Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 13 Num. 66 : DoD Success in Signature Sharing to Expand; 20 Critical Controls Updated; Google Report Examines Attacker Detection Evasion

  • From: The SANS Institute
  • Date: Fri Aug 19 15:19:07 2011

Hash: SHA1

The best solution anyone has found for ensuring security engineering is
baked into every new system and application was created at Cisco.  The
architect who created it will lead the Security Architecture workshop
in Washington, DC August 29-30

SANS NewsBites                 August 19, 2011            Vol. 13, Num. 65
  DOD to Expand Cyber Threat Information Sharing Program
  Version 3.0 of the Twenty Critical Controls Released
  Google Report Examines Attackers' Detection Evasion Techniques
    Second Attack on BART Site Exposes Police Information
    Investigation Confirmed Insider Problems at Immigration Processing Center
    Four Cleared in Phone Hacking Scandal; One More Arrested
    IPv6 Flaw in Windows 7
    Metadata Helps Identify Suspect in Collar Bomb Ransom Case
    AT&T Suing Two for Allegedly Stealing Customer Data
    Man Wreaks Havoc on Former Employer's Network From McDonald's
    Cyber Thieves Target Nebraska Non-Profit

********************** Sponsored By VeriSign, Inc. ***********************

Do not miss SANS Ask the Expert: Leveraging SSL to Battle Emerging
Security Threats. Sign up at:

 --SANS Virginia Beach 2011, August 22- September 2, 2011
10 courses.   Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats
 -- The National Security Architecture Workshop, DC, Aug. 29-30,2011
2-day workshop discussing techniques to ensure security is considered
in every step of the development life cycle,
 --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011
6 courses.   Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
 --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
45 courses.   Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
Information Security and Investigations
 -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile
Security training
 --SANS Chicago 2011, Chicago, IL, October 23-28, 2011
6 courses.  Bonus evening presentations include Computer Forensics in
the Virtual Realm and Electrical Grid Security
 --SANS Seattle 2011, Seattle, WA, November 2-7, 2011
5 courses.  Bonus evening presentations include Future Trends in
Network Security; and Ninja Developers: Penetration Testing and Your SDLC
 --Looking for training in your own community? Save on On-Demand training (30 full
courses) - See samples at
Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live:

 --DOD to Expand Cyber Threat Information Sharing Program
(August 17, 2011)
The US Department of Defense (DOD) will soon expand an experimental
cyber threat information sharing program that it says has prevented
"hundreds of intrusions" in its 90-day pilot run. The Defense Industrial
Base (DIB) program currently has 20 participants, all defense
contractors and network providers. Participation in the program is
voluntary and the government is "not monitoring, intercepting, or
storing any private sector communications."
[This initiative is one of the eight most important cybersecurity
innovations of 2011. It is clearly a model of the future of
Cybersecurity and will be briefed, in-depth, along with the other seven
key innovations (in cloud security and mitigating the advanced
persistent threat) at the National Cybersecurity Innovation Conference
in Arlington, VA (across from the Pentagon) in early October. See:]

 --Version 3.0 of the Twenty Critical Controls Released
Version 3.0 of the 20 Critical Controls was released today. It pulls
together all three sources of threat-based guidance (NSA and the
Australians as well as the sources of the 20 CC) providing an even
stronger consensus on why these mitigations should be done before the
less critical ones.

 --Google Report Examines Attackers' Detection Evasion Techniques
(August 18, 2011)
A new technical report from Google is the fruit of analysis conducted
on four years of data from 160 million web pages on eight million sites.
The data were collected through Google's Safe Browsing initiative. Every
day, Google sends out three million warnings about malware to users
whose browsers support the Safe Browsing API. The report found "that
exploit delivery mechanisms are becoming increasingly complex and
evasive." Among the more prevalent methods used by the attackers are IP
cloaking, social engineering, and drive-by downloads.
[Editor's Comment (Northcutt): This is a must read for any security
professional. Suggest that you read/reread this team's earlier paper:
"All your Iframes point to us" before jumping into this paper.]

****************************  SPONSORED LINK  ******************************
1) Be entered in a drawing to WIN a $100 American Express gift card.
Please take five minutes to help us improve the type and quality of
Vendor Programs at SANS Conferences.

 --Second Attack on BART Site Exposes Police Information
(August 18, 2011)
A second attack on a website of the San Francisco Bay Area Rapid Transit
(BART) system has resulted in the exposure of personal information of
102 BART police officers. No one has claimed responsibility for this
attack. The first attack exposed personally identifiable information of
BART customers and is believed to have been conducted by members of
Anonymous in response to BART's decision to disrupt mobile device
service on trains underground in the hopes of thwarting a planned

 --Investigation Confirmed Insider Problems at Immigration Processing Center
(August 18, 2011)
An investigation into allegations of unauthorized computer access by
insiders at the US Citizenship and Immigration Services Texas Service
Center has revealed a number of violations. Employees and supervisors
at the center gained unauthorized access to data and then altered logs
to remove their digital footprints. The investigation started in January
2008. Staff members appear to have accessed management level
information, including emails. In all 17, people were investigated.
[Editor's Note (Murray): Controls in government protect against fraud
by citizens.]

 --Four Cleared in Phone Hacking Scandal; One More Arrested
(August 17 & 18, 2011)
Four men have been cleared of misconduct in connection with the phone
hacking (voice mail hacking) scandal that preceded the demise of the
News of the World tabloid paper. Former Metropolitan Police Commissioner
Sir Paul Stephenson was cleared during an inquiry. Three other men, John
Yates, Andy Hayman and Peter Clarke, have been cleared as well. In a
separate, related story, a thirteenth person has been arrested in
connection with the phone hacking scandal. The 28-year-old man was
arrested "on suspicion of conspiring to unlawfully intercept voicemails
contrary to" law.

 --IPv6 Flaw in Windows 7
(August 17, 2011)
A vulnerability found in Windows 7's handling of IPv6 could be exploited
to crash computers, according to researchers. Microsoft has acknowledged
that the problem exists, but says it does not plan to issue a fix
because exploitation requires local network access. The issue lies in
the way the Windows 7 remote procedure call (RPC) function handles
malformed DHCPv6 requests.

 --Metadata Helps Identify Suspect in Collar Bomb Ransom Case
(August 17, 2011)
A man has been arrested in Kentucky in connection with a bizarre
attempted ransom incident in Australia. Earlier this month, a man broke
into a home near Sydney, Australia and fastened what he said was a bomb
around a teenage girl's neck. He also put a lanyard around her neck with
an attached USB drive that contained ransom instructions.  What the man
did not realize is that he had left traces of documents he thought he
had deleted on the drive; one of them contained metadata that identified
the author as Paul P. On August 15, authorities in Kentucky arrested
Paul "Doug" Peters, who had at one time worked for a company owned by
the victim's father. An email address contained in the ransom note was
also used to help track the suspect.

 --AT&T Suing Two for Allegedly Stealing Customer Data
(August 16 & 17, 2011)
AT&T has filed a complaint against two men for allegedly using
questionable data mining techniques to obtain AT&T customer information.
Phil Iverson and Chris Gose allegedly used auto-dialing programs to
place calls to phone numbers they had purchased, but then spoofed the
calls to make them appear as though they were coming from other AT&T
numbers, which allowed them to collect the caller ID information in the
AT&T database. They allegedly used the pilfered information for
telemarketing schemes.

 --Man Wreaks Havoc on Former Employer's Network From McDonald's
(August 16 & 17, 2011)
A man who used to work as an IT administrator at a pharmaceutical
company has pleaded guilty to charges of computer intrusion for
accessing the company's computer system and deleting the contents of 15
VMWare host systems. Jason Cornish worked for the US subsidiary of
Japanese pharmaceutical manufacturer Shionogi until September 2010, when
he was laid off along with other employees. Cornish had been in a
management dispute and had resigned from the company several months
earlier, but he was kept on as a consultant. He accessed the Shionogi
network through a Wi-Fi network at a McDonald's restaurant. The attack
hobbled Shionogi's business operations for several days; the associated
costs have been estimated at US $800,000. The company was unable to ship
products, cut checks or communicate through email.

 --Cyber Thieves Target Nebraska Non-Profit
(August 16, 2011)
An Omaha, Nebraska non-profit has lost US $70,000 to cyber thieves.
After an employee opened an attachment that came with an email from the
thieves, the Metropolitan Entertainment & Convention Authority's (MECA)
computer system became infected with malware that allowed the thieves
to steal passwords. The attackers added people to the company's payroll
and made fraudulent transfers to their accounts. In all, the thieves
attempted to steal US $217,000. One transfer in the amount of US
$147,000 was reversed, but the rest of the money is gone.  MECA declined
security precautions its bank offered because they seemed
"administratively burdensome." MECA chief financial officer Lea French
remarked "Why isn't someone out shouting on the rooftops about this
fraud? People need to understand how exposed they are."
[Editor's Note (Murray): How long is it going to take before the
legislatures, regulators, and the courts hold the banks accountable for
their fundamental responsibility to ensure that transactions are
properly authorized?  While it is true that bank customers are
responsible for the hygiene of the machine that they use for on-line
banking, banks must understand that, across all of their customers, some
will inevitably become contaminated.  Customers should use a dedicated
machine for on-line banking and reconcile their accounts daily but banks
should require authentication that resists credential replay.  They
should also resist transfers to accounts that have not been confirmed
out of band. Correspondent banks should not permit funds received via
ACH to be "forward wire transferred" intraday.  The FFIEC Guidance
leaves too much flexibility to, and requires too much special knowledge
and judgment of, the banks.  It is not a coincidence that the word
"replay" does not even appear in the new FFIEC Guidance. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.