Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 13 Num. 33 : Iranians say another worm (beyond STUXNET) targeted government systems

  • From: The SANS Institute
  • Date: Tue Apr 26 14:15:34 2011

Hash: SHA1

SANS NewsBites                April 26, 2011             Vol. 13, Num. 033
  Apple Facing Lawsuit Over Location Tracking Data
  Iranian Investigator Alleges Another Worm Targeted Government Systems
    Internet Still Disconnected at Oak Ridge
    FBI Raids Home of Suspected Illegal Filesharer
    Sony Has No Estimate for Restoration of PlayStation Network
    Google Releases Data Center Security Video
    Seattle Police Investigating Reports of Wardriving
    Quiet Progress in Securing Federal Systems
    Software Company Acknowledges Customer Database Breach
    Hiding Files on Hard Drives Without Encryption
    ACLU Seeks Documents Regarding Michigan Police Use of Data Extraction Devices
    Expert Commentary on the FBI Takedown of CoreFlood by Hugh Murray

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.  Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker and State of the Hack: Stuxnet.
8 courses.
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses.  Bonus evening presentations include Ninja developers:
Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
- -- Looking for training in your own community? Save on On-Demand training (30 full
courses) - See samples at Plus Barcelona,
Amsterdam, Brisbane, London and Austin all in the next 90 days.
For a list of all upcoming events, on-line and live:

*********************** SPONSORED BY MANDIANT ********************

Be part of something more! MANDIANT is building a world-class threat
detection and response organization and needs a few good men and women
to join the Product Development and Professional Services teams in our
DC, New York, Los Angeles and San Francisco offices.

Check out open positions online at


 --Apple Facing Lawsuit Over Location Tracking Data
(April 25, 2011)
Two people have filed a lawsuit against Apple over location tracking
data that are stored on iPhones without users' consent.  The suit was
filed in the US District Court for the Middle District of Florida.  The
plaintiffs are seeking an injunction that would require Apple to disable
the tracking mechanism.  They allege that Apple violated the Computer
Fraud and Abuse Act because the company is aware that the majority of
users do not pore over the details of user license agreements.  In a
separate but related story, independent testing shows that the iPhone
stores location data even after location services are turned off.

 --Iranian Investigator Alleges Another Worm Targeted Government Systems
(April 25, 2011)
The Iranian investigator looking into the Stuxnet attack that infected
systems at a nuclear power plant there says Iran was also the target of
another attack, a worm called Stars, which has been described as an
"espionage virus." The attack appears to have been aimed at specific
computer systems at Iranian nuclear facilities.  The same investigator
last week blamed Siemens for the Stuxnet attack, asking that the company
"explain why and how it provided the enemies with the information about
the codes of SCADA software and prepared the ground for a cyber attack
against" Iran's nuclear program.  Some experts are still trying to
determine if Stars is a legitimate targeted attack, or simply an
ordinary Windows worm.
[Editor's Note (Schultz): Whether or not this particular worm was part
of a targeted attack, one thing is clear--we are just on the tip of the
iceberg when it comes to targeted worm attacks.]

**************************  Sponsored Links: *******************************
1) In case you missed it! Web 2.0 Security: Same Old But Different
FEATURING: Johannes Ullrich & Eric Crutchlow Sponsored By: SONICWALL

2) REGISTER NOW for the upcoming webcasts with Oracle: Thursday, 4/28/11
at 1:00pm EDT Transparent Data Encryption for Oracle Databases and don't miss RSA Attacked: "Strong"
Authentication Is Not The Solution, Wednesday, 5/4/11 at 1:00pm EDT

 --Internet Still Disconnected at Oak Ridge
(April 25, 2011)
Employees at the US Department of Energy's Oak Ridge National Laboratory
remain without Internet access following the detection of a spear
phishing attack that left a lab network infected with malware.  Email
and Internet access were suspended on April 15; email was restored on
April 19. A lab spokesperson said that they are "being cautious, since
the whole purpose of the malware is to exfiltrate data."
[Editor's Note (Northcutt): (Northcutt): Good for Oak Ridge! Anyone can
get stuck by malware, but they found the problem (how often does that
happen) and then took significant defensive action.]

 --FBI Raids Home of Suspected Illegal Filesharer
(April 25, 2011)
The FBI has raided the apartment of an individual believed to have
uploaded several movies to The Pirate Bay that were playing only in
theaters at the time.  The person has been identified as Wes DeSoto, a
member of the Screen Actors Guild and the owner of a clothing shop.
DeSoto was pegged as the culprit because the copies of the films he
viewed had unique watermarks.    Members of the Guild were provided
iTunes codes that allowed them to access the screening copies of films
nominated for awards.  No charges have been filed.

 --Sony Has No Estimate for Restoration of PlayStation Network
(April 25, 2011)
Sony's PlayStation Network (PSN) was taken offline to allow the company
to investigate an intrusion.  The system remained unavailable as of
Monday morning; it has been inaccessible for five days.  PSN has more
than 70 million accounts around the world.  Users can download games,
music and movies through the system and can play games online with
friends.  Sony says it is "rebuilding" the PSN to protect it from future
attacks.  The company has not yet determined if any customer information
was stolen.
[Editor's Note (Paller): You are seeing the visible manifestation of the
continuing conflict between accessibility and speed to market on the one
hand and security on the other.  Sony has to let everyone in -- that's
the business model. And they have to continually innovate -- that's the
survival strategy.  New software has holes. Sony has IT architects and
programmers with limited skills in making sure the designs are secure
and the code is secure (and limited corporate visibility into the level
of security skills of the IT architects and developers). Lack of
security skills in the IT architects and software developers creates
catastrophes waiting to happen.]

 --Google Releases Data Center Security Video
(April 25, 2011)
Google has released a video demonstrating the security at their data
centers.  Physical access is strictly limited to necessary employees.
The company does not allow tours of the facilities.  Some of the data
centers are protected with special badges; others use retinal scans.
The video shows Google's practice of destroying hard drives that have
reached the end of their life cycle.  First the drives are destroyed
beyond recovery, then they are shredded and packaged for shipment to
recycling centers.
[Editor's Note (Schultz): For all the threats it faces and for all the
resources Google has to protect, Google really does an incredible job.]

 --Seattle Police Investigating Reports of Wardriving
(April 19 & 25, 2011)
Police in Seattle, Washington are investigating a group of alleged
criminals who are believed to be driving around the city and breaking
into Wi-Fi networks at various businesses and stealing information.
Authorities say the group has been conducting the attacks for about five

 --Quiet Progress in Securing Federal Systems
(April 22, 2011)
White House Cybersecurity coordinator Howard Schmidt has no interest in
making headlines, but instead is working steadily and quietly to improve
the security of federal computer systems.  The understated stance of the
office has led some to question the importance the Obama administration
affords cyber security.  Public perception may rely on the volume of
initiatives and policymaking to come out of an office, but Schmidt
explains that once policy has been established, it needs to become
[Editor's Note (Pescatore): It is good to see effort behind the scenes
to improve operational security prioritized over buzz and hype.]

 --Software Company Acknowledges Customer Database Breach
(April 21 & 22, 2011)
German software development company Ashampoo has acknowledged that
attackers accessed its customer database.  The company has emailed all
14 million customers to notify them of the breach, which affected one
of the company's servers.  The attackers were able to access customer
names and associated email addresses, but no billing data were kept on
that server.  Ashampoo says it has fixed the vulnerability that the
attackers exploited to gain unauthorized access to the server.,hackers-breach-security-vendors-defences.aspx

 --Hiding Files on Hard Drives Without Encryption
(April 21, 2011)
Researchers have devised a method of hiding data on hard drives without
using encryption.  The technique allows a 20-megabyte message to be
hidden on a 160-gigabyte hard drive.  The technique involves storing
clusters of the file to be hidden in places on the disk determined by a
code, which would need to be known by the person receiving they disk.
To an inspector, the disk would look like any other disk on which data
have been stored and deleted in the course of regular use.  The
technique works as long as none of the files on the disk are modified
before it reaches its destination.  There are instances in which
encryption is not desirable, because the extra data it creates are a
giveaway that there's something to be found.  This could be the case
when someone is trying to smuggle information out of a country with a
repressive government.
[Editor's Note (Pescatore): Everyone of these schemes always has a
"code" involved, and tends to smell very much like encryption - just
done in a non-standard way. There are a lot of examples of home-grown
approaches being about as secure as paper mache.]

 --ACLU Seeks Documents Regarding Michigan Police Use of Data Extraction Devices
(April 21 & 25, 2011)
When the American Civil Liberties Union (ACLU) made a Freedom of
Information Act (FOIA) request for documents containing information to
help them determine if Michigan State Police were violating Fourth
Amendment rights, they were told it would cost more than half a million
dollars.  The issue centers on the use of a data extraction device used
by police.  The device is capable of scraping data from phones in less
than two minutes.  The ACLU of Michigan is trying to determine whether
police violated people's Fourth Amendment rights by taking those data
without search warrants.  The Michigan State Police has issued a
statement regarding allegations of their abuse of data extraction
devices.  The statement says there have been no allegations of
wrongdoing and that "the [Michigan State Police] only uses the [devices]
if a search warrant is obtained or if the person possessing the mobile
device gives consent, ... [and they] are not being used to extract
citizens' personal information during routine traffic stops."

 --Expert Commentary on the FBI Takedown of CoreFlood by Hugh Murray
A great deal of experience and wisdom is reflected in this commentary
on the current controversy over whether the FBI was "hacking" when it
took down the botnet.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.