
IntelliShield Cyber Risk Report

November 5–11, 2007

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability and threat activity levels have remained consistent over the last three weeks. Multiple vendors released security advisories and updated software to address three vulnerabilities affecting XPDF-based applications. In each case, a successful attack could allow the attacker to cause a denial of service condition or execute arbitrary code. To exploit any of these vulnerabilities, the attacker must convince the user to process a malicious PDF document with a vulnerable application. IntelliShield expects that multiple vendors will release updates over the next few weeks.

Apple released QuickTime version 7.3 to address seven vulnerabilities that affect Mac OS X and Windows platforms. An attacker could exploit these vulnerabilities by convincing a user to process a malicious media file using QuickTime. In the most severe cases, the attacker may be able to execute arbitrary code with the permissions of the user. The common user configurations on Mac OS X systems should limit the impact of successful code execution because typical configurations limit user and administrative account privileges. Because QuickTime is bundled with applications such as iTunes, it is installed on a very large number of systems, which makes these vulnerabilities attractive to attackers seeking to compromise many systems at once.

Cisco Remote Operations Services detected malicious activity that attempts to exploit the script error handling memory corruption vulnerability in Microsoft Internet Explorer. IntelliShield reported this vulnerability in Alert 14243. The malicious activity may indicate a new round of web-based attacks that attempt to build zombie networks or install trojans or data hijackers that steal sensitive user data.

Microsoft released the Microsoft Security Bulletin Advance Notification for November. Of the two bulletins that are scheduled for release on November 13, 2007, Microsoft scored one with a maximum severity rating of critical and one with a maximum severity rating of important. Both bulletins affect the Microsoft Windows operating system.

IntelliShield published 139 events last week: 53 new events and 86 updated events. Of the 139 events, 128 were Vulnerability Alerts, three were Malicious Code Alerts, four were Security Issue Alerts, three were Daily Malicious Code Summaries, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        11/09/2007     8       31     39
Thursday      11/08/2007    10       12     22
Wednesday     11/07/2007    12       17     29
Tuesday       11/06/2007    13       16     29
Monday        11/05/2007    10       10     20
Weekly Total                53       86    139


Significant Alerts for November 5–11, 2007

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 14243, Version 3, November 7, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3893

Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates. 

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability
IntelliShield Vulnerability Alert 13688, Version 13, October 26, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3670, CVE-2007-3896, CVE-2007-3954

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14365, Version 2, October 22, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5601

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 14224, Version 1, October 9, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3899

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user who started the affected application. Malicious code that exploits this vulnerability is circulating in the wild; IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007
Security Activity Bulletin 14327, Version 2, October 29, 2007
Urgency/Credibility/Severity Rating: 2/5/4

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details that concern specific vulnerabilities. IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as researchers test and verify the Oracle patches.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14083, Version 14, October 23, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-3999, CVE-2007-4743

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos and will likely release updated software to address this vulnerability.

Oracle JInitiator ActiveX Control Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14045, Version 1, August 29, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-4467

Oracle JInitiator ActiveX Control contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The systems at most risk are terminal servers and workstations that contain the affected ActiveX control, and systems on which users browse to both internal Oracle tools and external sites. Oracle has not confirmed this vulnerability, and no updates are available.

Physical

CI Host Chicago Co-location Robbery

The CI Host web hosting company was recently robbed for the fourth time in two years. In the most recent incident, two masked intruders cut through a datacenter wall with a power saw, attacked the night manager, and stole approximately twenty servers. Damage is estimated at hundreds of thousands of US dollars. Previous break-ins included perpetrators cutting through a third-floor wall and an armed robbery in which an employee was overpowered.

IntelliShield Analysis: Co-location facilities are selected with security as a primary concern. With four physical breaches of CI Host in two years, the facility has been facing significant pressure from thieves. The chief corporate counsel of CI Host suggested that the theft may have been an inside job because the thieves exhibited extensive knowledge of the facility layout, technology, and operations. Organizations seeking a co-location provider should consider not only the physical security and environmental controls for equipment, but also personnel controls that limit exposure to disgruntled current or former employees. Further, if facilities experience an uncommonly high number of breaches, customers may raise expectations of the provider to ensure that security improvements are implemented to reduce future impact.

Legal

P2P User Pleads Guilty to Identity Theft

Gregory Kopiloff has pleaded guilty to one count of mail fraud, one count of accessing a protected computer without authorization, and one count of aggravated identity theft. Kopiloff could face 20 years in prison and up to US$250,000 in fines. Kopiloff used peer-to-peer (P2P) applications to locate documents containing personal information within the shared directories of other users' computers. He used this data, along with other stolen documentation, to apply for and obtain credit cards, which he used to purchase and resell over US$73,000 in merchandise.

IntelliShield Analysis: This is the first case brought against an individual for using a P2P application to commit identity theft. Although Kopiloff is charged with illegally accessing a protected computer without authorization, he likely accessed the P2P application legally; a misconfiguration on the targeted system caused the personal documents to be shared. With the vast majority of P2P traffic consisting of illegal media file sharing and the United States (U.S.) Congress pushing for more action by the U.S. Department of Justice against P2P pirates, organizations and users can expect a greater push to rein in copyright infringement and an eventual shift in technologies by P2P users who continue to share media files.

Trust

Fake Identity Ring Seized at Chicago O'Hare Airport

Two employees of Ideal Staffing Services Inc., a company that staffs food service and cargo workers at Chicago's O'Hare airport, have been arrested for allegedly providing fake security clearance badges to the firm's employees. Mary Gurin and Norinye Benitez have been accused of misusing U.S. social security numbers and deactivating security badges to provide security clearance to illegal immigrants who were employed by the staffing firm. As a result, the unauthorized workers were employed under false identities and had significant access to restricted areas of the airport without undergoing background checks.

IntelliShield Analysis: Organizations should take note of the failures highlighted by this pervasive, prolonged security breach. Not only were the fake badges not recognized by human or electronic means, but administrators did not oversee the required background checks of subcontractors or ensure that background checks occurred at all. Although the goal of the breach appears to be simply filling jobs with illegal immigrants, a more serious physical threat could have been targeted at the airport and the airlines that use O'Hare. A combination of oversight on background checks, validation of credentials during day-to-day operations, and other appropriate controls could prevent illegal hiring practices and ensure proper security, thus protecting both organizations and the general public.

Identity

Salesforce.com Exploited by Targeted Phishing Attack

After being the victim of targeted e-mail phishing attacks, Salesforce.com has had its customer database stolen. This database contained the full names, e-mail addresses, and phone numbers of an unspecified number of customers. Recent reports indicate that some Salesforce.com customers have been receiving falsified invoices that appear to come from Salesforce.com.

IntelliShield Analysis: The use of targeted e-mail phishing is on the rise, posing an increased risk for businesses that store valuable information or assets. Recent trends indicate that attackers are moving from massive, untargeted phishing attacks to small-volume targeted attacks. Users should be cautious when handling e-mails and should investigate links or file attachments before following links or opening files, even if the e-mail appears to come from a trusted source. Organizations should review e-mail-based communication systems to ensure that internal policies are not ambiguous or easily exploitable by forgeries from phishing perpetrators.
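One concrete form of the "investigate links before following them" advice is to check whether the text a message displays for a link names the same domain as the address the link actually points to; a falsified invoice that shows the vendor's address while linking elsewhere is a common phishing tell. The following is an added example written for this report, not code from Cisco or Salesforce.com; the HTML message and every domain in it are constructed placeholders, and the two-label approximation of the registrable domain is an assumption that a production check would replace with the Public Suffix List.

```python
"""Flag HTML e-mail links whose visible text names one host but whose href
points to another registered domain.  Added example; the sample message and
the domains it contains are constructed, not taken from a real incident."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link's display text imitates the vendor's
# site while its href points somewhere else; the other links are consistent.
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<a href="http://billing-update.example.net/login">https://www.vendor.example.com/invoices</a>
<a href="https://www.vendor.example.com/help">Help Center</a>
<a href="https://pay.vendor.example.com/">pay.vendor.example.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an anchor that actually has an href is kept.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host named by a URL or bare hostname, or None."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "http://" + value  # treat bare text such as "pay.example.com" as a URL
    host = urlparse(value).hostname
    return host.lower() if host else None


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for this example; real checks should use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return (visible text, href) for links whose text names a host in a
    different registered domain than the href.  Text that is not a hostname
    (e.g. "Help Center") cannot be compared and is skipped."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        text_host = host_of(text)
        if not text_host or "." not in text_host:
            continue
        href_host = host_of(href)
        if href_host and registered_domain(href_host) != registered_domain(text_host):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} points to {href!r}")
```

The check deliberately compares registered domains rather than full hosts, so `www.vendor.example.com` shown as text and `pay.vendor.example.com` as the target are not flagged; only a change of registered domain is treated as a mismatch. Run against a mail gateway's HTML bodies, the result is a list of (shown, actual) pairs suitable for quarantine rules or user warnings.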

Human

Malware and Exploits Hosted on Fake U.S. Presidential Candidate Websites

Malware authors and hackers have taken advantage of the high volume of traffic dedicated to researching the websites of U.S. presidential candidates by serving malware and various exploits on fake election sites. Users may inadvertently visit these malicious sites by mistyping a candidate's web address or by following an untrusted link from a search result. The sites appear legitimate and attempt to infect users' systems by offering screensavers or videos. If the user attempts to download the screensaver or launch the video, a trojan is installed on the user's machine. Reports indicate that the Zlob trojan is known to be hosted on these sites.

IntelliShield Analysis: Attackers often target popular events, especially events that elicit a significant emotional response. Presidential candidate websites are easily targeted because the website names are not standardized from one candidate to another and are not as long-lived as commercial or governmental sites. As the U.S. presidential elections approach, malicious sites are expected to increase in quantity, as is the amount of exploits and malware hosted on such sites. Instead of trusting links that are advertised in e-mail messages and listed on untrusted websites, users should independently verify the address of official sites and use only verified sites for making financial contributions.
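Because the mistyped-address route depends on look-alike domain names, a defender who knows the legitimate site names can scan observed domains (from DNS or proxy logs, or from new registrations) for names a small edit away from the real ones. The following is an added example written for this report, not code from Cisco or from any campaign; the legitimate and observed domain lists are constructed placeholders, and the distance threshold of 2 is an assumption to be tuned for the names being protected.

```python
"""Flag observed domain names within a small edit distance of a known
legitimate domain.  Added example; the domains below are constructed
placeholders, not real candidate sites."""

# Constructed list of the domains an organization wants to protect.
LEGITIMATE = ["candidate-smith.example.org", "votejones.example.org"]

# Constructed sample of domains seen in DNS or proxy logs.
OBSERVED = [
    "candidate-smith.example.org",  # exact match, legitimate traffic
    "canidate-smith.example.org",   # one letter dropped
    "votejone.example.org",         # trailing letter dropped
    "vote-jones.example.org",       # one character inserted
    "weather.example.org",          # unrelated site
]


def levenshtein(a, b):
    """Edit distance (insertions, deletions, substitutions) by the classic
    row-by-row dynamic programme; O(len(a) * len(b)) time, O(len(b)) space."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or keep
        prev = cur
    return prev[-1]


def lookalikes(observed, legitimate, max_distance=2):
    """Return (observed, legitimate, distance) for every observed name that is
    close to, but not identical with, a protected name.  Exact matches are the
    legitimate sites themselves and are not reported."""
    hits = []
    for seen in observed:
        for real in legitimate:
            d = levenshtein(seen.lower(), real.lower())
            if 0 < d <= max_distance:
                hits.append((seen, real, d))
    return hits


if __name__ == "__main__":
    for seen, real, d in lookalikes(OBSERVED, LEGITIMATE):
        print(f"{seen} is {d} edit(s) from {real}")
```

Comparing full domain strings works here because the protected names share a suffix; when protecting names across several top-level domains, compare the second-level label on its own so that a different suffix is not counted as distance. The same function serves the Trust and Identity sections' concern with forged sender addresses, since sender domains can be scanned with the same lists.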

Geopolitical

Rumored e-Jihad Cyber Attack Fails to Spook Security Experts

Reports indicate that terrorists were planning a cyber attack against Western, Israeli, and apostate Muslim targets using a malware kit called e-Jihad 3.0. The attack was to take place on 11 November and consist of Distributed Denial of Service (DDoS) attacks against an initial 15 unnamed sites. Although security experts generally agree that e-Jihad 3.0 is of minimal concern, they also admit that terrorists, like criminals, are getting better at staying one step ahead of law enforcement authorities.

IntelliShield Analysis: The e-Jihad malware has been around for several years, and security experts consider this malware to be fairly rudimentary. This malware relies on many participants to generate enough attacks simultaneously to bring down targeted servers. While most networks are protected against DDoS attacks, brute force remains a threat, and terrorists appear to be taking advantage of that in cyberspace. For technology companies, such attacks are a reminder that although some of our adversaries are working with blunt instruments, they still are capable of doing real damage to networks.

Yahoo Questioned for Cooperating with Chinese Government

The U.S. House of Representatives Foreign Affairs Committee lambasted Yahoo CEO Jerry Yang and his General Counsel last week for their role in the jailing of two Chinese dissidents. Political activist Wang Xiaoning and journalist Shi Tao were arrested and imprisoned after Yahoo China, then a unit of Yahoo, provided user information to Chinese authorities. Yang apologized to the families of the two men and argued that a company doing business in a foreign country cannot ignore the laws of that country. Yang, himself an immigrant from Taiwan, also expressed his belief that the West's growing business engagement in China is, in the long run, better for human rights and democratic reforms in China than refusing to do business there.

IntelliShield Analysis: The U.S. Congressional hearing underscores the risks for Internet technology companies seeking to expand in emerging markets where legal structures and human rights standards are at odds with the West. Of particular concern, Congress is considering a bill that would criminalize cooperation by U.S. technology companies with foreign governments that seek to obtain information for the persecution of activists. Regardless of whether this bill gains support, companies could face damage to their reputations at home when doing business with governments that are perceived as repressive or undemocratic. Companies that are balancing both U.S. congressional expectations and local laws in emerging markets have pursued various strategies. These include becoming minority investors in ventures run by local partners, or maintaining all user information on servers based offshore where local privacy laws are more compatible with U.S. expectations.

Upcoming Security Activity

Microsoft Security Bulletin Update for November: November 13, 2007

Oracle OpenWorld: November 11–15, 2007
Breakpoint Conference: November 17–18, 2007
DeepSec IDSC: November 22–23, 2007
Net&System Security Convention: November 27, 2007
PacSec 2007: November 29–30, 2007
Information Technology and National Security (Saudi Arabia): December 1, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
