[Netsec] SANS NewsBites Vol. 14 Num. 24 : US ISPs Agree to FCC-Recommended Security Measures, Verizon Report: Hacktivism Accounts for More Than Half of Data Theft, US Dept. of Defense to Issue Rules of Cyber Engagement
- From: The SANS Institute
- Date: Fri Mar 23 14:52:52 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**************************************************************************
SANS NewsBites March 23, 2012 Vol. 14, Num. 024
**************************************************************************
TOP OF THE NEWS
US ISPs Agree to FCC-Recommended Security Measures
Verizon Report: Hacktivism Accounts for More Than Half of Data Theft
US Dept. of Defense to Issue Rules of Cyber Engagement
THE REST OF THE WEEK'S NEWS
Changes to Data Retention Guidelines Concern Civil Liberties Groups
Google Releases Sixth Update for Chrome 17
House Subcommittee Hearing Focuses on DoD's Role in Cyber Security
Megaupload's Server Host Seeking Relief
Mozilla Switches to Default SSL Google Searches
University of Tampa Student Data Compromised
DuQu Variant Detected
Russian Police Arrest Eight in Connection with Carberp Trojan
****************** Sponsored By Palo Alto Networks **********************
Do Not Miss SANS Special Webcast: Threat Review of Resurgent Botnets:
Waledac, Kelihos, Zeus sponsored by Palo Alto Networks
WHEN: Thursday, March 29, 2012 at 1:00 PM EST. Sign up TODAY at
http://www.sans.org/info/102254
**************************************************************************
TRAINING UPDATE
--SANS 2012, Orlando, FL March 23-29, 2012
40 courses. Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012
7 courses. Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012
11 courses. Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012
11 courses.
http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
--SANS Toronto 2012, Toronto, ON May 14-19, 2012
5 courses. Bonus evening presentations include I've Been Geo-Stalked!
Now What? And What Should Keep You Up at Night: The Big Picture and
Emerging Threats.
http://www.sans.org/toronto-2012/
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks. Maximize your training by also attending one or
more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--Looking for training in your own community?
http://sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Abu Dhabi, Johannesburg, Brisbane, Jakarta, and Malaysia all in the
next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***********************************************************
TOP OF THE NEWS
--US ISPs Agree to FCC-Recommended Security Measures
(March 22, 2012)
Eight US Internet service providers (ISPs), including the four largest
in the country, have committed to implementing cyber security measures
recommended by a US Federal Communications Commission (FCC) advisory
board. The recommendations are aimed at fighting botnets, domain name
fraud (through DNSSEC adoption), and Internet route hijacking (BGP), and
include alerting customers when their machines show signs of botnet
infection and helping them clean those computers. Together, the eight
ISPs serve approximately 80 percent of broadband users in the US.
http://www.itworld.com/government/261194/us-isps-commit-new-cybersecurity-measures
[Editor's Note (Pescatore): This is a needed step in the right
direction, but it will need to avoid trying to rely on alerting
customers and focus more on active protection. In 2010 Australian ISPs
did a similar thing called iCode and there have been some "in the cloud"
actions taken but mostly more web sites explaining threats vs. making
those "Internet tubes" cleaner. I think the growth of wireless data
access makes the carriers more incentivized to do more filtering on
their end than when the focus is purely on the wired Internet side.
(Paller): The commitments are, for all but two ISPs, merely statements
of intent. What the FCC has not yet established is a method of measuring
the effectiveness of security improvements. FCC Commissioner Julius
Genachowski told the FCC Advisory Board that developed the code of
conduct that such measures of effectiveness are essential. Sadly, the
ISPs are deeply antagonistic to measuring their individual effectiveness
in reducing the threat of botnets (or to doing the filtering that John
Pescatore describes in the previous editor's comment). Once
effectiveness is measured, however, the public would know which ISPs are
the best places to practice safe Internet activities and ISPs would
compete to get the bot count down quickly. If the FCC cannot get a
measurement system in place, the US initiative will be no more effective
than the iCode in Australia where the effectiveness is at best spotty.]
--Verizon Report: Hacktivism Accounts for More Than Half of Data Theft
(March 22, 2012)
According to Verizon's 2012 Data Breach Investigations Report, the
majority of data stolen last year was taken by hacktivists rather than
by cyber criminals out to profit from their spoils. Fifty-eight percent
of the records stolen in 2011 were taken by attackers with a political
or social agenda. The report analyzes 855 incidents worldwide, which
together accounted for 174 million stolen records. Verizon director of
research and intelligence Wade Baker said that hacktivists are harder
to defend against because they tailor their attacks to specific
targets.
http://www.bbc.co.uk/news/technology-17428618
http://www.h-online.com/security/news/item/Verizon-finds-hacktivists-responsible-for-58-of-stolen-data-1478023.html
http://www.wired.com/threatlevel/2012/03/hacktivists-beat-cybercriminals/
http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf
--US Dept. of Defense to Issue Rules of Cyber Engagement
(March 21, 2012)
The US Department of Defense may issue rules of cyber engagement within
the next few months, according to military officials. The rules will set
out how the military should respond to cyber attacks and when it may
take proactive defensive measures. The policy is a cooperative effort
between the Joint Staff and the Office of the Secretary of Defense's
policy office.
http://www.informationweek.com/news/government/security/232602957
************************ Sponsored Links: ***************************
1) SolarWinds(R) Log and Event Manager for operations, compliance and
security is powerful, easy and affordable!
http://www.sans.org/info/102259
2) Join Rapid7's HD Moore for an IPv6 security risk webcast + live
Metasploit Pro demo http://www.sans.org/info/102264
3) SANS Analyst Program Webcast: Reducing Risk to Federal Systems with
the SANS 20 Critical Controls April 19, 1 PM EST
http://www.sans.org/info/102269
************************************************************************
THE REST OF THE WEEK'S NEWS
--Changes to Data Retention Guidelines Concern Civil Liberties Groups
(March 22, 2012)
US Attorney General Eric Holder has approved guidelines that allow the
National Counterterrorism Center (NCTC) to retain information, including
data on US citizens, for up to five years. Prior guidelines required
NCTC to destroy such data within 180 days unless it was clearly
connected to terrorism. Civil liberties groups are concerned about the
length of time that people's information will be held. Officials say
that the changes are being made to ensure that analysts have ready
access to the information, and that in some cases, information that did
not appear to be pertinent at first glance turned out later to be
important evidence.
http://www.washingtonpost.com/world/national-security/new-counterterrorism-guidelines-would-permit-data-on-us-citizens-to-be-held-longer/2012/03/21/gIQAFLm7TS_story.html
--Google Releases Sixth Update for Chrome 17
(March 22, 2012)
Google has released another security update for Chrome 17, the sixth in
as many weeks. The update addresses nine vulnerabilities, six of which
are rated critical. Four researchers were paid a total of US $5,500 for
reporting five of the vulnerabilities. The other four flaws were either
found by Google's own team or were not significant enough to merit a
bounty. Chrome updates silently, so machines running the browser will
be updated automatically.
http://www.computerworld.com/s/article/9225441/Google_patches_9_Chrome_bugs_pays_more_to_top_researchers?taxonomyId=17
http://googlechromereleases.blogspot.co.uk/2012/03/stable-channel-update_21.html
--House Subcommittee Hearing Focuses on DoD's Role in Cyber Security
(March 21, 2012)
Some US legislators are arguing for the military to take a larger role
in the nation's cyber security. Currently, protecting private-sector
and civilian government networks falls under the purview of the
Department of Homeland Security (DHS). Representative Mac Thornberry
(R-Texas), who chairs the House Armed Services Subcommittee on Emerging
Threats and Capabilities, said at a hearing on March 20 that US citizens
expect that the DoD will "defend the country in whatever domain it is
attacked. That means that Cyber Command must be ready, and Congress and
the administration must find a way to ensure that it has the legal
authorities it needs and at the same time ensure that the constitutional
rights of Americans are protected." Army General Keith Alexander,
Commander of the US Cyber Command, said that while the threats in
cyberspace have become more dangerous, he does not believe that DoD
should assume the roles that DHS has been filling, and that the best way
DoD can help both DHS and private sector organizations is through
sharing cyber threat information.
http://www.nextgov.com/nextgov/ng_20120321_8300.php?oref=topnews
--Megaupload's Server Host Seeking Relief
(March 21, 22, & 23, 2012)
Megaupload's server host Carpathia is asking a judge for help; the
company has been stuck paying for retaining the 25 petabytes of data at
a cost of about US $9,000 a day. Carpathia wants permission to
reallocate the more than 1,000 servers used to store the data for other
customers who are able to pay for the service. The Motion Picture
Association of America (MPAA) has asked a federal judge to ensure the
data are retained. Megaupload wants the data preserved and has asked
that some of its seized funds be used to pay Carpathia.
http://www.wired.com/threatlevel/2012/03/mpaa-megaupload-user-litigatio/
http://arstechnica.com/tech-policy/news/2012/03/isp-storing-25-petabytes-of-megaupload-data-costs-us-9000-a-day.ars
http://computerworld.co.nz/news.nsf/news/will-megauploads-28-petabytes-of-data-be-deleted
[Editor's Comment (Northcutt): A cautionary tale. No matter where you
stand on the copyright law discussion, this is a company that is paying
real money to preserve the data they collected by their business
relationship with Megaupload. And the requirements to keep the 25
petabytes of data could easily go on several more years.]
--Mozilla Switches to Default SSL Google Searches
(March 21, & 22, 2012)
Mozilla's Firefox browser now sends Google searches over HTTPS (SSL/TLS)
by default. The change currently affects only the beta version of the
browser, but will be introduced in a stable release of Firefox later
this year. The shift means that Internet service providers (ISPs) and
other network intermediaries cannot read users' search queries, and
that the sites users click through to from the results no longer
receive the query in the HTTP Referer header (browsers omit the Referer
when navigating from an HTTPS page to a plain-HTTP one).
http://paranoia.dubfire.net/2012/03/firefox-switching-to-https-google.html
http://www.informationweek.com/news/security/privacy/232602977
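The following Python script is an added example, not part of this NewsBites issue and not code from Mozilla or Google. It shows what the Firefox change takes away from a destination site: a scanner over web server access logs that recovers search terms from Referer headers, plus a small model of the rule browsers applied in 2012 (RFC 2616, section 15.1.3: no Referer is sent from an HTTPS page to a plain-HTTP destination). The log lines, IP addresses, hostnames and queries are constructed for the example.

```python
"""Search-term leakage through the HTTP Referer header.

Added example; it is not part of the SANS NewsBites issue above and is
not Mozilla's or Google's code. A site reached by clicking a search
result sees the user's query in the Referer header when the search page
was plain HTTP; when the search page was served over HTTPS, the browser
omits the Referer on navigation to a plain-HTTP destination (RFC 2616,
section 15.1.3). The log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed Combined Log Format lines: request, status, size, referer,
# user agent. Line 1 shows a query leaked from a plain-HTTP search page;
# line 2 shows the "-" a server logs when the browser sent no Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2012:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512 "http://www.google.com/search?q=cheap+insurance+diagnosis" "Mozilla/5.0"
203.0.113.6 - - [21/Mar/2012:10:00:02 +0000] "GET /pricing HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2012:10:00:03 +0000] "GET /about HTTP/1.1" 200 128 "https://encrypted.google.com/search?q=query+still+sent+to+an+https+site" "Mozilla/5.0"
203.0.113.8 - - [21/Mar/2012:10:00:04 +0000] "GET /about HTTP/1.1" 200 128 "http://example.net/page" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def search_query_from_referer(referer):
    """Return the search term carried in a referer URL, or None.

    Recognises the common ``/search?q=...`` form on any host, since the
    point is what the destination site can read, not who served the
    search page.
    """
    parsed = urlparse(referer)
    if parsed.scheme not in ("http", "https") or parsed.path != "/search":
        return None
    terms = parse_qs(parsed.query).get("q")
    return terms[0] if terms else None


def extract_search_terms(log_text):
    """Scan access-log lines and return (client ip, search host, query)
    for every request whose Referer disclosed a search query."""
    found = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a well-formed combined-log line; skip it
        referer = match.group("referer")
        query = search_query_from_referer(referer)
        if query is not None:
            found.append((match.group("ip"), urlparse(referer).hostname, query))
    return found


def referer_for(referring_url, destination_url):
    """Model the RFC 2616 rule browsers applied in 2012: no Referer is
    sent from an HTTPS page to a plain-HTTP destination; otherwise the
    full referring URL, query string included, is sent."""
    if (urlparse(referring_url).scheme == "https"
            and urlparse(destination_url).scheme == "http"):
        return None
    return referring_url


if __name__ == "__main__":
    for ip, host, query in extract_search_terms(SAMPLE_LOG):
        print(f"{ip} arrived from {host} searching for: {query!r}")
    print(referer_for("https://www.google.com/search?q=secret", "http://example.com/"))
```

The third constructed line is the caveat: under the 2012 rule an HTTPS search page still sent the full Referer to an HTTPS destination, so the protection described in the news item applied only to plain-HTTP sites. Current browsers default to a Referrer-Policy of strict-origin-when-cross-origin, which strips the path and query string on every cross-origin navigation, so that line would not appear in a log today either.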
--University of Tampa Student Data Compromised
(March 21, 2012)
Personally identifiable information belonging to more than 6,800
University of Tampa students was exposed on the Internet for eight
months, according to the Florida university. The breach was discovered
as part of an in-class project on advanced search techniques. Two other
files containing information about nearly 23,000 additional people may
also have been exposed during the same time period.
http://www.computerworld.com/s/article/9225391/Univ._of_Tampa_says_student_info_was_exposed_for_8_months?taxonomyId=203
http://www.infosecurity-magazine.com/view/24672/university-of-tampa-data-breach-affects-30000-students-faculty-and-staff/
--DuQu Variant Detected
(March 21, 2012)
A variant of the driver for the DuQu intelligence-gathering malware has
been detected on computers in Iran. The driver is altered enough from
the earlier version that it evaded antivirus detection. Researchers say
the attackers appear to use the information gathered by DuQu to plan
further action.
http://www.pcworld.com/businesscenter/article/252211/researchers_discover_new_duqu_variant_that_tries_to_evade_antivirus_detection.html
http://www.msnbc.msn.com/id/46821870/ns/technology_and_science-security/
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232700010/duqu-alive-and-well-new-variant-found-in-iran.html
--Russian Police Arrest Eight in Connection with Carberp Trojan
(March 20, 2012)
Russian authorities have arrested eight people believed to have stolen
more than 60 million rubles (US $2.04 million) using the Carberp Trojan
horse program. Carberp steals online banking login credentials, which
the suspects allegedly used to transfer funds from targeted accounts to
accounts opened by members of the group; the money was then withdrawn
from those accounts through ATMs. The number of compromised accounts is
estimated to be 90. The malware was allegedly planted on Russian
newspaper and other frequently visited websites.
http://www.theregister.co.uk/2012/03/20/russia_carberp_suspects_arrested/
http://www.computerworld.com/s/article/9225345/Eight_online_banking_scammers_arrested_in_Russia?taxonomyId=83
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk9svXAACgkQ+LUG5KFpTkbvggCgjtD3C+GMqucOCbHvGqo88vLF
4l0AnizK702Dhnt6fscE36uMnEzucnNu
=Utdx
-----END PGP SIGNATURE-----