
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #98

December 15, 2009


Supreme Court to Review Reasonable Expectation of Privacy in Text Messaging Case
US and Russia Discussing Cyber Warfare and Cyber Security


Gartner Report Says Two-Factor Authentication Isn't Enough
22 Million Bush White House eMails Recovered
DECAF Aims to Take The Zing Out of COFEE
NIST Issues FIPS 140-3 Draft Document for Public Comment
Google Blocking Facial Recognition Component of Goggles Image Search Service
Fraud Prevention Security Questions Take a Strange Turn
MOD Laptop and Encryption Key Stolen
Stolen Swiss Bank Data Used in French Tax Evasion Investigation
Legislators Want to Keep TSA Document From Being Reposted

******************** Sponsored By Trend Micro, Inc. ********************

Trend Micro Ranked #1 in Real-World Independent Testing of Endpoint Malware Protection. Conventional anti-malware testing methods don't deliver optimal protection; get proven endpoint protection with OfficeScan.



- -- SANS Security East 2010, New Orleans, January 10-18, 2010; 19 courses and bonus evening presentations, including Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques, and more
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
- -- SANS Phoenix, February 14 -February 20, 2010
- -- SANS 2010, Orlando, March 6 - March 15, 2010; 38 courses and bonus evening presentations, including Software Security Street Fighting Style
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
- -- SANS Security West 2010, San Diego, May 7-15, 2010
Looking for training in your own community?
Save on On-Demand training (30 full courses)
- See samples at
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live:



Supreme Court to Review Reasonable Expectation of Privacy in Text Messaging Case (December 14, 2009)

The US Supreme Court will review a federal appeals ruling that the Ontario, California police department exceeded its reach when it accessed and read officers' personal text messages sent from work accounts. The appeals court also found that the text messaging service erred when it turned over transcripts of the messages without the officers' authorization. The Supreme Court said it would not hear the text messaging company's appeal, but would hear arguments in the case against the city. The officers in question said their employer's informal policy indicated the employer would not monitor their personal messages if the officers paid for any excess use.


US and Russia Discussing Cyber Warfare and Cyber Security (December 13 & 14, 2009)

Officials from the US and Russia are meeting to discuss improving Internet security and establishing cyber warfare policy. The Russians would like to see a cyber warfare disarmament treaty between the two countries. The talks are a step forward for the US, as the previous administration refused to engage in cyber warfare discussions with Russia.

************************* Sponsored Link: ****************************

1) Participation is needed! Be a part of this year's 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card. Click here to complete the survey and be automatically registered.



Gartner Report Says Two-Factor Authentication Isn't Enough (December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.


[Editor's Note (Ullrich): Authentication will not be able to solve the untrusted platform problem. If you use a compromised system, authentication doesn't matter. Out-of-band communication will only work if the out-of-band channel and associated hardware is secure, which may be questionable if devices like smartphones are used.

(Ranum): The problem is not 2 factor and it never has been; the problem is that SSL authentication has been broken since its inception. A transaction security layer that allows man in the middle attacks is not a transaction security layer.

(Northcutt): Litan's suggestion is important. Criminals are succeeding at stealing money from individuals' online bank accounts. The Finjan report in September did a great job of documenting all of this. Only 9 pages long, it is a valuable read. Read it at a 200% zoom so the screen shot examples are easily read.]
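The mitigation Litan recommends, out-of-band transaction verification, is easiest to understand next to the attack it defeats. The following is an added example and is not Gartner's, SANS's or any bank's code; the Bank class, the mule account, the payee, the amounts and the six-digit HMAC-derived code are all constructed for the illustration. It contrasts login-time two-factor authentication, which a man-in-the-browser Trojan bypasses by waiting for the user to authenticate and then rewriting the payment inside the browser, with a confirmation code that the server derives from the payee and amount and pushes to a second device together with those details. As Ullrich's note points out, this only holds if the second device is not itself compromised; the simulation assumes it is not.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example, not code from Gartner, SANS or any bank. Every name, account
# and amount below is constructed for the illustration.

SERVER_SECRET = secrets.token_bytes(32)  # bank-side key; never leaves the server


@dataclass(frozen=True)
class OOBMessage:
    """What the bank pushes to the customer's phone: the details it is about
    to execute, plus the code that approves exactly those details."""
    payee: str
    amount_cents: int
    code: str


def transaction_code(payee: str, amount_cents: int, nonce: str) -> str:
    """Six-digit code derived from the transaction itself (payee, amount and a
    per-transaction nonce), so it cannot be replayed for a different payment."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, int]] = {}   # nonce -> (payee, amount)
        self.ledger: list[tuple[str, int]] = []         # executed payments

    # Weak design: two-factor login proves the session, not the transaction.
    def pay_with_session(self, session_authenticated: bool, payee: str, amount_cents: int) -> bool:
        if not session_authenticated:
            return False
        self.ledger.append((payee, amount_cents))  # executes whatever the browser sent
        return True

    # Out-of-band transaction verification: two steps, code bound to the details.
    def start_payment(self, payee: str, amount_cents: int) -> tuple[str, OOBMessage]:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (payee, amount_cents)
        code = transaction_code(payee, amount_cents, nonce)
        return nonce, OOBMessage(payee, amount_cents, code)

    def confirm_payment(self, nonce: str, payee: str, amount_cents: int, code: str | None) -> bool:
        if code is None or nonce not in self.pending:
            return False
        self.pending.pop(nonce)  # one-shot: a code cannot be reused
        # Recompute over the details actually submitted; any tampering changes the code.
        if not hmac.compare_digest(transaction_code(payee, amount_cents, nonce), code):
            return False
        self.ledger.append((payee, amount_cents))
        return True


def user_reads_phone(intent: tuple[str, int], msg: OOBMessage) -> str | None:
    """The customer types the code only if the phone shows what they meant to pay."""
    return msg.code if (msg.payee, msg.amount_cents) == intent else None


def mitb_rewrite(payee: str, amount_cents: int) -> tuple[str, int]:
    """Man-in-the-browser Trojan: silently replace the payee and amount
    inside the browser, whatever the customer typed."""
    return ("mule-account-4711", 950_000)


def run_scenarios() -> dict[str, list[tuple[str, int]]]:
    intent = ("electricity-co", 12_050)  # the payment the customer actually wants
    results: dict[str, list[tuple[str, int]]] = {}

    # 1. Login-time 2FA only: the Trojan waits for the OTP login, then rewrites the payment.
    bank = Bank()
    bank.pay_with_session(True, *mitb_rewrite(*intent))
    results["session_2fa"] = bank.ledger

    # 2. OOB, Trojan rewrites before submission: the phone shows the mule account,
    #    so the customer never types the code.
    bank = Bank()
    nonce, msg = bank.start_payment(*mitb_rewrite(*intent))
    bank.confirm_payment(nonce, msg.payee, msg.amount_cents, user_reads_phone(intent, msg))
    results["oob_rewrite_before"] = bank.ledger

    # 3. OOB, Trojan replays the customer's genuine code for a rewritten payment:
    #    the server recomputes the code over the submitted details and it no longer matches.
    bank = Bank()
    nonce, msg = bank.start_payment(*intent)
    code = user_reads_phone(intent, msg)
    bank.confirm_payment(nonce, *mitb_rewrite(*intent), code)
    results["oob_replay_code"] = bank.ledger

    # 4. Honest payment goes through.
    bank = Bank()
    nonce, msg = bank.start_payment(*intent)
    bank.confirm_payment(nonce, msg.payee, msg.amount_cents, user_reads_phone(intent, msg))
    results["oob_honest"] = bank.ledger
    return results
```

Scenario 1 shows why Gartner's finding holds: an OTP typed at login proves nothing about the payment that follows it. Scenarios 2 and 3 cover the two places a browser Trojan can act, before the bank sees the transaction (defeated because the second channel shows the real details to a human) and after the code is issued (defeated because the code is an HMAC over those details). Server-side fraud detection, the other half of Litan's advice, would sit in confirm_payment before the ledger append; it is omitted here.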

22 Million Bush White House eMails Recovered (December 14, 2009)

Technicians have recovered about 22 million emails that the George W. Bush administration had claimed were missing. The National Security Archive at George Washington University said the errant messages were "mislabeled and effectively lost." The emails are not likely to be made public for several years. The email problem has its origins in the 2006 firings of federal prosecutors across the country. When Congressional committees asked for documents related to the decisions and the actions, the Bush White House said the messages had been lost from servers. The missing emails were retrieved as a result of lawsuits filed by the National Security Archive and Citizens for Responsibility and Ethics in Washington.



DECAF Aims to Take The Zing Out of COFEE (December 14, 2009)

Someone has released a tool designed to foil a Microsoft forensic toolkit that helps law enforcement agents examine hard drives during raids. The anti-forensic tool, called DECAF, monitors a computer for signs of the forensic toolkit, the Computer Online Forensic Evidence Extractor (COFEE). DECAF cripples COFEE's ability to function by deleting the temporary files associated with the toolkit, erasing its logs, disabling the USB drive, and contaminating or spoofing MAC addresses.

NIST Issues FIPS 140-3 Crypto Standard Draft for Public Comment (December 14, 2009)

The National Institute of Standards and Technology (NIST) has released a draft document, Federal Information Processing Standard 140-3 (FIPS 140-3), Security Requirements for Cryptographic Modules, for public comment. The first draft of FIPS 140-3 was released in July 2007; comments on that draft have been taken into account in drafting the current version.

Google Blocking Facial Recognition Component of Goggles Image Search Service (December 14 & 15, 2009)

Google is blocking the facial recognition component of its Goggles image search service in the wake of privacy concerns. Goggles allows users to take a picture of an object with their smart phones and then uses the Google database to try to match the object - it has the most success with landmarks, artwork and books. A Google executive said that "Until (the company) understand(s) the implications of the facial-recognition tool, (it has) decided to block out people's faces." Goggles is available only on mobile devices that use Google's Android operating system.


[Editor's Note (Schultz): This turn of events is fascinating in that up until now, research has shown that somewhat surprisingly in some cases users have not considered biometric methods such as fingerprint and retinal scans to be too invasive. The use of facial images appears to "cross the line," however. ]

Fraud Prevention Security Questions Take a Strange Turn (December 13 & 14, 2009)

When Roger Thompson attempted to check out of a London hotel last week, the clerk informed him his credit card had been declined. After contacting his bank, he learned that because he had not informed the bank that he would be traveling, the transaction appeared to be suspicious. The bank eventually cleared the card for Thompson's use so he could check out of his hotel, but not before a Fraud Department representative asked him a slew of questions to ascertain his identity, including obscure questions about his daughter-in-law that the bank maintains had been obtained from "publicly available information."

MOD Laptop and Encryption Key Stolen (December 12 & 14, 2009)

The theft of a laptop computer from the UK Ministry of Defence headquarters in Whitehall has prompted an investigation. The computer was stolen late last month along with an encryption key that could be used to decrypt files. Although it was not specified, the key is likely stored on a USB stick or other security token. Statistics released by the MOD indicate that 28 laptops were stolen from the ministry between January 1 and May 11, 2009; in the last four years, 658 MOD laptops have been stolen.


Stolen Swiss Bank Data Used in French Tax Evasion Investigation (December 11 & 14, 2009)

Some of the data used by French authorities in tax evasion investigations appears to have been leaked by a former employee of HSBC Private Bank in Switzerland. Initially it was believed the man had provided French authorities with information on about 10 accounts, but that number is now believed to be much higher. The data were stolen about three years ago and a criminal complaint was filed in 2008. The man allegedly gave the information to the French government, but was not paid for it. He is reportedly under judicial protection in France.



Legislators Want to Keep TSA Document From Being Reposted (December 10, 2009)

US legislators have sent a letter to Department of Homeland Security (DHS) Secretary Janet Napolitano asking if there are legal remedies to prevent a leaked Transportation Security Administration (TSA) document from being reposted to the Internet. The airport passenger screening procedures document was posted to the Internet with inadequate redaction; when the problem was detected, the document was removed, but not before other people had made copies and reposted it to other sites. The legislators also asked Secretary Napolitano if the DHS is considering establishing rules to prohibit reposting, to prevent similar issues in the future.

[Editor's Note (Northcutt): I think it is fairly obvious that once something is posted on the Internet it is gone forever.]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit