October 29–November 4, 2007

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained high for this time period. Independent security researchers released information regarding a SQL injection vulnerability in the Oracle Database Server Workspace Manager. Exploit code is publicly available that could allow a remote attacker to gain database administrator (DBA) privileges using this vulnerability. To exploit this vulnerability, the attacker must first authenticate to the vulnerable system.

During this time period, OSX.RSPlug.A, described in IntelliShield Alert 14441, has been receiving considerable media attention. This trojan is among the few pieces of malware that target Mac OS X machines. OSX.RSPlug.A masquerades as a free video codec for the QuickTime media player on Mac OS X. The trojan is known to be hosted on pornographic websites and on forums and other legitimate websites that are frequented by Mac users. These sites contain a link to video-related content. When the user attempts to launch the video, an error message prompts the user to download a video codec. This "codec" is actually the trojan. After the trojan is installed, it changes the system's DNS settings to point at attacker-controlled DNS servers. The attacker can use these malicious DNS servers to redirect the user to phishing sites or to cause the user to download additional, more damaging malicious code. Although malware authors have rarely targeted Mac OS X users in the past, these types of attacks are expected to rise as more people use Mac OS X systems. Some components of the OSX.RSPlug.A trojan could easily be ported to attack other operating systems. Sources indicate that the authors of this threat also created Zlob, which has had a damaging effect on Windows systems.

Also circulating during this time period was Trojan.Captchar.A, documented in IntelliShield Alert 14428. This trojan attempts to defeat the Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) system. A CAPTCHA is meant to prevent a task from being automated and repeated many times: the system displays a graphic containing distorted text, and the user must type the text shown before proceeding. Trojan.Captchar.A allows a remote attacker to bypass CAPTCHA tests by capturing user input on infected systems. The trojan does not decipher the text in the image itself; it relies on the human at the infected machine to solve the CAPTCHA, without that person realizing the answer will be used maliciously. The trojan captures the user's response and sends it to a remote server from which the attacker can retrieve the recorded keystrokes. The attacker could use this capability to, for example, register large numbers of e-mail accounts for spam purposes.

IntelliShield published 141 events last week: 43 new events and 98 updated events.
Of the 141 events, 116 were Vulnerability Alerts, nine were Malicious Code Alerts, five were Security Issue Alerts, five were Daily Malicious Code Summaries, three were Security Activity Bulletins, one was an Applied Mitigation Bulletin, one was a Geopolitical Security Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

2007 Monthly Alert Totals
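The OSX.RSPlug.A item above turns on one observable symptom: the resolvers a host is actually using no longer match the ones the organization hands out. The following is an added example (not code from the IntelliShield report or from Cisco) of that check. It accepts both /etc/resolv.conf-style "nameserver A.B.C.D" lines and the "nameserver[0] : A.B.C.D" lines that `scutil --dns` prints on Mac OS X, and reports any resolver outside an approved set. The approved addresses and the sample configuration are constructed from RFC 5737 documentation ranges and are assumptions, not real servers.

```python
"""Flag DNS resolvers that are not on an approved list.

Added example, not from the IntelliShield report. A DNS-changing trojan such
as OSX.RSPlug.A leaves the host resolving through servers the attacker owns;
comparing the live resolver list with the set an organization expects is a
cheap way to spot it. Addresses below are constructed (RFC 5737 ranges).
"""
import ipaddress
import re
from typing import Iterable, List

# Assumed corporate resolvers (documentation range; placeholders, not real).
APPROVED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Matches "nameserver 192.0.2.53" and "nameserver[1] : 192.0.2.53".
_NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)")


def extract_resolvers(config_text: str) -> List[str]:
    """Return every nameserver IP literal found, in order, without duplicates."""
    seen: List[str] = []
    for line in config_text.splitlines():
        m = _NAMESERVER_RE.match(line)
        if not m:
            continue
        addr = m.group(1)
        try:
            ipaddress.ip_address(addr)  # reject hostnames or junk tokens
        except ValueError:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def rogue_resolvers(config_text: str,
                    approved: Iterable[str] = APPROVED_RESOLVERS) -> List[str]:
    """Resolvers in use that are not in the approved set.

    A non-empty result on a managed host is worth investigating: it is exactly
    the symptom a DNS-changing trojan produces.
    """
    approved_set = set(approved)
    return [r for r in extract_resolvers(config_text) if r not in approved_set]


# Constructed sample in `scutil --dns` style. The second resolver has been
# swapped for a server outside the approved list.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.9
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

if __name__ == "__main__":
    for r in rogue_resolvers(SAMPLE_SCUTIL_OUTPUT):
        print(f"unapproved resolver in use: {r}")
```

On a live Mac the input would come from `scutil --dns` rather than the embedded sample; reading the live configuration matters because the trojan changes what the system resolves with, not what the user sees in a preferences pane. The check is deliberately an allowlist: a resolver that is merely "not private" tells you nothing, whereas any resolver you did not configure is a finding.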
Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user who started the affected application. Malicious code that exploits this vulnerability is circulating in the wild; IntelliShield reported it as a variant of the Mdropper trojan in alert 12562. Depending on the privileges of the user, the attacker could create new accounts; install programs; or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details concerning specific vulnerabilities. IntelliShield analysts expect independent security researchers to release details regarding individual vulnerabilities as they confirm that the patches address them.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos, and their vendors will likely release updated software to address this vulnerability.

Oracle JInitiator ActiveX Control Buffer Overflow Vulnerability

The Oracle JInitiator ActiveX control contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user. The systems most at risk are terminal servers and workstations that contain the affected ActiveX control, and systems on which users browse to both internal Oracle tools and external sites. Oracle has not confirmed this vulnerability, and no updates are available.

Physical

Thief Steals Laptops from Multiple Corporations by Appearing Ordinary

Eric Almly has been arrested in connection with a multiple-laptop theft at the Outback Steakhouse corporate office in Miami. Subsequent searches of Almly's residence have uncovered evidence that appears to tie him to several similar thefts in five states. Almly is believed to have taken advantage of lax physical security to penetrate corporate offices by dressing in business casual attire, following employees through security doors near closing time, loitering until employees left for the day, and then stealing several laptops left on users' desks.
The suspect in similar thefts in Milwaukee was dubbed the "Khaki Bandit" because his primary tactic seems to have been arriving in khaki trousers to blend in among employees. Almly is suspected of reloading the stolen laptops and selling them on eBay; he does not appear to have been interested in the data they contained.

IntelliShield Analysis: The suspect was apprehended after tracking software installed by Outback parent company OSI Restaurant Partners alerted authorities to a stolen laptop's location. The tracking software is the one positive aspect of a story otherwise filled with physical security failures. The thief's success is attributed to his ability to appear ordinary and otherwise go undetected, which allowed him to be admitted through secured entrances and to loiter in office spaces without being effectively questioned about his identity, authorization, or activities. After employees had left for the day, the laptops remained physically unsecured on top of desks and were easily removed from the premises. Each of the targeted organizations failed to control its assets, primarily because of employee oversight. Businesses that wish to overcome these challenges will need to spend significant effort addressing the human and social elements of physical security controls.

Legal

Judge Allows Trademark Infringement Lawsuit Against Google

An attempt to dismiss a trademark infringement lawsuit brought against Google by American Airlines was denied by United States (U.S.) District Judge John McBride. American Airlines filed the lawsuit, claiming that it is illegal for Google to display competitors' advertisements when users search for trademarked American Airlines terms using Google's search engine.

IntelliShield Analysis: Google is no stranger to these types of lawsuits, having won a similar case brought by Geico. Although the judge did not dismiss the lawsuit outright, this should not be taken as an indicator of the final outcome: Google has large coffers, and the burden of proof remains with American Airlines. If American Airlines wins, there could be drastic changes to the way online marketing is conducted, because a significant portion of Google's revenue comes from sponsored advertising. Such a result would affect other online businesses that use similar practices, as well as companies that rely on this form of marketing to attract new customers.

Vonage and Verizon Settle Patent Infringement Suit

Vonage has reached an agreement with Verizon Communications, which had filed a suit claiming that Vonage infringed three patents that Verizon holds. Vonage has agreed to pay up to US$120 million, with US$2.5 million going to charity and the rest to Verizon; a U.S. appeals court will decide the actual amount. Vonage has settled its litigation with Sprint Nextel but still has one matter to resolve with AT&T.

IntelliShield Analysis: This is good news for Vonage, and its stock has responded positively to the outcome. With just one more patent infringement case to sort out, Vonage may be able to stop defending itself and focus on its business. These cases may help shape the future of IP telephony companies and clarify the difficult questions that arise when interpreting patent law and licensed technology in the IP telephony market. Other IP telephony startups would do well to learn from the Vonage saga and ensure that their technologies and services do not infringe patents held by other organizations.

Trust

List of Anonymous Whistleblowers Disclosed by U.S. House Judiciary Committee

A clerk for the U.S. House Judiciary Committee has compromised the names of potential whistleblowers.
The committee made a mistake when sending a notice to individuals who had anonymously submitted information to the committee regarding potential abuses in the U.S. Justice Department. The clerk sent a notice specifying a change in access conditions for this information to all individuals who had made reports, about 150 people. Because all e-mail addresses were placed in the To: field of the message, each recipient could see the e-mail addresses of all the other submitters. The message also exposed an e-mail address for U.S. Vice President Cheney.

IntelliShield Analysis: Although this appears to have been a careless mistake, it should have been avoided. Companies as well as government bodies should anticipate such situations and establish a procedure for communicating with a group of individuals whose identities are sensitive information. Because no such procedure existed, the clerk assigned the task sent a single memo to every member of the list without considering the consequences, resulting in a loss of anonymity.

Identity

False Profiles Discovered on Internet

Pilar Stofega of Waterford, Connecticut has been charged with second-degree harassment and breach of peace for targeting the wife of an ex-boyfriend she had dated eight years earlier. Stofega posted fake profiles of the ex-boyfriend's wife on adult websites. The postings included the wife's home and work phone numbers, and earlier this year several men attempted to contact her after seeing the profiles. Waterford Police said the husband conducted his own online investigation and determined that Stofega, whom he had dated in 1999, posted the fake profiles. Police obtained a court order for Stofega's Internet records before her arrest. Stofega gave a written statement admitting to the crime and is scheduled to appear in New London Superior Court on November 5. She has been released after posting a US$2500 bond.

IntelliShield Analysis: This is an example of how easy it can be to abuse a person's identity. Attacks of this type are usually motivated by revenge; Stofega admitted that her motive was "to be vindictive, knowing that the profiles would create marital problems" for her ex-boyfriend and his wife. Stofega failed to hide the evidence that allowed her ex-boyfriend and the Waterford Police to trace the attack to her, which led to her arrest.

Human

California Wildfire Donation E-mail Scam

Reports are circulating of fraudulent e-mails that purport to solicit donations for the victims of the recent wildfires in California. The U.S. Internal Revenue Service (IRS) has received reports of one such e-mail that claims to come from the IRS itself. Recipients of one of these "IRS" e-mails should forward it immediately to phishing@irs.gov.

IntelliShield Analysis: Phishing through e-mail is not a new concept, and it does not appear to be subsiding anytime soon. E-mail users should be made continually aware of these attempts as part of ongoing Internet user education programs. When large-scale physical disasters occur, users should be especially alert, because such events tend to bring a surge in phishing e-mails. The Anti-Phishing Working Group (http://www.antiphishing.org) is a good contact for anyone who receives any type of phishing e-mail; messages can be reported to reportphishing@antiphishing.org.

Geopolitical

Russian Bulletproof ISP Seems Unstoppable

The St. Petersburg-based Russian Business Network (RBN) has been identified as a worldwide center for spamming, phishing, child pornography, and identity theft.
Security experts estimate that RBN servers alone hosted about half of last year's phishing activity worldwide. RBN provides so-called "bulletproof" website hosting to individuals engaged in criminal activity, insulating such sites from attempts to take them down, and charges as much as ten times the standard market price for hosting services. Efforts to stop RBN's activity have been unsuccessful because RBN is hard to trace and does not engage directly in illegal pursuits. RBN has no official website and no street address, and its owners have not publicly identified themselves. Moreover, RBN-hosted cybercriminals target victims outside Russia, removing the possibility of local pressure for action. Western law enforcement officials must work with Russian police, who to date have not been cooperating.

IntelliShield Analysis: With little prospect of a shutdown of RBN, the best defense for system administrators may be to block traffic that originates from RBN's IP addresses. Even blocking IP addresses is no guarantee, however, because cybercriminals who use RBN servers increasingly appear to route traffic through intermediary servers to obscure the origin of the activity. Lists of RBN IP addresses are available on the Internet on sites such as The Spamhaus Project and badmalweb.com.

Google Users in China Diverted to Baidu

In October, many users in China who tried to access the Google, Yahoo!, and Microsoft search engines reported that their requests were automatically redirected to Baidu, China's largest domestic search engine. Others reported a prolonged inability to access YouTube. Google, Microsoft, and Yahoo! representatives would not discuss their theories about the source of the problem, but they did confirm the disruptions. Speculation is widespread in the media and in technology blogs that the Chinese government participated in the redirection of this traffic. Most analysts appeared to agree that Baidu itself probably could not redirect traffic at the ISP level, but nothing is certain; it is possible that the hijackings originated from independent hackers or offshore sources. Search Engine Roundtable analysts further speculated that the redirections away from popular U.S. websites may have been an expression of Chinese government anger over the U.S. president's recent respectful treatment of the Dalai Lama.

IntelliShield Analysis: Whatever the source, if the disruptions continue they could have real implications for the Internet search market in China. Google, an early shareholder in Baidu, has been steadily losing ground to the domestic Chinese search engine: Baidu now holds more than 60 percent of China's Internet search market, compared to Google's 23 percent. Over time, users in China may simply drop the habit of using Google and the other popular U.S. websites and learn to favor domestic alternatives. Indeed, this may be a lucky break not only for Baidu but also for the home-grown YouTube rival, Tudou. The redirection of Internet traffic for potentially political purposes raises additional concerns for businesses that are already heavily invested, or are considering investment, in the rapidly growing Chinese economy.

Upcoming Security Activity

CSI 2007 Exhibition: November 3–9, 2007
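The RBN analysis in the Geopolitical section above recommends blocking traffic from RBN address space using published lists such as those from The Spamhaus Project. The following is an added example (not code from the IntelliShield report, Cisco, or Spamhaus) of consuming such a list: it parses the Spamhaus DROP text format, in which each entry is a CIDR prefix followed by "; " and an SBL case reference and ";" begins a comment, and then matches source addresses from a log against it. The prefixes and SBL numbers in the sample are constructed from RFC 5737 documentation ranges; they are placeholders, not RBN addresses.

```python
"""Match source addresses against a CIDR blocklist in Spamhaus DROP format.

Added example, not from the IntelliShield report. The sample list below is
constructed: the prefixes are RFC 5737 documentation ranges and the SBL
references are placeholders. A real DROP file has the same line shape,
"CIDR ; SBLnnnnnn", with ";" starting a comment.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Network = ipaddress._BaseNetwork  # IPv4Network or IPv6Network
Entry = Tuple[Network, str]

# Constructed sample in DROP format (comment lines, blank lines, one entry per line).
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List  (constructed sample, placeholder prefixes)
; Last-Modified: ...

192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
203.0.113.0/24 ; SBL000003
this is not a prefix ; SBL000004
"""


def parse_drop_list(text: str) -> List[Entry]:
    """Return (network, reference) pairs; comment, blank and malformed lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        prefix, _, comment = raw.partition(";")
        prefix = prefix.strip()
        if not prefix:
            continue  # blank line or pure comment
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # malformed entry; a production loader should log this
        entries.append((net, comment.strip()))
    return entries


def blocked_by(addr: str, entries: Iterable[Entry]) -> Optional[str]:
    """Return the reference of the first prefix covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, ref in entries:
        if ip.version == net.version and ip in net:
            return ref
    return None


def filter_sources(addrs: Iterable[str], entries: Iterable[Entry]) -> Dict[str, str]:
    """Map each listed source address to the reference that blocks it."""
    entry_list = list(entries)  # allow a one-shot iterable to be reused
    hits: Dict[str, str] = {}
    for a in addrs:
        ref = blocked_by(a, entry_list)
        if ref is not None:
            hits[a] = ref
    return hits


# Constructed sample of source addresses as they might appear in a firewall log.
SAMPLE_SOURCES = [
    "192.0.2.77",       # inside 192.0.2.0/24
    "198.51.100.5",     # outside 198.51.100.128/25 (that prefix starts at .128)
    "198.51.100.200",   # inside 198.51.100.128/25
    "203.0.113.1",      # inside 203.0.113.0/24
    "2001:db8::1",      # IPv6; no v6 prefixes in the sample list
]

if __name__ == "__main__":
    drop = parse_drop_list(SAMPLE_DROP_LIST)
    for src, ref in filter_sources(SAMPLE_SOURCES, drop).items():
        print(f"deny from {src}  # {ref}")
```

The linear scan is fine for a list of a few hundred prefixes; for larger feeds a radix tree keyed on the prefix is the usual structure. The caveat in the analysis still applies: this only catches connections whose source address is in listed space, so traffic relayed through an intermediary outside those prefixes passes the check unnoticed.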
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
