March 3–9, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Microsoft released the Microsoft Security Bulletin Advance Notification for March 2008. Microsoft assigned each of the four bulletins scheduled for release on March 11, 2008 a maximum severity rating of Critical. Three of the bulletins address vulnerabilities in the Microsoft Office suite of applications; the remaining bulletin addresses a vulnerability in Microsoft Office Web Components.

During the time period, SymbOS/Kiazha.a began circulating in the wild in parts of China. This trojan is designed to run on Symbian OS devices and is distributed as part of a mobile phone malware package by SymbOS.Multidropper.A, which installs SYMBOS_COMWAR.C, SymbOS/Beselo, and SymbOS.Kiazha.A on the device. The malware author appears to have deliberately bundled these pieces of malware as part of a money-making scam, and each plays a distinct role: SYMBOS_COMWAR.C and SymbOS/Beselo are the malicious payloads, and SymbOS/Kiazha.A is used to persuade the infected user to send money to the malware author in order to restore normal operation of the phone. Malware of this type is known as ransomware and has primarily targeted Windows systems in the past.
SymbOS/Kiazha.a and SymbOS.Multidropper.A are documented in IntelliShield Alert 15307. SYMBOS_COMWAR.C is documented in IntelliShield Alert 9870, and SymbOS/Beselo is documented in IntelliShield Alert 14994.

Another example of ransomware is Trojan.Monagrey, described in IntelliShield Alert 15295. Trojan.Monagrey also attempts to coerce users into paying a fee to remove it. Once installed, the trojan announces itself by displaying a pop-up message on system reboot. The message states that the machine is infected with a trojan called MonaRonaDona and is intended to prompt the user to search online for a solution. Among the search results, the user may find Unigray Antivirus, a misleading application that poses as a legitimate antivirus product and claims to disinfect machines infected with MonaRonaDona. If the user downloads Unigray, the application reports several false infections involving the MonaRonaDona malware and then asks the user to pay a fee to remove the trojan. The application does remove the trojan, but that is the only piece of malware it is designed to remove. Users are advised to install only trusted applications and to contact an administrator if such an infection occurs.

With St. Patrick's Day on March 17, 2008 and Easter on March 23, 2008, malware authors will likely incorporate these holidays into their social engineering tactics in the coming weeks. Weather events are also attractive to malware authors: the massive snow storms that affected a significant portion of the United States population during this period may prompt social engineering e-mails that exploit the situation.
In particular, the Storm worm often uses media events and holiday periods to mass-distribute copies of itself in enticing e-mails. All users should be cautious when opening e-mail messages, especially during holiday periods, should verify the authenticity of a message before opening it, and should verify unexpected links within a message before following them.

IntelliShield published 147 events last week: 35 new events and 112 updated events. Of the 147 events, 132 were Vulnerability Alerts, four were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Security Activity Bulletins, two were Malicious Code Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
Microsoft Works File Converter contains a vulnerability in the handling of legacy-format Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
F5 Networks BIG-IP contains a vulnerability in the web management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and no updates are available.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
The Linux kernel contains a vulnerability that could allow a local attacker to gain superuser privileges and take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
The Linux kernel contains a vulnerability that could allow a local attacker to gain privileges equal to those of the superuser account and take complete control of the vulnerable system. Exploit code is available.
Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to crash the application or execute arbitrary code. Depending on the configuration of the affected system, the attacker may be able to gain elevated privileges. This vulnerability is currently being exploited in the wild and has been identified as being used by Trojan.Pidief.C, as documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released technical details of several vulnerabilities corrected by this update, and at least one has been used to distribute malicious code.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in ongoing, targeted attacks. No public examples of exploit code have been observed, and attacks are unlikely to be widespread while details of the vulnerability remain not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008.
The update provides patches for a total of 26 vulnerabilities across Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released as technical details become available.

Physical

Social Engineering Security Highlight of Recent Publication
Johnny Long, a well-known figure among white hat hackers and penetration testers, recently released his latest book, "No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing". The book discusses the use of non-technical and social attacks against physical resources and warns that, with the increased focus on attacks against electronic resources, established low-tech attacks may be less visible but remain just as dangerous. Long writes that these attack methods are easier to use and may have higher success rates than higher-profile electronic attacks.

IntelliShield Analysis: Long's book rightly argues that although a great deal of energy has been spent securing electronic assets, companies should continue to invest in, adapt, and employ protections against physical and social engineering attacks. Despite the marketing surrounding the book's release, the subject matter is timely and appropriate for strategic planning. If not properly secured, expensive equipment can often be defeated through the simplest of means, such as entering secured areas behind authorized users at a high-traffic entrance (tailgating) or using common objects to trigger door releases. As companies secure their networks and technologies, criminals may find it more productive to focus on the mundane aspects of security that many tend to ignore, and this may be particularly true in the wake of this book's release.
Organizations may see an increase in physical probes against security systems as curious readers act on new information, but the book is unlikely to disclose any new ideas or attacks to professional attackers. A properly executed security strategy will attempt to cover every weak link, whether physical, electronic, or human. User education and securing physical resources should remain priorities even as more business operations move into the electronic realm.

Legal

FBI Director Concerned About Relationship With Telecommunications Companies
During a United States (U.S.) Senate Judiciary Committee hearing, Robert Mueller, Director of the U.S. Federal Bureau of Investigation, expressed concern about the relationship between the U.S. government and the telecommunications industry. Debate in the U.S. Congress has focused on lawsuits against telephone companies that allege the companies carried out illegal wiretaps. U.S. President Bush and his administration have insisted that this sort of cooperation is necessary to collect actionable intelligence related to the war on terror. Senator Arlen Specter suggested an amendment that would substitute federal lawyers as defendants in place of the telecommunications companies. Mueller is concerned that anything short of removing all liability would hamper further collaboration.

IntelliShield Analysis: Telecommunications companies remain the focus of the debate over domestic surveillance under the Foreign Intelligence Surveillance Act (FISA). With the U.S. government divided between retroactively removing all liability from the telephone companies and allowing the lawsuits to proceed, the telecommunications industry may find itself in court proceedings for a long time unless Congress reaches a swift decision. The Senate passed an amendment to FISA, but it was not approved by the House of Representatives.
Organizations affected by this impasse should continue to use encryption and other means of protecting sensitive information, and should stay current with any legal reform that may affect the confidentiality, integrity, and legal requirements of their business.

Trust

TSP Program Identifies First Outsource Company
The National Communications System Telecommunications Service Priority (TSP) program has designated the first information outsourcing company for priority restoration and provisioning of telecommunications services. The company, PHNS, provides IT services to a large number of hospitals. The TSP program qualifies companies and organizations for priority telecommunications provisioning and restoration in support of national security and emergency preparedness; the prioritization is designed to expedite critical telecommunications services in response to an emergency or crisis.

IntelliShield Analysis: The TSP program is regulated by the United States Federal Communications Commission (FCC). It allows telecommunications services used by federal, state, local, and foreign governments, as well as by commercial service providers, to be qualified and designated for priority restoration and provisioning for three-year periods. The program is focused on emergency and crisis response for natural disasters. TSP has a lengthy qualification process and detailed service procedures; however, service providers that support critical services during emergencies or crises should consider TSP, as it can be a significant component of a robust business continuity and disaster recovery program.

Identity

Safeguards Assisting in Protecting User Data on Stolen Laptops
Two laptops stolen from the Telford and Wrekin Primary Care Trust (PCT) in Shropshire, United Kingdom and from the U.S. Department of Veterans Affairs (VA) have demonstrated that renewed efforts to secure mobile technologies are effective.
Both laptops used encryption to protect the data stored on the hard drives against unauthorized access. The laptop stolen from the VA has been recovered. The PCT laptop is still missing but was fitted with a tracking device. A flash drive stolen along with the PCT laptop was not encrypted; it contained the records of 238 patients.

IntelliShield Analysis: Many organizations have been affected by lax procedures for securing laptops, and thefts over the past few years have resulted in a large number of data exposures. With awareness rising, thieves are finding it more difficult to steal unprotected machines. The VA laptop used a locking mechanism and encryption and required authentication; the PCT laptop also used encryption. Protecting laptops is a first step in keeping sensitive data secure, but other storage devices, such as the unencrypted flash drive in this case, need the same protection in order to maintain a cohesive defense. Beyond technical solutions, employees should be trained to appropriately transport, store, and control devices to limit the risk from attacks of opportunity against unattended devices, or devices stored in plain sight or in obvious locations.

Human

USAF Sends Emails to Tourist Business
United States Air Force (USAF) personnel inadvertently sent e-mail messages intended for USAF personnel stationed at RAF Mildenhall in Suffolk, England to a tourist website with a similar e-mail address. The maintainer of the site, which was intended to promote tourism in Mildenhall, notified the USAF several times about the e-mails but was told not to be concerned. However, when flight plans for a presidential visit were received and the Air Force was notified, officials became alarmed.

IntelliShield Analysis: E-mail address errors are common; however, this problem should not be allowed to cause sensitive information to be sent to the wrong people.
Organizations should monitor outgoing mail for the identifiers (such as classification markings) that they use to tag confidential content, so that such mail addressed to unauthorized recipients can be blocked before it leaves the outbound mail server. Another technique is to require employees to verify addresses before first use and then store them in a corporate address book, which avoids confusion when two addresses are very similar. Organizations may also consider disabling address auto-completion, or requiring encryption before sensitive data is sent to addresses outside the corporation or trust domain. These and similar safeguards can help prevent organizations from making costly and embarrassing mistakes.

Geopolitical

Latin American Tensions Exacerbated by Data on Captured Laptop
Colombian officials say that data retrieved from a laptop belonging to a slain Revolutionary Armed Forces of Colombia (FARC) leader offers proof of Venezuelan President Hugo Chavez's financial support for the militant group. The laptop was seized during a Colombian raid that created a diplomatic crisis by crossing into Ecuadorian territory. According to Colombian police officials, the laptop data provides evidence of Chavez's financial support for FARC, which the United States (U.S.) considers a terrorist organization. In response to the raid and Colombia's accusations, Chavez moved Venezuelan forces to the border with Colombia, and FARC bombed a pipeline in Colombia's Putumayo region, putting it out of service for several days. Chavez, calling Colombian President Uribe a puppet of the U.S. and a liar, threatened disruptions to the US$5 billion annual bilateral trade relationship and implied that he would consider nationalizing Colombian assets on Venezuelan soil.
IntelliShield Analysis: Following a civil handshake between Chavez and Colombian President Uribe at the Rio Group summit in the Dominican Republic, the diplomatic crisis appeared headed toward resolution. Chavez's motivation for deepening the crisis may have been to deflect domestic attention from accusations that he is squandering Venezuela's oil wealth; fortunately, he was reluctant to back up his harsh words with military action. For now, the primary concern for Western businesses is whether lingering tensions will affect regional economies or oil prices, as crude oil hovered around US$105 per barrel during the period. The laptop capture could become more than an interesting side story if there is independent verification of Colombia's claims that Chavez lent FARC money to get started in the oil business and that FARC was attempting to obtain uranium. Such evidence may cause concern for the Latin and Central American nations that support President Chavez.

Upcoming Security Activity

Microsoft Security Bulletin Update for March: March 11, 2008
Internet Engineering Task Force Conference: March 9-14, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:

11th National People's Congress Convenes: March 15-25, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk.
Cisco reserves the right to change or update this document at any time.
