks, these actions may have given citizens a false sense of security by easing concern without significantly increasing protection. The U.S. has tried to improve security by increasing state funding; however, there is a lack of oversight on how that funding is spent. Additionally, questions remain on whether chemical plants are targets for terrorists and whether an increase in funding will actually reduce the risk of an attack. Until the DHS can better assess the vulnerable sites, homeland security may continue at unknown levels of risk and funding could be poorly applied. Businesses should follow proven risk management practices to determine the risks, the assets requiring protection, and the actions to apply before determining funding requirements.

Legal

Google and Yahoo Team Up for Advertising
Google and Yahoo announced a four-year, nonexclusive agreement in which Google would pay Yahoo to run advertising on Yahoo search results pages. The deal would make Google the largest Internet advertiser, with the ability to place advertising on both Google and Yahoo properties.
Yahoo expects the agreement to represent an US$800 million annual revenue opportunity. The two companies are allowing the U.S. Department of Justice to review the deal for three and a half months prior to implementation in the hope of avoiding possible antitrust issues in the future, although the review is not a legal requirement.

IntelliShield Analysis: Google has been cited by StopBadware.org as one of the largest of a number of sites spreading malware in the U.S., reportedly due mostly to the Blogger service provided by Google. Many Google-hosted blogs have been compromised or serve malicious content deliberately. In addition to consumer concerns over Google's dominance in Internet advertising, this agreement could result in Google paying Yahoo to link to some of these malware-serving sites, potentially increasing the spread of malware over the Internet. Details are not clear; however, the possibility of the threat is of serious concern, especially for U.S.-based Internet users.

Trust

ICANN Considers New Naming Rules for Domains
The Internet Corporation for Assigned Names and Numbers (ICANN) met in Paris last week to discuss rule changes for domain name registrars. One proposed rule could allow non-Latin characters in domain names, permitting Arabic, Chinese, or Cyrillic usage. A second proposal would allow top-level domains to be self-assigned names of up to 64 characters in length.

IntelliShield Analysis: Relaxing the rules for domain names and approved character sets could open up new opportunities for Internet adoption, spur business opportunities in an already-crowded domain namespace, and internationalize the DNS infrastructure, but there are also many potential pitfalls. According to a recent report from KnujOn, a site devoted to reducing unsolicited commercial e-mail, 90 percent of illicit domains share the same 20 registrars.
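The look-alike risk that this analysis turns to next (a Cyrillic letter registered where a Latin character is expected) is something a proxy, mail gateway, or registrar check can test for mechanically: a label that mixes scripts is the signature of a homograph, while a label written entirely in one non-Latin script is exactly what the internationalized-domain proposal is meant to allow. The following is an added example, not part of the original report and not ICANN or Cisco tooling; the hostnames are constructed rather than real registrations, the script of each character is read from its Unicode character name (assumption: this approximation separates the Latin/Cyrillic/Greek confusables the check is aimed at, but it will also flag legitimate Japanese labels that mix kana and kanji), and the `xn--` form comes from Python's built-in idna codec, which implements the IDNA 2003 rules.

```python
import unicodedata

# Characters that carry no script of their own and may appear in any label.
NEUTRAL_PREFIXES = ("DIGIT ", "HYPHEN-MINUS")


def script_of(ch):
    """Script a character belongs to, taken from the first word of its Unicode
    name ("LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC SMALL LETTER ZE" ->
    "CYRILLIC"); None for digits and hyphens. Assumption: the name prefix is
    a stand-in for the formal Unicode Script property, adequate here."""
    name = unicodedata.name(ch, "")
    if not name or name.startswith(NEUTRAL_PREFIXES):
        return None
    return name.split(" ", 1)[0]


def scripts_in_label(label):
    """Set of scripts used by the characters of one DNS label."""
    return {s for s in map(script_of, label) if s is not None}


def is_mixed_script(label):
    """A label drawing letters from more than one script is the homograph signature."""
    return len(scripts_in_label(label)) > 1


def to_ascii(hostname):
    """IDNA (punycode) form of a hostname, which is what is actually registered
    and resolved. Showing this form to a user removes the visual deception."""
    return hostname.encode("idna").decode("ascii")


def check_hostname(hostname):
    """Per-label verdicts as (label, sorted scripts, verdict) tuples."""
    report = []
    for label in hostname.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            verdict = "mixed-script (possible homograph)"
        elif scripts and scripts != {"LATIN"}:
            verdict = "single non-Latin script"
        else:
            verdict = "ascii/latin"
        report.append((label, sorted(scripts), verdict))
    return report


# Constructed sample hostnames; none of these is a real registration.
SAMPLES = [
    "w3c.example",        # plain ASCII
    "w\u0437c.example",   # Cyrillic ZE (U+0437) in place of the digit 3
    "пример.example",     # a label entirely in Cyrillic: legitimate IDN use
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", to_ascii(host))
        for label, scripts, verdict in check_hostname(host):
            print("   ", label, scripts, verdict)
```

The useful distinction is the middle verdict: an all-Cyrillic label is what the proposal legitimately enables and should not be blocked, whereas a label that needs two scripts to spell a short brand name almost never has an honest explanation. A production check would replace the name-prefix heuristic with the Unicode Script property and a per-script whitelist agreed with the registry.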
ICANN is also grappling with security issues related to wildcard resolution of mistyped domains. If characters from different character sets can coexist in a domain name, those that are visually similar (such as the Latin numeral 3 and the Cyrillic character ZE) could allow attackers to register domain names that appear to be trusted domains. Likewise, customizable top-level domain names could lead to more misleading domain names. While the proposed rules have merit, mounting evidence that ICANN is having trouble reining in offending registrars makes relaxing the rules and creating new opportunities for illicit use seem poorly timed.

Identity

United States Businesses Must Report All Electronic Transactions to the Government
United States (U.S.) Senator Charles Grassley, a member of the U.S. Senate Finance Committee, is sponsoring a bill that could affect the privacy and operations of almost all small businesses in America, including eBay sellers. The bill, which proposes that businesses nationwide report all electronic transactions to the government, has raised concerns regarding identity theft, since all of the sensitive information reported could be centralized in one location. The bill also includes provisions to create a national fingerprint registry for mortgage brokers.

IntelliShield Analysis: Senator Grassley's bill would require every U.S. business that processes credit cards, including those that use eBay's PayPal, Amazon, and Google Checkout options, to track and report information on every electronic transaction to the federal government. This requirement raises concerns about the security and privacy of the reporting and about access to and storage of the data. If all the sensitive information is stored in a centralized location, it becomes an easier target for attackers. The bill would also require that all mortgage brokers register their fingerprints.
Unlike credit cards or accounts that can easily be deactivated, or cancelled and created anew, compromised biometric identity information cannot be replaced. Given the risk of a biometric compromise, individuals and organizations requiring biometrics should be extremely cautious with the use and security of these identification measures.

Human

Recent Surveys Indicate Increasing Workforce Globalization
Two recent surveys from Manpower, Inc., a global employment services provider, highlight the trend of workers who are willing to relocate, temporarily or permanently, to find employment. The surveys show that increasing numbers of workers, in both manual and knowledge work roles, are willing to travel in order to find work, indicating a growing trend toward mobile workers in many markets.

IntelliShield Analysis: Workers who are willing to relocate provide new opportunities for businesses that wish to attract talent from globally available sources. While the trend provides a much larger talent pool from which to seek employees, businesses should be aware of the potential challenges that may arise when hiring from foreign nations. Employers may consider adapting hiring procedures to include background checks for both foreign and domestic hires, and adjusting human resources practices to address diversity and cultural differences in the workplace. Security policies and user education initiatives may have to be modified to stay relevant to a newly diverse workforce. In addition, employers should be aware of possible legal restrictions on foreign hiring practices and of the risk that new hires gain employment in order to access insider information or intellectual property for malicious use.

Geopolitical

Saudi Arabia Steps Up Attempts to Smother Extremism
In the past year, police in Saudi Arabia have arrested more than 700 suspected militants in a major effort to thwart attacks on public buildings and oil installations within the Kingdom.
According to press reports, evidence used to track down suspects included Internet communications. Al Qaeda's propaganda arm, As Sahab, is reportedly posting two new videos per week to the Internet, compared to six per year in 2002. In an effort to stem this flood of information, governments worldwide have increased monitoring efforts and passed new laws to clear the way. Some U.S. lawmakers have pressured Internet companies such as Google, the owner of YouTube, to police hosted content and remove offensive material.

IntelliShield Analysis: As Al Qaeda and its affiliates excel at manipulating the Internet to spread their views while eluding capture, it may be futile to try to stop these communications. The time-honored strategy of winning hearts and minds by making a more convincing argument than the extremists may be more effective. Saudi King Abdullah, among others, appears to be attempting to do that with his recent efforts to encourage interfaith dialogue and tolerance. From the perspective of Internet companies that host content, so long as the legal structure for policing the Internet remains in flux, the risk of bad publicity and damage to brand reputation remains significant if extremist material is found to have traversed a company's networks, is hosted on its site, or even if a link to extremist content is placed on a company's website.

Upcoming Security Activity

The Last HOPE: July 18–20, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Independence Day (United States): July 4, 2008
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
