SANS NewsBites

Volume XII - Issue #102

December 28, 2010


Stuxnet May be Responsible for Decommissioning of 1,000 Centrifuges at Iranian Uranium Enrichment Facility
Germany to Establish National Cyber Defense Center
Missouri Escrow Company Sues Bank Over Unauthorized Electronic Transfer


Hackers Target and Five Other Sites
FCC's Net Neutrality Rules to Face Hurdles
Security Not Always a Consideration in Web Connected Gadgets
Man Facing Possible Prison Time for Reading Wife's eMail
Napolitano Reiterates DHS's Commitment to Cyber Security

******************** Sponsored By SANS 2011 ****************************
SANS 2011 in Orlando is now taking registration for 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security.


New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011, 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011, 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs; and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011, 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security

-- SANS 2011, Orlando, FL, March 27-April 4, 2011, 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security

-- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Atlanta, Bangalore, Singapore and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: ****************************************************************************


Stuxnet May be Responsible for Decommissioning of 1,000 Centrifuges at Iranian Uranium Enrichment Facility (December 24 & 27, 2010)

According to a report prepared by the Institute for Science and International Security, the Stuxnet worm may have been responsible for putting as many as 1,000 centrifuges out of service at the Natanz uranium enrichment facility in Iran. The plant currently has 10,000 IR-1 centrifuges. Stuxnet contains code that causes these IR-1 centrifuges' rotors to vary their speed in such a way that their motors are damaged.

Germany to Establish National Cyber Defense Center (December 27, 2010)

Germany's Interior Ministry has announced that it will establish a National Cyber Defense Center next year. Government spokesperson Stefan Paris said that government systems recorded 1,600 attacks in the first six months of 2010, a significant increase over the 900 attacks reported in all of 2009. Paris acknowledged that there were likely many more attacks that were not detected. The government believes the majority of the attacks originated in China.

[Editor's Note (Cole): The awareness that so many attacks are not detected is a wakeup call to look more closely at the traffic that is leaving your network, identifying anomalies or strange patterns in the traffic. Since many organizations are broken into and do not realize it, the more proactive you are the better. Prevention is important, but detection is a must. ]
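Cole's point about looking at outbound traffic for anomalies is the kind of thing that is easy to state and rarely shown. The following is an added example, not from the newsletter or its editors, of two simple egress checks run over constructed flow records: periodic connections to one external host (beaconing, scored by how regular the inter-arrival gaps are) and unusually large transfers to destinations absent from a baseline. The flow text format, the internal address ranges, the thresholds and the baseline set are all assumptions made for the example.

```python
"""Egress anomaly triage over constructed flow records (added example).

The line format "timestamp src dst dport bytes" is an assumption for this
example, a simplified NetFlow-style export; real collectors differ.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; adjust to the real address plan.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: one host beaconing every 5 minutes, one host
# browsing irregularly, one host pushing ~90 MB to a never-seen destination,
# and one internal-to-internal flow that egress checks should ignore.
FLOWS = """
2010-12-27T09:00:00 10.1.1.5 203.0.113.9 443 1200
2010-12-27T09:05:00 10.1.1.5 203.0.113.9 443 1180
2010-12-27T09:10:00 10.1.1.5 203.0.113.9 443 1210
2010-12-27T09:15:00 10.1.1.5 203.0.113.9 443 1195
2010-12-27T09:20:00 10.1.1.5 203.0.113.9 443 1205
2010-12-27T09:01:13 10.1.1.7 198.51.100.20 80 50000
2010-12-27T09:07:41 10.1.1.7 198.51.100.20 80 40000
2010-12-27T09:31:05 10.1.1.7 198.51.100.20 80 3000
2010-12-27T10:02:00 10.1.1.9 192.0.2.77 22 90000000
2010-12-27T09:03:00 10.1.1.5 10.1.2.3 445 4000
""".strip().splitlines()


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(lines):
    """Parse text flow lines into dicts; malformed lines raise ValueError."""
    flows = []
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def egress_flows(flows):
    """Keep only flows leaving the internal ranges for an external address."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst, dport) tuples contacted at a near-constant interval.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; tight gaps suggest a timer.
    """
    groups = defaultdict(list)
    for f in egress_flows(flows):
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"key": key, "count": len(times), "period_s": avg})
    return hits


def find_large_egress(flows, baseline_dsts, threshold_bytes=10_000_000):
    """Flag (src, dst) pairs whose total outbound bytes exceed the threshold
    and whose destination was never seen in the baseline period."""
    totals = defaultdict(int)
    for f in egress_flows(flows):
        totals[(f["src"], f["dst"])] += f["bytes"]
    return [{"src": s, "dst": d, "bytes": b} for (s, d), b in totals.items()
            if b >= threshold_bytes and d not in baseline_dsts]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    # Constructed baseline: destinations seen during a known-good window.
    baseline = {"203.0.113.9", "198.51.100.20"}
    for hit in find_beacons(flows):
        print("possible beacon:", hit)
    for hit in find_large_egress(flows, baseline):
        print("large transfer to new destination:", hit)
```

On the constructed data the beacon check flags only 10.1.1.5 talking to 203.0.113.9 on 443 every 300 seconds, and the volume check flags only the 90 MB push from 10.1.1.9 to 192.0.2.77; the irregular web browsing from 10.1.1.7 and the internal SMB flow are left alone. Both checks are deliberately crude: a real deployment would tune the thresholds per environment and use a baseline built from weeks of flows rather than a hand-written set.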

Missouri Escrow Company Sues Bank Over Unauthorized Electronic Transfer (December 26, 2010)

A Missouri escrow company is suing BancorpSouth Bank for failing to take adequate precautions against unauthorized funds transfers. Choice Escrow lost US $440,000 from their BancorpSouth account to cyber thieves, and the bank has refused to refund the money. The company's director of business development, Jim A. Payne, is urging legislators at the state and federal level to pass laws that would force banks that do not implement effective security measures to cover losses from unauthorized transfers from commercial accounts. Cyber security blogger Brian Krebs broke the story more than a month ago. He observed that banks often blame the clients for the thefts, saying that it's their fault for allowing their computers to become infected with malware. But Krebs says that "any security or authentication mechanism that does not start with the assumption that the customer's system is already compromised by malicious software does not have a prayer of defeating today's malicious attacks."

[Editor's Note (Schultz): I agree with Krebs. Financial institutions should assume the worst case when it comes to security in customer computers and should at a minimum provide customers with software and/or services that provide a high amount of assurance that these computers have not been compromised.
(Ranum): The bank performing the transaction cannot reasonably be expected to assume responsibility for an endpoint they have no ability to control. Legislating that banks "implement effective security measures" is nonsensical, since 'effective' measures would have to include things that are not widely in use today because they are considered onerous. ]


Hackers Target and Five Other Sites (December 27, 2010)

On December 25, hackers broke into,, and three other websites to demonstrate their lapses in security. All of the targeted sites either have criminal ties or are run by security experts whose security was not up to par. It is the second time in a year that this particular group has broken into, an underground forum used by cyber criminals for trading stolen credit card information. The first time the attackers broke into, they posted some of the stolen credit card numbers they found there; this time, no numbers were published.


[Editor's Comment (Northcutt): In this era of organized crime hacking for money, we have not seen a lot of 1990s-era hacking for glory. But between Gawker and this, we may be seeing a bit of a turnaround. Some of the posts and papers from #27C3 lead me to think there is a growing sense in the security community that if we don't start to take control of the situation we will descend into chaos. ]

FCC's Net Neutrality Rules to Face Hurdles (December 26, 2010)

The net neutrality rules approved by the US Federal Communications Commission (FCC) last week are likely to face legal challenges and attempts by Republican lawmakers to repeal them. The question is not whether the rules will be challenged in court, but rather, who will file the lawsuit. The key legal question is likely to be whether the FCC has the authority to establish the rules. An April ruling from the US Court of Appeals for the District of Columbia Circuit curtailed the FCC's effort to enforce net neutrality in a case involving Comcast.

Security Not Always a Consideration in Web Connected Gadgets (December 26, 2010)

Researchers are discovering that new gadgets designed to connect to the Internet, such as smartphones and certain HDTVs, are not always being designed with security in mind. Hackers shifting their focus to these devices is inevitable as the Internet-ready gadgets become more and more ubiquitous. Protecting the devices from attacks will also require new approaches. In some cases, the volume of mobile phone apps offered makes it impossible to vet them all adequately.

[Editor's Note (Schultz): Saying that security is not always a consideration in Web connected devices is a gross understatement. Because mobile device applications are intended for single-user contexts, there is little or no authentication and authorization in most of these applications. Critical security functions such as data encryption and auditing are also almost always missing.
(Cole): With the holiday season wrapping up this is a good time to remind your family to do a few important things with regard to security: 1) turn off Bluetooth and other services that are not needed; 2) always run some form of security on your wireless; 3) put any web enabled devices behind a firewall or filtering device. ]

Man Facing Possible Prison Time for Reading Wife's eMail (December 27, 2010)

A Michigan man could face up to five years in prison for reading his wife's email. Leon Walker found his wife Clara Walker's Gmail password in a notebook and used it to access her account, from which he learned that she was having an affair. Leon Walker is Clara Walker's third husband. The email disclosed that she was having an affair with her second husband, who has a history of domestic violence against her. Leon Walker shared the information with Clara Walker's first husband, the father of her son, who filed an emergency motion for custody. Walker is facing a felony charge under a law that is aimed at prosecuting people who have committed identity theft or have stolen trade secrets. His trial is slated to begin in February 2011.

Napolitano Reiterates DHS's Commitment to Cyber Security (December 22, 2010)

In a speech in Washington DC earlier this month, Department of Homeland Security (DHS) Secretary Janet Napolitano said she sees cyber security as DHS's primary responsibility. Napolitano said that "cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe." She noted the devastating effect a major cyber attack could have on components of the country's critical infrastructure and listed DHS's recent cyber security-related accomplishments, including the launch of the National Cybersecurity and Communications Integration Center.



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit