Merit Network
[Netsec] SANS NewsBites Vol. 13 Num. 31 : Department of Justice and FBI Tactics in Coreflood Takedown Debated

  • From: The SANS Institute
  • Date: Tue Apr 19 14:55:03 2011

SANS NewsBites                April 19, 2011             Vol. 13, Num. 031
    Hearing to Determine if ACS:Law is Liable for Wasted Legal Costs
    Coreflood Takedown Tactics Questioned
    US Judge Trying to Determine if Google Breached Wiretap Law
    Which Cyber Security Specialists are Most Needed?
    Adobe Patches Flash Reader Vulnerability
    Two-Year Prison Sentence for DDoS Attacks
    Private Industry Wants Better Cyber Threat Information Sharing with Government
    Updates for Mac OS X and Safari
    Guilty Plea in Stolen Credit Card Data Case
    Oracle to Fix 73 Vulnerabilities in Quarterly Update

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses.  Bonus evening presentations include Cyberwar or Business
as Usual?  The State of US Federal CyberSecurity Efforts
- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.  Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker and State of the Hack: Stuxnet.
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses.  Bonus evening presentations include Ninja developers:
Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
- -- Looking for training in your own community? Save on On-Demand training (30 full
courses) - See samples at Plus Barcelona,
Amsterdam, Brisbane, London and Austin all in the next 90 days.
For a list of all upcoming events, on-line and live:

************* SPONSORED BY Raytheon Trusted Computer Solutions ***********

Automatically harden your Linux and Solaris OSs with Security Blanket.
Reduce the time to deploy new systems, or repurpose machines, while
keeping your security posture intact.  Locking down to industry
guidelines like DISA STIGs, CIS or, PCI, or creating a custom profile,
can easily be achieved with Security Blanket.  Click link for FREE demo.


 --Hearing to Determine if ACS:Law is Liable for Wasted Legal Costs
(April 18, 2011)
A judge in the UK has ruled that ACS:Law and its sole solicitor,
Andrew Crossley, may be responsible for wasted costs in the case
involving speculative invoicing of alleged illegal file-sharers.  The
company sent out thousands of letters, threatening people with legal
action if they did not pay GBP 500 (US $813) to settle allegations of
illegal file-sharing.  The court had originally been asked to hear the
cases brought by ACS:Law, but shortly before they came to trial, the
firm sought to have them dismissed.  The judge did not grant that
request.  A hearing has been set for June to determine if ACS:Law and
Crossley are liable for wasted legal costs.

 --Coreflood Takedown Tactics Questioned
(April 15, 2011)
Although people were happy to see the Coreflood botnet go, some have
expressed concern about the tactics used in its recent takedown.
Federal prosecutors obtained a temporary restraining order allowing
them to replace several identified Coreflood command-and-control (C&C)
servers with their own servers, which were then used to send stop
commands to machines that were infected with Coreflood malware.
Electronic Frontier Foundation technology director Chris Palmer said
the method "is not a safe way to go about [disabling malware] and it's
divergent with standard practice." Previously, botnets have been taken
down by taking down the C&C servers, which renders the botnets silent
for a while until new C&C servers are established.  Others are less
concerned about the impact of this specific takedown than they are
about the precedent it sets.  Still others say the technique was not
intrusive because it just told the malware to stop running.
[Editor's Note (Schultz and Paller): Whether or not we like it, the
worsening nature of cybercrime is increasingly dictating that law
enforcement take more austere and severe measures.]

**********************  Sponsored Links: ***********************************

1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring
Myths, May 17, 1PM EDT. Learn what holds organizations back from
implementing continuous monitoring and where to get started. Featuring
Eugene E. Schultz and Steve Johnston.

2) In Case you missed it! Web 2.0 Security: Same Old But Different
FEATURING: Johannes Ullrich & Eric Crutchlow Sponsored By: SONICWALL

3) New Paper in the SANS reading room: Implementing the 20 Critical
Controls with Security Information Event Management Systems, by Senior
SANS Analyst, James Tarala.


 --US Judge Trying to Determine if Google Breached Wiretap Law
(April 18, 2011)
A federal judge presiding over combined lawsuits against Google over its
inadvertent collection of packets sent over unprotected wireless
networks is trying to decide if Google breached the Wiretap Act.  US
District Judge James Ware is seeking a definition of "radio
communication" under the Wiretap Act to determine whether or not home
Wi-Fi networks fall under this purview.  Google says they do, while the
plaintiffs' legal team says that the data were only sent over radio
waves while traveling between a home router and a laptop.  Both parties
agree that eavesdropping on cordless phones is illegal.

 --Which Cyber Security Specialists are Most Needed?
(April 18, 2011)
While no one would dispute that cyber security specialists in government
are in short supply, there is disagreement about which areas of cyber
security are the most necessary and therefore merit higher pay.  The US
needs between 20,000 and 30,000 cyber security specialists to
effectively protect cyberspace.  Competitions (like the US Cyber
Challenge initiative's Cyber Quests - see below) aim to draw those with
raw talent into the field of cyber security and provide them with
specialized technical training.  Some say that those who specialize in
network operations and penetration testing are the greatest need.
Others maintain the need is higher for information assurance analysts,
auditors and administrators.  The second group currently has higher
average salaries than the first group, but the balance may shift as
auditors and administrators are increasingly seeing their work
Cyber Quests:

 --Adobe Patches Flash Reader Vulnerability
(April 15 & 16, 2011)
Adobe has released a fix for a zero-day vulnerability in Flash Player
that was disclosed last week.  The flaw is being actively exploited in
targeted attacks with maliciously crafted Excel and Microsoft Word
documents.  The updated version of Flash Player for Windows, Mac OS X,
Linux and Solaris is  A fix for Flash Player on Android
smartphones is expected by the end of the month.  The flaw has already
been fixed in Google's Chrome browser.
[Editor's Note (Honan): As many Adobe applications are usable across
many different platforms they are a very attractive target to cyber
criminals.  Adobe really need to do a root and branch analysis of their
applications and implement better security within them.]

 --Two-Year Prison Sentence for DDoS Attacks
(April 15, 2011)
Bruce Raisley has been sentenced to two years in prison for launching a
series of distributed denial-of-service (DDoS) attacks against nine
websites. and other sites published accounts of an
online affair Raisley had with a fictitious woman.  Raisley had been
part of a vigilante Internet group that posed as children online to trap
sexual predators in sting operations.  Raisley had a falling out with
the group's leader, who then proceeded to fabricate an online identity
for the fictitious woman with whom Raisley engaged in the online affair.
Raisley was also ordered to pay more than US $90,000 in restitution.
[Editor's Comment (Northcutt): I would not have thought you could have
an affair with a fictitious woman, but I read the other day about cloud
girlfriends, so I suppose it is possible. Call me silly, but I think I
prefer holding hands and long walks along the beach:,2817,2383485,00.asp ]

 --Private Industry Wants Better Cyber Threat Information Sharing with Government
(April 15, 2011)
In testimony before the US House Committee on Homeland Security,
representatives from private sector companies such as AT&T, the North
American Electric Reliability Corporation, and the Financial Services
Sector Coordinating Council said they need the government to be more
forthcoming with information about cyber security and cyber threats.
Timely information sharing and collaboration between agencies and
private sector companies that own and operate elements of the country's
critical infrastructure is critical to protecting vulnerable systems.
The companies want to share information with DHS, too.  They say there
should be a standard protocol to streamline the alert and information
sharing processes.
[Editor's Note (Honan): There is a European project currently looking
into the setting up of trusted networks to facilitate information
sharing amongst groups of stakeholders.  Have a look at the NEISAS
website, which is an EU funded project, for more

 --Updates for Mac OS X and Safari
(April 15, 2011)
On Thursday, April 14, Apple released updates for Mac OS X, Safari and
several other products, including the iPhone and iPad.  The update for
Mac OS X (Security Update 2011-002) affects versions 10.5 and 10.6 of
the operating system and addresses issues related to digital
certificates attackers were able to obtain fraudulently.  The
certificates were added to a blacklist so they will be recognized as
untrustworthy.  The updated version of Safari (5.0.5) addresses a pair
of vulnerabilities that could be exploited to cause unexpected
application termination or arbitrary code execution.
OS X Security Update Information:
Safari Update Information:

 --Guilty Plea in Stolen Credit Card Data Case
(April 13, 14 & 15, 2011)
A Malaysian man has pleaded guilty to access device fraud and has
admitted that he broke into a US Federal Reserve Bank computer network
and installed malware.  Prosecutors say Lin Mun Poo made a living by
breaking into networks at financial institutions and other
organizations, and selling data he stole from those networks.  Lin was
arrested last October in New York after law enforcement agents observed
a transaction in which Lin sold credit card information for US $1,000.
His "heavily encrypted" laptop was seized, but agents were apparently
able to break the encryption.
[Editor's Comment (Northcutt): This article has additional information;
most of the news sites are rehashing each other: ]

 --Oracle to Fix 73 Vulnerabilities in Quarterly Update
(April 14, 15 & 18, 2011)
On Tuesday, April 19, Oracle plans to release fixes for 73 security
flaws in a variety of products.  Some of the vulnerabilities affect
multiple products.  Six of the patches address flaws in Oracle's
flagship database software; two of those flaws are rated critical.
Oracle releases fixes, called Critical Patch Updates, every quarter.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
