Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #24

March 23, 2012

TOP OF THE NEWS

US ISPs Agree to FCC-Recommended Security Measures
Verizon Report: Hacktivism Accounts for More Than Half of Data Theft
US Dept. of Defense to Issue Rules of Cyber Engagement

THE REST OF THE WEEK'S NEWS

Changes to Data Retention Guidelines Concern Civil Liberties Groups
Google Releases Sixth Update for Chrome 17
House Subcommittee Hearing Focuses on DoD's Role in Cyber Security
Megaupload's Server Host Seeking Relief
Mozilla Switches to Default SSL Google Searches
University of Tampa Student Data Compromised
DuQu Variant Detected
Russian Police Arrest Eight in Connection with Carberp Trojan



TOP OF THE NEWS

US ISPs Agree to FCC-Recommended Security Measures (March 22, 2012)

Eight Internet service providers (ISPs) in the US, including the four largest in the country, have committed to implementing cyber security measures recommended by the US Federal Communications Commission (FCC) advisory board. The recommended steps are aimed at fighting botnets, domain name fraud, and Internet route hijacking. The measures include alerting customers when their machines show signs of being infected with botnet malware and helping them clean those computers. The eight ISPs provide service to approximately 80 percent of broadband users in the US.
-http://www.itworld.com/government/261194/us-isps-commit-new-cybersecurity-measures

[Editor's Note (Pescatore): This is a needed step in the right direction, but it will need to avoid trying to rely on alerting customers and focus more on active protection. In 2010 Australian ISPs did a similar thing called iCode and there have been some "in the cloud" actions taken but mostly more web sites explaining threats vs. making those "Internet tubes" cleaner. I think the growth of wireless data access makes the carriers more incentivized to do more filtering on their end than when the focus is purely on the wired Internet side.
(Paller): The commitments are, for all but two ISPs, merely statements of intent. What the FCC has not yet established is a method of measuring the effectiveness of security improvements. FCC Commissioner Julius Genachowski told the FCC Advisory Board that developed the code of conduct that such measures of effectiveness are essential. Sadly, the ISPs are deeply antagonistic to measuring their individual effectiveness in reducing the threat of botnets (or to doing the filtering that John Pescatore describes in the previous editor's comment). Once effectiveness is measured, however, the public would know which ISPs are the best places to practice safe Internet activities and ISPs would compete to get the bot count down quickly. If the FCC cannot get a measurement system in place, the US initiative will be no more effective than the ICode in Australia where the effectiveness is at best spotty. ]

Verizon Report: Hacktivism Accounts for More Than Half of Data Theft (March 22, 2012)

According to Verizon's 2012 Data Breach Investigations Report, the majority of data stolen last year was the doing of hacktivists rather than cyber criminals out to profit from their spoils. Fifty-eight percent of data stolen in 2011 were pilfered by hackers with a political or social agenda. The report analyzes 855 incidents worldwide; those attacks accounted for 174 million stolen records. Verizon director of research and intelligence Wade Baker said that hacktivists are harder to defend against because they tailor their attacks for specific targets.
-http://www.bbc.co.uk/news/technology-17428618
-http://www.h-online.com/security/news/item/Verizon-finds-hacktivists-responsible-for-58-of-stolen-data-1478023.html
-http://www.wired.com/threatlevel/2012/03/hacktivists-beat-cybercriminals/
-http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf

US Dept. of Defense to Issue Rules of Cyber Engagement (March 21, 2012)

The US Department of Defense may issue rules of cyber engagement within the next few months, according to military officials. The rules will set forth how the military should respond to cyber attacks and describe when they can take proactive defensive measures. The policy is a cooperative effort between the Joint Staff and the Office of the Secretary of Defense's Office of Policy.
-http://www.informationweek.com/news/government/security/232602957



THE REST OF THE WEEK'S NEWS

Changes to Data Retention Guidelines Concern Civil Liberties Groups (March 22, 2012)

US Attorney General Eric Holder has approved guidelines that allow the National Counterterrorism Center (NCTC) to retain information for up to five years. Prior guidelines required NCTC to destroy data within 180 days unless they were clearly connected to terrorism. Civil liberties groups are concerned about the length of time that people's information will be held. Officials say that the changes are being made to ensure that analysts have ready access to the information, and that in some cases, information that did not appear to be pertinent at first glance turned out later to be important evidence.
-http://www.washingtonpost.com/world/national-security/new-counterterrorism-guidelines-would-permit-data-on-us-citizens-to-be-held-longer/2012/03/21/gIQAFLm7TS_story.html

Google Releases Sixth Update for Chrome 17 (March 22, 2012)

Google has released another security update for Chrome 17, the sixth in as many weeks. The update addresses nine vulnerabilities, six of which are rated critical. Four researchers were paid a total of US $5,500 for alerting Google to five vulnerabilities. The other four flaws were either found by Google's own team or were not significant enough to merit a bounty. Google uses silent updates for Chrome, so machines running the browser will be automatically updated.
-http://www.computerworld.com/s/article/9225441/Google_patches_9_Chrome_bugs_pays_more_to_top_researchers?taxonomyId=17
-http://googlechromereleases.blogspot.co.uk/2012/03/stable-channel-update_21.html

House Subcommittee Hearing Focuses on DoD's Role in Cyber Security (March 21, 2012)

Some US legislators are arguing for the military to take a larger role in the nation's cyber security. Currently, the role of protecting private and civil government networks is under the purview of the Department of Homeland Security (DHS). Representative Mac Thornberry (R-Texas), who chairs the House Armed Services emerging threats and capabilities subcommittee, said at a hearing on March 20 that US citizens expect that the DoD will "defend the country in whatever domain it is attacked. That means that Cyber Command must be ready, and Congress and the administration must find a way to ensure that it has the legal authorities it needs and at the same time ensure that the constitutional rights of Americans are protected." Army General Keith Alexander, Commander of the US Cyber Command, said that while the threats in cyberspace have become more dangerous, he does not believe that DoD should assume the roles that DHS has been filling, and that the best way DoD can help both DHS and private sector organizations is through sharing cyber threat information.
-http://www.nextgov.com/nextgov/ng_20120321_8300.php?oref=topnews

Megaupload's Server Host Seeking Relief (March 21, 22, & 23, 2012)

Megaupload's server host Carpathia is asking a judge for help; the company has been stuck paying for retaining the 25 petabytes of data at a cost of about US $9,000 a day. Carpathia wants permission to reallocate the more than 1,000 servers used to store the data for other customers who are able to pay for the service. The Motion Picture Association of America (MPAA) has asked a federal judge to ensure the data are retained. Megaupload wants the data preserved and has asked that some of its seized funds be used to pay Carpathia.
-http://www.wired.com/threatlevel/2012/03/mpaa-megaupload-user-litigatio/
-http://arstechnica.com/tech-policy/news/2012/03/isp-storing-25-petabytes-of-megaupload-data-costs-us-9000-a-day.ars
-http://computerworld.co.nz/news.nsf/news/will-megauploads-28-petabytes-of-data-be-deleted

[Editor's Comment (Northcutt): A cautionary tale. No matter where you stand on the copyright law discussion, this is a company that is paying real money to preserve the data they collected by their business relationship with Megaupload. And the requirements to keep the 25 Petabytes of data could easily go on several more years.]

Mozilla Switches to Default SSL Google Searches (March 21 & 22, 2012)

Mozilla's Firefox browser now uses Secure Sockets Layer (SSL) by default on Google searches. The change currently affects only the beta version of the browser, but will eventually be introduced more broadly in a stable version of Firefox some time later this year. The shift means that Internet service providers (ISPs) will not be able to look at users' search query information, and websites visited after users conduct searches will not be able to access the information, either.
-http://paranoia.dubfire.net/2012/03/firefox-switching-to-https-google.html
-http://www.informationweek.com/news/security/privacy/232602977

University of Tampa Student Data Compromised (March 21, 2012)

Personally identifiable information belonging to more than 6,800 University of Tampa students was exposed on the Internet for eight months, according to the Florida university. The breach was discovered as part of an in-class project on advanced search techniques. Two other files containing information about nearly 23,000 additional people may also have been exposed during the same time period.
-http://www.computerworld.com/s/article/9225391/Univ._of_Tampa_says_student_info_was_exposed_for_8_months?taxonomyId=203
-http://www.infosecurity-magazine.com/view/24672/university-of-tampa-data-breach-affects-30000-students-faculty-and-staff/

DuQu Variant Detected (March 21, 2012)

A variant of the driver for the DuQu intelligence-gathering malware has been detected on computers in Iran. The DuQu driver variant is altered enough from the earlier version so that it evades detection. Researchers say it seems that the attacker may use the information gathered by DuQu to take other action.
-http://www.pcworld.com/businesscenter/article/252211/researchers_discover_new_duqu_variant_that_tries_to_evade_antivirus_detection.html
-http://www.msnbc.msn.com/id/46821870/ns/technology_and_science-security/
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232700010/duqu-alive-and-well-new-variant-found-in-iran.html

Russian Police Arrest Eight in Connection with Carberp Trojan (March 20, 2012)

Russian authorities have arrested eight people believed to have stolen more than 60 million rubles (US $2.04 million) using the Carberp Trojan horse program. Carberp steals online banking login credentials, which the suspects allegedly used to transfer funds from targeted accounts to accounts opened by members of the group; the money was then withdrawn from those accounts through ATMs. The number of compromised accounts is estimated to be 90. The malware was allegedly placed on Russian newspaper and other frequently visited websites.
-http://www.theregister.co.uk/2012/03/20/russia_carberp_suspects_arrested/
-http://www.computerworld.com/s/article/9225345/Eight_online_banking_scammers_arrested_in_Russia?taxonomyId=83



************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/