NETSEC Archives

[Netsec] SANS NewsBites Vol. 14 Num. 23 : Pentagon is Fast Tracking Cyber Weaponry

  • From: The SANS Institute
  • Date: Tue Mar 20 15:38:18 2012

SANS NewsBites                March 20, 2012             Vol. 14, Num. 023
  Pentagon is Fast Tracking Cyber Weaponry
  DuQu Framework Language Identified as Object Oriented C
  Trojan Uses Stolen Digital Certificate
  Indian Court Dismisses Charges Against Microsoft in Objectionable
    Content Case
  UK Man Charged for Allegedly Launching Cyber Attacks on CIA and SOCA
  German Court Orders RapidShare to Prevent Uploading of Pirated Content
  GAO Says IRS Needs to Implement Information Security Measures
  Microsoft Acknowledges RDP Proof-of-Concept May Have Been Leaked
    Through Information Sharing Program
  Senators Seek Declassification of Rulings That Expand Domestic Spying
  Man Arrested in Connection with Online Banking Fraud

******************** SPONSORED BY SolarWinds.Net, Inc. ******************

Successful network, application and system defense rests on the ability
to identify and respond to threats immediately - before they become a
problem.  SIEM software should be powerful, easy and affordable for
operations, compliance and security.   SolarWinds(r) Log and Event
Manager (LEM) software gives you the firepower you need to defend your
IT infrastructure!

--SANS 2012, Orlando, FL  March 23-29, 2012
40 courses.  Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
--SANS Northern Virginia 2012, Reston, VA  April 15-20, 2012
7 courses.  Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack.
--SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
11 courses.  Bonus evening presentations include Ninja Assessments:
Stealth Security Testing for Organizations; and Adjusting Our Defenses
for 2012.
--SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
--SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012
11 courses.
--SANS Security West 2012, San Diego, CA  May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
--SANS Toronto 2012, Toronto, ON  May 14-19, 2012
5 courses. Bonus evening presentations include I've Been Geo-Stalked!
Now What? and What Should Keep You Up at Night: The Big Picture and
Emerging Threats.
--SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
--Forensics & Incident Response Summit & Training, Austin, TX  June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks.  Maximize your training by also attending one or
more of the 4 pre-summit courses.
--Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Abu Dhabi, Johannesburg, Brisbane, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live:

 --Pentagon is Fast Tracking Cyber Weaponry
(March 18, 2012)
The US military is stepping up development of cyber weaponry that could
be used against enemy networks, even those not connected to the
Internet. To hasten the development of the tools, the Defense Advanced
Research Projects Agency (DARPA) budget has been given US $500 million
over five years. Among the agency's new cyber development initiatives
is a "fast-track" program. Network attacks as a military offensive are
unlikely to be standalone events; instead, it is likely that they will
be paired with other warfare tactics. Over the last decade, cyber
technology has grown to be "a significant factor" in military
operations. Offensive measures have been considered but set aside
because of possible collateral damage; it is not possible to be certain
how far the effects of an attack will reach. Currently, the military is
spending more on cyber defense than on offense.
[Editor's Note (Kreitner): One has to wonder whether the Mutually
Assured Malfunction scenarios of the Cyber Age will provide a level of
deterrent anything like the Mutually Assured Destruction scenarios did
during the Nuclear Age.  Maybe if the truly powerful cyber offensive
capabilities remain only in the possession of nation-states as opposed
to independent bad actors.]

 --DuQu Framework Language Identified as Object Oriented C
(March 19, 2012)
Researchers at Kaspersky Lab, stumped by a portion of code in the DuQu
Trojan horse program that the malware uses to communicate with
command-and-control servers, have found their answer: old-school Object
Oriented C. Kaspersky chief malware expert Vitaly Kamluk noted that
"these are techniques used by professional software developers but not
malware writers." When they were unable to figure out the language of
the portion of the malware known as DuQu Framework, Kaspersky
researchers decided to crowdsource the problem.
[Editor's Note (Honan): More details of the code used can be found at
with some interesting observations in the comments sections of those

 --Trojan Uses Stolen Digital Certificate
(March 19, 2012)
A Trojan horse program known as Mediyes is signed with a digital
certificate issued by VeriSign to a Swiss company called Conpavi AG.
Researchers at VeriSign's parent company Symantec say that the attackers
must have gained access to the private key associated with the Conpavi
certificate, since the signature itself is valid. Symantec has revoked
the certificate that was used to sign the malware, which intercepts
search engine queries and redirects them to an advertising network
server.
[Editor's Note (Pescatore): The CA/Browser Forum recently met and
decided to "to form a working group on organizational reform. The task
of this group will be to develop and present to the full organization,
by April 16th, proposals for a new charter and bylaws." Drastic
improvement is badly needed - the sorry state of security around the
issuance of SSL and signing certificates continues to drive the value
of those certificates down and down and down.]
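The Mediyes item is a reminder that a code signature proves only that whoever signed held the private key; the protection after a key theft comes from the issuer revoking the certificate and from verifiers actually consulting that revocation information. The following Go program is an added example, not part of the newsletter and not based on any real publisher's certificate: it builds a constructed throwaway root CA and code-signing certificate, signs a constructed payload, and shows a verifier that chains the certificate, checks the signature, and then rejects the very same signature once the issuer has published a CRL naming the certificate. All names, serial numbers and the payload are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked: the signing certificate appears on its issuer's CRL.
var ErrRevoked = errors.New("signing certificate has been revoked")

func must(err error) { // setup failures (RNG, DER encoding) abort the scenario
	if err != nil {
		panic(err)
	}
}

// verifyCodeSignature does what a consumer of signed code must do: chain the cert to a trusted
// root with the code-signing EKU, check the signature over the payload, and consult the issuer's CRL.
func verifyCodeSignature(roots *x509.CertPool, leaf *x509.Certificate, crl *x509.RevocationList, payload, sig []byte) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	// CheckSignature hashes payload with SHA-256 and verifies the ASN.1-encoded ECDSA signature.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("signature does not match payload: %w", err)
	}
	if crl != nil {
		// One-level test PKI: chains[0] is [leaf, root], so the issuer is the root.
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
			return fmt.Errorf("CRL not signed by issuer: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	return nil
}

// newCert generates a P-256 key and issues a certificate for it from tmpl;
// a nil parent produces a self-signed certificate (the constructed test root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// RunScenario builds a throwaway root CA and code-signing certificate (constructed here, not a real
// CA or publisher), signs a payload, and returns the verifier's decision for the intact payload
// (expect nil), a payload altered after signing (expect a signature error), and the intact payload
// re-checked after the issuer publishes a CRL naming the certificate (expect ErrRevoked).
func RunScenario() (genuine, tampered, revoked error) {
	now := time.Now()
	caCert, caKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue the CRL below
	}, nil, nil)
	leafCert, leafKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed Test Publisher"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// Whatever the holder of the publisher's (stolen) private key chooses to sign.
	payload := []byte("constructed sample binary contents")
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	must(err)
	genuine = verifyCodeSignature(roots, leafCert, nil, payload, sig)
	tampered = verifyCodeSignature(roots, leafCert, nil, append([]byte("X"), payload...), sig)
	// The issuer learns the key was compromised and publishes a CRL naming the certificate.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leafCert.SerialNumber, RevocationTime: now}},
	}, caCert, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	revoked = verifyCodeSignature(roots, leafCert, crl, payload, sig)
	return genuine, tampered, revoked
}
```

The point of the third case is that nothing about the binary or its signature changed between the first check and the last; only the issuer's CRL did. A verifier that skips the CRL (or OCSP) lookup, or that tolerates a fetch failure silently, will keep accepting code signed with a stolen key indefinitely, which is exactly the window the Mediyes operators relied on. In production the CRL would be fetched from the distribution point named in the certificate rather than handed in as a parameter, and a signed timestamp would let the verifier accept code signed before the revocation date while still rejecting anything signed after it.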

 --Indian Court Dismisses Charges Against Microsoft in Objectionable
    Content Case
(March 19, 2012)
A court in India has dismissed charges against Microsoft for allegedly
hosting objectionable content. Microsoft was one of nearly two dozen
companies named in a lawsuit brought by an Indian journalist. Microsoft
had argued that no formal allegations were brought against it and the
court agreed.

 --UK Man Charged for Allegedly Launching Cyber Attacks on CIA and SOCA
(March 19, 2012)
A UK man has appeared in court and been charged with conspiracy for his
alleged role in cyber attacks on websites belonging to the CIA and the
UK's Serious Organized Crime Agency (SOCA). Ryan Ackroyd also faces
charges for allegedly breaking into the websites of the UK's National
Health Service (NHS) and News International, which publishes the Sun
newspaper. Ackroyd did not enter a plea at the hearing, but a judge
granted him bail; the terms of the bail prohibit Ackroyd from accessing
the Internet. He also faces allegations of breaking into other sites in
the US.

***********************  SPONSORED LINKS:  *****************************
1) Nearly 90% of organizations are not fully aware of what personal
devices are accessing what company resources! Register for the SANS
Mobile Security Survey and be among the first to receive full results
in a paper written by SANS mobility expert, Kevin Johnson.

2) New Analyst Paper in the SANS Reading Room! Review of NetIQ Sentinel
7 for Security Information and Event Management, by senior SANS analyst,
Jerry Shenk.
For a full index of SANS Analyst papers, go here:

 --German Court Orders RapidShare to Prevent Uploading of Pirated Content
(March 19, 2012)
A court in Germany has ruled that file-hosting website RapidShare must
filter the files its users upload to prevent material that violates
copyright law from being posted. According to a statement, RapidShare
will be required to block its users from uploading content from a list
of 4,000 known copyright infringing files. The case in which the court
ruled was brought by a coalition of German booksellers. If RapidShare
decides to appeal the order, it could find support in a recent EU court
ruling that said the type of monitoring that would be required to
prevent the upload of illegal content would violate European privacy

 --GAO Says IRS Needs to Implement Information Security Measures
(March 16 & 19, 2012)
According to a report from the Government Accountability Office (GAO),
the US Internal Revenue Service (IRS) has not adequately protected its
computer systems. The IRS has not installed critical fixes for software
vulnerabilities, has not made sure that contractors have been trained in
security issues, and has not taken steps to restrict permissions to
prevent employees from accessing portions of the networks that do not
pertain to their responsibilities. According to the GAO, there is no
mandatory information security program at the IRS. The security issues
noted in this report are similar to those in earlier GAO reports on IRS
information security.

 --Microsoft Acknowledges RDP Proof-of-Concept May Have Been Leaked
    Through Information Sharing Program
(March 16, 18 & 19, 2012)
Microsoft is investigating the possible leak of information about a
software vulnerability in Windows Remote Desktop Protocol (RDP).
Proof-of-concept exploit code for the flaw was released shortly after
Microsoft issued the fix on Tuesday, March 13. Microsoft said that it
is likely that sample attack code for the RDP flaw was leaked through
an information sharing program it runs for antivirus vendors.

 --Senators Seek Declassification of Rulings That Expand Domestic Spying
(March 15 & 16, 2012)
Two Democratic US senators are seeking the declassification of secret
court rulings that grant the government extensive domestic spying
authority under the Patriot Act, beyond what the law originally
intended. Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) say
that the Foreign Intelligence Surveillance Act Court has broadened the
government domestic spying powers under the Patriot Act. In a letter to
Attorney General Eric Holder, the senators wrote, "We believe most
Americans would be stunned to learn the details of how these secret
court opinions have interpreted section 215 of the Patriot Act. As we
see it, there is now a significant gap between what most Americans think
the law allows and what the government secretly claims the law allows."
[Editor's Note (Pescatore): Secrecy and security are not synonymous. In
many cases, and this is probably one of them, transparency leads to
higher levels of security in the long run.]

 --Man Arrested in Connection with Online Banking Fraud
(March 15, 2012)
Police in Britain have arrested a man in connection with online banking
fraud. An unnamed bank had notified police that a number of its
customers' online accounts had been compromised over an 18-month
period; the Police Central e-Crime Unit launched an investigation that
resulted in the arrest. Police also seized equipment from the suspect's
residence.

================  Remembering Hal Tipton ====================

The flags at SANS are flying at half mast for the passing of Hal Tipton,
a pioneer in the field of information security. Two NewsBites editors
offered personal thoughts:

- From Paul Henry: Back in the early 1990s, with fewer than 1,000 CISSPs,
there were very few resources to prepare one for the CISSP exam. Hal
Tipton was able to bring together numerous IT professionals and get them
involved in an unprecedented collaborative effort to share information
to prepare candidates for the exam in the annually published Information
Security Handbook that he co-authored with Micki Krause. Through his
constant encouragement and his in-depth technical editing skills, he was
able to encourage many professionals who had never even considered
writing a book chapter to share their experiences and knowledge to
increase the level of knowledge within the community. After 10 years and
at least 10 book chapters I will miss hearing from Hal with his annual
email: "So what interesting things have you learned this year that you
can share with the community... can I count on you for another chapter
for the ISMH..."

- From Stephen Northcutt: I was asked to work with NASA as part of the effort to get
back into space after the Challenger disaster. The project culminated
with a series of briefings to senior management and I did one on
security. In the evening there was a mixer. Hal came up to me, pushed
his finger into my chest and said, "You have no idea what you are
talking about!" OK, I thought to myself and waited. Hal continued, "Your
job is just like the loss prevention officer at Kmart. You can't protect
your organization from attack, the best you can hope for is to keep
shoplifting to a low enough level that they do not close the Kmart."  At
the time I was a bit offended, but as the years have gone by, I have
come to see the wisdom of his point of view.

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses and a Director at the incident response
company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
