NETSEC Archives

[Netsec] SANS NewsBites Vol. 14 Num. 34 : Conficker Infections Still Increasing; Deadline Approaches To Clean Machines of DNS Changer; House Passes CISPA Despite Threat of Veto

  • From: The SANS Institute
  • Date: Fri Apr 27 19:47:48 2012

SANS NewsBites                April 27, 2012             Vol. 14, Num. 034
  Number of Conficker Infections Increased in 2011
  As Deadline Approaches, Efforts to Clean Machines of DNS Changer Increase
  House Passes CISPA Despite Threat of Veto
    UK's Anti-Piracy Legislation Delayed at Least Two Years
    Hacker Steals and Posts VMWare Source Code
    International Law Enforcement Effort Targets Sites Selling Payment
      Card Data
    DOD Set to Expand Cyber Threat Information Sharing Program
    Backdoor Found in Industrial Control Systems
    Majority of Fines for Data Breaches in UK Fall to Public Sector
    eMail Gaffe Sent Termination Notice to All Employees

************************  SPONSORED BY SANS ****************************

New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement 
Server, by SANS Oracle Security expert, Tanya Baccam. 

- --SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
- --SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
11 courses.  Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
- --SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012
10 courses.
- --SANS Security West 2012, San Diego, CA  May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
- --SANS Toronto 2012, Toronto, ON  May 14-19, 2012
5 courses. Bonus evening presentations include I've Been Geo-Stalked!
Now What? And What Should Keep You Up at Night: The Big Picture and
Emerging Threats.
- --SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks.  Maximize your training by also attending one or
more of the 4 pre-summit courses.
- --SANS Canberra 2012, Canberra, Australia   July 2-10, 2012
5 courses. Bonus evening presentations include Tales From the Crypt:
TrueCrypt Analysis.
- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented
IPv6, in large networks, for a few years.
- --SANSFIRE 2012, Washington, DC   July 6-15, 2012
44 courses. Bonus evening presentations include Authentication Issues
Between Entities During Protocol Message Exchange in SCADA Systems;
Critical Infrastructure Control Systems Cybersecurity; and Why Don't We
Consider Our Cars Critical Infrastructure?
- --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012
Listen to strategies and best practices that allow network
administrators and asset owners to understand the best approaches to
creating vulnerability management strategies.
- --SCADA Security Advanced Training, Houston, TX August 20-24, 2012
5 day course combining advanced topics from SCADA and IT Security into
the first hands-on Ethical Hacking course for Industrial Control Systems.
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Johannesburg, Atlanta, Brisbane, Boston, New York, and Malaysia all
in the next 90 days.
For a list of all upcoming events, on-line and live:

 --Number of Conficker Infections Increased in 2011
(April 26, 2012)
According to a report from Microsoft, the number of computers infected
by the Conficker worm increased 225 percent between 2009 and 2011; by
the end of 2011, the malware had compromised 1.7 million computers
worldwide. Conficker first appeared in 2008 and at its height, infected
seven million computers. The worm is seen as a greater threat to
enterprises than to individual users because it exploits weak passwords
to spread to administrative shares of computers on a network.
Conficker's persistence can be attributed in part to its defense: it
blocks infected users from accessing security websites, disables
security software, and uses encryption to disguise its malicious intent.

 --As Deadline Approaches, Efforts to Clean Machines of DNS Changer Increase
(April 24 & 25, 2012)
The FBI and the ad hoc DNSChanger Working Group are stepping up efforts
to inform users that their machines may still be infected with the
DNSChanger malware. At its height, the malware had infected four million
machines. The malware redirected users' computers to web sites crafted
specifically for the purpose of fraud. It also disabled antivirus
software on infected machines. As suggested by its name, DNSChanger
changed the DNS server settings on infected machines, redirecting them
to sites under the hackers' control. The operation was busted last fall,
and at that time the FBI obtained a court order allowing the Internet
Systems Consortium to run alternate DNS servers in place of those the
criminal group had set up. Infected machines then communicated with the
new servers and appeared to be accessing the Internet as usual. When the
order expires, the servers will be taken offline and people whose
computers remain infected will not be able to access the Internet.
Initially, that court order expired in March, but the FBI was granted
an extension through July 9. The efforts to clean up the remaining
infected machines include expanded news coverage of the story and the
availability of resources to help detect the malware and remove it from
infected machines.
[Editor's Note (Murray): We can count them but not identify them?  We
can clean up DNSchanger but not Conficker?  Is the difference a judge?
A corrupt machine is a corrupt machine]
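As an added example (not from the newsletter or the DNSChanger Working Group), the check a defender would run against a resolv.conf-style resolver configuration to spot a host still pointed at a rogue DNS server; the rogue ranges and approved resolvers below are constructed placeholders, since the bulletin does not list the real address blocks:

```python
"""Flag resolver settings that point outside the organization's approved
DNS servers, the symptom DNSChanger leaves behind on an infected host.

Added example, not code from the newsletter or the DCWG. ROGUE_RANGES
and APPROVED are constructed placeholders (documentation prefixes and
private addresses), not the blocks used in the real operation."""
import ipaddress
import re

# Constructed stand-ins for the published rogue resolver blocks.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Assumed corporate resolvers that a clean host should be using.
APPROVED = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str):
    """Return the IP addresses listed on nameserver lines; skip malformed ones."""
    out = []
    for m in NAMESERVER_RE.finditer(resolv_conf):
        try:
            out.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # a bad entry should not abort the whole audit
    return out


def classify(addr):
    """approved: on the allowlist; rogue: inside a known bad block; unknown: neither."""
    if addr in APPROVED:
        return "approved"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    return "unknown"


def audit(resolv_conf: str):
    """Map each configured resolver (as a string) to its verdict."""
    return {str(a): classify(a) for a in parse_nameservers(resolv_conf)}


# Constructed sample: one approved resolver and one inside a placeholder rogue block.
SAMPLE = "search corp.example\nnameserver 10.0.0.53\nnameserver 192.0.2.77\n"

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE).items():
        print(f"{ip}: {verdict}")
```

Any "rogue" or "unknown" verdict is the cue to pull the host for cleanup before the court-ordered replacement servers go offline.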

 --House Passes CISPA Despite Threat of Veto
(April 25 & 26, 2012)
On Thursday, the US House of Representatives passed the Cyber
Intelligence Sharing and Protection Act (CISPA). The White House has
promised to veto the bill, and privacy rights organizations are speaking
out against it. One of the legislators opposed to CISPA says that it
"would waive every single privacy law ever enacted in the name of
cybersecurity." The bill's proponents maintain that recently introduced
amendments would establish "significant safeguards to protect personal
and private information." The Electronic Frontier Foundation (EFF),
which opposes CISPA, says the amendments do not go far enough. The White
House says that CISPA "fails to provide authorities to ensure that the
nation's core infrastructure is protected while repealing important"
privacy protections.

*************************** Sponsored Links:  *************************
1) Sorting Through the Noise: SANS 8th Log and Event Management Survey, part I
Tuesday May 1, 1 PM EDT

2) Learning from Logs: SANS 8th Log and Event Management Survey, part II
Thursday, May 3, 1 PM EDT

 --UK's Anti-Piracy Legislation Delayed at Least Two Years
(April 26, 2012)
Anti-piracy provisions of the UK's Digital Economy Act will not be
enforced until at least 2014 because of legal challenges to the
legislation. The provisions have been criticized by the ISPs, which say
they would be placed in the role of policing user behavior. The measures
in question include sending warning letters to repeat offenders and
increasingly harsh penalties that could limit users' bandwidth or even
cut them off from the Internet altogether.

 --Hacker Steals and Posts VMWare Source Code
(April 25 & 26, 2012)
Source code for VMWare's ESX virtual machine software has been leaked
to the Internet. The person claiming responsibility said it was taken
from a Chinese company's network. VMWare has acknowledged the leak of
the code that is part of the ESX hypervisor and downplayed the idea that
the leak posed an increased risk to customers. However, a 2010 IBM study
found that 35 percent of vulnerabilities in a virtualized environment
can be traced to the hypervisor. The code dates back to 2003-2004. The
hacker said he has roughly 300 megabytes of the source code.

 --International Law Enforcement Effort Targets Sites Selling Payment
    Card Data
(April 26, 2012)
The UK's Serious Organised Crime Agency (SOCA), the US FBI, and the US
Department of Justice have seized 36 domains linked to stolen
payment card information trafficking. Law enforcement agencies in five
other countries assisted in the investigation and subsequent seizure of
the domains. The sites used ecommerce software called Automated Vending
Carts, which allowed them to sell large amounts of stolen data quickly.
Three people have been arrested in connection with the scheme.

 --DOD Set to Expand Cyber Threat Information Sharing Program
(April 25, 2012)
The success of a US Department of Defense (DOD) cyber threat
information sharing pilot program has prompted the DOD to make plans to
expand the program and make it permanent. The defense industrial base
(DIB) pilot program would then expand from the original 37 participating
entities to approximately 200 firms. The proposal to expand the program
and make it permanent is awaiting approval from the Office of Management
and Budget (OMB).  The program was started two years ago when it became
apparent that foreign attackers were targeting firms in the US's defense
industrial base to steal information. The information sharing runs both
ways; the companies share threat information with the government
agencies, and the agencies share it with the participating members of
private industry.
[Editor's Note (Honan): The article is worth
the time taken to read it as it offers some interesting insights behind
the headlines we see. For example "most incidents that are characterized
as "attacks" are more aptly described as probes, intelligence gathering
or espionage" are among some of the more sensible commentary on the
issues surrounding cyber security.]

 --Backdoor Found in Industrial Control Systems
(April 25, 2012)
Industrial control equipment running RuggedCom's Rugged Operating System
has been found to have an undocumented backdoor. The backdoor exists in all
versions of the Rugged Operating System made by RuggedCom; it cannot be
disabled. The company's equipment is designed to be used in "harsh
environments" such as oil refineries and power plants. The backdoor is
a factory user account with a password based on the MAC address of the
network interface. A workaround has been made available to be used until
a fix is released. The person who discovered the backdoor contacted
RuggedCom about the issue more than a year ago but the company did not
address the issue then.
[Editor's Comment (Northcutt): What could possibly go wrong? This
reminds me of the Verizon MiFi problem first published by Josh Wright
in 2010, if you could see the default SSID, you could deduce the shared
secret password: 
(Murray): We are already having a hard enough time identifying and
eliminating the vulnerabilities in this space; we did not need this. I
remember when a plenary session of the National Computer Security
Conference was told that they would never be professionals unless and
until they stopped paying rogues for after dinner confessions.
Programmers will never be software "engineers" until they are willing
to "stand under the bridge while the army marches across."  There must
be someone between the brand and the code to accept accountability for
the product.]

 --Majority of Fines for Data Breaches in UK Fall to Public Sector
(April 25, 2012)
Although more than a third of the data security breaches reported in the
UK in a recent 11 month period occurred in the private sector, the fines
imposed on those firms are significantly lower than those imposed on
public sector organizations. Between March 2011 and February 2012, there
were five fines imposed on public sector entities, totaling GBP 790,000
(US $1.28 million), while there was just one fine imposed on a private
sector organization, for GBP 1,000 (US $1,619). According to the Information
Commissioner's Office, fines may be imposed only if certain conditions
are met. 
[Editor's Note (Murray): Without counting, I would suggest that here the
major fines are paid by hospitals.  Not all malware is the same but a
corrupt machine is a corrupt machine.
(Honan): A striking aspect of the breaches reported is the number that
are caused by human error.  Of the 730 incidents reported, 281 were
due to emails or documents sent to the wrong people, while another 108
incidents were the result of lost equipment and 17 due to incorrect
disposal.  That means 55% of incidents were self-inflicted breaches,
while only 170, or 23%, of the incidents reported were due to theft of
data or hardware.  A good reminder that we need to focus on better
security awareness training for users and controls to compensate for
when users make mistakes or break policy.]

 --eMail Gaffe Sent Termination Notice to All Employees
(April 23, 2012)
An email slip-up sent job termination notices to more than 1,300
employees of a London-based investment firm. Aviva Investors has offices
throughout Europe and in Canada and the US. The message was supposed to
have been sent to just one person. A message correcting the error was
sent out soon after. Aviva announced in January that it planned to cut
approximately 160 jobs worldwide as part of its restructuring.

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit


