
IntelliShield Cyber Risk Report

March 10–16, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Independent security researchers released proof-of-concept code to demonstrate a memory corruption vulnerability in the RealNetworks RealPlayer rmoc3260.dll ActiveX control. This vulnerability could allow a remote attacker to execute arbitrary code to take control of an affected system. RealPlayer may not be a standard application on most corporate systems; however, IT departments that have a liberal policy of allowing individuals to install software may need to be aware of this vulnerability. RealPlayer is a popular application for multimedia content and may be installed by users to handle common media files as well as RealMedia-specific files.

The Microsoft Monthly Security Update was released March 11, 2008. The security update consisted of four bulletins that address vulnerabilities in components of the Microsoft Office Suite applications. Attackers have focused increased attention on vulnerabilities in Microsoft Office productivity applications as a means to distribute malicious code and in phishing attacks. IntelliShield analysts reported on 11 new and one previously disclosed vulnerabilities. The Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining mitigation strategies to protect against attacks using these vulnerabilities. These strategies are outlined in IntelliShield alert 15330. Of particular interest were the Microsoft Office Excel patches for the malformed header handling arbitrary code execution vulnerability described in IntelliShield alert 14951. This vulnerability has been used for distribution of a variant of the Mdropper family of trojans.

In malicious code activity this week, Trojan.Mdropper.AA is known to be circulating and is documented in IntelliShield alert 12562. When this trojan was first discovered, the Excel vulnerability had not been addressed by Microsoft; however, Microsoft issued a patch in the update released on Tuesday. The trojan was circulating in e-mails containing a malicious Excel document that was designed to exploit the vulnerability, arriving as the files olympic.xls and schedule.xls. Administrators are advised to apply the appropriate update to avoid the risks that are associated with these types of trojans. Because malicious code attacks that use latent vulnerabilities in Microsoft Office productivity applications continue to be a threat, administrators should remain diligent in educating users about the dangers of opening documents from untrusted sources.

Also circulating this week is WORM_SOCKS.D. This worm, documented in IntelliShield alert 15367, propagates by spamming e-mail messages that attempt to entice users to download a 3D-screensaver application. The download link that is embedded within the e-mail message redirects users to a download site that appears to be legitimate; however, a copy of the worm is installed instead of the screensaver application. The IronPort Threat Operations Center reported a virus outbreak of this worm on March 12, 2008. Distribution of WORM_SOCKS.D relies on heavy user interaction, reducing the likelihood of successful attacks.

After reporting on website compromises in Sweden, Trend Micro's malware analysis pages were also infected by a similar iFrame attack. Reportedly, 32 pages were compromised. Once users visited the compromised pages, the iFrame attack used JavaScript code to infect the victim with a trojan dropper as well as a backdoor component. This attack was not targeted specifically at Trend Micro, because criminals often scan the Internet for websites that contain coding errors. Even so, the attack was estimated to affect over 20,000 websites. The vector used to infect the sites may have been derived from a bug in Microsoft's Active Server Page technology, which the Trend Micro servers were running. A similar attack last month against AVSoft Technologies involved a malicious iFrame that led to additional malicious code being installed on the system. Businesses and organizations should ensure their web servers are secure and regularly patched and monitored for suspicious activities such as traffic redirection. As demonstrated by the repeated exploitation of commonly trusted websites, users cannot rely on a single method for protection from attack.
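One practical way for a site operator to monitor for the kind of injected iFrame described above is to periodically fetch their own pages and flag iframes that are hidden (zero-size or styled invisible) or that point to a host other than the site's own. The following scanner is an added example written for this report, not code from Cisco, IntelliShield or Trend Micro; the two HTML pages and the hostname www.example.test are constructed for the illustration, and a deployment would feed it the HTML retrieved from the real server.

```python
"""Flag injected hidden iframes in HTML served by a web server.

Added example for the iFrame compromise discussed above (not part of the
original report). The sample pages and host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel, a common way to hide a frame."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def find_suspicious_iframes(html, site_host):
    """Return a list of (reason, src) for iframes that look injected.

    An iframe is flagged when it is hidden (zero/one pixel size, display:none
    or visibility:hidden) or when its src points at a host other than
    site_host. Off-site frames are reported even when visible, because a
    reviewed page rarely embeds arbitrary third-party content.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (
            _is_tiny(attrs.get("width", ""))
            or _is_tiny(attrs.get("height", ""))
            or "display:none" in style
            or "visibility:hidden" in style
        )
        host = urlparse(src).hostname  # None for relative URLs
        offsite = host is not None and host.lower() != site_host.lower()
        if hidden and offsite:
            findings.append(("hidden off-site iframe", src))
        elif hidden:
            findings.append(("hidden iframe", src))
        elif offsite:
            findings.append(("off-site iframe", src))
    return findings


# Constructed sample: a legitimate page that embeds one of its own frames.
CLEAN_PAGE = """<html><body><h1>Malware analysis</h1>
<iframe src="/embed/video.html" width="640" height="480"></iframe>
</body></html>"""

# Constructed sample: the same page after an injected zero-size frame pointing
# at a third-party host has been appended, as in the compromises described above.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://bad.example.invalid/x.php" width="0" height="0" '
    'style="display: none"></iframe></body>',
)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, "www.example.test"))
```

Run over a crawl of the site's own pages, a non-empty result for a page that should not contain third-party frames is a useful trigger for an incident review; comparing each page against a known-good copy catches injected script tags and redirects that this iframe-only check does not cover.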

IntelliShield published 159 events last week: 78 new events and 81 updated events. Of the 159 events, 136 were Vulnerability Alerts, six were Security Issue Alerts, five were Malicious Code Alerts, four were Daily Malicious Code Summaries, three were Security Activity Bulletins, three were Applied Mitigation Bulletins, one was the Cyber Risk Report, and one was an updated Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        03/14/2008    15       36     51
Thursday      03/13/2008    14        4     18
Wednesday     03/12/2008    18        8     26
Tuesday       03/11/2008    23       18     41
Monday        03/10/2008     8       15     23
Weekly Total                78       81    159


Significant Alerts for March 10–16, 2008

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 15092, Version 3, March 13, 2008
Urgency/Credibility/Severity Rating: 1/5/3
CVE-2008-0084

Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a denial of service condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Previous Alerts That Still Represent Significant Risk

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability when handling legacy formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and no updates are available.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 4, March 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the affected system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C, as documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 5, March 17, 2008
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are not likely to be widespread, because details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Physical

Researchers in United Kingdom Defeat Tamper Controls on PIN Entry Devices

A team of researchers from the University of Cambridge has demonstrated a way to circumvent the tamper controls on the two most common European PIN Entry Devices (PEDs) used in smartcard payment systems. The devices, which read smartcard data and accept cardholder PINs, are designed to meet tamper-resistance criteria so that they resist attacks intended to compromise transactions or steal cardholder data. As a result of this research, the devices are shown to be easily tapped, allowing an attacker to covertly duplicate card information, record PINs, and commit fraud. The researchers have provided recommendations to improve the future design and implementation of similar devices.

IntelliShield Analysis: The Cambridge research highlights the vulnerability of systems commonly used in smartcard transactions to simple physical attacks, particularly attacks by trusted insiders. PEDs are customer-facing technology that is given a high level of implicit trust while deployed in distributed environments where centralized control is difficult to maintain. Although anti-tamper features are included in the devices, pervasive design failures in the reviewed models have created significant exposures that could allow criminals to copy payment cards. While the devices examined by the researchers are primarily deployed in Europe and are designed differently than payment card devices used elsewhere (including the United States), many organizations could benefit from the methodology and improvements suggested by this research.

Legal

European Union Agency Security Economics Study and Recommendations

The European Network and Information Security Agency (ENISA) released Security Economics and the Internal Market, a paper based on a study conducted by researchers who applied economic principles to information security. The study examined issues that prevent or enable information security improvements related to e-commerce and its dependence on network communications. The research methodology is based on the growing field of security economics, and the paper provides 15 policy proposals to the European Commission.

IntelliShield Analysis: Security Economics and the Internal Market expresses a unique perspective that is well supported by the study data. Most of the researchers' policy recommendations have been previously debated in the European Union (EU) and elsewhere and likely will continue to be debated. Many recommendations are controversial, such as proposed 'incentives' to improve vendor software and products and the performance of Internet service providers. (Throughout the paper, 'incentive' is used to indicate punitive actions and liability, measures that will probably be met with strong opposition and the argument that innovation will be negatively impacted.) Several of the recommendations appear to favor punishing the victim, whether it is the vendor whose software is breached, the service provider that is abused, or the exploited end user. Only the final two of the 15 recommendations address the rapidly growing criminal activity that is the cause of most of the issues addressed by the first 13 recommendations.

Trust

India Seeks Rights to Intercept Encrypted E-mail Sent Via Blackberry Devices

The government of India is planning to block the use of all Blackberry communication devices in India unless an agreement can be reached that will allow the government to intercept e-mail communications sent using the Research In Motion (RIM) Blackberry service. A meeting is scheduled that will involve representatives from RIM, the Indian government, and multiple telecommunications providers. Part of the disagreement may involve access to e-mail messages that have been encrypted, which may require RIM to provide access to the encryption algorithms used for the Blackberry services.

IntelliShield Analysis: The Indian government wants to intercept e-mails sent via Blackberries because officials believe that terrorists are using the devices to communicate with one another. However, if this access requires RIM to provide India with access to their encryption algorithms, then this could create privacy concerns for worldwide users of Blackberries. Monitoring terrorist communications is a hot topic, as evidenced by the ongoing battle in the United States (U.S.) government regarding the use of wiretapping by U.S. telecommunications companies, as well as recent court decisions in Germany and elsewhere. If India obtains a backdoor to read encrypted Blackberry e-mails, then that same information could be used to decrypt the e-mail messages sent outside of India. Providing a government with this kind of information could be argued as a safe thing to do; however, the possibility that this information could be misused or find its way into the wrong hands would raise concerns in the minds of anyone sending confidential information using the Blackberry email service.

Identity

Badge and Identification Card Policies Under Scrutiny

A news investigation into the United States (U.S.) Federal Aviation Administration (FAA) has revealed that 122 inspector badges have been lost or stolen or are otherwise unaccounted for over the past five years. The badges could be used to access the same areas open to the inspectors, including secure areas of the airport, as well as the cockpits of airplanes, even when in flight. In the United Kingdom (U.K.), the Ministry of Defence (MoD) reported that over 11,000 identification cards have been lost or stolen in the last two years. Both the FAA and the MoD have issued assurances that they are reviewing their policies and taking steps to protect against similar failures in the future.

IntelliShield Analysis: Although the loss of these badges and identification cards poses a risk, there is no evidence that these cards have been misused. The FAA has pledged to track down the missing badges, as well as take steps to protect against badge loss in the future. The FAA now forbids employees to keep badges in personal vehicles, from which badges are most often stolen. It is difficult to foresee how this rule may be enforced or how such a rule will affect employee behavior. The FAA is also altering the way it issues the badges and will not be using the U.S. Postal Service, because badges could be intercepted before delivery, an example of how a protective measure can be circumvented even before it can be put into practice. The MoD identification card carries the picture of the person to whom it was issued, which should assist in deterring misuse of the card. Some of the MoD cards were replaced because they were worn out, but it was not reported whether the original cards had been turned in to authorities.

Individuals whose day-to-day activities involve interaction with badged personnel should continue to follow the maxim to trust, but verify. Businesses using badges, access cards or other forms of identification should educate owners in proper security usage and management. Cards that belong to employees who have left an organization, or that become worn, damaged, or stolen should be deactivated, recovered and destroyed. Because identification cards and badges (smartcards) are developed to hold more information, control policies and procedures should be updated to reflect the increased risk if the cards are lost. One best practice for areas requiring a high degree of security is to require employees to use a combination of identification credentials with an access card. The credentials can be carried off site and exchanged for the access card when entering the secure location. This best practice includes a high amount of overhead, but provides a high degree of control and security for sensitive areas requiring this level of precaution.

Human

Girl Scout Troop Leader Involved in Tax and Identity Theft

A callous Girl Scout troop leader created a "Girl Scout Medical Release" form to collect sensitive information, including Social Security numbers, from the members of her troop and used the information to file electronic tax forms with the U.S. Internal Revenue Service (IRS) to obtain tax refunds. The troop leader capitalized on her position of trust and used the children's personal information to invent false information on income and employment to submit federal tax returns, then received the resulting tax refunds. By using the identities of troop members, the troop leader was able to prepare and file bogus tax claims for more than US$187,000, resulting in refunds of more than US$87,000 that were deposited in five different bank accounts.

IntelliShield Analysis: With the deadline for filing taxes in the U.S. less than a month away, phishing e-mails purporting to be from the IRS, spurious advice from unscrupulous tax preparers, and documents such as the one created by the malicious Girl Scout troop leader are actively attempting to exploit taxpayers and are likely to be associated with identity theft. The IRS has taken steps to combat tax fraud against the government. An IRS agent testified to Congress during the time period that the IRS "significantly understates the size of the problem and the number of tax payers hurt" when scammers file false returns with information gained by identity theft.

In most cases, human interaction is required to obtain the sensitive information required to file a fraudulent return. To prevent these types of phishing attacks, users are reminded that the IRS does not send unsolicited e-mail to consumers regarding tax matters. An e-mail purportedly from the IRS that advises a user of a refund obtainable by clicking a crafted link or submitting personal or financial information is likely to tempt even the most sensible taxpayer. User education about social engineering schemes can protect identity, assets, and information. Organizations are strongly encouraged to emphasize education at all levels to protect against social engineering tactics designed to obtain personal identification information.

Geopolitical

China's New Information Super-Ministry to Streamline Telecoms

As part of a major ministerial reorganization in China, the ministry that governs telecommunications and the IT industry will enjoy expanded powers. Under the plan, which will create five new super-ministries in an attempt to streamline China's huge bureaucracy, the Ministry of Information Industry (MII) will take over some administrative oversight and decision-making functions previously enjoyed by the powerful National Development and Reform Council (NDRC). The MII will also incorporate the State Council Informatization Office (SCITO) and the military IT research arm Commission of Science, Technology, and Industry for National Defense (COSTIND). MII, which will be known as the Ministry of Industry and Information, regulates telecom carriers, sets IT industry standards, and oversees electronics manufacturing.

High on the list of priorities for the new super ministry is the long-awaited reorganization of China's telecommunications carriers. The existing companies are expected to be re-apportioned into three entities, each providing fixed-line and mobile offerings. It is also hoped that the new ministry will issue licenses for 3G mobile phone services, an event that has been delayed for years as a result of bureaucratic squabbling.

IntelliShield Analysis: It remains to be seen whether the reorganization will succeed in streamlining decision-making in the IT sector, as the implementation timeline is unclear and most offices affected by the reorganization are merely being moved around, rather than eliminated. Up to now, both foreign and domestic Chinese companies have been hard-pressed to navigate overlapping and sometimes contradictory regulations imposed by competing authorities. Moreover, regional governments have been able to play various central government agencies off of each other in order to achieve their individual agendas, so a central decision-maker could be good news. At the same time, China's telecommunications carriers will continue to be closely guided by the central government, providing a continued domestic advantage, and a more nimble IT sector may well empower global players such as Huawei and ZTE.

Upcoming Security Activity

Black Hat Europe: March 25–28, 2008
CanSecWest: March 26–28, 2008
Sharkfest 2008: March 31–April 2, 2008
NOTACON 5: April 4–6, 2008
RSA 2008: April 7–11, 2008
HITBSecConf2008: April 14–27, 2008
SANS 2008: April 18–25, 2008
ToorCon Seattle 2008: April 18–20, 2008
RSA Conference Japan: April 23–25, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:
China's 11th National People's Congress Convenes: March 15–25, 2008
Saint Patrick's Day: March 17, 2008
Easter (Western): March 23, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
