Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 13 Num. 90 : DARPA Doubles Cyber Security Research, Speeds Funding; Senate Votes Down Opposition to Net Neutrality; Arrests in Clickjacking Scheme

  • From: The SANS Institute
  • Date: Fri Nov 11 14:21:24 2011

Hash: SHA1

SANS NewsBites              November 11, 2011             Vol. 13, Num. 90
  DARPA Doubles Cyber Security Research Funding; Also Provides Cyber
    Researchers With Rapid Funding
  Senate Votes Down Opposition to Net Neutrality
  Six Arrested in Connection with Clickjacking Scheme
    Juniper Error Causes Widespread Internet Outage
    Legislator Expresses Concern About Electronic Health Care Record Security
    IEEE Revising Smart Grid Standard
    Judge Rules DoJ May Obtain WikiLeaks Employees' Twitter Records
    Warner Brothers Admits Issuing Over-Broad Takedown Orders
    Mozilla Releases Firefox 8
    Researcher Ousted From Apple's iOS Developer Program
    Microsoft Fixes Four Windows Flaws in November's Patch Tuesday
    DoD Aims to Trap Data Thieves With Phony Documents

******************** Sponsored By Silicium Security  ********************

Worried about targeted attacks and APT? Find what AV misses with
Silicium's ECAT Enterprise Compromise and Assessment Tool -
signature-less malware detection.
See ECAT in action, then download our whitepaper, APT in the Enterprise:

 --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
5 courses.  Bonus evening presentations include The Worst Mistakes in
Cloud Computing Security; Offensive Countermeasures; and Watching the
Wire at Home
 --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them.
 --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses.  Bonus evening presentations include Effective Methods for
Implementing the 20 Critical Security Controls; and Assessing
Deception: Are They Lying to You?
 --SANS London 2011, London, UK, December 3-12, 2011
18 courses.  Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
 --Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
 --SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
 --SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
 --Looking for training in your own community? Save on On-Demand training (30 full
courses) - See samples at
Plus Tokyo, Perth and Atlanta all in the next 90 days.
For a list of all upcoming events, on-line and live:

 --DARPA Doubles Cyber Security Research Funding; Also Provides Cyber
    Researchers With Rapid Funding
(November 7 & 9, 2011)
The Defense Advanced Projects Research Agency (DARPA) plans to increase
spending on cyber security research by 50 percent over the next five
years. DARPA plans to step up its focus on offensive cyber capabilities.
In addition a new program managed by DARPA program manager Mudge (Peiter
Zatko) has launched "Cyber Fast Track" to provide funds to small
researchers in less than 2 weeks with little or no bureaucracy.  Eight
grants were made in the first 2 months of the program.

 --Senate Votes Down Opposition to Net Neutrality
(November 10, 2011)
In a 52-46 party-line vote, the US Senate has rejected a resolution that
would have overturned the Federal Communications Commission's net
neutrality rules. President Obama had said he would veto the resolution
if it passed. The FCC's net neutrality rules are still facing challenges
through lawsuits filed by telecommunications companies.
[Editor's Note (Murray): The FCC rule surrendered to AT&T and Verizon
on the air side, where it matters, in return for rules on the wired side
where it doesn't.  What am I missing?
(Paller): The answer to Bill's question may be that AT&T and Verizon
lobbyists, along with those of a few other lobbyists representing IT
companies, are now approaching Enron's lobbyists in power to shape
federal actions and in disregard for the public good.]

 --Six Arrested in Connection with Clickjacking Scheme
(November 9 & 10, 2011)
The FBI said that six people have been arrested in connection with a
click-fraud scheme that infected more than four million computers in
countries around the world. The arrests were the result of a two-year
investigation known as Operation Ghost Click. All six were arrested in
Estonia. A seventh defendant, who is Russian, is still at large. The US
attorney's office will seek extradition of those in custody. The malware
used in the scheme is known as DNS Changer. DNSChanger virus changed the
DNS settings on the infected computers pointing them to DNS servers
under the control of the criminals.  They could then redirect victim's
traffic from legitimate sites, e.g. iTunes, to other sites where they
earned more than $14 million from commissions on referrals to the online
advertising. The defendants are facing charges of wire and computer
intrusion. One was also charged with money laundering. The FBI worked
with law enforcement authorities in Estonia and the Netherlands on the
case. The attack targeted both Windows and Mac OS X machines.
The FBI put up a website where people can check if their computer is
Internet Storm Center:
[Editor's Note (Honan): A very large well done to all involved in this
case.  In order to protect those computers that were infected and
minimise disruption of their Internet connectivity, the authorities had
to replace the DNS servers under the criminals' control with genuine DNS
servers.  This case serves as a prime example of how international
cooperation between law enforcement agencies and between public and
private bodies can be used to tackle the scourge of online criminals.
It is encouraging to see such positive action and hopefully it is the
first of many to come.  Hopefully we will also see the statistics
relating to the percentage of computers that were Apple Macs. This would
help raise awareness amongst Apple users that they are no longer immune
from online criminals and the tools of their trade.]

***********************  SPONSORED LINKS:  *********************************
1) Now Available ONDEMAND, Analyst Webcast: Integrating Security into
Development, No Pain Required. FEATURING: Dave Shackleford and Karl
Snider. Go to

2) Sign up for SANS Analyst Webcast-Your Pad or Mine? Enabling Personal
and Mobile Device Use On the Network.  How to Apply Guest Networking,
BYOD (Bring Your Own Device) and Endpoint Security. Go to


 --Juniper Error Causes Widespread Internet Outage
A flaw in an update to the Juniper software that runs large routers that
Juniper supplies to ISPs caused a widespread Internet outage - disabling
large segments of the Internet. 

 --Legislator Expresses Concern About Electronic Health Care Record Security
(November 10, 2011)
The federal government plans to spend close to US $20 billion to move
health records to digital formats. While embracing the new technology
has the potential to increase the effectiveness of medical treatment,
there are also dangers. US Senator Tom Coburn (R-Oklahoma) has warned
that migrating medical records from paper to electronic format creates
a serious security issue. The US attorney for the Eastern District of
New York noted that incorrect information in patients' records could
result in insurers denying them necessary treatment and services. All
but one of the proposed data breach notification bills pending in the
Senate exempt health care data from the requirements.
[Editor's Note (Murray): HIPAA Privacy rules killed EHR.  Unintended
consequence but after a decade it is clear that that is what happened.
Now "safety" is going to put the last nail in the coffin.  It is paper
medical records that are the problem.  They are error prone at best,
dangerously inaccurate at worst.  Not only are they not efficient, they
are ineffective.  They obscure clinical information and render
epidemiological information infeasible to extract.  Yes, there would be
problems with electronic health records but they are dwarfed by the
problems with paper records that we not only tolerate but foster.  Out
of an excess of caution, we are killing ourselves. ]

 --IEEE Revising Smart Grid Standard
(November 8, 2011)
IEEE has begun revising Secure Authentication (SA) protocols in its 1815
Distributed Network protocol (DNP3) smart grid security standard.  The
changes are aimed at improving the security of data gathering, data
exchange, and data use in applications such as supervisory control and
data acquisition (SCADA) systems.

 --Judge Rules DoJ May Obtain WikiLeaks Employees' Twitter Records
(November 10, 2011)
A US District Court Judge in Virginia has ruled that the Justice
Department may legally obtain Twitter account records of three people
who work or worked for WikiLeaks. The ruling allows prosecutors access
to information about the times messages were sent to each other and from
which IP addresses the messages were sent; the content of the messages
is not included in the order.

 --Warner Brothers Admits Issuing Over-Broad Takedown Orders
(November 9, 2011)
Warner Brothers has admitted that it used an automated takedown tool to
request the removal of files from the Internet that were obviously not
infringing on the company's copyrights. The case involved Hotfile, a
locker site that maintains it is in compliance with the Digital
Millennium Copyright Act (DMCA) because it follows the rules about
notice and takedown procedures. In fact, Hotfile provided Warner
Brothers with a takedown tool to facilitate the process. Hotfile is now
arguing that Warner Brothers violated DMCA when it ordered the takedown
of files that were clearly not infringing copyright. The data used in
those takedowns appeared to come from an automated data scraper rather
than a human being's examination. Warner Brothers says it cannot
possibly examine all suspect files due to their sheer volume, but the
DMCA requires that copyright holders issue takedown notices only when
there is a "good faith belief that the use of the material in the manner
complained of is not authorized by the copyright owner, its agent, or
the law."
[Editor's Note (Liston): Warner Bros' assertion that it "cannot possibly
examine all files" is more than a bit disingenuous: what they're really
saying is that they don't want to incur the costs associated with
examining the files.  Media companies are all about enjoying the
monetary benefit of their copyrights, but are constantly looking for
ways to foist the cost of protecting those copyrights off onto someone

 --Mozilla Releases Firefox 8
(November 8 & 9, 2011)
Mozilla has released Firefox 8, addressing seven security flaws, four
of which are rated critical. All four are exploitable through drive-by
downloads. Firefox 8 allows users to search Twitter and includes a
feature that prevents third party plug-ins from being automatically
installed. The Twitter search option is available in the English,
Portuguese, Japanese and Slovenian versions of Firefox 8. The newest
version of the browser is available for Windows, Mac, Linux and Android
operating systems.

 --Researcher Ousted From Apple's iOS Developer Program
(November 8 & 10, 2011)
Apple has revoked researcher Charlie Miller's developer status after he
created a proof-of-concept application that allowed "unapproved code to
run on iPhones and iPads" and managed to fool Apple into approving it
for sale in the App Store. The application that Miller wrote and put in
the App Store appeared to simply track stock share prices; the exploit
operated behind the scenes and allowed Miller to spy on people who had
installed his app. Apple has fixed the flaw exploited by Miller's
application. The iOS Developer Program allows Apple to ban Miller
because his actions "violated [terms of] the developer agreement."
This issue was corrected in iOS 5.0.1 which was released early Thursday.

 --Microsoft Fixes Four Windows Flaws in November's Patch Tuesday
(November 8 & 9, 2011)
Microsoft issued four security bulletins on Tuesday, November 8 to
address four vulnerabilities in Windows. Notably absent from the release
was a fix for the Windows kernel flaw exploited by Duqu, although
Microsoft did issue a temporary workaround to help users protect their
computers from infection. Of the four patches released this month, just
one was rated critical. It addresses a remote code execution flaw in the
Windows TCP/IP stack.
Internet Storm Center:

 --DoD Aims to Trap Data Thieves With Phony Documents
(November 4 & 7, 2011)
According to a military abstract, the US Department of Defense (DOD) is
seeding its computer systems with honeypots to help prevent situations
like the stolen data exposed via WikiLeaks. A computer science professor
who is leading the project said the plan is to put a lot of false
information out there to mislead data thieves. The specially crafted
documents will record the snoop's IP address and let administrators know
that a breach has occurred. Decoy Document System.
[Editors Note (Murray): This is a dangerous method that should be used
sparingly only by those with special training and authorization.  ]

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.