SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #101
December 24, 2010
TOP OF THE NEWS
US State Department Creates Cyber Security Position
FCC Approves Net Neutrality Rules
THE REST OF THE WEEK'S NEWS
Microsoft Acknowledges Zero-Day Flaw in IE
VA Doctors Used Unauthorized Yahoo Cloud Calendar to Store Patient Information
CIA Investigating Impact of Leaked Diplomatic Cables
Man Pleads Guilty in Wi-Fi Framing Case
Texas Man Indicted for Allegedly Stealing US $274,000 from Digital River Programmers
Mobile Phone Companies Taking Security More Seriously
Apple Pulls WikiLeaks App from iTunes Stores
NIST Issues Draft Document on Continuous Monitoring for IT Security
************************ Sponsored By SANS ******************************
Christmas in May: Take the SANS 2011 Annual Log Management Survey
Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/68369
The results will be released in early May during a short series of live webcasts with Jerry Shenk and Dave Shackleford.
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011 http://www.sans.org/north-american-scada-2011/
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
-- Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Atlanta, Bangalore, Singapore and Barcelona all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
US State Department Creates Cyber Security Position (December 22, 2010) The US Department of State has created the Office of the Coordinator for Cyber Issues, a post that will have the authority to coordinate agency cyber security. The coordinator will report directly to Secretary of State Hillary Clinton. The coordinator will also be responsible for the security of communications between the US and other governments. The position has been in the works since before WikiLeaks' release of tens of thousands of diplomatic cables.
FCC Approves Net Neutrality Rules (December 22, 2010) As expected, the US Federal Communications Commission (FCC) approved Chairman Julius Genachowski's net neutrality plan by a 3-2 vote. Proponents of net neutrality have been concerned that cable and telecommunications companies could start to wield too much power over Internet traffic. The rules prohibit Internet service providers (ISPs) from favoring one company's traffic over another's on lines to customers' homes, and landline broadband providers cannot block legal content on websites. While the rules allow providers to sell Internet services in which companies pay a premium for faster data delivery, the FCC is unlikely to approve any such arrangements. The rules also require that providers disclose their traffic management policies to consumers. Rules for wireless networks are less restrictive.
THE REST OF THE WEEK'S NEWS
Microsoft Acknowledges Zero-Day Flaw in IE (December 23, 2010) Microsoft has confirmed reports of a zero-day vulnerability in Internet Explorer (IE) that could be exploited to allow remote code execution when IE processes a Cascading Style Sheets (CSS) file with "@import" rules. The flaw was reported earlier this month, but exploit code for the vulnerability has recently been released. The flaw affects IE8 on Windows XP, Vista and Windows 7, and IE6 and IE7 on Windows XP. The attack defeats IE's data execution prevention (DEP) and address space layout randomization (ASLR) features. Microsoft has issued an advisory with recommendations for protecting systems from attack until a fix is available. The company does not plan to issue an out-of-band fix for the issue.
VA Doctors Used Unauthorized Yahoo Cloud Calendar to Store Patient Information (December 23, 2010) The Department of Veterans Affairs (VA) has shut down an unauthorized Yahoo cloud application that was being used by VA doctors to store sensitive medical information. Late last month, VA information security authorities became aware of a shared calendar on a Yahoo cloud application that had a single password for multiple users. The password had never been changed in the three years that the calendar was in use. The information stored in the calendar included names, types of surgery performed and the last four digits of SSNs. The calendar was ordered to be shut down on November 24 and all the information was deleted. Nearly 900 patients will be notified that their information was stored on the site, which did not have adequate security controls in place. The incident is being called a mishandling of electronic information.
[Editor's Note (Schultz): The incident may be termed "a mishandling of electronic information," but I fear it may in reality be the result of "cloud security per the usual."
(Honan): This is a good example of why education and awareness are key elements in an effective infosec program. Many cloud solutions need no intervention from IT to set up. Some services are free while others simply require the client to know how to enter their credit card details into a web page. It is important therefore to ensure your users are aware of the risks involved in using these services and that they consult you before committing sensitive data to them.]
CIA Investigating Impact of Leaked Diplomatic Cables (December 22, 2010) A CIA task force will examine the implications of the recently released diplomatic cables on WikiLeaks. One issue of concern is the possible erosion of relationships between the agency and informants following the leak. The CIA appears to have been relatively untouched by the leak, due perhaps to its reluctance to share information with other agencies. When asked to make information available on SIPRNet, the CIA refused because of concern about the number of people with access to the network. The National Security Agency's (NSA) response to the WikiLeaks disclosures has been "to assume that all the components of system" have been compromised.
Man Pleads Guilty in Wi-Fi Framing Case (December 22, 2010) A Minnesota man has pleaded guilty to computer hacking, aggravated identity theft and other charges for sending email threats against Vice President Joe Biden in his neighbor's name. Barry Vincent Ardolf admitted to breaking into his neighbor's wireless network, setting up phony email accounts and sending the threatening messages to appear as though they came from his neighbor. Ardolf also sent offensive email messages to some of the neighbor's co-workers.
Texas Man Indicted for Allegedly Stealing US $274,000 from Digital River Programmers (December 22 & 23, 2010) A Texas man has been indicted on charges of computer and wire fraud for allegedly stealing more than US $250,000 from a Minnesota e-commerce company. Jeremey Parker allegedly redirected electronic payments from a Digital River subsidiary, SWReg, to his personal bank account. SWReg is used to pay independent software developers who create code for Digital River; they can go online, see how much they are owed in royalties, and transfer the funds to their personal accounts.
Mobile Phone Companies Taking Security More Seriously (December 22, 2010) Wireless phone companies are taking steps to improve the security of the ubiquitous devices. Carriers are making efforts to help prevent attacks and data theft, while hardware manufacturers are improving their products as well. AT&T has hired 13 PhDs to open a new mobile phone security lab in New York City. Carriers are also working with startup companies that are focused solely on mobile device security. Research in Motion (RIM) plans to improve the way BlackBerry users back up their data and remotely locate, lock or wipe the devices.
[Editor's Comment (Northcutt): This story was found by my colleague David Hoelzer, who noted that an emphasis on secure development will do more good than hiring PhDs to retrofit security. I would agree, but my biggest smartphone concern is the apps that phone home with information about the phone's owner.]
Apple Pulls WikiLeaks App from iTunes Stores (December 21 & 22, 2010) Citing violations of developer guidelines, Apple has removed a WikiLeaks iPhone and iPad application from the iTunes store. The app allowed users to access WikiLeaks' Twitter feed and documents on the organization's website. It had been downloaded more than 4,000 times before Apple removed it from the store. Apps sold in the iTunes store "must comply with local laws and may not put an individual or targeted group in harm's way," according to a company spokesperson. The app was unofficial, meaning it was not released or endorsed by WikiLeaks, but the developer said that US $1, or half of the sale proceeds, was being donated to WikiLeaks for each download.
NIST Issues Draft Document on Continuous Monitoring for IT Security (December 21, 2010) The National Institute of Standards and Technology (NIST) has released Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations. The draft publication says that effective IT security needs to start with organizational-level planning rather than working system by system, and provides guidelines for developing and implementing an effective continuous monitoring strategy. NIST is accepting comments on the draft document until March 15, 2011.
[Editor's Comment (Northcutt): In principle, continuous monitoring is a great idea. I have only made one quick pass through the document; it looks like they have changed some of the titles and descriptions and invented some new acronyms. If you are in government or a government contractor, I encourage you to download the document, read it and give them feedback!]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu/.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/