SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #43

June 02, 2009

Web application penetration testing is very different from system and network pen testing. If you want to know whether you know how to do it, a lengthy review of the top training class in web app pen testing posted is at


Cyber Security Review Report Response


Man Who Created Clandestine Database to Get Harsh Punishment
Former Employee Arrested in Connection With Cyber Intrusion
Cyclist and Coach Fail to Appear in Court Over Hacking Allegations
Apple Releases QuickTime Update
Windows Update Installs Firefox Add-on Surreptitiously
Microsoft Office 2000 Support Will Expire This Summer
Microsoft Developing Patch for DirectShow Vulnerability
Twitter Scareware Attack
British MP's Facebook Account Hit By Spam Scam
Stolen Laptop Recovered Thanks to Internet-Based Backup Service

******************* Sponsored By Tufin Technologies *********************

Slash Costs with Automated Firewall Security Audits

For security executives and administrators, Tufin SecureTrack is the key to fast, accurate firewall audits. Learn how you can reduce opex and increase network security by automating manual, repetitive firewall administration tasks and optimizing rulebases to improve performance.

Learn more - click for a free Tufin Polo shirt and a chance to win an Apple iPod Touch.



- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
- - Pen Testing and Web Application Attack Summit - June 1-2
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
- - National Forensics Summit, July 6-14
Looking for training in your own community? Save 25% on all On-Demand training (30 full courses) - See samples at Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live:



Cyber Security Review Report Response (May 30/June 2009)

The release of the report on the 60-day cyber security review has generated copious response. One of the primary concerns raised is that of information sharing between the public and private sector; all but one of the industry-specific Information Sharing and Analysis Centers (ISACs) created as a result of 1998's Presidential Decision Directive 63 failed, largely due to lack of trust between participants. The government also needs to make the most of its power to lead by example, requiring that products it purchases have security baked in.

Industry leaders and others with cyber security ties have voiced their responses to President Obama's policy statement and plan to name a cyber security coordinator.

Legislators supportive:

Czartalk (May 28 & 30 & June 1, 2009)

National cyber security would be better served by a federal chief information security office rather than a cyber security czar, according to Gartner VP and analyst John Pescatore. "Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer, and that should be the model that the US government follows." Others have expressed concern that the announcement of the position of cyber security coordinator last week was weak on details, leaving open to speculation how much power the position will have.




Man Who Created Clandestine Database to Get Harsh Punishment (May 27 & June 1, 2009)

Magistrates in Macclesfield, Cheshire, UK, have sent the case of Ian Kerr, who compiled a construction worker blacklist database, to crown court for sentencing. The reason they gave: they could not impose a severe enough penalty. The highest fine the magistrates have the authority to impose is GBP 5,000 (US $8,206). The man gathered information on more than 3,200 construction workers and sold it to companies for as much as GBP 20,000 (US $32,823) a year. The information included not only employment records, but political affiliations and union memberships. Kerr has admitted that he violated the Data Protection Act by creating the database but not registering it. The information Commissioner's office plans to go after the companies that used the information as well.
[Editor's Note (Ranum): Don't we expect that this kind of thing is happening everyplace? Data leakage becomes a serious problem once the leaked data gets into the hands of aggregators. ]

Former Employee Arrested in Connection With Cyber Intrusion (May 29, 2009)

FBI agents arrested Dong Chul Shin, a former Texas power company employee who is a suspect in a computer intrusion at his former employer's network. The intrusion hobbled an energy forecast system at Energy Future Holdings; the intrusion did not pose a threat to power availability, but did cost the company US $26,000. Dong was fired from the company on March 3, 2009, but his VPN access was not immediately terminated. Later that same day, Dong's account was used to access the corporate network and email proprietary data to a Yahoo account believed to belong to Dong. According to logs, the VPN connection came from Dong's home.
[Editor's Note (Northcutt): Have I mentioned my two favorite words are "Access Control" lately? Sheesh.
Editor's Note (Schultz): Insider attacks are now being perpetrated more often by ex-employees who use computers outside their ex-employees' networks to attack these networks and the computers therein than by current employees. Organizations thus need to be extra conscientious in identifying revoking all access available to ex-employees.
(Ranum): Revoking accounts when terminating an employee is something that we've been preaching for decades. This kind of thing makes me realize that, "no, they will never learn." ]


Cyclist and Coach Fail to Appear in Court Over Hacking Allegations (May 29, 2009)

Competitive cyclist Floyd Landis and his coach, Arnie Baker, were no-shows at a scheduled May 5 court appearance in France regarding allegations of hacking. The French laboratory that tested samples from Landis's Tour de France race in 2006 and found evidence of doping experienced an intrusion in which several documents were copied. eMail messages spoofed to appear to be coming from the lab were sent to various people; the documents suggested that the lab had previously made errors in sample testing. A recipient performed a history search on one of the documents that identified a previous user as "Arnie." The intrusion and document theft was allegedly carried out by a man named Alain Quiros, who was paid by a company called Kargas Consultants, but a direct link between Baker or Landis and the intrusion has not been made.


Apple Releases QuickTime Update (June 1, 2009)

Apple has released QuickTime version 7.6.2, an update that addresses 10 arbitrary code execution vulnerabilities. The flaws can be exploited by tricking users into opening specially crafted movie or image files. All users running QuickTime 7 are urged to update their software. The update also "includes changes that increase reliability, improve compatibility and enhance security."



Windows Update Installs Firefox Add-on Surreptitiously (May 29 & June 1, 2009)

Firefox users are unhappy that a recent Windows Update installed the .NET Framework assistant extension to the browser without first asking for authorization. The extension piggybacked on .NET Framework 3.5 Service Pack 1. The add-on establishes in Firefox "the ability for web sites to easily and quietly install software on your PC." The add-on is difficult to uninstall. Initially, the uninstall button was grayed out and manually uninstalling the add-on required "modifying the Windows registry, resetting changes made to the Firefox user agent and removing the .NET Framework extension files." There is now a fix available from Microsoft that restores the functionality of the uninstall button.


[Editor's Note (Northcutt): This reminds me of the Sony rootkit mess, is this even legal? To install sw without permission, I don't think it is. I just checked my Firefox and they got me too and my Uninstall is grayed out. But good for Microsoft for making a fix available:

But bad for Microsoft to make the fix scary. Why would you put software on people's computers without their permission if it had known issues? ]

Microsoft Office 2000 Support Will Expire This Summer (June 1, 2009)

Microsoft has announced that after July 2009, it will issue no more security patches for Office 2000. Office Update and Office Inventory Tool will also be dropped after July; Office Inventory users are urged to switch to Windows Server Update Services. Office 2000 users should also be aware that once support for the software is withdrawn, attackers are likely to target reported vulnerabilities in the software.


Microsoft Developing Patch for DirectShow Vulnerability (June 1, 2009)

Microsoft now says it is developing a patch for a vulnerability in the Windows DirectShow platform. The company has issued an advisory warning that attackers are actively exploiting the vulnerability. The attack is perpetrated through maliciously crafted QuickTime files. The attack is not browser specific and does not even require that users have QuickTime installed. The vulnerability affects Windows 2000, XP and Windows Server 2003; Windows Vista, Windows server 2008 and Windows 7 are not affected.



Twitter Scareware Attack (June 1, 2009)

A scareware scam is spreading through Twitter. A message reading "Best Video" contains a link that, if clicked, leads users to a site that attempts to download phony security software known as scareware onto their computers. Once a machine is infected, the malware tells users that certain programs cannot be run because they are infected and offers several different packages at varying prices for software that will "clean" their computers of the infection.

[Editor's Note (Pescatore): I keeping thinking Twitter will pass, just like the blinking URL tag thankfully faded away. The attackers have definitely glommed onto Twitter - maybe they will help? ]

British MP's Facebook Account Hit By Spam Scam (June 1, 2009)

A British MP has expressed dismay that his Facebook account was hijacked and used to send spam messages to 1,500 contacts. Michael Fabricant's account has been suspended; the spam messages, which ask the recipients to "Look at this," contain a link to a maliciously crafted web page. Fabricant's Facebook account was restored after he contacted one of the company's directors.


Stolen Laptop Recovered Thanks to Internet-Based Backup Service (May 29, 2009)

A California man's stolen laptop computer was found when he discovered self-portraits of the thief on his Internet-based backup service. Police recognized the suspect as a man who was released from jail earlier this year. The photographs indicated that the suspect was in a hotel room, so police attempted to identify the IP address he used to access the Internet with the hope that it would lead them to him. The man was spotted by police in a motel parking lot and arrested; law enforcement officers found additional stolen equipment in the hotel room where he had been staying. A second person was also arrested.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit