IntelliShield Cyber Risk Report

March 17–23, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Major vendor updates highlighted vulnerability activity during this time period, including updates from Kerberos, Cisco, VMware, Apple, and Microsoft. MIT released security advisories and updated software to address four previously undisclosed vulnerabilities in MIT's distribution of Kerberos. Three of the four vulnerabilities could allow an attacker to execute code with permissions sufficient to take control of the affected system. These three vulnerabilities are detailed in IntelliShield Alerts 15429, 15430, and 15463. Vulnerabilities within authentication systems such as Kerberos are always of significant concern, because the compromise of such a system may result in the compromise of every system that trusts that authority.

Cisco released a security advisory and updated software to address a remote code execution vulnerability in Cisco CiscoWorks LAN Management Solution (LMS) Internetwork Performance Monitor (IPM). The vulnerability is described in IntelliShield Alert 15376 and exists because the IPM software creates a command shell on a random TCP port. An unauthenticated, remote attacker could connect to this port and execute arbitrary commands. The vulnerability was introduced in version 2.6, and no other versions are affected. The only identified mitigation is to apply the vendor-supplied patch; there are currently no known workarounds on the affected host itself. If the patch cannot be applied immediately, administrators should consider using access-layer devices to restrict access to vulnerable systems to authorized hosts only.

VMware released a security advisory and updated software to address 11 vulnerabilities, five of which had not been previously disclosed. The software updates included fixes for several prominent vulnerabilities in OpenSSL as well as four locally exploitable privilege escalation vulnerabilities.

Apple released four security bulletins and updated software to address over 100 vulnerabilities and security issues. These vulnerabilities affect the AirPort Extreme Base Station firmware, Digital Camera RAW Compatibility, the Apple Safari web browser, and various components of the Mac OS X operating system. The updates for Mac OS X and Safari are described in IntelliShield Alerts 15418 and 15419 respectively; many of the individual vulnerabilities have been separately documented by IntelliShield. The update for Safari included the release of the first stable version of the browser for the Windows platform. Users running prior versions of Safari for Windows should consider upgrading immediately.

Microsoft responded to public reports of a previously undisclosed vulnerability in the Microsoft Jet Database Engine with a security advisory. The vulnerability is exploitable by convincing a user to open a malicious Microsoft Word document; it is detailed in IntelliShield Alert 15469. Reports indicate that targeted attacks have occurred using publicly available exploit code for the malformed header handling arbitrary code execution vulnerability in the Microsoft Excel spreadsheet application. This vulnerability is detailed in IntelliShield Alert 14951. An attacker could use either of these vulnerabilities to execute arbitrary code, potentially taking control of the vulnerable system. Reports of active exploitation of these vulnerabilities are consistent with the trend of using office productivity software, rather than operating system vulnerabilities, as an avenue of attack.

IntelliShield published 151 events last week: 65 new events and 86 updated events. Of the 151 events, 143 were Vulnerability Alerts, three were Security Activity Bulletins, one was a Security Issue Alert, one was a Daily Malicious Code Summary, one was a Malicious Code Alert, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      03/22/2008     0         1       1
Friday        03/21/2008    11        28      39
Thursday      03/20/2008    15         9      24
Wednesday     03/19/2008    19        12      31
Tuesday       03/18/2008    11        15      26
Monday        03/17/2008     9        21      30
Weekly Total                65        86     151

Significant Alerts for March 17–23, 2008

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 1, March 21, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. Microsoft has confirmed the vulnerability but software updates are unavailable. Microsoft reports this vulnerability has been exploited to conduct limited, targeted attacks.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 7, March 22, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Exploit code demonstrating code execution is publicly available. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. The exploit code could be leveraged to conduct larger scale attacks. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to execute arbitrary code with user or elevated privileges, or to cause a denial of service condition. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 15092, Version 3, March 13, 2008
Urgency/Credibility/Severity Rating: 1/5/3
CVE-2008-0084

Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a denial of service condition. Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability in event data captured on March 13, 2008, which could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability in the handling of legacy-formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and no updates are available.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 4, March 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the affected system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C, as documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Physical

Hospital Prohibits Mobile Devices

Recent concerns over the use of cameras on mobile technology have prompted the Resnick Neuropsychiatric Hospital at the University of California, Los Angeles to ban all cell phones and laptop computers from the hospital. The hospital implemented the ban after pictures of patients were discovered on a social networking website. Due to concerns over the protection of patients' privacy and compliance with California laws, the hospital did not think that hospital workers could enforce a limited ban on only those devices with cameras. As a result, the hospital banned all cell phones and laptop computers.

IntelliShield Analysis: Laptop computers, cell phones, digital assistants, and similar devices with multiple media capabilities pose a risk to personal privacy and business concerns. Many of these devices have built-in cameras, sound and video recording capabilities, and the ability to transmit files over commercial networks that lie beyond an organization's monitoring or control capabilities. The strictest policy is a complete ban on all portable devices, as well as on portable media that might be used to transport data. For most business and commercial settings, lesser but still effective controls and policies can mitigate the risk. Businesses should address these risks through security policies and employee acceptable use training, policy notification to visitors entering the premises, security monitoring of controlled areas, and the strict prohibition of devices in limited areas where increased security is required. Although similar policies and controls can be implemented on the business network, mobile devices that operate outside the business network must be addressed through physical security policies and controls.

Legal

There was no significant activity in this category during the time period.

Trust

Voting Discrepancies Across the United States

The United States (U.S.) Presidential Primary elections have renewed concerns and increased reporting of voting discrepancies. Such reports often focus on voting procedures but also include reports of voting system errors or potential fraud. A report in the U.S. state of New Jersey detailed an election system summary tape that appears to indicate the incorrect calculation of votes cast on the system. Another incident under investigation in the U.S. state of Ohio indicates that multiple systems showed that a candidate was withdrawn from the election and the internal auditing capabilities were disabled. In a related incident, the U.S. state of Pennsylvania took down a voter registration website after it was determined that completed registration forms could be viewed by any person accessing the site.

IntelliShield Analysis: Since the introduction of electronic voting systems, the debate over such systems has focused on the wide distrust of them. The fact that some systems have been critically flawed has overshadowed the majority of investigated discrepancies, which were found to have no merit. As a result, the high level of distrust of these systems has trumped electronic voting system security measures, inspections, testing, and certifications. When users lose trust in the systems, the perception becomes reality. Similar trust issues exist among other current security issues, such as popular websites that are infected with malicious code, spam and phishing exploits that appear to be from known sources, and poor business responses to vulnerabilities, breaches, and compromises. User trust is as much a public relations issue as a security one, and it requires the collaborative efforts of a diverse incident response team. Despite the distrust, elections continue, and security incidents are rarely reflected in a business's stock price or website activity. However, attributing these results to user apathy is a high-risk assumption. The trust in a name, brand, or entire business vertical must be actively guarded; otherwise, organizations risk becoming an example of what not to do.

Identity

Data Breach Strikes U.S. Grocer

Between December 2007 and March 2008, an estimated 4.2 million credit card numbers were stolen from Hannaford Bros., a supermarket chain with stores found primarily in the northeastern region of the United States. The company issued a press release on March 17, 2008 to voluntarily alert customers to the intrusion, which was detected on February 27, 2008. Thus far, the company has received approximately 1,800 reports of fraud involving store customers who used credit or debit cards between December 7, 2007 and March 10, 2008. According to news reports, the attackers are believed to have captured card data during the card verification transmission process. The attacks occurred despite Hannaford Bros. asserting that the company met, and perhaps exceeded, the requirements of the Payment Card Industry Data Security Standard (PCI-DSS).

