
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #55

July 15, 2008

A note for anyone who uses the NIST Special Publication 800-53 document as guidance for evaluation or auditing. NIST's new assessment guide, SP 800-53A, provides an essential starting point for consistent, reliable testing of security of government and contractor systems and applications. It can be found at

To enable it to meet its full potential for up-to-date, reliable, repeatable, and comparable security evaluations, a follow-on project is being launched called the SP800-53 Consensus Audit Guide (CAG) project. The CAG will integrate up-to-date threat information from NSA, US CERT, the National Cyber Security Center, and Internet Storm Center, and define specific repeatable measures to test each control that can be shown to reduce the risk posed by the important threats. With Federal CIO and CISO Council approval, the CAG can become a guide that auditors can use, as well as the guide that CIOs can use to measure their own security so they know in advance what the audits will find. A council is being formed of experienced security auditors to prepare the first draft for public comment. If you have extensive security audit experience (Red and Blue Team skills are especially valuable here) please email me ( with a short summary of your current position, your relevant experience and a statement of why you would like to be considered for membership on the CAG Council.


OMB Reports Progress on the Trusted Internet Connection Initiative
Lawsuit Filed Challenging FISA Act


Chinese Man Found Guilty of Hacking Red Cross Website
Former HP Executive Pleads Guilty to Passing IBM Trade Secrets
Former Analyst at Certegy Sentenced to Over 4 Years in Prison
Apple's iPhone 2.0 Software Update Includes 13 Security Fixes
Homer Simpson Spreading Malware to AIM Users
Army Laptop Recovered
NIST Releases Draft Paper on Mobile Computing Security
UK Councils Sell Voters' Addresses
Printer Tracking Technology Raises Privacy Concerns






OMB Reports Progress on the Trusted Internet Connection Initiative. (July 10, 2008)

According to the Office of Management and Budget, government agencies are making progress in reducing the number of Internet gateways serving the federal government under the Trusted Internet Connection (TIC) initiative. The TIC initiative is due for completion towards the end of 2009, with the target of fewer than 100 gateways to the Internet. These gateways will be provided either by the agencies themselves or by TIC Access Providers. When the initiative started in January there were 4,300 external connections to the Internet; by May this number had been reduced to 2,758. Agencies in the initiative will also deploy Einstein technology to continuously monitor traffic at the trusted Internet gateways.
[Editor's Note (Schultz): I wonder if OMB considered the potential consequences of having fewer gateways on susceptibility to denial of service-related attacks. ]

Lawsuit Filed Challenging FISA Act (July 11, 2008)

A number of civil liberties groups, including the American Civil Liberties Union (ACLU) and Amnesty International, have filed a lawsuit challenging the newly signed Foreign Intelligence Surveillance Act (FISA) Amendments Act. The law allows warrantless surveillance of telecommunications and grants immunity from subsequent lawsuits to the telecommunications companies facilitating the surveillance. The lawsuit claims that the law breaches the Fourth Amendment of the U.S. Constitution, which protects against unreasonable searches and seizures by the government. Supporters of the law claim it is a vital weapon in the fight against terrorism.


[Editor's Note (Northcutt): There has not been enough terrorist activity on US soil to support the systematic reduction in civil liberties that has happened in the past eight years. The deaths in the 9/11 attack, while horrific, are a drop in the bucket compared to deaths from cancer or in motor vehicles. This law will allow the government to spy on citizens. What kind of America are we leaving to our children? ]





Chinese Man Found Guilty of Hacking Red Cross Website (July 14, 2008)

Yang Litao, a 23-year-old Chinese man, was found guilty on Friday by a court in the eastern Jiangsu province of hacking into a Red Cross website. The website had been set up to raise funds in the aftermath of the May 12th earthquake in Sichuan province, which left nearly 90,000 people dead. Using credentials stolen from the website administrator, Litao altered the website so that donations were redirected to his own bank account. He also installed malware on the site, which left it offline for over 24 hours while Red Cross staff dealt with the infection. Chinese authorities were able to arrest Litao before any of the donations reached his bank account.

[Editor's Note (Northcutt): Litao may have made a significant mistake. I am no expert in China, but I remembered reading, "Hacking in China carries the death penalty," says Professor Neil Barrett, of the Royal Military College at Shrivenham. So I dug up the link: ]

Former HP Executive Pleads Guilty to Passing IBM Trade Secrets (July 12, 2008)

Atul Malhotra pleaded guilty before the San Jose District Court to one count of theft of trade secrets. His sentencing is scheduled for October 29th, when he could face up to 10 years in jail and a fine of up to US $250,000. While a director in IBM's global services department, Malhotra received a report containing "Trade Secret" information on IBM's calibration metrics. Each page of the report was marked "IBM Confidential". In May 2006, two months after receiving the report, Malhotra moved to Hewlett Packard as vice president of imaging and printing services. In late July of that year, Malhotra sent an email to an HP senior vice president with an attachment containing the IBM calibration metrics document. He also sent the same document to another HP senior vice president. Upon discovering the nature of the document, HP reported the incident to both IBM and law enforcement. According to an HP statement, "The activity with which Malhotra is charged was in direct violation of clear HP policies, including HP Standards of Business Conduct."


[Editor's Note (Northcutt): I know the bad press over Kevin Hunsaker and pretexting sullied HP's reputation, but talk to any long time employee and you'll learn that this is a company that tries hard to do the right thing. I have included a link as a pretexting reminder and also HP's own Ethics page. They did the right thing here and are to be commended! ]

Former Analyst at Certegy Sentenced to Over 4 Years in Prison (July 14, 2008)

A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of 8.4 million consumer records from Certegy Check Services. William G. Sullivan, who worked as an analyst for Certegy, exceeded his authorized computer access to steal the personal banking details (bank account data or credit/debit card data) of over 5.3 million customers. Sullivan then sold that information to his co-conspirators for US $580,000. He claimed he took part in the scheme because he had no retirement plan and his wife was not working.

Apple's iPhone 2.0 Software Update Includes 13 Security Fixes (July 14, 2008)

The latest version of Apple's iPhone software, released on July 11, contains 13 security fixes: 8 address vulnerabilities in the Safari web browser, 1 in CFNetwork, 1 in the kernel, and 3 in WebKit. Also included in the update are two security features aimed at the corporate market: the ability to remotely wipe data from an iPhone should it be lost or stolen, and enforcement of complex passcodes for users. Some users reported that the update left their iPhone inoperable because of a problem with Apple's iTunes update validation.

[Editor's Note (Pescatore): There are also reports that the Cisco VPN client on the iPhone gets interrupted if a voice call or SMS message comes into the phone when the VPN is running. This means the VPN will not get used much. ]

Homer Simpson Spreading Malware to AIM Users (July 12, 2008)

An email address,, used by the Homer Simpson character in a 2003 episode of the cartoon series "The Simpsons," is being used to spread malware to unsuspecting AIM users. The email address used in the episode was a real address, employed by the TV studio to respond to queries from fans of the show. The address became defunct but has now resurfaced and is being used to spread a Trojan. AOL users who have the email address in their buddy list receive a message with a link promising a web-exclusive video of the show. The link leads to a malicious site that attempts to recruit the computer into a botnet controlled by Turkish hackers.


Army Laptop Recovered (July 11, 2008)

A 17-year-old has been arrested in connection with the theft of a laptop containing personal information on 700 soldiers based at Fort Lewis, WA. Police recovered the laptop when they arrested the teenager. The laptop was reported stolen on July 4 from the seat of an Army employee's Dodge truck. A 500 GB removable hard drive was also taken in the theft. The employee "appears to have violated Army standards and policies for protecting personal information and government property" by leaving the laptop and the removable hard drive overnight in the unlocked vehicle.
[Editor's Note (Veltsos): Follow-up: Army CID (Criminal Investigation Command) found that there had been an unsuccessful attempt to access the data on the laptop. The external hard drive had not been turned on.

BTW, the 17-year-old called the police himself, to report a stolen wallet. ]


NIST Releases Draft Paper on Mobile Computing Security (July 14, 2008)

The US National Institute of Standards and Technology has released a paper containing draft guidelines on how to address the risks posed by mobile phones and other portable computing devices. NIST is seeking comments on the draft before final publication.
[Editor's Comment (Northcutt): If you have wondered how to make a difference, this is your chance. Download the document from the link provided and make at least one substantive comment back to NIST.]

UK Councils Sell Voters' Addresses (July 11, 2008)

A report from the UK's Information Commissioner and the Wellcome Trust has called for an end to the practice whereby local councils sell voter details to commercial companies. Under current legislation, councils are able to sell details of voters held on the electoral roll to commercial marketing companies for as little as GBP 5 (US $10) per 1,000 names. While individuals can opt out of having their details passed on to third parties, many fail to do so.

Printer Tracking Technology Raises Privacy Concerns (July 14, 2008)

A feature built into many modern color laser printers is raising concerns among civil liberties groups that individuals' privacy may be eroded. The feature prints a pattern of tiny yellow dots, unique to the printer, onto each page. The dots are invisible to the naked eye, but when viewed under a blue LED light they can be used to identify the printer. The technology is used to track those who attempt to use color laser printers to create counterfeit money. However, privacy advocates are concerned that it could be misused to track and identify whistleblowers or dissidents in totalitarian regimes.
[Editor's Note (Skoudis): I find this article fascinating, especially the comment by the director of the Central Bank Counterfeit Deterrence Group, who is quoted as saying, "The Secret Service is the only U.S. body that has the ability to decode the information." Oh, really? Then what about the EFF document that describes how to decode the dots, which I found with a simple Google search here:
That link even has a little web app in which you can click on a grid of dots, and it'll automatically decode the info for you. Are we simply supposed to trust this assertion of privacy through obscurity? ]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit