October 20-26, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

A vulnerability in Microsoft Windows Server Service was the main focus of both vulnerability and malicious code activity during the time period. The vulnerability, described in IntelliShield alert 16941, could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with privileges sufficient to take complete control of the target system. Additionally, an attacker may be able to access encrypted user credential information. If decrypted, the user credential information could allow the attacker to access other computers or resources within the compromised domain. Microsoft released an out-of-band security bulletin with updated software to address the vulnerability. Troj/Gimmiv-A, described in IntelliShield alert 16947, is actively exploiting the vulnerability, and various antivirus vendors are referring to it as a trojan or a worm.
Once installed on the system, the worm attempts to steal confidential information from the system. The worm then encrypts this information and posts it to a remote website that is accessible by the attacker. This information is likely to be leveraged by attackers to launch additional attacks against the system or to perform identity theft attacks against the user. IntelliShield expects additional malicious code attacks to leverage this vulnerability in the coming weeks. IntelliShield strongly encourages administrators to apply the appropriate updates and to consider disabling the Server and Computer Browser services to mitigate the risk of the vulnerability being exploited. Additional mitigations and prevention methods are available at Cisco Security Center and through the Applied Mitigation Bulletin, IntelliShield alert 16944.

IntelliShield published 108 events last week: 42 new events and 66 updated events. Of the 108 events, 95 were Vulnerability Alerts, two were Security Issue Alerts, one was a Daily Malicious Code Summary, four were Malicious Code Alerts, two were Security Activity Bulletins, three were Applied Mitigation Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for October 20-26, 2008

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A worm is also actively exploiting this vulnerability to install itself on target systems. Additional information on the worm is available in IntelliShield Alert 16947. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure their antivirus definitions are up to date.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and which support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista systems and Windows Server 2003 and 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available. This vulnerability is being actively exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability

Independent security researchers have discovered a critical flaw affecting multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, making the user think they are clicking on a legitimate link.
If successful, the attacker could control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as "clickjacking." Adobe has released both a security advisory and a security bulletin as well as updated software to address this vulnerability.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not yet publicly released the sockstress tool, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers presented their findings on October 17, 2008, at the T2 2008 security conference in Helsinki, Finland, but released few details. Cisco has released a Security Response for this activity.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability

Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code.
The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a zero-day vulnerability.

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Physical

United States Banks Receiving Letters Containing White Powder

Threatening letters containing a white powder arrived October 22, 2008, at Chase banking institutions across the United States (U.S.) and at the headquarters of The New York Times in New York City. According to Federal Bureau of Investigation (FBI) spokesman Richard Kolko, more than 45 letters have been sent to various financial entities in 11 states since October 20, 2008. Authorities in the U.S. are conducting tests on the white powder but as yet have not identified any harmful substances. Kolko noted that the letters appeared to be from a common source; however, this has not been confirmed. Currently, there are no reports of people being tested for symptoms from exposure to the powder. The U.S. FBI, Postal Inspectors, and local officials are investigating the case.

IntelliShield Analysis: Attacks of this type can create commotion and cause setbacks for the affected businesses.
Time and resources need to be invested to investigate such cases and to review current policies for handling mail. Shutting down portions of office buildings or removing employees from the affected workplace directly impacts production for the company. Businesses should consider reviewing their mail handling policies and ensure a procedure is available to implement when hazardous materials are received through the mail. Organizations should assess the risks from physical mail threats and consider appropriate mail profiling to detect suspicious or atypical packages that may require special handling.

Legal

Prioritizing Resources and Organization for Intellectual Property Act Signed into Law by U.S. President Bush

The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have lobbied the U.S. Congress heavily in the last year for a law that would more effectively curb losses in sales due to peer-to-peer file swapping and sales of pirated copies of movies or music. The Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP Act) passed with overwhelming support in both the House and the Senate. President Bush signed it into law on October 13, 2008.

IntelliShield Analysis: The new law increases the maximum penalties that can be brought to bear against those found guilty of breaking copyright laws. The penalties do not need to be tied to any proven damages that are suffered by the copyright holder. If suspected of copyright infringement, a person could have their computer or related equipment confiscated by law enforcement officials and used as evidence. A national Intellectual Property Czar will be appointed to coordinate the investigation and prosecution of violations in the sphere of intellectual property. One of the tasks of the Intellectual Property Czar will be to advise the President regarding international thefts or piracy of copyright protected materials.
Trust

Preliminary Research Demonstrates Wired Keyboard Snooping

Researchers have released videos demonstrating the ability to wirelessly snoop on wired keyboard input to computer systems. The researchers captured electronic radiation using several different antennas and were able to translate the signals into the text input of the keyboard device. The new work is similar to former U.S. government initiatives in signals intelligence and other research in electronic radiation monitoring.

IntelliShield Analysis: While the researchers demonstrated the ability to snoop wirelessly on wired keyboard input, an attack in an actual environment is considerably more difficult. Primarily, an attack requires reception equipment such as an antenna that an attacker must conceal and transport within range of a target. Additionally, it may be very difficult to separate a stream of signals from a single target; most sites will be bathed in electromagnetic radiation that is emanating from other devices in range of the antenna. The researchers' technique depends on collecting all electromagnetic radiation within range, which in the typically signal-filled environment of an office or other work site means a large amount of data from many sources to sort through. Physical security practices could prevent potential attacks by controlling access to work spaces. This type of research and attack on various electronic devices has been known for several decades, remains very difficult, and poses an unlikely risk. Sites most at risk are those that are isolated or exposed to uncontrolled physical spaces.

Identity

Ohio's Secretary of State Website Attacked and Temporarily Disabled

In the United States (U.S.), the office of the Ohio Secretary of State announced that functionality of its website has been limited to protect records and data following the discovery of repeated attempts to breach the site.
The attacks on the Secretary of State systems coincide with the court case regarding the disclosure of potentially fraudulent registered Ohio voters. As this case proceeded through the courts to the U.S. Supreme Court ruling in the state's favor, the Secretary of State information systems and office have been under siege with menacing messages and threats, including the delivery of a package containing an unidentified powder. The incidents are under investigation.

IntelliShield Analysis: These incidents indicate the high level of tension and emotions around the upcoming U.S. election. The challenge to election officials is to safeguard the records, data, and validity of the election. Disabling the functionality of a website is an extreme measure that was apparently considered necessary in this case. In addition to the safety, security, and data risks, the political implications are also high. Business implications would need to be considered in similar decisions. While limiting the functionality of a website may not be an option for some businesses and organizations, information technology and risk managers can expect to be faced with similar decisions of whether confidentiality, integrity, or availability is their highest priority. In the case of the Ohio Secretary of State website, confidentiality and integrity were chosen over availability. Organizations should consider these exceptional situations in their business continuity planning, and determine their plans and priorities prior to the events occurring.

Human

The Broadband Data Improvement Act Educates Students on Web Safety

The U.S. Senate has passed a bill that would require the Federal Trade Commission to begin a national public awareness program to ensure that all students are educated on safe and responsible Internet use. The bill requires all educational facilities that receive e-Rate funds to provide education to their students about risks, dangers, and safe practices for use of the Internet.
IntelliShield Analysis: This bill was merged with the Broadband Data Improvement Act, which required the Federal Communications Commission (FCC) to conduct surveys about the availability of broadband access, speed, quality, and price. The education requirement was added by the Senate to heighten awareness of the presence of sexual predators, online bullying, and other Internet dangers, and of how to avoid such situations. With the increase of Internet access and use in schools and at home, the addition of the education requirements addresses the growing concerns of parents, schools, and legislators. Students will be taught safe practices, rather than the issues being addressed only with technologies and controls that have limited the value of Internet access. This program should establish an awareness that will benefit students at home and later, when they enter the workforce.

Geopolitical

Global Slowdown Hits Technology Sector

It did not take long for technology companies to feel the effects of the global economic slowdown. The past several weeks have brought reports of layoffs, industry consolidation, stock price losses, and trimmed earnings forecasts. Yahoo will lay off 1500 employees, for example, while eBay is cutting 10 percent of its workforce. Silicon Valley technology startups in the United States (U.S.) report a sharp slowdown in venture capital funding; VC firm Sequoia Capital delivered a presentation to its portfolio companies with a picture of a tombstone reading "Rest In Peace Good Times." The losses are not limited to the U.S. technology sector; major technology companies in India, China, Japan, and Europe are also reporting grim news. The economic carnage has even begun to manifest itself in the world of cybercrime, according to Panda Security. The firm reports that malware attacks are sharply up.
The firm attributes the phenomenon to phishers who traditionally prey on electronic financial transactions being forced to repurpose themselves given the rapid consolidation of the financial industry and slowdown in transaction volume.

IntelliShield Analysis: Despite the gloomy statistics, optimism in the tech sector remains strong. Gartner, Inc., the information technology research and advisory company, cut its technology sector earnings forecast during the time period, but continues to predict positive growth overall, arguing that technology has matured into a mission-critical component of global business. Continued strong demand from emerging markets will be crucial to the recovery of industrialized countries, so slowdowns in India, China, and Brazil are of particular concern and should be watched perhaps even more closely than the situation in the U.S. and Europe. China's GDP growth is down from double digits to nine percent, while India's technology bellwethers Infosys and Tata announced slowing growth. India's Sensex stock index is down 50 percent for the year; China's benchmark CSI Index is down 67 percent for the year, according to Bloomberg. Technology companies around the world will be sorely tested if these numbers continue to fall.

Upcoming Security Activity

National Cyber Security Awareness Month: October 1–31, 2008
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