IntelliShield Analysis: Merchant security plays an important role in securing sensitive customer data, but the increasing frequency of these attacks shows that PCI-DSS alone will not solve this problem. Merchant organizations should not only ensure that the minimum standard of PCI-DSS compliance has been met but also understand that significant weaknesses may remain unaddressed by the standard and could impact the organization. The Payment Card Industry must also consider updating payment card technology, verification processes, and transmission protocols to be inherently resistant to eavesdropping, duplication, and similar attacks. Most of all, cardholders, merchants, and the payment card companies should ensure that the perpetrators of these attacks, and not the victims, pay for these crimes.

Human

Millennial Generation Activities Pose Increased Corporate Risk

Symantec has released the results of a study that it conducted with Applied Research-West to identify the levels of risk associated with workers born before 1980 and those born after 1980. The study's findings were summarized under three key messages. The first message suggests that millennial workers approach new technology with a more open attitude than those of earlier generations. The second found that IT managers believe that current policy education is sufficient, but those receiving the education do not feel adequately trained. The last message indicates that the younger workforce, coupled with new technologies, is forcing IT departments to use different means to mitigate the elevated risk. Although new technologies such as instant messaging clients, blogs, photo sharing applications, podcasts, voice over IP clients, and social networking applications are risky, they may prove useful and aid in collaboration as well as information management.

IntelliShield Analysis: Although the study's findings cannot report on specific behavior, they can be useful in identifying paradigms and differences in perspectives among groups. Coping with the advancement of technology has always been a challenge for IT departments, but the ease of access and the proliferation of new technology are forcing security professionals to reexamine how much control should be exercised over systems and how much freedom users should be given. When companies hire new employees, they risk the introduction of new vulnerabilities to the network through the installation of unsupported software, and new attack vectors may be introduced that could allow malicious code as well as phishing attacks to bypass existing protective measures. As new employees learn what is culturally acceptable within their organization and the organization learns to interact with these employees, both parties may gain a greater understanding of the company's culture and of the adoption of new technologies. Appropriate training and mentoring can expedite this transition. IT departments may consider monitoring their networks for the introduction of potentially dangerous activity, as well as maintaining an open dialogue with employees to identify their needs and work to meet those needs when possible.

Geopolitical

Unrest in Tibet Highlights Censorship

As China's central government took steps to contain violent confrontations between demonstrators and police forces in Tibet, journalists in China reported that major media sources, including CNN, BBC, Google News, and YouTube, had been blocked. From within China, only official reports on the situation in Tibet emanating from China's state-owned media organization, Xinhua, were accessible. Authorities in Beijing, so far, have not changed plans for the Olympic torch to travel through Tibet on its way to Beijing. Last week, U.S.-based Human Rights Watch announced the impending release of a code of conduct detailing recommendations for foreign Internet service providers and portals in China that are faced with Internet censorship. According to Human Rights Watch, all of the major foreign Internet companies that are operating in China were taking part in creating the code of conduct.

IntelliShield Analysis: For Beijing, the unrest in Tibet comes at a time when its overriding priorities include maintaining stability and a positive image among world opinion leading up to the 2008 Olympics in August. It is likely that other groups in China will be tempted to use the spotlight of the Olympic games to call attention to their causes in coming weeks, putting not only the government in Beijing in a difficult position but also foreign communications companies operating in China. A code of conduct might give foreign companies the ability to function legally in a country with different laws and expectations than exist outside of China, while allowing these companies to highlight Internet access as a force for positive political change. Still, it is likely that during the summer season, foreign communications companies doing business in China may need to consider their ability to balance expectations and any impact recent events may have on their brands.

Upcoming Security Activity

Black Hat Europe: March 25–28, 2008
CanSecWest: March 26–28, 2008
Sharkfest 2008: March 31–April 2, 2008
NOTACON 5: April 4–6, 2008
RSA 2008: April 7–11, 2008
HITBSecConf2008: April 14–27, 2008
SANS 2008: April 18–25, 2008
ToorCon Seattle 2008: April 18–20, 2008
RSA Conference Japan: April 23–25, 2008
CSI SX 2008: April 27–May 2, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:

China's 11th National People's Congress: March 15–25, 2008
Easter (Eastern): April 27, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.