
Cyber Risk Report

June 9–15, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Most of the vulnerability and threat activity during the period surrounded the release of the June 2008 Microsoft Security Bulletins. IntelliShield analysts reported on 10 previously undisclosed vulnerabilities, and the Cisco Applied Intelligence team released an Applied Mitigation Bulletin in IntelliShield Alert 16045 that outlines mitigation strategies for attacks that use these vulnerabilities. Vendors such as Avaya and Nortel also released advisories in response to the Microsoft bulletins. The vulnerabilities associated with the MS08-033 security bulletin, detailed in IntelliShield alerts 15995 and 16005, are particularly interesting: exploitation, which could allow an attacker to take control of a target system, requires only that a user be convinced to open malicious streaming media content. Streaming media is an attractive attack vector because of its popularity; many malicious code variants already use vulnerabilities in common media formats to propagate.

HP also contributed to recent vulnerability activity by releasing a support document that details eight vulnerabilities in the Instant Support ActiveX control (HPISDataManager.dll). HP Instant Support is installed by default on a large number of HP systems, and most users are probably unaware that the affected software is present. A remote attacker could exploit these vulnerabilities by convincing a user to visit a malicious website that, when rendered in the user's browser, invokes the vulnerable ActiveX control. Exploits could allow an attacker to execute arbitrary code, which may result in a full system compromise. The attacker could also exploit the vulnerabilities to delete any file on the system, download arbitrary files, or create and overwrite files. Only websites in the hp.com domain are permitted to access the affected control, but this restriction is trivial to bypass with techniques such as cross-site scripting on an hp.com page, DNS spoofing, or other spoofing attacks; most of these scenarios still require some form of user interaction. Administrators are advised to use patch distribution systems to deploy the update and a Group Policy Object to set the kill bit on the affected control throughout the organization. The kill bit prevents Internet Explorer from instantiating the control but does not remove the DLL, so the vendor update is still required.
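The following script is an added example, not code from the Cisco report or from HP's support document. It sets the Internet Explorer kill bit (Compatibility Flags 0x400, documented in Microsoft KB240797) for a list of ActiveX CLSIDs and then reads the value back to confirm it took effect. The CLSID in the default parameter is a placeholder; the real CLSID(s) for HPISDataManager.dll must be taken from HP's support document, and the script must run elevated because it writes to HKLM.

```powershell
# Added example (not from the Cisco report or HP's advisory): set and verify the
# Internet Explorer kill bit for one or more ActiveX CLSIDs.
# The default CLSID is a PLACEHOLDER; supply the real CLSID(s) from HP's document.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}')
)

# Kill bit flag in "Compatibility Flags" (Microsoft KB240797).
$KillBit = 0x400

# Cover the native hive and the Wow6432Node hive so that 32-bit Internet Explorer
# on 64-bit Windows is protected as well. The second path only exists on x64.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$BasePath, [string]$Id)
    $key = Join-Path $BasePath $Id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
    # OR the flag in rather than overwriting, so any other compatibility flags survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit {
    param([string]$BasePath, [string]$Id)
    $key = Join-Path $BasePath $Id
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop -eq $null) { return $false }
    return (([int]$prop.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

foreach ($id in $Clsid) {
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }   # no Wow6432Node on 32-bit Windows
        Set-KillBit -BasePath $base -Id $id
        $state = if (Test-KillBit -BasePath $base -Id $id) { 'kill bit set' } else { 'FAILED' }
        Write-Output ('{0,-12}  {1}  {2}' -f $state, $id, $base)
    }
}
```

For organization-wide deployment the same two registry values can be delivered as a Group Policy Preferences registry item or from a computer startup script; the read-back in Test-KillBit is the check worth keeping in either case, because a control is only blocked on machines where the flag actually landed.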

During the period, US-CERT released a vulnerability note that describes a vulnerability in Citect CitectSCADA and CitectFacilities; it is detailed in IntelliShield alert 16071. A remote attacker could exploit this vulnerability to cause a denial of service condition or execute arbitrary code on the system. The vulnerable applications provide remote SQL access to a relational database through an ODBC server component that listens on a TCP port. Such systems should be contained within their own network segment and never connected directly to corporate networks or exposed to the Internet; an attacker who can reach the network on which these machines reside must still connect to the TCP port used by the ODBC service to exploit the vulnerability, so filtering that port at the segment boundary is an effective interim control. Reports indicate that Citect has released a patch, but no public information from the vendor confirms these reports.

Another ransomware trojan, a class of malware that encrypts data on systems and demands a fee or "ransom" to restore it, was discovered during the past week. Trojan.Gpcoder.F, described in IntelliShield Alert 9260, encrypts victims' files under a 1024-bit RSA public key whose private half is held only by the attacker. Because the largest RSA modulus ever factored is 663 bits, it is unlikely that this key will be broken. The antivirus community has launched a project to stop this trojan and has requested assistance from security professionals. Even if the community succeeds, the attacker will likely respond by creating a new variant with a fresh key pair: generating a new key takes minutes, while factoring one could take years. Regular backups, including a copy kept off-site where the trojan cannot reach and encrypt it, will greatly reduce the impact of this trojan.

IntelliShield published 119 events last week: 58 new events and 61 updated events. Of the 119 events, 108 were Vulnerability Alerts, four were Applied Mitigation Bulletins, two were Malicious Code Alerts, two were Security Issue Alerts, one was a Daily Malicious Code Summary, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        06/13/2008     4        19      23
Thursday      06/12/2008    14        11      25
Wednesday     06/11/2008     9        16      25
Tuesday       06/10/2008    24         7      31
Monday        06/09/2008     7         8      15
Weekly Total                58        61     119


Previous Alerts That Still Represent Significant Risk

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, as detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 6, May 26, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that causes the pseudo-random values used for key generation to be drawn from a small, predictable set. As a result, all SSL certificates, SSH keys, and other key material generated by affected applications on these systems may be easily recovered through brute-force methods, nullifying or significantly reducing the protection that encryption or randomization was meant to provide. Installing the fixed package alone does not help: any key or certificate generated on an affected system must be regenerated and, for certificates, reissued.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is publicly available and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, as described in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 5, May 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by the Trojan.Emifie trojan, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The update corrects flaws in core operating system components as well as third-party packages that are bundled with the operating system.

Physical

Sales of USB Locks Increase

Recent sales increases suggest that consumers are turning to a modern successor of an old control, the floppy disk drive lock. USB port locks, which cover USB ports and can be removed only with a key, help prevent infections from malicious code that executes automatically when USB memory devices, such as flash drives or other mass storage media, are connected to a system. Malicious code authors are taking advantage of the popularity of USB flash drives and increasingly use this vector when designing new malicious code. The need for floppy disk drive locks has disappeared, but USB port locks have become the next logical step in securing this physical attack vector. Read more

IntelliShield Analysis: USB memory devices can hold gigabytes of data, enough for a user to walk out with large portions of sensitive or confidential information, and employees can also intentionally or unintentionally introduce malicious code to business systems. On a physically controlled system, a port lock lets administrators decide which users can connect USB memory devices. In addition to the usual firewalls and filters, these locks are an inexpensive and easily installed extra layer of protection against physical attacks. After installing them, IT staff should examine systems carefully for unprotected USB ports, such as those occupied by a modern keyboard or mouse, that employees could use to circumvent the newly added protection.
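A physical lock covers only the ports it is fitted to, so a practitioner will usually pair it with a host-side control. The script below is an added example, not from the Cisco report, and goes slightly beyond the text by showing the software equivalent of the lock: it disables AutoRun for every drive type (NoDriveTypeAutoRun = 0xFF, a Microsoft-documented Explorer policy) and prevents the USB mass-storage driver from loading (USBSTOR Start = 4, per Microsoft KB823732), then reports both settings. It must run elevated; keyboards and mice are HID devices and are unaffected by the USBSTOR change.

```powershell
# Added example (not from the Cisco report): host-side complement to a USB port lock.
# Disables AutoRun for all drive types and the USB mass-storage driver, then reports state.

$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-AutoRun {
    # 0xFF sets a bit for every drive type, so no drive (fixed, removable, network,
    # CD-ROM) runs an Autorun.inf automatically.
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Disable-UsbStorage {
    # Start = 4 (SERVICE_DISABLED) stops usbstor.sys from loading for newly attached
    # mass-storage devices; a device already mounted keeps working until it is removed.
    if (Test-Path $UsbStorKey) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

function Get-UsbHardeningState {
    # Reads both values back so the result can be logged by inventory or compliance jobs.
    $autorun = (Get-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    New-Object PSObject -Property @{
        AutoRunDisabledAllDrives = ($autorun -eq 0xFF)
        UsbStorageDriverDisabled = ($start -eq 4)
    }
}

Disable-AutoRun
Disable-UsbStorage
Get-UsbHardeningState
```

Verify the AutoRun change on a test machine rather than trusting the registry value: on Windows releases of this era the policy was not honored in every case until Microsoft shipped an AutoPlay update (KB953252), and an unpatched host will still run Autorun.inf from a freshly inserted drive.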

Legal

ISPs Working to Reduce Proliferation of "Offensive Content"

Several Internet Service Providers (ISPs), including Sprint, Time Warner Cable, and Verizon, have agreed to restrict access to Usenet, a distributed discussion system that predates the World Wide Web and is primarily used to host newsgroups, under an agreement with New York Attorney General Andrew Cuomo. The Attorney General is attempting to curb the spread of child pornography on the Internet after finding over 11,000 pornographic images involving children posted in 88 Usenet groups. In a similar move, France has decided to create a blacklist of websites that contain "offensive content," such as child pornography, terrorism, and racism.
Read more
Additional information

IntelliShield Analysis: Ever since the Internet became a mainstream phenomenon, its open and community-driven nature has made the online distribution of child pornography, terrorist-related material, and racist propaganda difficult to control. Blacklists are one way to filter unwanted content, but they are hard to maintain and require an explicit, non-subjective definition of what counts as offensive. United States-based ISPs often cite the 1996 Communications Decency Act as protection from liability for content posted by users, but these recent actions suggest that ISPs are beginning to take some role in policing Internet activity. Other motivations may also be involved: prior to Attorney General Cuomo's press release, Time Warner Cable had announced that it was ending Usenet support because of low subscriber usage. Some free speech activists have asked how this situation will shape future Internet censorship. Verizon has opted to filter individual Usenet groups based on employee findings and user reports, which involves more overhead than dropping Usenet entirely but leaves the remaining groups accessible. Distributors of "offensive content" have faced similar measures in the past and will adapt as necessary. Organizations that find Usenet services useful and are affected by these decisions may consider third-party access.

Trust

Verizon Data Breach Study

Verizon Business Security Solutions has released a study of hundreds of data breaches investigated over a four-year period. The study includes a broad range of statistics, trends, and common faults that led to the breaches, as well as details uncovered in follow-up investigations. The report also covers types of breaches, activity by business vertical, the criminals and criminal organizations involved, the impact of social networking, and the psychology behind the criminal activity, and concludes with recommendations that organizations can use to prevent and limit their exposure to data breaches. Read more

IntelliShield Analysis: While many groups have investigated and reported on data breaches, they often focus on a small number of similar breaches or the most recent large compromise; both approaches lack the comprehensiveness of the Verizon study. Its long-term approach provides a depth of data that supports many commonly held theories and also includes solid evidence that disproves other widely held suspicions. While there are some surprises, the report indicates that the majority of attacks are known vectors or human errors that should have been prevented by recommended practices, policies, and procedures. As the report states, best practices are often poorly implemented or forgotten when organizations rush to defend against the most recent threat. The study and data demonstrate that firm security fundamentals and best practices are still the key to protecting important business assets, and security teams and managers should find the information in this report useful and possibly enlightening.

Identity

Government Agency Bans Individuals Who Refuse to Show ID

The United States Transportation Security Administration (TSA) announced that starting June 21, 2008, passengers who refuse to show identification may be denied access to secure airport areas and could miss their flights. This regulation does not prevent cooperative individuals who claim to have lost their IDs from flying, although they may be subjected to additional screening or interviews. Only those who willfully refuse to present identification will be denied access.
Read more
Additional information

IntelliShield Analysis: While compliance with officials at security checkpoints is a laudable goal, this decision may not help the TSA improve a historically negative reputation. This new regulation places a burden on honest passengers; terrorists or other dangerous individuals may have no qualms in lying to TSA officials to subvert identification checks. As a result, some passengers may feel that their honesty is questioned or their privacy concerns are downplayed when, prior to this policy, they were able to politely decline producing identification. Organizations that enact policies that are perceived as draconian or frivolous may find themselves in an adversarial relationship with those individuals who would have otherwise cooperated with policy enforcers. Risk analysts should consider the backlash from such policies when determining whether new requirements will generate more, rather than less risk.

Human

IronPort Exposes Illegal Pharmaceutical Supply Chains for Using Botnet

IronPort Systems recently discovered that certain illegal pharmaceutical companies are using the capacity of Storm and other botnets to distribute spam e-mail. Storm is one of the largest botnets and is capable of sending millions of spam messages per day. The Russian GlavMed organization, which produces counterfeit drugs in Indian and Chinese factories, is one company using the botnet to deliver millions of drug advertisements to unsuspecting consumers. IronPort reports that as many as a third of the drugs advertised in these messages listed an incorrect dosage, and a third of the medication did not contain any of the advertised ingredients.
Read more
Additional information
Additional information

IntelliShield Analysis: Past rumors seemed to indicate that criminal groups were renting out the Storm botnet, but the IronPort Malware Trend Report is the first public confirmation of this activity. Storm began infecting systems in January 2007 and continues to be one of the most effective trojans in history. Storm continues to use e-mails, which often reference e-cards, natural disasters, sporting events, holidays, and a wide variety of other current events to convince users to follow links that are included in the spam messages. IronPort reported that nearly 80 percent of Storm's botnet spam is being used for advertising online pharmaceuticals, which primarily are counterfeit drugs. To avoid becoming victims of this botnet or other illegal companies, users are reminded to never open unexpected e-mail attachments or executables from untrusted sources. Users should also verify the authenticity of unexpected links prior to following them. As an added measure of protection, before following links, users can check the reputation of any URL using the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase Website.

Geopolitical

China Denies Hacking Lawmakers' Computers

Following recent claims that the Chinese government copied data from the laptop of the United States Commerce Secretary, the country is now denying charges that it hacked two United States computers in late 2006. Two United States Congressmen, Frank Wolf and Chris Smith, reportedly claim to have evidence from House of Representatives and Federal Bureau of Investigation investigations that attacks on their systems originated in China. Wolf charges that he and Smith were singled out because of their critical stance on China's human rights record, and suspects that the hackers were seeking information on political dissidents and human rights activists whose identities were being protected. A Chinese foreign ministry spokesman questioned whether China even has the technical capability to perpetrate such attacks.
Read more
Additional information

IntelliShield Analysis: In the past year, Chinese officials have repeatedly denied charges that the government in Beijing supports hacking directed against the computer networks of key foreign countries. Despite the growing number of allegations from a wide variety of sources and nationalities, state involvement is difficult, if not impossible, to prove. As with network security threats anywhere else in the world, observers can only respond to these incidents with countermeasures sized to the sophistication and persistence of the attacks and the value of their targets. With the Olympics looming, these incidents could become a public relations issue for China. Considering the increase in patriotic feeling following the Tibet crisis and the Sichuan earthquake, foreign companies that conduct business in China now face a more delicate environment than they have experienced in several years.

Upcoming Security Activity

Cisco Live (previously Networkers): June 22–26, 2008
FIRST: June 22–27, 2008
The Last HOPE: July 18–20, 2008
USENIX Security: July 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Independence Day (United States): July 4, 2008
Summer Olympics: August 6–24, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
