SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #23

March 20, 2012

TOP OF THE NEWS

Pentagon is Fast Tracking Cyber Weaponry
DuQu Framework Language Identified as Object Oriented C
Trojan Uses Stolen Digital Certificate
Indian Court Dismisses Charges Against Microsoft in Objectionable Content Case
UK Man Charged for Allegedly Launching Cyber Attacks on CIA and SOCA

THE REST OF THE WEEK'S NEWS

German Court Orders RapidShare to Prevent Uploading of Pirated Content
GAO Says IRS Needs to Implement Information Security Measures
Microsoft Acknowledges RDP Proof-of-Concept May Have Been Leaked Through Information Sharing Program
Senators Seek Declassification of Rulings That Expand Domestic Spying
Man Arrested in Connection with Online Banking Fraud

================ REMEMBERING HAL TIPTON ====================

Remembering Hal Tipton

---

******************** SPONSORED BY SolarWinds.Net, Inc. ******************
Successful network, application and system defense rests on the ability to identify and respond to threats immediately - before they become a problem. SIEM software should be powerful, easy and affordable for operations, compliance and security. SolarWinds(r) Log and Event Manager (LEM) software gives you the firepower you need to defend your IT infrastructure! http://www.sans.org/info/101959
**************************************************************************
TRAINING UPDATE
- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/
- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/
- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/
- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/
- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
- --Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Abu Dhabi, Johannesburg, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

Pentagon is Fast Tracking Cyber Weaponry (March 18, 2012)

The US military is stepping up development of cyber weaponry that could be used against enemy networks, even those not connected to the Internet. To hasten the development of the tools, the Defense Advanced Research Projects Agency (DARPA) budget has been given US $500 million over five years. Among the agency's new cyber development initiatives is a "fast-track" program. Network attacks as a military offensive are unlikely to be standalone events; instead, it is likely that they will be paired with other warfare tactics. Over the last decade, cyber technology has grown to be "a significant factor" in military operations. Offensive measures have been considered but set aside because of possible collateral damage; it is not possible to be certain how far the effects of an attack will reach. Currently, the military is spending more on cyber defense than on offense.
-http://www.washingtonpost.com/world/national-security/us-accelerating-cyberweapo
n-research/2012/03/13/gIQAMRGVLS_story.html
[Editor's Note (Kreitner): One has to wonder whether the Mutually Assured Malfunction scenarios of the Cyber Age will provide a level of deterrent anything like the Mutually Assured Destruction scenarios has during the Nuclear Age. Maybe if the truly powerful cyber offensive capabilities remain only in the possession of nation-states as opposed to independent bad actors. ]

DuQu Framework Language Identified as Object Oriented C (March 19, 2012)

Researchers at Kaspersky Lab, stumped by a portion of code in the DuQu Trojan horse program that the malware uses to communicate with command-and-control servers, have found their answer: old-school Object Oriented C. Kaspersky chief malware expert Vitaly Kamluk noted that "these are techniques used by professional software developers but not malware writers." When they were unable to figure out the language of the portion of the malware known as DuQu Framework, Kaspersky researchers decided to crowdsource the problem.
-http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/
-http://www.theregister.co.uk/2012/03/19/duqu_trojan_mystery/
[Editor's Note (Honan): More details of the code used can be found at
-http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
and
-http://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Framework_solved
with some interesting observations in the comments sections of those blogs. ]

Trojan Uses Stolen Digital Certificate (March 19, 2012)

A Trojan horse program known as Mediyes uses a digital certificate that is signed by a Swiss company called Conpavi AG and issued by VeriSign. Researchers at VeriSign's parent company Symantec say that the attackers must have gained access to the private encryption key associated with the Conpavi certificate. Symantec has revoked the certificate that was used to sign the malware, which intercepts search engine queries and redirects them to an advertising network server.
-http://www.h-online.com/security/news/item/Advertising-trojan-with-Swiss-signatu
re-1474758.html
-http://www.pcworld.com/businesscenter/article/252099/stolen_encryption_key_compr
omised_symantec_certificate.html
[Editor's Note (Pescatore): The CA/Browser Forum recently met and decided to "to form a working group on organizational reform. The task of this group will be to develop and present to the full organization, by April 16th, proposals for a new charter and bylaws." Drastic improvement is badly needed - the sorry state of security around the issuance of SSL and signing certificates continues to drive the value of those certificates down and down and down. ]

Indian Court Dismisses Charges Against Microsoft in Objectionable Content Case (March 19, 2012)

A court in India has dismissed charges against Microsoft for allegedly hosting objectionable content. Microsoft was one of nearly two dozen companies named in a lawsuit brought by an Indian journalist. Microsoft had argued that no formal allegations were brought against it and the court agreed.
-http://www.bbc.co.uk/news/world-asia-india-17426162
-http://news.cnet.com/8301-1009_3-57399981-83/microsoft-off-the-hook-in-india-cen
sorship-case/

UK Man Charged for Allegedly Launching Cyber Attacks on CIA and SOCA (March 19, 2012)

A UK man has appeared in court and been charged with conspiracy for his alleged role in cyber attacks on websites belonging to the CIA and the UK's Serious Organized Crime Agency (SOCA). Ryan Ackroyd also faces charges for allegedly breaking into the websites of the UK's National Health Service (NHS) and News International, which publishes the Sun newspaper. Ackroyd did not enter a plea at the hearing, but a judge granted him bail; the terms of the bail prohibit Ackroyd from accessing the Internet. He also faces allegations of breaking into other sites in the US.
-http://www.theregister.co.uk/2012/03/19/lulzsec_suspect_court_date/

---

*********************** SPONSORED LINKS: *****************************
1) Nearly 90 % of organizations are not fully aware of what personal devices are accessing what company resources! Register for the SANS Mobile Security Survey and be among the first to receive full results in a paper written by SANS mobility expert, Kevin Johnson. http://www.sans.org/info/101964
2) New Analyst Paper in the SANS Reading Room! Review of NetIQ Sentinel 7 for Security Information and Event Management, by senior SANS analyst, Jerry Shenk. http://www.sans.org/info/101969 For a full index of SANS Analyst papers, go here: http://www.sans.org/reading_room/analysts_program/
************************************************************************

---

THE REST OF THE WEEK'S NEWS

German Court Orders RapidShare to Prevent Uploading of Pirated Content (March 19, 2012)

A court in Germany has ruled that file-hosting website RapidShare must filter the files its users upload to prevent material that violates copyright law from being posted. According to a statement, RapidShare will be required to block its users from uploading content from a list of 4,000 known copyright infringing files. The case in which the court ruled was brought by a coalition of German booksellers. If RapidShare decides to appeal the order, it could find support in a recent EU court ruling that said the type of monitoring that would be required to prevent the upload of illegal content would violate European privacy laws.
-http://arstechnica.com/tech-policy/news/2012/03/german-court-orders-rapidshare-t
o-filter-user-uploads.ars

GAO Says IRS Needs to Implement Information Security Measures (March 16 & 19, 2012)

According to a report from the Government Accountability Office (GAO), the US Internal Revenue Service (ISP) has not adequately protected its computer systems. The IRS has not installed critical fixes for software vulnerabilities, has not made sure the contractors have been trained in security issues, and has not taken steps to restrict permissions to prevent employees from accessing portions of the networks that do not pertain to their responsibilities. There is no mandatory information security program at the IRS according to the GAO. The security issues noted in this report are similar to those in earlier GAO reports on IRS information security.
-http://www.nextgov.com/nextgov/ng_20120319_2120.php?oref=topnews
-http://www.politico.com/news/stories/0312/74123.html
-http://www.gao.gov/assets/590/589399.pdf

Microsoft Acknowledges RDP Proof-of-Concept May Have Been Leaked Through Information Sharing Program (March 16, 18 & 19, 2012)

Microsoft is investigating the possible leak of information about a software vulnerability in Windows Remote Desktop Protocol (RDP). A proof-of-concept exploit code for the flaw was released shortly after Microsoft issued the fix on Tuesday, March 13. Microsoft said that it is likely that sample attack code for the RDP flaw was leaked through an information sharing program it has for antivirus vendors.
-http://www.v3.co.uk/v3-uk/news/2161590/microsoft-launches-investigation-suspecte
d-breach-security
-http://www.scmagazine.com/exploit-for-gaping-microsoft-rdp-hole-may-have-gotten-
help/article/232396/
-http://www.informationweek.com/news/security/app-security/232602800
-http://www.computerworld.com/s/article/9225293/Microsoft_blames_security_info_sh
aring_program_for_attack_code_leak?taxonomyId=82
-http://www.theregister.co.uk/2012/03/16/microsoft_rdp_flaw_release/
-http://nakedsecurity.sophos.com/2012/03/16/rdp-exploit-china/

Senators Seek Declassification of Rulings That Expand Domestic Spying (March 15 & 16, 2012)

Two Democratic US senators are seeking the declassification of secret court rulings that grant the government extensive domestic spying authority under the Patriot Act, beyond what the law originally intended. Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) say that the Foreign Intelligence Surveillance Act Court has broadened the government domestic spying powers under the Patriot Act. In a letter to Attorney General Eric Holder, the senators wrote, "We believe most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 of the Patriot Act. As we see it, there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows."
-http://www.wired.com/threatlevel/2012/03/declassify-spy-court-rulings/
-http://www.nytimes.com/2012/03/16/us/politics/democratic-senators-warn-about-use
-of-patriot-act.html?_r=1
-https://www.documentcloud.org/documents/325953-85512347-senators-ron-wyden-mark-
udall-letter-to.html
[Editor's Note (Pescatore): Secrecy and security are not synonymous. In many cases, and this is probably one of them, transparency leads to higher levels of security in the long run. ]

Man Arrested in Connection with Online Banking Fraud (March 15, 2012)

Police in Britain have arrested a man in connection with online banking fraud. An unnamed bank had notified police that a number of its customers' online had accounts had been compromised over an 18-month period; the Police Central e-Crime Unit launched an investigation that resulted in the arrest. Police seized equipment from the suspect's residence as well.
-http://www.csoonline.com/article/702228/police-arrest-online-banking-fraudster?s
ource=CSONLE_nlt_newswatch_2012-03-16

---

================ REMEMBERING HAL TIPTON ====================

The flags at SANS are flying at half mast for the passing of Hal Tipton, a pioneer in the field of information security. Two NewsBites editors offered personal thoughts:

From Paul Henry: Back in the early 1990's, with less than 1000 CISSP's, there were very few resources to prepare one for the CISSP exam. Hal Tipton was able to bring together numerous IT professionals and get them involved in an unprecedented collaborative effort to share information to prepare candidates for the exam in the annually published Information Security Handbook that he co-authored with Micki Krause. Through his constant encouragement and his in-depth technical editing skills, he was able to encourage many professionals who had never even considered writing a book chapter to share their experiences and knowledge to increase the level of knowledge within the community. After 10 years and at least 10 book chapters I will miss hearing from Hal with his annual email: "So what interesting things have you learned this year that you can share with the community... can I count on you for another chapter for the ISMH..."

From Stephen Northcutt: I was asked to work with NASA as part of the get back into space after the Challenger disaster. The project culminated with a series of briefings to senior management and I did one on security. In the evening there was a mixer. Hal came up to me, pushed his finger into my chest and said, "You have no idea what you are talking about!" OK, I thought to myself and waited. Hal continued, "Your job is just like the loss prevention officer at Kmart. You can't protect your organization from attack, the best you can hope for is to keep shoplifting to a low enough level that they do not close the Kmart." At the time I was a bit offended, but as the years have gone by, I have come to see the wisdom of his point of view.

From Paul Henry: Back in the early 1990's, with less than 1000 CISSP's,

From Paul Henry: Back in the early 1990's, with less than 1000 CISSP's,

From Stephen Northcutt: I was asked to work with NASA as part of the get

From Stephen Northcutt: I was asked to work with NASA as part of the get

---

************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/