[Netsec] SANS NewsBites Vol. 14 Num. 20 : Most Dangerous Security Threats; US Government Maintains Right to Seize Top-Level Domains + US Law Firm's Data Stolen in APT
- From: The SANS Institute
- Date: Fri Mar 09 15:04:02 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The managing partner of a large New York law firm had a visit from the
FBI in which he learned that the files of every one of his firm's
clients had been copied from the law firm's servers and placed on
servers in Asia known to be used as transfer points in APT attacks (APT
translates loosely to Chinese, he learned). Nine days later, he and
another partner from his firm came to my house on a Sunday morning for
a conversation. They wanted to know why the intruders wanted the data,
how they got in, why the firewalls and AV and other security tools their
consultants told them to install didn't stop the attacks, and how they
could be stopped in the future. The conversation is posted at
http://www.sans.org/security-resources/cybersecurity-conversations
Alan
**************************************************************************
SANS NewsBites March 9, 2012 Vol. 14, Num. 020
**************************************************************************
THE WEEK'S NEWS
Six Most Dangerous Security Threats
US Government Maintains Right to Seize Top-Level Domains
Microsoft Will Issue Fixes for Seven Flaws
MPAA Seeks to Shut Down Hotfile Filesharing Site
Researchers Ask for Help Identifying Mystery Code in DuQu
Maryland Court Says Government Does Not Need Warrant For Cell Phone
Location Data
LulzSec Member Arrested in June 2011, Became Informant
ISPs Must Contribute to Alleged Filesharers' Appeals Body
Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies
FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal
NIST Updates Smart Grid Interoperability Roadmap
******************** SPONSORED BY F5 Networks, Inc. **********************
WHITE PAPER: APPLICATION SECURITY IN THE CLOUD
Whether critical applications live in the cloud, in the data center, or
in both, organizations need a strategic point of control for application
security. Learn about a proven solution that provides the security,
intelligence, and performance that today's dynamic infrastructures
demand.
http://www.sans.org/info/101164
**************************************************************************
TRAINING UPDATE
-- SANS Mobile Device Security Summit: The Growing and Constantly
Changing Challenge, Nashville, TN
Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012
Mobile device security experts and practitioners from organizations
that have implemented successful programs will discuss the most
promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/
--SANS 2012, Orlando, FL March 23-29, 2012
40 courses. Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012
7 courses. Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012
11 courses. Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012
12 courses.
http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***********************************************************
THE WEEK'S NEWS
--Six Most Dangerous Security Threats
(March 7, 2012)
At the RSA conference in San Francisco, in the best attended of all 220
track sessions, the nation's top penetration testing and incident
handling expert, Ed Skoudis, and the director of the Internet Storm
Center, Johannes Ullrich, discussed the six most dangerous new attack
vectors that they saw being used in 2011 and also what has begun to
emerge in 2012.
http://www.scmagazine.com.au/News/292784,the-six-most-dangerous-infosec-attacks.aspx
[Editor's Note (Paller): The Australian journalist who wrote this
article did an extraordinary job of summarizing the presentation
accurately and with enough fidelity to make you feel as if you had been
there (and I was there).]
--US Government Maintains Right to Seize Top-Level Domains
(March 6, 2012)
The US government maintains that it has the right to seize any sites
operating with generic top-level domain names, such as .com, .net, .org,
and others. Last week, the US government seized Bodog.com, a
sports-wagering website. The domain name was registered with a Canadian
company, but the US government served the seizure order on VeriSign, a
US company that manages those top-level domains.
http://www.wired.com/threatlevel/2012/03/feds-seize-foreign-sites/
[Editor's Comment (Northcutt): No matter where you stand on the issue,
this is an important topic and an important article to read.]
--Microsoft Will Issue Fixes for Seven Flaws
(March 9, 2012)
Microsoft will issue six security bulletins on Tuesday, March 13, to fix
a total of seven vulnerabilities. Of those, just one has been given a
maximum severity rating of critical. The bulletins will address flaws
in Microsoft Windows, Visual Studio, and Expression. The bulletin with
the critical rating will address a remote code execution vulnerability
in Windows.
http://www.v3.co.uk/v3-uk/news/2158211/critical-fix-planned-patch-tuesday
http://www.scmagazine.com.au/News/293142,microsoft-to-patch-seven-security-issues-with-six-bulletins.aspx
http://technet.microsoft.com/en-us/security/bulletin/ms12-mar
--MPAA Seeks to Shut Down Hotfile Filesharing Site
(March 8, 2012)
The Motion Picture Association of America (MPAA) has filed a motion for
a summary judgment against filesharing site Hotfile. The plaintiffs
allege that "Hotfile actively fosters the massive copyright infringement
that fuels its business," while Hotfile says it takes down content that
violates copyright law upon request. The plaintiffs say that Hotfile is
no different than Megaupload. Hotfile, which is based in Panama, is
claiming safe harbor protections under the Digital Millennium Copyright
Act (DMCA), but the movie and music companies say that Hotfile does not
qualify for those protections because it did not identify and terminate
the accounts of repeat offenders.
http://www.bbc.co.uk/news/technology-17300225
--Researchers Ask for Help Identifying Mystery Code in DuQu
(March 7 & 8, 2012)
Researchers at Kaspersky Lab are seeking help with deciphering a portion
of DuQu, malware code that has been detected on systems in North Africa
and the Middle East. Researchers suspect that the mysterious code may
be in a completely new programming language. The component in question
is part of DuQu's communication with command-and-control servers. Other
portions of DuQu are written in C++. Analysis indicates similarities
between DuQu and Stuxnet, although Stuxnet aims to sabotage and DuQu
aims to steal information.
http://www.v3.co.uk/v3-uk/news/2157879/researchers-stumped-mystery-code-duqu-malware
http://www.wired.com/threatlevel/2012/03/duqu-mystery-language/
http://www.computerworld.com/s/article/9225024/Researchers_can_39_t_identify_programming_language_used_in_Duqu_ask_for_help?taxonomyId=17
http://www.theregister.co.uk/2012/03/08/duqu_trojan_mystery_code_riddle/
*********************** SPONSORED LINKS: *****************************
1) Oracle Entitlements Server Review
Featuring: Tanya Baccam and Roger Wigenstam
http://www.sans.org/info/101169
2) New Analyst Paper in the SANS.org Reading Room: Needle in a Haystack,
Getting to Attribution in Control Systems by SCADA security expert,
Matthew E. Luallen.
http://www.sans.org/info/101174
3) "Privileged User Access: Root of all Evil!"
Featuring SANS Analyst Dave Shackleford
Wed., March 28 at a special time of 12:30 PM EST
http://www.sans.org/info/101179
************************************************************************
--Maryland Court Says Government Does Not Need Warrant For Cell Phone
Location Data
(March 7, 2012)
A Maryland court has ruled that the government may demand more than six
months' worth of location data from cell phone providers without a
warrant. The case involved two people accused of armed robbery. Their
legal team attempted to suppress location evidence that had been
obtained without a warrant, but Judge Richard D. Bennett ruled that a
warrant was not needed in the case.
http://arstechnica.com/tech-policy/news/2012/03/obama-admin-wants-warrantless-access-to-cell-phone-location-data.ars
--LulzSec Member Arrested in June 2011, Became Informant
(March 6, 2012)
Hector Xavier Monsegur, known online as Sabu, the alleged leader of the
LulzSec hacking group, became an informant after he was arrested last
June. In August 2011, he pleaded guilty to a dozen hacking charges
connected to cyber attacks on HBGary, Sony, and InfraGard. Monsegur is
facing more than 120 years in prison, but is likely to draw a
significantly lighter sentence because of information he has provided
to law enforcement authorities. That information contributed to five
arrests earlier this week.
http://arstechnica.com/tech-policy/news/2012/03/all-the-latest-on-the-unmasking-of-lulzsec-leader-sabu-arrests.ars
http://www.computerworld.com/s/article/9224917/Former_LulzSec_leader_now_FBI_informant_brings_down_hacking_group_Stratfor_hacker?taxonomyId=82
http://www.wired.com/threatlevel/2012/03/lulzsec-snitch/
http://www.wired.com/threatlevel/2012/03/anonymous-sabu-reaction/
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232602124/lulzsec-leader-turns-informant-as-feds-arrest-key-members-of-hacking-group.html
http://www.scmagazine.com/anonymous-hacker-turned-informant-helps-feds-arrest-five/article/230908/
[Editor's Note (Murray): Hey guys, this is not the Mafia. There is no
Omerta here. No honor among thieves. If you conspire with a rogue
hacker, you have to assume that if identified, he will shop you.
Moreover, if you are engaged in a hacker conspiracy, remember the first
guy identified walks.]
--ISPs Must Contribute to Alleged Filesharers' Appeals Body
(March 6, 2012)
The UK's Digital Economy Act requires Internet service providers (ISPs)
there to contribute to the costs associated with establishing and
maintaining an appeals body for people who have been accused of
filesharing. UK ISPs TalkTalk and BT appealed the requirement, but a
court ruled against them, saying that ISPs must contribute 25 percent
of the costs. The other 75 percent will be paid by Ofcom, a UK
communications regulator. The Digital Economy Act also requires ISPs to
sever users' Internet connections if they repeatedly engage in illegal
filesharing after receiving several warnings.
http://news.cnet.com/8301-1009_3-57391558-83/u.k-isps-lose-appeal-must-pay-legal-fees-of-file-sharing-suspects/
--Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies
(March 6, 2012)
Two US legislators have asked the Office of Management and Budget (OMB)
to investigate electronic monitoring policies at all government
agencies. The request comes in the wake of reports of Food and Drug
Administration (FDA) employees being fired because of comments they made
in personal electronic messages sent over government systems.
http://www.govexec.com/technology/2012/03/lawmakers-seek-agency-policies-email-surveillance/41395/
http://www.computerworld.com/s/article/9224938/US_lawmakers_ask_if_federal_workers_have_email_privacy?taxonomyId=144
[Editor's Note (Murray): All US government employees that use computers
consent to monitoring. The issue is not whether monitoring is
legitimate but whether the purposes to which such monitoring is put are
legitimate. Of course, having consented to being monitored by one's
bosses, a prudent man might abstain from criticizing his boss or his
policies.]
--FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal
(March 6, 2012)
The US Federal Communications Commission (FCC) has issued an Enforcement
Advisory to remind the public that the use of cell phone jammers is
illegal. The advisory mentioned reports of people using the devices on
buses and other modes of public transportation to create "quiet zones."
In another instance, a teacher was using a blocking device in the
classroom, but blocked cell phone communications throughout the entire
school. It is also illegal "to import, advertise, sell, or ship" the
devices. The FCC says that the devices "pose an unacceptable risk to
public safety by potentially preventing the transmission of emergency
communications."
http://www.washingtonpost.com/business/technology/fcc-cellphone-jammers-are-illegal/2012/03/06/gIQAmeRPvR_story.html
http://www.nextgov.com/nextgov/ng_20120306_1935.php?oref=topnews
[Editor's Note (Ranum): They are legal in hospitals and churches. I am a church.]
--NIST Updates Smart Grid Interoperability Roadmap
(March 5, 2012)
The National Institute of Standards and Technology (NIST) has issued an
updated version of The Framework and Roadmap for Smart Grid
Interoperability. Release 2.0 of this publication incorporates 22
additional technical standards. The standards compiled thus far are not
mandatory because the roadmap is not yet complete.
http://gcn.com/articles/2012/03/05/nist-smart-grid-framework-update.aspx
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk9aVlIACgkQ+LUG5KFpTkbLGgCfZJA7V27aNEYki2g1JE3mfgX+
JgsAn3Egb9epJjVocAd1o2Oq0ONIRfSW
=rKuF
-----END PGP SIGNATURE-----