Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 14 Num. 24 : US ISPs Agree to FCC-Recommended Security Measures, Verizon Report: Hacktivisim Accounts for More Than Half of Data Theft, US Dept. of Defense to Issue Rules of Cyber Engagement

  • From: The SANS Institute
  • Date: Fri Mar 23 14:52:52 2012

Hash: SHA1


SANS NewsBites                March 23, 2012             Vol. 14, Num. 024



  US ISPs Agree to FCC-Recommended Security Measures

  Verizon Report: Hacktivisim Accounts for More Than Half of Data Theft

  US Dept. of Defense to Issue Rules of Cyber Engagement


    Changes to Data Retention Guidelines Concern Civil Liberties Groups

    Google Releases Sixth Update for Chrome 17

    House Subcommittee Hearing Focuses on DoD's Role in Cyber Security

    Megaupload's Server Host Seeking Relief

    Mozilla Switches to Default SSL Google Searches

    University of Tampa Student Data Compromised

    DuQu Variant Detected

    Russian Police Arrest Eight in Connection with Carberp Trojan

****************** Sponsored By Palo Alto Networks **********************

Do Not Miss SANS Special Webcast: Threat Review of Resurgent Botnets:

Waledac, Kelihos, Zeus sponsored by Palo Alto Networks

WHEN: Thursday, March 29, 2012 at 1:00 PM EST. Sign up TODAY at



 --SANS 2012, Orlando, FL  March 23-29, 2012

40 courses.  Bonus evening presentations include Exploiting

Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving

Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.

 --SANS Northern Virginia 2012, Reston, VA  April  15-20, 2012

7 courses.  Bonus evening presentations include Linux Forensics for

Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack

 --SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012

11 courses.  Bonus evening presentations include Ninja Assessments:

Stealth Security testing for Organizations; and Adjusting Our Defenses

for 2012.

 --SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012

Listen to two of the best minds in Application Security, Jeremiah

Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training

by also attending one or more of the 4 pre-summit courses.

 --SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012

11 courses.

 --SANS Security West 2012, San Diego, CA  May 10-18, 2012

24 courses. Bonus evening presentations include Metametrics - A New

Approach to Information Security Management Metrics; and Malware

Analysis Essentials Using REMnux.

 --SANS Toronto 2012, Toronto, ON  May 14-19, 2012

5 courses. Bonus evening presentations include I've Been Geo-Stalked!

Now What? And What Should Keep You Up at Night: The Big Picture and

Emerging Threats.

 --SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012

10 courses. Bonus evening presentations include Adjusting Our Defenses

for 2012; and Why Do Organizations Get Compromised?

 --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012

Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012

Techniques and solutions to aid organizations and agencies responding

to crimes and attacks.  Maximize your training by also attending one or

more of the 4 pre-summit courses.

 --Looking for training in your own community?

http: Save on On-Demand training (30 full

courses) - See samples at

Plus Abu Dhabi, Johannesburg, Brisbane, Jakarta, and Malaysia all in the

next 90 days.

For a list of all upcoming events, on-line and live:



 --US ISPs Agree to FCC-Recommended Security Measures

(March 22, 2012)

Eight US Internet service providers (ISPs) in the US, including the four

largest in the country, have committed to implementing cyber security

measures recommended by the US Federal Communications Commission (FCC)

advisory board. The recommended steps are aimed at fighting botnets,

domain name fraud, and Internet route hijacking. In all, eight ISPs

committed to the measures, which include alerting customers when their

machines show signs of being infected with botnet malware and helping

them clean those computers. The eight ISPs provide service to

approximately 80 percent of broadband users in the US.

[Editor's Note (Pescatore): This is a needed step in the right

direction, but it will need to avoid trying to rely on alerting

customers and focus more on active protection. In 2010 Australian ISPs

did a similar thing called iCode and there has been some "in the cloud"

actions taken but mostly more web sites explaining threats vs. making

those "Internet tubes" cleaner. I think the growth of wireless data

access makes the carriers more incentivized to do more filtering on

their end than when the focus is purely on the wired Internet side.

(Paller): The commitments are, for all but two ISPs, merely statements

of intent. What the FCC has not yet established is a method of measuring

the effectiveness of security improvements. FCC Commissioner Julius

Genachowski told the FCC Advisory Board that developed the code of

conduct that such measures of effectiveness are essential.  Sadly, the

ISPs are deeply antagonistic to measuring their individual effectiveness

in reducing the threat of botnets (or to doing the filtering that John

Pescatore describes in the previous editor's comment). Once

effectiveness is measured, however the public would know which ISPs are

the best places to practice safe Internet activities and ISPs would

compete to get the bot count down quickly. If the FCC cannot get a

measurement system in place, the US initiative will be no more effective

that the ICode in Australia where the effectiveness is at best spotty.]

 --Verizon Report: Hacktivisim Accounts for More Than Half of Data Theft

(March 22, 2012)

According to Verizon's 2012 Data Breach Investigations Report, the

majority of data stolen last year was the doing of hacktivists rather

than cyber criminals out to profit from their spoils. Fifty-eight

percent of data stolen in 2011 were pilfered by hackers with a political

or social agenda. The report analyzes 855 incidents worldwide; those

attacks accounted for 174 million stolen records. Verizon director of

research and intelligence Wade Baker said that hacktivists are harder

to defend against because they tailor their attacks for specific


 --US Dept. of Defense to Issue Rules of Cyber Engagement

(March 21, 2012)

The US Department of Defense may issue rules of cyber engagement within

the next few months, according to military officials. The rules will set

forth how the military should respond to cyber attacks describe when

they can take proactive defensive measures. The policy is a cooperative

effort between the Joint Staff and the Office of the Secretary of

Defense's Office of Policy.

************************ Sponsored Links:  ***************************

1) SolarWinds(R) Log and Event Manager for operations, compliance and

security is powerful, easy and affordable!

2) Join Rapid7's HD Moore for an IPv6 security risk webcast + live

Metasploit Pro demo

3) SANS Analyst Program Webcast: Reducing Risk to Federal Systems with

the SANS 20 Critical Controls April 19, 1 PM EST



 --Changes to Data Retention Guidelines Concern Civil Liberties Groups

(March 22, 2012)

US Attorney General Eric Holder has approved guidelines that allow the

National Counterterrorism Center (NCTC) to retain information for up to

five years. Prior guidelines requited NCTC to destroy data within 180

days unless they were clearly connected to terrorism. Civil liberties

groups are concerned about the length of time that people's information

will be held. Officials say that the changes are being made to ensure

that analysts have ready access to the information, and that in some

cases, information that did not appear to be pertinent at first glance

turned out later to be important evidence.

 --Google Releases Sixth Update for Chrome 17

(March 22, 2012)

Google has released another security update for Chrome 17, the sixth in

as many weeks. The update addresses nine vulnerabilities, six of which

are rated critical. Four researchers were paid a total of US $5,500 for

alerting Google to five vulnerabilities.  The other four flaws either

found by Google's own team or were not significant enough to merit a

bounty. Google uses silent updates for Chrome, so machines running the

browser will be automatically updated.

 --House Subcommittee Hearing Focuses on DoD's Role in Cyber Security

(March 21, 2012)

Some US legislators are arguing for the military to take a larger role

in the nation's cyber security. Currently, the role of protecting

private and civil government network is under the purview of the

Department of Homeland Security (DHS). Representative Mac Thornberry

(R-Texas), who chairs the House Armed services emerging threats and

capabilities subcommittee said at a hearing on March 20 that US citizens

expect that the DoD will "defend the country in whatever domain it is

attacked. That means that Cyber Command must be ready, and Congress and

the administration must find a way to ensure that it has the legal

authorities it needs and at the same time ensure that the constitutional

rights of Americans are protected." Army General Keith Alexander,

Commander of the US Cyber Command, said that while the threats in

cyberspace have become more dangerous, he does not believe that DoD

should assume the roles that DHS has been filling, and that the best way

DoD can help both DHS and private sector organizations is through

sharing cyber threat information.

 --Megaupload's Server Host Seeking Relief

(March 21, 22, & 23, 2012)

Megaupload's server host Carpathia is asking a judge for help; the

company has been stuck paying for retaining the 25 petabytes of data at

a cost of about US $9,000 a day. Carpathia wants permission to

reallocate the more than 1,000 servers used to store the data for other

customers who are able to pay for the service. The Motion Picture

Association of America (MPAA) has asked a federal judge to ensure the

data are retained. Megaupload wants the data preserved and has asked

that some of its seized funds be used to pay Carpathia.

[Editor's Comment (Northcutt): A cautionary tale.  No matter where you

stand on the copyright law discussion, this is a company that is paying

real money to preserve the data they collected by their business

relationship with Megaupload. And the requirements to keep the 25

Petabytes of data could easily go on several more years. ]

 --Mozilla Switches to Default SSL Google Searches

(March 21, & 22, 2012)

Mozilla's Firefox browser now uses Secure Sockets Layer (SSL) by default

on Google searches. The change currently affects only the beta version

of the browser, but will eventually be introduced more broadly in a

stable version of Firefox some time later this year. The shift means

that Internet service providers (ISPs) will not be able to look at

users' search query information, and websites visited after users

conduct searches will not be able to access the information, either.

 --University of Tampa Student Data Compromised

(March 21, 2012)

Personally identifiable information belonging to more than 6,800

University of Tampa students was exposed on the Internet for eight

months, according to the Florida university. The breach was discovered

as part of an in-class project on advanced search techniques. Two other

files containing information about nearly 23,000 additional people may

also have been exposed during the same time period.

 --DuQu Variant Detected

(March 21, 2012)

A variant of the driver for the DuQu intelligence-gathering malware has

been detected on computers in Iran. The DuQu driver variant is altered

enough from the earlier version so that it evades detection. Researchers

say it seems that the attacker may use the information gathered by DuQu

to take other action.

 --Russian Police Arrest Eight in Connection with Carberp Trojan

(March 20, 2012)

Russian authorities have arrested eight people believed to have stolen

more than 60 million rubles (US $2.04 million) using the Carberp Trojan

horse program. Carperb steals online banking login credentials, which

the suspects allegedly used to transfer funds from targeted accounts to

accounts opened by members of the group; the money was them withdrawn

from those accounts through ATMs. The number of compromised accounts is

estimated to be 90. The malware was allegedly placed on Russian

newspaper and other frequently visited websites.


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in

computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of

STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm

Center and Dean of the Faculty of the graduate school at the SANS

Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top

producer of cyber ranges, simulations, and competitive challenges, now

used from high schools to the Air Force. He is also author and lead

instructor of the SANS Hacker Exploits and Incident Handling course, and

Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in

Information Assurance and Associate Professor at the Naval Postgraduate


Rob Lee is the curriculum lead instructor for the SANS Institute's

computer forensic courses ( and a Director

at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in

independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for

Inguardians, a handler for the SANS Institute's Internet Storm Center,

and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS

Institute. He has written five books, including Insider Threat and he

is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)

at the FBI and served as President of the InfraGard National Members

Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information

security field who have held a top management position in a Fortune 50

company (Alcoa).  He is leading SANS' global initiative to improve

application security.

David Hoelzer is the director of research & principal examiner for

Enclave Forensics and a senior fellow with the SANS Technology


Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is

widely recognized as a security products designer and industry


Clint Kreitner is the founding President and CEO of The Center for

Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production

manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.