SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #17

February 28, 2012

Six of the SANS2012 courses will be simulcast so you can participate in
a major SANS training program without leaving your desk.
List and schedule at
http://www.sans.org/virtual-training/sessions#simulcast

---

TOP OF THE NEWS

Network Monitoring Plan Raises Questions of Privacy and "Active Defenses"
Proposed legislation Would have ISP Retain IP Logs for One Year
Appeals Court Rules Forced Decryption Violates Fifth Amendment Rights

THE REST OF THE WEEK'S NEWS

WikiLeaks Publishes Purloined Stratfor eMail
New ZeuS Variants Get instructions Through P2P Network
US Government Aims to Clear Computers of DNSChanger
Supreme Court Decision Spurs FBI to Turn Off 3,000 GPS Tracking Devices
Filesharing Site Throttles Download Speeds for Unpaid Users
Flashback.G Exploits Known Holes in Mac OS
Court Cannot Tell FTC to Enforce Agreements

---

************************** SPONSORED BY Zscaler **************************
ONLINE WEBCAST with GARTNER: DEADLY TRIO? TABLETS, FACEBOOK, and BOTNETS in your enterprise
Web Applications, Tablets, and Smartphones all drive productivity, but expose businesses to web threats and data theft.
Join Zscaler, and Gartner Analyst Lawrence Orans, to learn how to enable employees while protecting your business. March 6 at 10am PST / 1pm EST http://www.sans.org/info/100371
**************************************************************************
TRAINING UPDATE
- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

- -- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses.
http://www.sans.org/appsec-2012/

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Stuttgart, Boston, Abu Dhabi, Toronto, and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

---

TOP OF THE NEWS

Network Monitoring Plan Raises Questions of Privacy and "Active Defenses" (February 27, 2012)

The White House has resisted pressure from the National Security Agency (NSA) to expand that agency's authority in the protection of private-sector networks that are part of the country's critical infrastructure. While the NSA has advanced tools and skills, both the White House and the Justice Department expressed concerns that the plan would over-reach privacy boundaries. Also at issue is the lack of clarity about what action constitutes "active defenses" in protecting the networks.
-http://www.washingtonpost.com/world/national-security/white-house-nsa-weigh-cybe
r-security-personal-privacy/2012/02/07/gIQA8HmKeR_story.html
-http://www.washingtonpost.com/blogs/checkpoint-washington/post/active-defense-at
-center-of-debate-on-cyberattacks/2012/02/27/gIQACFoKeR_blog.html?hpid=z1
[Editor's Note (Paller): In the past several months, new people have come into most of the important cybersecurity jobs in DHS. The new DHS people have the technical talent to take on the monitoring job - supported but not controlled by NSA. People at the White House and Justice Department who continue to fight immediate mandates to monitor key DoD contractors and other critical infrastructure networks, do not believe the cyber threat is important enough. They are waiting for "the big one." When it comes, they'll conveniently try to forget they were the people who set their nation up as an easy target. ]

Proposed legislation Would have ISP Retain IP Logs for One Year (February 27, 2012)

Proponents of privacy rights and civil liberties are speaking out against proposed legislation in the US House of Representatives that would requires Internet service providers (ISPs) to retain customers' IP logs for one year. The Protecting Children From Internet Pornographers Act is sponsored by Lamar Smith (R-Texas) who also sponsored the Stop Online Piracy Act (SOPA). The concerns about the proposed legislation include the fact that IPSs would be collecting data about users whether or not they have been accused of wrongdoing and that the stored data would be ripe for theft, leaks, and snooping.
-http://www.computerworld.com/s/article/9224668/Advocacy_group_takes_aim_at_anti_
porn_bill_requiring_ISP_data_retention?taxonomyId=17

Appeals Court Rules Forced Decryption Violates Fifth Amendment Rights (February 24, 2012)

Last week, a US federal appeals court in Atlanta has ruled that forcing an individual to decrypt a computer hard drive so the data on the device can be used by prosecutors violates the individual's Fifth Amendment rights. Just a day before the 11th Circuit Court of Appeals' ruling, the 10th Circuit Court of Appeals in Denver refused to hear the appeal of Ramona Fricosu, who has been ordered by a lower court to decrypt a laptop found in her possession because it is believed to contain information that could help the prosecution. The Denver court agreed with the DOJ's assertion that Fricosu must have a verdict against her before an appeal can be considered. A 2000 Supreme Court case ruled that only when government can describe the documents it seeks with "reasonable particularity" can it compel a suspect to produce those documents. In the Atlanta case, the John Doe defendant has spent months in jail for contempt charges for refusing to decrypt hard disks.
-http://arstechnica.com/tech-policy/news/2012/02/appeals-court-fifth-amendment-pr
otections-can-apply-to-encrypted-hard-drives.ars
-http://www.wired.com/threatlevel/2012/02/laptop-decryption-unconstitutional/
-http://news.cnet.com/8301-1009_3-57385022-83/note-to-self-encrypt-data-memorize-
password/
-http://www.h-online.com/security/news/item/US-ruling-Disclosure-of-passwords-is-
unenforceable-1442424.html

---

THE REST OF THE WEEK'S NEWS

WikiLeaks Publishes Purloined Stratfor eMail (February 26 & 27, 2012)

WikiLeaks has begun publishing email messages that were stolen from Stratfor Global Intelligence in December. The stolen messages span more than seven years and reportedly contain information about the US government's and Stratfor's own efforts to undermine WikiLeaks and its founder, Julian Assange. Stratfor offers global security analysis to the US military and government contractors as well as to private clients. WikiLeaks claims to have more than five million messages; as of Monday morning, fewer than 200 of the messages had been posted.
-http://www.computerworld.com/s/article/9224625/WikiLeaks_releases_Stratfor_email
s_possibly_from_December_hack?taxonomyId=82
-http://www.h-online.com/security/news/item/Wikileaks-begins-publishing-Stratfor-
emails-1443254.html
-http://news.cnet.com/8301-1009_3-57385496-83/wikileaks-plans-to-release-e-mails-
from-security-think-tank/
-http://www.bbc.co.uk/news/world-us-canada-17176602
-http://www.wired.com/threatlevel/2012/02/wikileaks-anonymous-partners/
-http://www.eweek.com/c/a/Security/WikiLeaks-Stratfor-Email-Release-Raises-Uncomf
ortable-Questions-734788/

New ZeuS Variants Get instructions Through P2P Network (February 27, 2012)

The most recently detected variants of ZeuS/SpyEye are receiving instructions not from command-and-control (C&C) servers, but through peer-to-peer (P2P) networks. C&C servers have increasingly become the targets of takedown orders and monitoring by authorities. A version detected last year used P2P as a means of communication if C&C servers became unavailable, but the newest version has made C&C servers unnecessary.
-http://www.theregister.co.uk/2012/02/27/p2p_zeus/
-http://www.pcworld.com/businesscenter/article/250488/symantec_new_zeus_botnet_no
_longer_needs_central_command_servers.html
[Editor's Note (Liston): Just like the guys in the white hats, the black hats recognize when their network has a single-point-of-failure and take action to provide redundancy. ]

US Government Aims to Clear Computers of DNSChanger (February 27, 2012)

The Department of Homeland security (DHS) is working to identify those government computers that are still infected with malware known as DNSChanger. Unless the malware is removed from those machines, they will no longer be able to access the Internet after March 8, when a court order allowing substitute DNS servers set up by the FBI expires. The FBI has requested an extension of that order through July 9, and an expedited decision has been requested.
-http://www.nextgov.com/nextgov/ng_20120227_9754.php?oref=topstory
Internet Storm Center (on the FBI extension):
-http://isc.sans.edu/diary.html?storyid=12652
[Editor's Note (Liston): I'm not entirely sure why this is taking so long. The mechanism for identifying DNSChanger-infected hosts is straightforward. Unfortunately, government has allowed this to drag on and now it has become a crisis. Why not leverage the FBI controlled DNS servers to notify users? i.e. when someone does a DNS lookup for specific "human-in-front-of-the-computer" type sites, redirect them to a warning page. ]

Supreme Court Decision Spurs FBI to Turn Off 3,000 GPS Tracking Devices (February 26 & 27, 2012)

FBI general counsel Andrew Weissmann said that the agency has turned off 3,000 GPS tracking devices in the wake of a recent Supreme Court ruling. The January 23 decision said that placing a GPS device on an individual's car qualifies as a search and therefore requires a warrant. The case heard by the Supreme Court involved a man whose car was tracked with a GPS device; although a warrant was obtained, the device was installed after the warrant had expired and it was installed while the car was in a different jurisdiction from that in which the warrant had been issued.
-http://arstechnica.com/tech-policy/news/2012/02/fbi-turns-off-3000-gps-trackers-
after-supreme-court-ruling.ars
-http://gcn.com/articles/2012/02/27/agg-fbi-gps-tracking-devices.aspx
-http://www.theverge.com/2012/2/26/2826606/fbi-gps-tracking-device-shutdown-supre
me-court-privacy-ruling

Filesharing Site Throttles Download Speeds for Unpaid Users (February 26, 2012)

Since Megaupload has been shuttered, illegal filesharers have been turning to other Internet file hosts. To manage the resulting significant uptick in unpaid user traffic, one site, RapidShare, has reduced download speeds for unpaid users. Paid users who want customers to be able to download the files they have uploaded for free must supply RapidShare with additional information, including data that will allow RapidShare to contact them. Legitimate files will be permitted to download at high speed.
-http://www.pcmag.com/article2/0,2817,2400762,00.asp
-http://arstechnica.com/gadgets/news/2012/02/to-reduce-piracy-rapidshare-throttle
s-download-speed-for-free-users.ars

Flashback.G Exploits Known Holes in Mac OS (February 24, 2012)

A new version of the Flashback malware, which targets computers running Mac OSes, has been detected. In an apparent effort to evade detection, Flashback.G does not install itself on systems that are running certain anti-virus programs. It infects users who visit specially crafted web pages either by exploiting one of two known security flaws, or by using a Java Applet that attempts to fool the users into believing it is Apple certified. Flashback.G has the capacity to steal login credentials for PayPal, Google, and online banking sites. Users who have upgraded to OS X Lion are more protected that users of older versions of Mac OSes because Java does not come pre-installed on Lion.
-http://www.h-online.com/security/news/item/Flashback-malware-uses-new-infection-
technique-1442810.html
-http://www.theregister.co.uk/2012/02/24/flashback_mac_trojan/
-http://www.v3.co.uk/v3-uk/news/2154961/flashback-mac-trojan-aims-steal-users-onl
ine-banking-details

Court Cannot Tell FTC to Enforce Agreements (February 24, 2012)

A US District Court Judge has agreed with the Federal Trade Commission (FTC) that the courts do not have the authority to tell government agencies how to enforce agreements. The ruling comes in response to a lawsuit filed by the Electronic Privacy Information Center (EPIC) that sought to compel the FTC to enforce a Consent Order it reached with Google. That suit was filed in response to Google's announcement of its new privacy policy. The judge's ruling did not include an opinion on whether or not Google's new policy violates the order, leaving that determination to the FTC. EPIC plans to appeal the decision. In response to a question about Google's privacy policy, FTC chairman Jon Leibowitz replied that Google has "been clear and that it's a fairly binary and somewhat brutal choice that they are giving consumers."
-http://www.nextgov.com/nextgov/ng_20120224_3521.php?oref=topnews
-http://techdailydose.nationaljournal.com/2012/02/ftc-chairman-google-giving-con.
php
(Northcutt): I like Google. But there are a few things I try to do to manage my privacy. On my MAC I use three browsers. I use Chrome incognito with Ghostery to access any Google service (GMAIL, Google Finance, Google Search). I use Safari and simply kill history and cookies once a week. On both my MAC and PC, when I use Firefox, I use it with NoScript and if I use a search engine I try to use IXQUICK, the non-tracking search engine. I also use rm -rf in the Macromedia directories to clear flash cookies. If I am using a PC, my main browser is I IE 9, with tracking lists (there is a tracking list just for Google, URL below) and usually InPrivate browsing and my search engine is Bing. I wonder if a side effect of the Google privacy change will be more search market share for Bing?
-http://www.iegallery.com/en/trackingprotectionlists/
-http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/trac
king-protection
-http://windows.microsoft.com/en-US/windows7/How-to-use-Tracking-Protection-and-A
ctiveX-Filtering]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/