Merit Network Email List Archives: NETSEC Archives

[Netsec] SANS NewsBites Vol. 14 Num. 20 : Most Dangerous Security Threats; US Government Maintains Right to Seize Top-Level Domains + US Law Firm's Data Stolen in APT

  • From: The SANS Institute
  • Date: Fri Mar 09 15:04:02 2012

Hash: SHA1

The managing partner of a large New York law firm had a visit from the
FBI in which he learned that the files of every one of his firm's
clients had been copied from the law firm's servers and placed on
servers in Asia known to be used as transfer points in APT attacks (APT
translates loosely to Chinese, he learned). Nine days later, he and
another partner from his firm came to my house on a Sunday morning for
a conversation. They wanted to know why the intruders wanted the data,
how they got in, why the firewalls and AV and other security tools their
consultants told them to install didn't stop the attacks, and how they
could be stopped in the future. The conversation is posted at

SANS NewsBites                March 9, 2012              Vol. 14, Num. 020

  Six Most Dangerous Security Threats
  US Government Maintains Right to Seize Top-Level Domains
  Microsoft Will Issue Fixes for Seven Flaws
  MPAA Seeks to Shut Down Hotfile Filesharing Site
  Researchers Ask for Help Identifying Mystery Code in DuQu
  Maryland Court Says Government Does Not Need Warrant For Cell Phone
    Location Data
  LulzSec Member Arrested in June 2011, Became Informant
  ISPs Must Contribute to Alleged Filesharers' Appeals Body
  Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies
  FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal
  NIST Updates Smart Grid Interoperability Roadmap

******************** SPONSORED BY F5 Networks, Inc. **********************

Whether critical applications live in the cloud, in the data center, or
in both, organizations need a strategic point of control for application
security.  Learn about a proven solution that provides the security,
intelligence, and performance that today's dynamic infrastructures

 -- SANS Mobile Device Security Summit: The Growing and Constantly
Changing Challenge,  Nashville, TN
Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012
Mobile device security experts and practitioners from organizations
that have implemented successful programs will discuss the most
promising approaches to this new and evolving challenge.

 --SANS 2012, Orlando, FL  March 23-29, 2012
40 courses.  Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.

 --SANS Northern Virginia 2012, Reston, VA  April  15-20, 2012
7 courses.  Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack

 --SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
11 courses.  Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.

 --SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.

 --SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012
12 courses.

 --SANS Security West 2012, San Diego, CA  May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.

 --SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?

 --Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:

 --Six Most Dangerous Security Threats
(March 7, 2012)
At the RSA conference in San Francisco, in the best attended of all 220
track sessions, the nation's top penetration testing and incident
handling expert, Ed Skoudis, and the director of the Internet Storm
Center, Johannes Ullrich, discussed the six most dangerous new attack
vectors that they saw being used in 2011 and also what has begun to
emerge in 2012.
,the-six-most-dangerous-infosec-attacks.aspx
[Editor's Note (Paller): The Australian journalist who wrote this
article did an extraordinary job of summarizing the presentation
accurately and with enough fidelity to make you feel as if you had been
there (and I was there).]

 --US Government Maintains Right to Seize Top-Level Domains
(March 6, 2012)
The US government maintains that it has the right to seize any sites
operating with generic top-level domain names, such as .com, .net, .org,
and others. Last week, the US government seized, a
sports-wagering website. The domain name was registered with a Canadian
company, but the US government served the seizure order on VeriSign, a
US company that manages those top-level domains.
[Editor's Comment (Northcutt): No matter where you stand on the issue,
this is an important topic and an important article to read.]

 --Microsoft Will Issue Fixes for Seven Flaws
(March 9, 2012)
Microsoft will issue six security bulletins on Tuesday, March 13, to fix
a total of seven vulnerabilities. Of those, just one has been given a
maximum severity rating of critical. The bulletins will address flaws
in Microsoft Windows, Visual Studio, and Expression. The bulletin with
the critical rating will address a remote code execution vulnerability
in Windows.
,microsoft-to-patch-seven-security-issues-with-six-bulletins.aspx

 --MPAA Seeks to Shut Down Hotfile Filesharing Site
(March 8, 2012)
The Motion Picture Association of America (MPAA) has filed a motion for
a summary judgment against filesharing site Hotfile. The plaintiffs
allege that "Hotfile actively fosters the massive copyright infringement
that fuels its business," while Hotfile says it takes down content that
violates copyright law upon request. The plaintiffs say that Hotfile is
no different than Megaupload. Hotfile, which is based in Panama, is
claiming safe harbor protections under the Digital Millennium Copyright
Act (DMCA), but the movie and music companies say that Hotfile does not
qualify for those protections because it did not identify and terminate
the accounts of repeat offenders.

 --Researchers Ask for Help Identifying Mystery Code in DuQu
(March 7 & 8, 2012)
Researchers at Kaspersky Lab are seeking help with deciphering a portion
of DuQu, malware code that has been detected on systems in North Africa
and the Middle East. Researchers suspect that the mysterious code may
be in a completely new programming language. The component in question
is part of DuQu's communication with command-and-control servers. Other
portions of DuQu are written in C++.  Analysis indicates similarities
between DuQu and Stuxnet, although Stuxnet aims to sabotage and DuQu
aims to steal information.

***********************  SPONSORED LINKS:  *****************************
1) Oracle Entitlements Server Review
Featuring: Tanya Baccam and Roger Wigenstam

2) New Analyst Paper in the Reading Room: Needle in a Haystack,
Getting to Attribution in Control Systems by SCADA security expert,
Matthew E. Luallen.

3) "Privileged User Access: Root of all Evil!"
Featuring SANS Analyst Dave Shackleford
Wed., March 28 at a special time of 12:30 PM EST

 --Maryland Court Says Government Does Not Need Warrant For Cell Phone
    Location Data
(March 7, 2012)
A Maryland court has ruled that the government may demand more than six
months worth of location data from cell phone providers without
requiring a warrant. The case involved two people accused of armed
robbery. Their legal team attempted to suppress evidence obtained about
their locations that was obtained without a warrant, but Judge Richard
D. Bennett ruled that a warrant was not needed in the case.

 --LulzSec Member Arrested in June 2011, Became Informant
(March 6, 2012)
Hector Xavier Monsegur, known online as Sabu, the alleged leader of the
LulzSec hacking group, became an informant after he was arrested last
June. In August 2011, he pleaded guilty to a dozen hacking charges
connected to cyber attacks on HBGary, Sony, and InfraGard. Monsegur is
facing more than 120 years in prison, but is likely to draw a
significantly lighter sentence because of information he has provided
to law enforcement authorities. That information contributed to five
arrests earlier this week.
[Editor's Note (Murray): Hey guys, this is not the Mafia.  There is no
Omerta here.  No honor among thieves.  If you conspire with a rogue
hacker, you have to assume that if identified, he will shop you.
Moreover, if you are engaged in a hacker conspiracy, remember the first
guy identified walks.]

 --ISPs Must Contribute to Alleged Filesharers' Appeals Body
(March 6, 2012)
The UK's Digital Economy Act requires Internet service providers (ISPs)
there to contribute to the costs associated with establishing and
maintaining an appeals body for people who have been accused of
filesharing. UK ISPs TalkTalk and BT appealed the requirement, but a
court ruled against them, saying that ISPs must contribute 25 percent
of the costs. The other 75 percent will be paid by Ofcom, a UK
communications regulator. The Digital Economy Act also requires ISPs to
sever users' Internet connections if they repeatedly engage in illegal
filesharing after receiving several warnings.

 --Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies
(March 6, 2012)
Two US legislators have asked the Office of Management and Budget (OMB)
to investigate electronic monitoring policies at all government
agencies. The request comes in the wake of reports of Food and Drug
Administration (FDA) employees being fired because of comments they made
in personal electronic messages sent over government systems.
[Editor's Note (Murray): All US government employees that use computers
consent to monitoring.  The issue is not whether monitoring is
legitimate but whether the purposes to which such monitoring is put are
legitimate.  Of course, having consented to being monitored by one's
bosses, a prudent man might abstain from criticizing his boss or his

 --FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal
(March 6, 2012)
The US Federal Communications Commission (FCC) has issued an Enforcement
Advisory to remind the public that the use of cell phone jammers is
illegal. The advisory mentioned reports of people using the devices on
buses and other modes of public transportation to create "quiet zones."
In another instance, a teacher was using a blocking device in the
classroom, but blocked cell phone communications throughout the entire
school. It is also illegal "to import, advertise, sell, or ship" the
devices. The FCC says that the devices "pose an unacceptable risk to
public safety by potentially preventing the transmission of emergency

[Editor's Note (Ranum): They are legal in hospitals and churches. I am a church.]

 --NIST Updates Smart Grid Interoperability Roadmap
(March 5, 2012)
The National Institute of Standards and Technology (NIST) has issued an
updated version of The Framework and Roadmap for Smart Grid
Interoperability.  Release 2.0 of this publication incorporated 22
additional technical standards. The standards compiled thus far are not
mandatory because the roadmap is not yet complete.

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -