October 15–21, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels continued to rise from those of September and early October. This week, levels increased due in part to security advisories and updated software released by Oracle, Mozilla, and Nortel. Nortel released five security advisories to address vulnerabilities in their IP phone and E-LAN Telephony Server products. These vulnerabilities could allow an attacker to cause a denial of service condition, eavesdrop on IP phone conversations, or execute arbitrary code. Mozilla released eight security advisories to address ten vulnerabilities in their Firefox, SeaMonkey, and Thunderbird products. Three of the vulnerabilities were previously disclosed. Oracle also released the October 2007 Critical Patch Update during the time period. IntelliShield reported the update in alert 14327.
The update includes software to address 51 vulnerabilities across Oracle Database, Application Server, E-Business Suite, Enterprise Manager, Collaboration Suite, and PeopleSoft products. Independent security researchers have released information about several of these vulnerabilities. IntelliShield analysts created alerts for five previously undisclosed vulnerabilities that were addressed by the Critical Patch Update.

During this time period, W32/Skyper.B, which is described in IntelliShield Alert 14341, began masquerading as a legitimate security plugin for the Skype application. Upon execution, this trojan displays a false Skype login window in an attempt to steal authentication credentials associated with the application. Skype recently partnered with MySpace, which will greatly increase their user base. IntelliShield expects malware authors to target this partnership more often in their social engineering attacks.

The Storm worm also continued to circulate in the wild. Recent reports indicate that portions of the Storm botnet are being sold to certain groups for spamming purposes and possibly denial of service attacks. Recent variants also include an encryption key to secure the traffic that is used to command the worm. The Storm family of worms is described in IntelliShield Alert 14009.

IntelliShield published 159 events last week: 60 new events and 99 updated events. Of the 159 events, 129 were Vulnerability Alerts, 18 were Security Issue Reports, three were Daily Virus Reports, five were Security Activity Reports, and four were Malicious Code Alerts. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for October 15-21, 2007

IntelliShield Activity Report: Oracle Critical Patch Update October 2007

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details concerning specific vulnerabilities. IntelliShield analysts expect independent security researchers to release details regarding individual vulnerabilities as they confirm the patch does address them.

Previous Alerts That Still Represent Significant Risk

Microsoft Word Memory Corruption Vulnerability

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with user privileges. Malicious code exploiting this vulnerability is circulating in the wild. IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos and will likely release updated software to address this vulnerability.

Oracle JInitiator ActiveX Control Buffer Overflow Vulnerability

Oracle JInitiator ActiveX Control contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user.
The systems that are at the most risk are terminal servers and workstations that contain the affected ActiveX control and those systems where users browse to both internal Oracle tools and external sites. Oracle has not confirmed this vulnerability, and no updates are available.

Cisco IOS Next Hop Resolution Protocol Buffer Overflow Vulnerability

Cisco IOS contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges. Proof-of-concept code that demonstrates the DoS condition is publicly available. Attackers will likely require access to trusted, internal networks to exploit this vulnerability, because the use of NHRP is typically limited to internal or private networks. Cisco confirmed this vulnerability in a security advisory and released updated software.

ISC BIND Insecure Default ACL Information Disclosure Issue

ISC BIND versions 9.4.0 and 9.4.1 contain an issue that could allow an unauthenticated, remote attacker to access potentially sensitive information or make recursive queries. Proof-of-concept code is available that demonstrates a possible exploit method.

ISC BIND Weak DNS Query ID Generation Cache Poisoning Vulnerability

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to poison the DNS cache. Proof-of-concept code for predicting query IDs is publicly available. ISC confirmed this vulnerability in a security advisory and released updated software.

Physical

Copper Theft Causes 911 Outage

180 feet of copper wire was stolen from a phone line that provides 911 service for residents in part of Dallas, Texas. The theft resulted in an outage for several days. The Dallas Police Department responded by creating an emergency command post that will provide 911 service until regular phone service is restored.

IntelliShield Analysis: Copper theft has been occurring for over a year, ever since the price of the raw material doubled.
As opportunists continue stealing the material, the physical threat against infrastructure increases. Although this particular breach only affected a small population in Dallas, individual lives were still at risk during the 911 outage. Organizations that use large quantities of copper are advised to increase the levels of physical security to avoid such risks.

Legal

United States SPIES Act to Counter Espionage Threat

The initial Supporting Prosecutions of International Espionage Schemes (SPIES) Act bill was introduced in the United States (U.S.) in response to a Congressional belief that foreign espionage activity is a growing threat. The bill calls for increased efforts to prevent espionage and strengthen the prosecution and penalties of such cases. The bill, which is an expansion of previous laws to include terrorist organizations as well as foreign governments, also expands the existing Arms Export Control Act and the Export Administration Act of 1979 efforts to control the exportation of sensitive information and technologies.

IntelliShield Analysis: The SPIES Act is only in the introduction phase in the U.S. Congress and will undoubtedly undergo several modifications during debate. The final version will likely strengthen the existing export laws and increase the focus of the Departments of Homeland Security, Justice, and Commerce on this activity. U.S. businesses are advised to closely monitor these developments and prepare themselves for increased investigative activity. Espionage activity is likely to be a major government focus area in the coming new year and will likely require increased internal attention by businesses that are involved in related activity.

Trust

Man Hacks California 911 to Send SWAT to False Hostage Situation

A Washington state man has been arrested in connection with a false call to 911. The suspect used an online service for the deaf and other Internet spoofing techniques to impersonate a hostage from a California residence.
The Orange County, California SWAT team responded to the residence of an unsuspecting California family during the night. Although the homeowner armed himself with a kitchen knife against what he thought were criminal intruders, the incident ended without violence.

IntelliShield Analysis: Critical systems must find methods to gauge the trustworthiness of input. Traditionally, 911 operators have used conversational cues to alert officers to prank calls. The Internet accessibility of 911 systems, in this case through online call relaying for the hearing-impaired, removes one of the primary methods of assessing trustworthiness. It is impossible for police departments to close 911 service to the public or to deny services to the hearing-impaired, so authorities are forced toward reactive measures. Officer training was likely instrumental in assessing this situation and preventing harm to the innocent victims. If the risks of further exploits in the 911 system warrant it, the departments may consider flagging calls from unverified locations to help officers respond appropriately. Likewise, other organizations should consider categorizing trustworthy and untrustworthy inputs and adjusting procedures and responses accordingly.

Identity

United States Transportation Security Administration Requires Encryption on Laptops

The United States (U.S.) Transportation Security Administration (TSA) recently reported a breach in security to Congress. Two laptops that contained the information of approximately 3,930 U.S. truck drivers were stolen from a TSA contractor. This information included names, addresses, commercial driver's license numbers, and social security numbers. Although the information had been deleted from the system, the TSA performed a forensic investigation and found that the data could be retrieved by a skilled attacker. The TSA has since addressed the situation by requiring contractors to encrypt all information stored on laptops.
IntelliShield Analysis: This incident is another instance of an exploit that was directed at the TSA's data. In May 2007, the TSA reported the loss of a hard drive that contained the sensitive information of 100,000 government personnel. The findings of this report and similar instances demonstrate why encryption should be employed to protect personal or sensitive information that is stored on a system. Businesses are advised to use a number of different methods, such as secure-deletion utilities, physical shredders, and other open source tools or software, to ensure that deleted information is not retrievable.

Human

Airport Security Fails Bomb Detection Test

USA Today recently claimed to have a classified report that detailed the results of recent tests of United States airport security. Investigators smuggled fake bomb parts and other contraband through the checkpoints to test screeners at Los Angeles International Airport (LAX), O'Hare International Airport (ORD), and San Francisco International Airport (SFO). Transportation Security Administration (TSA) agents failed to detect the simulated explosives 75 percent of the time at LAX and 60 percent of the time at ORD. SFO, whose security is maintained by a private company, failed the test approximately 20 percent of the time. Agents who were unsuccessful in detecting the explosives were forced to take remedial training.

IntelliShield Analysis: This report will not bolster any confidence in the TSA, which struggles with a highly critical public opinion. Constant testing is an appropriate and logical part of auditing a security program, and it is assumed that the test itself is an accurate representation of current attempts to circumvent the screening process. Results were more positive for the private company that works for SFO, but 20 percent is not a level that most will accept.
Although the TSA is beginning to correct deficiencies, it appears that initial training and remedial steps have not been effective. Either the training programs will need to be reevaluated and adjusted, or TSA agent equipment may need to be replaced or complemented with additional technologies. IntelliShield analysts expect additional screening equipment in checkpoints and a more thorough examination of luggage and persons during the upcoming United States holiday season.

Geopolitical

Bhutto's Return to Pakistan Marred by Violence

As many as 136 people were killed on October 18, 2007 when a suicide bomber attacked the homecoming motorcade of former Pakistan prime minister Benazir Bhutto. Bhutto, who had just returned from exile and was unharmed in the blast, intends to lead her political party in parliamentary elections in the coming months. Bhutto has established a tentative power sharing agreement with President Musharraf, but many obstacles remain before Pakistan can return to normalcy. Pakistan's supreme court has yet to rule on the legitimacy of Musharraf's recent reelection or on a constitutional challenge that could affect corruption charges against Bhutto.

IntelliShield Analysis: The primary risk to Western business in Pakistan remains the threat of political upheaval that could halt the economy and increase the risk of further violence. It is unclear how Musharraf will react to the bombing of Bhutto's motorcade, but the violence could provide an excuse to tighten military controls and postpone his resignation from the army. A court ruling that invalidates Musharraf's reelection may also prompt him to impose martial law. Pakistan is an extension of India's growing IT outsourcing, and turmoil in this region could also impact India, physically increasing the threat levels in the adjacent country.
Turk Telecom Strike Affects Communications and Travel

Employees at Turkey's primary telecommunications company, Turk Telecom, began a strike during the time period. At the onset of the strike, Turk Telecom reported that fiber optic lines were damaged at 13 locations. The labor union denied any involvement in the sabotage but also refused to repair the damage while the strike continued. The cut lines and the work stoppage are hampering international communications with Turkey and slowing Internet and voice connectivity in Turkey's major business centers, including Ankara, Istanbul, and Izmir.

IntelliShield Analysis: The strike occurred, in part, in response to Turkey's recent privatization of the telecommunications provider and a declaration by Turkish authorities that the company was not essential to national security. The privatization has forced the company, which was accustomed to state monopoly conditions, to fend for itself in a newly competitive sector. The labor union is likely using the strike to demonstrate the strategic importance of telecommunications. The outage already affected airline flights in and out of Istanbul during the last week. If the strike continues, Internet data, fixed-line access, and mobile access may be affected. The strike may become a reminder to Turkey and other countries that telecommunications continuity is a national imperative.

Upcoming Security Activity

United States National Cyber Security Awareness Month: October 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use.
Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.