SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #20

March 09, 2012

The managing partner of a large New York law firm had a visit from the
FBI in which he learned that the files of every one of his firm's
clients had been copied from the law firm's servers and placed on
servers in Asia known to be used as transfer points in APT attacks (APT
translates loosely to Chinese, he learned). Nine days later, he and
another partner from his firm came to my house on a Sunday morning for
a conversation. They wanted to know why the intruders wanted the data,
how they got in, why the firewalls and AV and other security tools their
consultants told them to install didn't stop the attacks, and how they
could be stopped in the future. The conversation is posted at
http://www.sans.org/security-resources/cybersecurity-conversations

Alan

---

TOP OF THE NEWS

Six Most Dangerous Security Threats
US Government Maintains Right to Seize Top-Level Domains
Microsoft Will Issue Fixes for Seven Flaws
MPAA Seeks to Shut Down Hotfile Filesharing Site
Researchers Ask for Help Identifying Mystery Code in DuQu

THE REST OF THE WEEK'S NEWS

Maryland Court Says Government Does Not Need Warrant For Cell Phone Location Data
LulzSec Member Arrested in June 2011, Became Informant
ISPs Must Contribute to Alleged Filesharers' Appeals Body
Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies
FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal
NIST Updates Smart Grid Interoperability Roadmap

---

******************** SPONSORED BY F5 Networks, Inc. **********************
WHITE PAPER: APPLICATION SECURITY IN THE CLOUD Whether critical applications live in the cloud, in the data center, or in both, organizations need a strategic point of control for application security. Learn about a proven solution that provides the security, intelligence, and performance that today's dynamic infrastructures demand.
http://www.sans.org/info/101164
**************************************************************************
TRAINING UPDATE
-- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- - --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- - --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

- - --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 12 courses.
http://www.sans.org/secure-amsterdam-2012/

- - --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- - --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

Six Most Dangerous Security Threats (March 7, 2012)

At the RSA conference in San Francisco, in the best attended of all 220 track sessions, the nation's top penetration testing and incident handling expert, Ed Skoudis, and the director of the Internet Storm Center, Johannes Ullrich, discussed the six most dangerous new attack vectors that they saw being used in 2011 and also what has begun to emerge in 2012.
-http://www.scmagazine.com.au/News/292784,the-six-most-dangerous-infosec-attacks.
aspx
[Editor's Note (Paller): The Australian journalist who wrote this article did an extraordinary job of summarizing the presentation accurately and with enough fidelity to make you feel as if you had been there (and I was there). ]

US Government Maintains Right to Seize Top-Level Domains (March 6, 2012)

The US government maintains that it has the right to seize any sites operating with generic top-level domain names, such as .com, .net, .org, and others. Last week, the US government seized Bodog.com, a sports-wagering website. The domain name was registered with a Canadian company, but the US government served the seizure order on VeriSign, a US company that manages those top-level domains.
-http://www.wired.com/threatlevel/2012/03/feds-seize-foreign-sites/
[Editor's Comment (Northcutt): No matter where you stand on the issue, this is an important topic and an important article to read. ]

Microsoft Will Issue Fixes for Seven Flaws (March 9, 2012)

Microsoft will issue six security bulletins on Tuesday, March 13, to fix a total of seven vulnerabilities. Of those, just one has been given a maximum severity rating of critical. The bulletins will address flaws in Microsoft Windows, Visual Studio, and Expression. The bulletin with the critical rating will address a remote code execution vulnerability in Windows.
-http://www.v3.co.uk/v3-uk/news/2158211/critical-fix-planned-patch-tuesday
-http://www.scmagazine.com.au/News/293142,microsoft-to-patch-seven-security-issue
s-with-six-bulletins.aspx
-http://technet.microsoft.com/en-us/security/bulletin/ms12-mar

MPAA Seeks to Shut Down Hotfile Filesharing Site (March 8, 2012)

The Motion Picture Association of America (MPAA) has filed a motion for a summary judgment against filesharing site Hotfile. The plaintiffs allege that "Hotfile actively fosters the massive copyright infringement that fuels its business," while Hotfile says it takes down content that violates copyright law upon request. The plaintiffs say that Hotfile is no different than Megaupload. Hotfile, which is based in Panama, is claiming safe harbor protections under the Digital Millennium Copyright Act (DMCA), but the movie and music companies say that Hotfile does not qualify for those protections because it did not identify and terminate the accounts of repeat offenders.
-http://www.bbc.co.uk/news/technology-17300225

Researchers Ask for Help Identifying Mystery Code in DuQu (March 7 & 8, 2012)

Researchers at Kaspersky Lab are seeking help with deciphering a portion of DuQu, malware code that has been detected on systems in North Africa and the Middle East. Researchers suspect that the mysterious code may be in a completely new programming language. The component in question is part of DuQu's communication with command-and-control servers. Other portions of DuQu are written in C++. Analysis indicates similarities between DuQu and Stuxnet, although Stuxnet aims to sabotage and DuQu aims to steal information.
-http://www.v3.co.uk/v3-uk/news/2157879/researchers-stumped-mystery-code-duqu-mal
ware
-http://www.wired.com/threatlevel/2012/03/duqu-mystery-language/
-http://www.computerworld.com/s/article/9225024/Researchers_can_39_t_identify_pro
gramming_language_used_in_Duqu_ask_for_help?taxonomyId=17
-http://www.theregister.co.uk/2012/03/08/duqu_trojan_mystery_code_riddle/

---

*********************** SPONSORED LINKS: *****************************
1) Oracle Entitlements Server Review Featuring: Tanya Baccam and Roger Wigenstam
http://www.sans.org/info/101169
2) New Analyst Paper in the SANS.org Reading Room: Needle in a Haystack, Getting to Attribution in Control Systems by SCADA security expert, Matthew E. Luallen. http://www.sans.org/info/101174
3) "Privileged User Access: Root of all Evil!" Featuring SANS Analyst Dave Shackleford Wed., March 28 at a special time of 12:30 PM EST
http://www.sans.org/info/101179
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Maryland Court Says Government Does Not Need Warrant For Cell Phone Location Data (March 7, 2012)

A Maryland court has ruled that the government may demand more than six months worth of location data from cell phone providers without requiring a warrant. The case involved two people accused of armed robbery. Their legal team attempted to suppress evidence obtained about their locations that was obtained without a warrant, but Judge Richard D. Bennett ruled that a warrant was not needed in the case.
-http://arstechnica.com/tech-policy/news/2012/03/obama-admin-wants-warrantless-ac
cess-to-cell-phone-location-data.ars
-http://www.scmagazine.com/anonymous-hacker-turned-informant-helps-feds-arrest-fi
ve/article/230908/

LulzSec Member Arrested in June 2011, Became Informant (March 6, 2012)

Hector Xavier Monsegur, known online as Sabu, the alleged leader of the LulzSec hacking group, became an informant after he was arrested last June. In August 2011, he pleaded guilty to a dozen hacking charges connected to cyber attacks on HBGary, Sony, and InfraGard. Monsegur is facing more than 120 years in prison, but is likely to draw a significantly lighter sentence because of information he has provided to law enforcement authorities. That information contributed to five arrests earlier this week.
-http://arstechnica.com/tech-policy/news/2012/03/all-the-latest-on-the-unmasking-
of-lulzsec-leader-sabu-arrests.ars
-http://www.computerworld.com/s/article/9224917/Former_LulzSec_leader_now_FBI_inf
ormant_brings_down_hacking_group_Stratfor_hacker?taxonomyId=82
-http://www.wired.com/threatlevel/2012/03/lulzsec-snitch/
-http://www.wired.com/threatlevel/2012/03/anonymous-sabu-reaction/
-http://www.darkreading.com/database-security/167901020/security/attacks-breaches
/232602124/lulzsec-leader-turns-informant-as-feds-arrest-key-members-of-hacking-
group.html
-http://www.scmagazine.com/anonymous-hacker-turned-informant-helps-feds-arrest-fi
ve/article/230908/
[Editor's Note (Murray): Hey guys, this is not the Mafia. There is no Omerta here. No honor among thieves. If you conspire with a rogue hacker, you have to assume that if identified, he will shop you. Moreover, if you are engaged in a hacker conspiracy, remember the first guy identified walks. ]

ISPs Must Contribute to Alleged Filesharers' Appeals Body (March 6, 2012)

The UK's Digital Economy Act requires Internet service providers (ISPs) there to contribute to the costs associated with establishing and maintaining an appeals body for people who have been accused of filesharing. UK ISPs TalkTalk and BT appealed the requirement, but a court ruled against them, saying that ISPs must contribute 25 percent of the costs. The other 75 percent will be paid by Ofcom, a UK communications regulator. The Digital Economy Act also requires ISPs to sever users' Internet connections if they repeatedly engage in illegal filesharing after receiving several warnings.
-http://news.cnet.com/8301-1009_3-57391558-83/u.k-isps-lose-appeal-must-pay-legal
-fees-of-file-sharing-suspects/

Legislators Ask OMB to Investigate Agencies' Electronic Monitoring Policies (March 6, 2012)

Two US legislators have asked the Office of Management and Budget (OMB) to investigate electronic monitoring policies at all government agencies. The request comes in the wake of reports of Food and Drug Administration (FDA) employees being fired because of comments they made in personal electronic messages sent over government systems.
-http://www.govexec.com/technology/2012/03/lawmakers-seek-agency-policies-email-s
urveillance/41395/
-http://www.computerworld.com/s/article/9224938/US_lawmakers_ask_if_federal_worke
rs_have_email_privacy?taxonomyId=144
[Editor's Note (Murray): All US government employees that use computers consent to monitoring. The issue is not whether monitoring is legitimate but whether the purposes to which such monitoring is put are legitimate. Of course, having consented to being monitored by one's bosses, a prudent man might abstain from criticizing his boss or his policies. ]

FCC Enforcement Advisory a Reminder That Cell Phone Jammers are Illegal (March 6, 2012)

The US Federal Communications Commission (FCC) has issued an Enforcement Advisory to remind the public that the use of cell phone jammers is illegal. The advisory mentioned reports of people using the devices on buses and other modes of public transportation to create "quiet zones." In another instance, a teacher was using a blocking device in the classroom, but blocked cell phone communications throughout the entire school. It is also illegal "to import, advertise, sell, or ship" the devices. The FCC says that the devices "pose an unacceptable risk to public safety by potentially preventing the transmission of emergency communications."
-http://www.washingtonpost.com/business/technology/fcc-cellphone-jammers-are-ille
gal/2012/03/06/gIQAmeRPvR_story.html
-http://www.nextgov.com/nextgov/ng_20120306_1935.php?oref=topnews
[Editor's Note (Ranum): They are legal in hospitals and churches. I am a church. ]

NIST Updates Smart Grid Interoperability Roadmap (March 5, 2012)

The National Institute of Standards and Technology (NIST) has issued an updated version of The Framework and Roadmap for Smart Grid Interoperability. Release 2.0 of this publication incorporated 22 additional technical standards. The standards compiled thus far are not mandatory because it the roadmap is not yet complete.
-http://gcn.com/articles/2012/03/05/nist-smart-grid-framework-update.aspx

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/