Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #14

February 19, 2008

SANS Delays Penetration Testing Summit
For the first time in its 19 years of existence, SANS has postponed a scheduled event. The Penetration Testing and Ethical Hacking Summit was moved from March to June, but for a very good reason: to allow the Pen Testing folks to also attend the web application security sessions at SANS Application Security Summit, and vice versa. But that's not the only good news. By delaying it to June, we were also able to persuade both Johnny Long (the highest rated hacking speaker other than Ed Skoudis - who will chair the Summit) and H.D. Moore (the renowned author of Metasploit) to come share their latest findings at the Pen Testing and Ethical Hacking Summit.

So if you buy penetration testing services or if you perform penetration testing or red teaming, please join others with like interests in Las Vegas June 2-3 (courses June 4-5).

More information:



Indiana Lawmakers Consider Requiring Companies to Encrypt Customer Data
White House Wary of Proposed Changes to FISMA
UK and Australia Mull Making ISPs Piracy Monitors


Teen Pleads Guilty in Botnet Scheme
SEC Appeals Judge's Order to Release Illegal Profits to Hacker
Woman Fined for Intercepting Nanny Agency eMail
Former Intern Arrested for Allegedly Accessing City eMail
UK Information Commissioner's Office Says Number of Data Breaches Not Out of the Ordinary
ISP Gave FBI More Data Than it Sought in National Security Letter
Nine Sued for Selling Pirated Software on eBay
FreeBSD Flaws Fixed
Halifax Bank Blocks Credit Card Payments to WoW Publisher

***************** Sponsored By Credant Technologies *********************

FULL DATA ENCRYPTION2 = Full Disk without the Risk Full disk encryption methods require unwelcome compromises to IT operations, and can't provide the level of data security that enterprises now need.
New Full Data Encryption2 is here! Protect What Matters: Your Data. Download overview.


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products:
- - Washington DC (Tyson's) 3/24-3/31
- - San Diego (5/9-5/16)
- - Toronto (5/10-5/16)
- - and in 100 other cites and on line any-time:



Indiana Lawmakers Consider Requiring Companies to Encrypt Customer Data (February 16, 2008)

Indiana state legislators are considering a bill that would require companies to encrypt customers' personal data to protect them from identity fraud. The Indiana House version of the bill requires that companies use high-level encryption for customer data and that they report breaches to affected customers and to the state attorney general's office, where a list of all reported breaches would be available for citizens' perusal. The Senate version of the bill would not require as high a level of encryption or notification of the attorney general's office. The House and Senate are trying to reconcile their bills.

See the text of the bill here:

[Editor's Note (Shpantzer): Interesting thing about the wording here, it says that a ""Breach of the security of a system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information." So if someone causes a database to crash, (attack on integrity), but no information is leaked (confidentiality is maintained), then the law says a 'breach' has occurred..
(Schultz): It is troubling to learn that the biggest obstacle to this bill's being passed is controversy concerning whether the Indiana attorney general's office must be notified when data security breaches occur. The proposal that all customer data be encrypted is both exemplary and groundbreaking--it needs to become law regardless of whether the provision concerning required reporting goes through.]

White House Wary of Proposed Changes to FISMA (February 14, 2008)

The White House is questioning the need for many changes to the Federal Information Security Management Act (FISMA) described in the Federal Agency Data Protection Act. One section would require US government agencies to inform Congress about the methods they are using to protect their systems from the risks of peer-to-peer file sharing programs. The objection to this element stems largely from a reluctance to focus on a specific technology in outlining security requirements. The proposed legislation "would
[also ]
require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches." Office of Management and Budget (OMB) administrator for e-government and information technology Karen Evans is resistant to some of the proposals because they could "seriously impact established security and privacy practices while not necessarily achieving the outcomes of improved privacy and security." The bill's sponsor, Representative William Clay (D-Mo.) maintains that it "would move us toward more rigid security requirements while staying within the FISMA framework."


UK and Australia Mull Making ISPs Piracy Monitors (February 15 & 17, 2008)

The UK and Australian governments are considering policy changes that would require Internet service providers (ISPs) to act as monitors of illegal downloading. The ISPs would keep track of who is downloading pirated content and possibly cut off their service if they do not refrain from the activity. In the UK, the ISP industry association says there are "legal and technical barriers" to them acting as anything more than a "mere conduit." According to current law, ISPs may not inspect the contents of packets traveling over their networks unless compelled to do so by a warrant. Representatives from some ISPs acknowledge that they engage in traffic management to prevent a few customers from hogging available bandwidth. In Australia, the government is considering a three strikes policy before users are cut off from the Internet.

[Editor's Note (Schultz): Proposing that ISPs act as monitors of piracy activity does not seem reasonable for many reasons, one of the most important of which is that ISPs, many of which are currently not doing all that well monetarily, do not really have the resources to engage in such efforts.
(Paller): These UK and Australian initiatives are the front edge of a wave of similar legislation that will be introduced asking ISPs to take on added responsibility for improved privacy and security for their customers. Users cannot protect themselves; asking them to do so is disingenuous. Only their ISPs and their software providers are in a position to make security and privacy feasible for most users. ]

************************** Sponsored Links: ***************************

1) Complimentary White Paper: Beyond NetFlow, JFlow, and SFlow: Harnessing Application-aware Flow Information to Improve Network Security

2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at

3) FREE Webcast "Shining a Spotlight on MPLS Security Issues" to utilize network behavior analysis to overcome MPLS pitfalls.




Teen Pleads Guilty in Botnet Scheme (February 19, 2008)

A US teenager has pleaded guilty to using botnets to place adware on hundreds of thousands of computers. The unnamed teen worked with Jeanson James Ancheta, who is currently serving a 57-month sentence for his part in the attacks. The teenager will face a prison sentence of between one year and 18 months when he is sentenced in May. The pair infected computers at the Defense Information Security Agency (DISA) and Sandia National Laboratories.
[Editor's Note (Northcutt): Teens do dumb things sometimes, I just hope that Ancheta doesn't get out of prison and get famous with a book or movie deal. Here is his picture, don't hire him!

SEC Appeals Judge's Order to Release Illegal Profits to Hacker (February 15 & 18, 2008)

The Securities and Exchange Commission (SEC) is appealing a ruling that would have them release illegally obtained funds to a Ukrainian hacker. Oleksandr Dorozhko broke into the servers of IMS Health and viewed the company's results announcement hours before it was released to the public. He then used the information to place sell orders on which he earned nearly US $300,000. The judge who made the initial ruling said the actions did not violate US securities laws. The judge acknowledged that the situation was unusual, but said she had no choice and the most reasonable avenue to pursue would be a hacking prosecution. The US Department of Justice has rejected that option possibly because of the anticipated difficulty of obtaining a conviction in the Ukraine.

Woman Fined for Intercepting Nanny Agency eMail (February 18, 2008)

A woman has been fined GBP 500 (US $975) for reading email messages from her previous employer's account. Susan Holmes had worked for a nanny agency that accepted registration forms through an AOL email account. The company neglected to change the account password after Holmes left, which allowed her access to the information. The company became suspicious after a noticeable decline in the amount of email they received on the account in the first few months of 2007. AOL connections logs revealed IP addresses that eventually led to Holmes being identified as the culprit. Last week, she pleaded guilty to unauthorized access to a computer, in violation of section one of the Computer Misuse Act 1990.
[Editor's Note (Northcutt): Great security awareness story, when someone leaves, whether at work or home, change any password they may have had access to. ]

Former Intern Arrested for Allegedly Accessing City eMail (February 16, 2008)

A former intern for a San Jose (CA) city councilman has been arrested for breaking into the city's email system. Eric Hernandez worked as an intern for Councilman Sam Liccardo; during his work there, he created email accounts for Liccardo's staff and knew the account passwords. Hernandez was allegedly trying to find information about another Liccardo staff member with whom he was angry; he planned to give the information to a blog and a newspaper. Hernandez faces up to three years in prison for the felony charge made against him.
[Editor's Note (Northcutt): Trying to diss his former boss's girl friend! Same song, second verse, a great security awareness story, when someone leaves, whether at work or home, change any password they may have had access to. ]


UK Information Commissioner's Office Says Number of Data Breaches Not Out of the Ordinary (February 18, 2008)

The UK Information Commissioner's Office (ICO) says the apparent upturn in the number of security breaches within the government is due to a growing recognition among government departments that reporting data breaches is important. It does not signify a sudden increase in the number of data breaches. The increased number of disclosures can be attributed to "increasing scrutiny from legislators" and Whitehall's examination of data-handling procedures.

ISP Gave FBI More Data Than it Sought in National Security Letter (February 17, 2008)

In what FBI officials have called an "apparent miscommunication," an unnamed Internet service provider (ISP) provided the agency with far more private information than they had requested. The extra records were destroyed. The FBI sought information about email addresses sent by one individual; the ISP provided the FBI with information about all email accounts that use the same domain as that particular individual. The incident took place in 2006 and was disclosed in papers obtained by the Electronic Frontier Foundation (EFF) through a Freedom of Information Act (FOIA) request.


Nine Sued for Selling Pirated Software on eBay (February 14, 2008)

The Software & Information Industry Association has filed lawsuits against nine people for allegedly selling pirated software on eBay. The lawsuits were filed on behalf of Symantec and Adobe as part of SIIA'a Auction Litigation Program, which offers rewards in the form of credit toward legitimate copies of software to people who turn in those selling the counterfeit software. The SIIA's antipiracy program has already helped them catch other sellers of counterfeit software.


FreeBSD Flaws Fixed (February 15, 2008)

Developers have fixed two vulnerabilities in the FreeBSD open source operating system. One of the flaws could be exploited to crash vulnerable systems with just one network packet, but apparently cannot be used to inject code. The other could allow local users to "access protected information."



Halifax Bank Blocks Credit Card Payments to WoW Publisher (February 15, 2008)

The UK's Halifax bank has decided to block credit card payments to World of Warcraft publisher Blizzard Entertainment after noting that an unusually large number of payments being made through the company's gaming sites involved stolen credit card information. Customers who want to subscribe to Blizzard game sites with Halifax or Bank of Scotland credit cards can contact the bank and make arrangements for the payments to go through. It is not apparent that other banks or financial institutions have followed Halifax's lead.


SANS Special Webcast Series: Part 1 of 3: "Security Insights with Dr. Eric Cole"
WHEN: Wednesday, February 20, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Dr. Eric Cole

The 2008 information security environment suggests new challenges and increasing potential for organizations to fall victim to the latest threats. While information security practices are improving, attackers and business requirements continue to raise the bar for the security professional. As organizations look at a technical landscape fraught with viruses, web-based exploits and social-engineering attacks, data loss challenges and beyond, the need to select proven technologies that address threats to their unique environment is crucial. Too often organizations are trying out new strategies and wonder what other organizations have done in similar situations. One of the leading experts in network security will draw above his teaching experience and interacting with thousands of students and different organizations, to show strategies that will allow organizations to implement cost effective solutions. Participants will walk away with insights they can directly apply, to increase their security. Register now for this free webcast!

Ask the Expert: Security Needs a New Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
Sponsored By: Prism MicroSystems

In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
Sponsored By Credant Technologies

This webcast will then discuss why today's dynamic IT environments must move away from first gen encryption products and to a more data-centric, not stand-alone, platform-specific point product of old. Gone are the days of the "encrypt everything" approaches, which lack protection against insider threats and have significant manageability, recovery, and usability issues. Hear how a new solution simultaneously meets security, IT operations, and compliance needs.

SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin. Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books --including BEYOND FEAR and SECRETS AND LIES --and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit