
Cyber Risk Report

May 25–31, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability levels remained consistent through this period, which included the United States Memorial Day holiday on Monday, May 25. Activity was highlighted by an out-of-cycle Microsoft security advisory for a DirectShow vulnerability: DirectShow does not properly handle QuickTime media files, so an attacker who convinces a user to view a malformed QuickTime file, for example one hosted on a malicious website, could execute arbitrary code with the privileges of that user. Where the user runs with administrative rights, this can lead to a complete compromise of the affected system. This vulnerability is described in IntelliShield Alert 18366.

Previously reported vulnerabilities in Adobe Reader and Flash Player, as well as Microsoft PowerPoint, continue to show exploit activity. Patches are available for these vulnerabilities. Additionally, the Gumblar malicious code and botnet continue to show increased activity, compromising legitimate websites in order to infect their visitors. The Gumblar activity is described in IntelliShield Alert 18286.

IntelliShield published 86 events last week: 56 new events and 30 updated events. Of the 86 events, 32 were Vulnerability Alerts, 39 were Security Activity Bulletins, six were Threat Outbreak Alerts, five were Security Issue Alerts, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        05/29/2009     9        15      24
Thursday      05/28/2009     8         7      15
Wednesday     05/27/2009    20         4      24
Tuesday       05/26/2009    19         4      23
Monday        05/25/2009     0         0       0
Weekly Total                56        30      86

Significant Alerts for May 25–31, 2009

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 1, May 29, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring.

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 2, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests: the path that is checked against access restrictions and the path that is ultimately used to locate the file can differ once the Unicode sequences are decoded. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.
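The bypass described above depends on two parts of the server disagreeing about what a request path means after Unicode decoding. The Python below is an added example, not code from the report or from any Cisco or Microsoft tooling: it scans constructed IIS-style access-log lines for request paths that carry ASCII characters in overlong UTF-8 form (for instance the bytes C0 AF, which a lenient decoder reads as '/' while a strict UTF-8 decoder rejects them). The report does not say which encoded sequences are involved in the exploit; treating overlong encodings as the indicator, the log line format, and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style access log lines (method, path, status). They are
# illustrative samples written for this example, not data from the report.
SAMPLE_LOG = [
    "GET /public/index.html 200",
    "GET /protected/report.pdf 401",
    "GET /protec%c0%afted/report.pdf 200",
    "PROPFIND /protected/ 401",
    "PROPFIND /%c0%afprotected/ 207",
    "GET /caf%c3%a9.html 200",
    "GET /docs/..%e0%80%ae%e0%80%ae/etc.txt 200",
]

# Assumed log line shape: "<METHOD> <percent-encoded path> <status>".
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def decode_utf8_sequences(raw: bytes):
    """Yield (code_point, byte_length) for each UTF-8 sequence in raw,
    accepting overlong forms the way a lenient decoder would. A byte that
    cannot start or continue a sequence yields (None, 1)."""
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            yield b, 1
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            yield None, 1
            i += 1
            continue
        cont = raw[i + 1:i + 1 + need]
        if len(cont) < need or any(not 0x80 <= c <= 0xBF for c in cont):
            yield None, 1
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        yield cp, need + 1
        i += need + 1


def smuggled_ascii(raw: bytes) -> str:
    """Return the ASCII characters that raw expresses only through overlong
    multi-byte sequences (e.g. C0 AF -> '/'). Strict UTF-8 rejects these;
    a lenient decoder turns them into path metacharacters that an earlier
    check on the raw bytes never saw."""
    return "".join(chr(cp) for cp, length in decode_utf8_sequences(raw)
                   if cp is not None and length > 1 and cp < 0x80)


def triage(lines):
    """Parse log lines and return [(line, smuggled_chars)] for requests
    whose percent-decoded path hides ASCII behind overlong UTF-8."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = unquote_to_bytes(m.group("path"))
        found = smuggled_ascii(raw)
        if found:
            hits.append((line, found))
    return hits


if __name__ == "__main__":
    for line, found in triage(SAMPLE_LOG):
        print(f"{line!r}: overlong encoding of {found!r}")
```

A hit means an access-control decision made on the raw path and a file lookup made on the decoded path can disagree; the status code beside it is the next thing to look at, since a 2xx on a resource that should have demanded authentication is the case worth investigating. The check is deliberately method-agnostic because the report does not tie the vulnerability to particular WebDAV verbs. Valid multi-byte characters such as the é in the sixth sample line are left alone, so the check does not fire on ordinary non-ASCII paths.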

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint.  Reports indicate that targeted attempts to leverage this vulnerability continue to occur.  A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems.  Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet.  Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 2, May 4, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1492

Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An attacker could exploit it by convincing a user to view a malicious PDF file; when the document is opened, the attacker's code runs with the privileges of that user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.
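While only a workaround is available, one triage step for incoming PDFs is to look for JavaScript that calls getAnnots before the file reaches Reader. The Python below is an added example, not code from the report or from Adobe: it inflates FlateDecode streams, which hide their contents from a plain string search, and then looks for the /JavaScript and /JS action keys and the getAnnots call. The constructed sample documents, the indicator list, and the stream handling are this example's assumptions.

```python
import re
import zlib

# Deflated streams hide their contents from a plain string search, so the
# scanner inflates them before looking for indicators.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Assumed indicator list: the JavaScript action keys plus the API call
# named in the alert.
INDICATORS = (b"/JavaScript", b"/JS", b"getAnnots")


def inflate_streams(pdf: bytes) -> bytes:
    """Return pdf with every stream body that inflates cleanly replaced by
    its decompressed form; streams that are not zlib data are left as-is."""
    def _inflate(m: re.Match) -> bytes:
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM_RE.sub(_inflate, pdf)


def find_indicators(pdf: bytes) -> list:
    """List the indicators present once FlateDecode streams are inflated."""
    text = inflate_streams(pdf)
    return [ind.decode() for ind in INDICATORS if ind in text]


def build_sample_pdf(action: bytes) -> bytes:
    """Construct a minimal PDF-shaped byte string with one FlateDecode
    stream holding `action`. This is a constructed sample for the example,
    not a real document, and is not meant to open in a viewer."""
    body = zlib.compress(action)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n"
            b"%%EOF\n")


# Two constructed samples: one carrying a JavaScript action that calls
# getAnnots, one with an innocuous page-content stream.
SUSPECT = build_sample_pdf(b"<< /S /JavaScript /JS (this.getAnnots({nPage: 0});) >>")
BENIGN = build_sample_pdf(b"BT /F1 12 Tf (Quarterly report) Tj ET")

if __name__ == "__main__":
    print("suspect:", find_indicators(SUSPECT))
    print("benign: ", find_indicators(BENIGN))
```

A real triage tool would also handle the other stream filters PDF allows, object streams, and JavaScript that assembles the call name at runtime, none of which this scanner sees; a document that shows no indicators here is therefore not cleared, but one that does show them warrants a look before it is opened.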

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user.  The level of user privileges and the code that is executed determine the degree to which the system is compromised.  This vulnerability is actively being exploited in the wild by the Pidief family of trojans.  Additional information about the trojan is available in IntelliShield Alert 14388.  Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans.  This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed in which attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system.  The worm propagates by sending a copy of itself to e-mail addresses found on the infected system.  The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments.  W32.Waledac may download files on an infected system and provide an attacker with backdoor access.  The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Buckingham Palace Infiltrated by Reporters Posing as Businessmen

Two reporters posing as wealthy businessmen bypassed proper credential checks to access areas of the grounds at Buckingham Palace. The reporters said they bribed a chauffeur with US$2,000, who then allowed the supposed businessmen to sit in one of the Queen's cars. The chauffeur reportedly told the businessmen the code names for the Palace's entire fleet of cars and details of the Queen's travel plans.

IntelliShield Analysis: Physical security controls are crucial to maintaining security for information systems and dignitaries alike. In this case, there were security protocols in place (visitors must present proper identification and must have proper clearance to enter the grounds); however, these requirements were clearly bypassed. Had the breach involved individuals with malicious intent rather than undercover reporters, the results could have been tragic. The incident highlights the risk posed by a trusted insider who circumvents established security protocols.

Legal

European Union Sues Sweden Over Data Retention Laws

Sweden has not implemented the laws requiring Internet service providers (ISPs) to store network data that the Data Retention Directive 2006/24/EC obliges member states to enact. The European Union (EU) has initiated court proceedings to force the member nation to comply. Although reports indicate the Swedish government is preparing to introduce laws requiring data retention, it did not meet the deadline of April 1, 2009, set forth in the EU directive. The laws are designed to ensure that ISPs store data that may be of use to police in criminal cases related to some online activity.

IntelliShield Analysis: Sweden's delay in enacting a data retention law may indicate the complexity of creating laws that govern the storage and protection of potentially confidential user information. ISPs must store data for set periods of time and remove that data after an expiration date, making data retention operations difficult to manage and time sensitive. Part of Sweden's delay could be related to a strong intellectual property movement within the country, as well as the politically unpopular nature of data retention governance. While Sweden has thus far not passed such a law, it is unlikely that the case brought by the EU would go to trial, as the initiation of legal action may be sufficient to quicken the Swedish government's efforts toward enacting one.

Trust

Merrick Sues Savvis, Alleges Certification Was In Error

Third-party payment processor CardSystems (now owned by Pay By Touch) discovered a large breach of payment information in May 2005.  Less than a year prior to the breach disclosure, Merrick, a bank that accepts payments on behalf of merchants, contracted with Savvis to certify that CardSystems complied with Visa and MasterCard security requirements.  Since the breach, Merrick has allegedly suffered $16 million in penalties from Visa and MasterCard for using CardSystems, a provider that did not meet their standards.  Merrick hopes to recoup their losses from Savvis on the grounds that CardSystems was not compliant with security regulations at the time and that Savvis had assured Merrick otherwise. 

IntelliShield Analysis: This incident highlights the importance of managing risk by transferring it to a third party. Merrick contends that it performed due diligence, in part by paying Savvis to investigate security at CardSystems. The contract between Merrick and Savvis serves to transfer the risk of breaches at CardSystems to Savvis, pending the outcome of this legal case. Organizations in a position to use outside vendors for high-risk activities should similarly consider contracts that allow risk to transfer to a third party. Providing security assurance as a contractual obligation is itself a high-risk activity, as there can never be complete assurance of security. For companies in a position similar to Savvis, it is important to ensure that security reviews are completed in line with industry best practices and due care, and without an overly broad obligation that amounts to a guarantee of security.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

North Korea Nuclear and Missile Tests

North Korea conducted its second underground nuclear test on May 25, 2009, followed by official threats from Pyongyang and the test-firing of at least six short-range missiles. The Democratic People's Republic of Korea (DPRK) is also believed to have restarted production of weapons-grade plutonium at the nuclear complex at Yongbyon, and satellite imagery suggests activity around a ballistic missile facility. All five permanent members of the United Nations Security Council, including China, the DPRK's closest ally and biggest trading partner, condemned the test and are expected to issue a resolution and tighten sanctions in the near future. The United States and South Korea have raised the alert level for their troops in South Korea to its highest since the DPRK's 2006 nuclear test, given the possibility of an impending regime change in Pyongyang and of escalating tit-for-tat military responses, either of which has the potential to destabilize the entire East Asian region.

IntelliShield Analysis: Military planners and government and business leaders around the world are being careful not to underestimate the volatility of the current situation. Despite North Korea's economic weakness, its military is powerful. South Korea's capital, Seoul, is within artillery range of the demilitarized zone, and North Korea's recent erratic actions suggest it would be unwise to discount the potential for the regime to go on the offensive. Neighboring China and South Korea are concerned that a collapse of the regime could send refugee flows across its northern and southern borders. Japan is precariously close to North Korea's missiles. There could be a repeat of the North-South naval skirmishes in waters off the northwestern coast that have occurred twice in the past decade. From an information security perspective, North Korea claims to have built a powerful cyber offense capability and may have successfully hacked into South Korean and U.S. networks in the past. Complicating a diplomatic solution to the problem, North Korea's motivations, and therefore its end game, are unclear. For businesses with assets in Asia, the situation heightens the risk of disruption to continuity, sales, and supply chains in South Korea, Japan, and China.


Upcoming Security Activity

NANOG46: June 14–17, 2009
Cisco Live: June 27–July 2, 2009
21st Annual FIRST Conference: June 28–July 3, 2009
International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

20th Anniversary of Tiananmen Incident (China): June 4, 2009
Lebanon Parliamentary Elections: June 7, 2009
Iran Presidential Elections: June 12, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
