
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #20

March 11, 2008

It is surprising how few people are aware of the new security courses that were launched in the past few months, because security isn't standing still. Here's a short list of the new ones that you can attend at SANS 2008. Look particularly at the new pen testing courses. If you hired a pen tester who hasn't taken the new pen testing course and completely updated his tools and techniques in the past year, his tests are woefully out of date and ineffective. And as a special gift to security folks reading NewsBites, we are inviting you to get two or three of your programmers to come to Orlando for the Secure Coding in Java/JEE class. Email for the discount code for them. More info on SANS 2008 in Orlando:

New Courses:
SEC560 Network Penetration Testing and Ethical Hacking
SEC542 Web Application Penetration Testing In-Depth
SEC519 Web Application Security Workshop
SEC538 Web Application Penetration Testing Fundamentals
SEC426 AJAX and Web Services Security Overview
SEC541 Secure Coding in Java/JEE: Developing Defensible Applications
AUD521 Meeting the Minimum: PCI/DSS 1.1: Becoming and Staying Compliant
SEC531 Windows Command-Line Kung Fu In-Depth for Info Sec Pros
SEC533 Windows PowerShell
SEC540 VoIP Security
SEC427 Browser Forensics
SEC535 Network Security Projects Using Hacked Wireless Routers
SEC526 Next Evolution in Digital Forensics
SEC537 Identifying and Removing Malware
SEC616 Defensible .NET



Brothers Receive Prison Sentences for Selling Pirated Software
Chinese Hackers Say They Infiltrated Pentagon Systems


Harry & David Suing IBM for Software Fraud
Cyber Warfare Exercise Underway
Tories Outline Their Plan for Tackling Cybercrime
Music Labels Want Irish ISP to Help Fight Piracy
Sun Releases Update for Java Runtime Environment
MTV Data Breach Exposes 5,000 Employees' Personal Data
Man Indicted in South Korea for Intellectual Property Crimes
Police Decline to Intervene in Libelous Bebo Page Case
Students Develop Linux-Based Cyber Forensics Tool
NJ Legislator Wants Investigation Into Stolen Insurance Company Laptop

************************** Sponsored By PacketMotion ********************

Are your internal controls and acceptable use policies for consultants, temporary, and high-risk users working? What information assets are in jeopardy? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions. Download the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of High-risk User Activity in the Network" now.


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products:
- Washington DC (Tyson's) 3/24-3/31
- San Diego (5/9-5/16)
- Toronto (5/10-5/16)
- and in 100 other cities and online any time:



Brothers Receive Prison Sentences for Selling Pirated Software (March 8, 2008)

Brothers Maurice A. Robberson and Thomas K. Robberson have been sentenced to prison for selling pirated software online. Together, the brothers made more than US $1 million by selling counterfeit software worth more than US $6.5 million. Both men have agreed to forfeit all they earned from their business. Maurice was sentenced to three years in prison, while Thomas received a sentence of 30 months. Two other people involved in the scheme have already been sentenced. The pirated software included products from Adobe Systems, Autodesk, and Macromedia.

Chinese Hackers Say They Infiltrated Pentagon Systems (March 7, 2008)

A group of Chinese hackers who met with CNN claim to have broken into Pentagon computers and downloaded sensitive data. They say they have received payment from the Chinese government for their activities, although the government denies this. The group's leader told CNN that "no web site is one hundred percent safe ... there is always a weakness."
[Editor's Note (Pescatore): Note that the Shanghai Daily has an article with the hackers denying CNN's claim.
(Skoudis): I find it fascinating that one of these attackers is a "marketing graduate," according to the article. While I'm sure that their exploit stories contain a grain of truth, I'll bet that at least some of their tales have been enhanced using their group's self-proclaimed marketing expertise. ]

************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at

2) Live Webcast March 18th. Listen to Hertz, Forrester, and GuardianEdge Discuss Endpoint Data Protection - Beyond Encryption. Register Now!




Harry & David Suing IBM for Software Fraud (March 10, 2008)

Harry & David, the online gourmet gift basket retailer, has filed a lawsuit against IBM, alleging the company knowingly sold Harry & David ecommerce software that violated other companies' patents. Furthermore, the suit alleges, IBM did not come to Harry & David's defense when they were faced with legal problems over the software patents. The lawsuit seeks at least US $6 million in damages.


Cyber Warfare Exercise Underway (March 7 & 10, 2008)

Cyber Storm II is underway. Five countries and 40 companies will participate in a series of cyber war games to test their preparedness to respond to and recover from cyber attacks. Eighteen US government agencies are involved in the simulation. Other countries participating are Canada, the UK, Australia, and New Zealand. This year, "the exercise will feature mock attacks by nation states, terrorists and saboteurs against the IT and communications sector and the chemical, pipeline and rail transportation industries." The exercise, which is a follow-up to 2006's Cyber Storm I, is the culmination of a year-and-a-half of planning.



Tories Outline Their Plan for Tackling Cybercrime (March 6, 2008)

British conservatives have expressed dissatisfaction with the current government's response to cybercrime and data security and have developed plans for addressing those issues should they win the next election. The Tories would establish a police national cyber crime unit, a fraud and cybercrime complaint center, and create the post of e-crime minister. They would also press for legislation that would require data breach disclosure. Shadow Home Secretary David Davis was especially critical of the government's decision to roll the National Hi-Tech Crime Unit into the Serious and Organized Crime Office.


Music Labels Want Irish ISP to Help Fight Piracy (March 10, 2008)

Irish Internet service provider (ISP) Eircom may be compelled to take steps to prevent illegal music downloading if four major record labels have their way. The four - EMI Records (Ireland) Ltd, Sony BMG Music Entertainment (Ireland) Ltd, Universal Music (Ireland) Ltd, and Warner Music (Ireland) Ltd - have brought a High Court action in an attempt to force the ISP to use technology specially designed to identify and stop the illegal activity. Eircom has thus far refused to employ technological filtering and blocking technologies to stop illegal downloads. One record company executive cited a 30 percent drop in sound recording sales since 2001.


Sun Releases Update for Java Runtime Environment (March 7, 2008)

Sun Microsystems has released an update to address a number of vulnerabilities in the Sun Java Runtime Environment (JRE). The most critical flaws could allow remote execution of arbitrary code. The affected products are JDK and JRE 6 Update 5, JDK and JRE 5.0 Update 15, SDK and JRE 1.4.2_17, and SDK and JRE 1.3.1_22. Users are urged to apply the update or disable Java in their web browsers.


MTV Data Breach Exposes 5,000 Employees' Personal Data (March 8 & 11, 2008)

A compromised Internet connection on an MTV Networks employee's computer led to a data breach that exposed personally identifiable information of approximately 5,000 MTV employees. The data include names, Social Security numbers (SSNs), and compensation information. Someone external to the company breached the files, though it is unclear whether the files were opened. MTV is conducting an internal investigation and employees have been notified.


Man Indicted in South Korea for Intellectual Property Crimes (March 6, 2008)

A former LG Electronics employee has been arrested and indicted for giving technology from LG to a Chinese company, according to South Korean prosecutors. The man, identified only as Jeong, allegedly took a portable hard drive with information about plasma display technology when he left the company and later gave the information to his new employer, the Chinese company COC. Another former LG employee and one who still works for the company have also been indicted for assisting Jeong. LG maintains that the theft and sharing of the proprietary information could cost the company as much as 1.3 trillion won (US $1.35 billion).



Police Decline to Intervene in Libelous Bebo Page Case (March 7 & 8, 2008)

Saying it is not a criminal matter, police in Strathaven, South Lanarkshire have declined to become involved in a case in which a 65-year-old woman's identity was used to create a page on the Bebo social networking website that contained patently false information damaging to her reputation. Helen Kilby had never used the Internet and does not own a computer. Bebo has been contacted and the libelous page taken down. Kilby says there should be measures in place to make sure this sort of incident does not take place; she is considering civil action against the people who created the defamatory page.


[Editor's Note (Schultz): One of the most unfortunate aspects of the Internet is the ability for anyone to completely fabricate information, post it on a Web site, and then watch with satisfaction as gullible users believe it at face value. It is unlikely that any measure, legal or not, will make much of a difference as far as this goes. ]

Students Develop Linux-Based Cyber Forensics Tool (March 7, 2008)

Students at Edith Cowan University's School of Computing and Information Sciences in Australia have developed a Linux-based tool to help police collect cyber evidence without compromising its integrity. The idea arose after the Western Australian Police asked the university for help two years ago. Normally, the police take PCs back to the station to gather evidence, but this tool allows them to collect it on site. The tool also searches out certain file types, which saves the police a great deal of time. To make sure the original evidence will still be admissible in court, the tool's developers "removed all network support and the ability to write to disk. If for some reason a disk is writeable, the system will halt automatically."

NJ Legislator Wants Investigation Into Stolen Insurance Company Laptop (March 3, 2008)

New Jersey State Senator Kevin O'Toole (R-40) has called for a hearing to investigate the circumstances surrounding the theft of a laptop that holds personally identifiable information of more than 300,000 Horizon Blue Cross/Blue Shield of New Jersey subscribers. The computer was stolen from an employee's home in January. Senator O'Toole wants to know how many other laptops hold Horizon subscriber data and wants Horizon's data privacy practices closely examined. Horizon has said that security procedures designed to protect data were not followed in this instance.


ISC Threat Update: March 2008
WHEN: Wednesday, March 12, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Tony Magallanez
Sponsored By: F-Secure

The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian
Sponsored By: Core Security Technologies

When beginning a security process at a consortium of non-profits, senior network security engineer Paul Asadoorian of PaulDotCom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing.

SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole

Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!

Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.

Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.

Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Fortify Software

All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.

SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
Sponsored By: Core Security Technologies

Stephen Northcutt challenges leaders to move past "Security Theater": practices like confiscating nail files in airport security, running vulnerability scans and taking no action, or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well, one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views (the inside view, outside view and user view) that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view and vulnerability scanners and exploitation tools like CORE for the outside view; to get the user view, we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.

SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.

Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava
Sponsored By: Intellitactics, Inc.

This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.

SANS Special Webcast: Security Insights with Dr. Eric Cole This Month's Topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole

Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organization's security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution, it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost-effective way to reduce risk. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this, it will provide a detailed understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday, April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dave Shackleford
Sponsored By: NIKSUN

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as this data, voice and video convergence becomes ubiquitous.

SANS Special Webcast: The Little Hybrid Web Worm That Could
*** Previously scheduled for 3/6/08***
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: HP

This Webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.


Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit