Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #24

March 26, 2010

When the history of cyber security in the US is written, the US House of Representatives' hearing on March 24, 2010, will play a prominent role. It was at that hearing that the White House official charged with overseeing $80 billion of IT expenditures told the members, under oath, that the US government mandated culture of compliance resulted in waste of over a hundred of million dollars at one agency alone (more than $3 billion across government). He vowed to change government requirements, to stop asking agencies to develop three-ring binders of compliance reports. Those reports (certification and accreditation) are filled with out-of-date data and rarely discuss the important threats. Corporations and state agencies cheered along with all the feds who wanted to invest in security instead of 3-ring binders. Most importantly, Federal Inspectors General were put on notice that if they demand their agencies produce those wasteful reports, then the IGs are taking responsibility for the failures of security that the misallocated spending creates. See the first story for testimony from the hearing. If you are still making money selling those reports or buying them as a government official, check out the second story about the statement from the FBI's top cyber official about why you might want to share Mr. Kundra's sense of urgency.

A second good news story this week, covered by FOX News this morning. The US Navy has established full four-year scholarships for young people who have good cyber security talent as demonstrated in the US Cyber Challenge. The first competition for scholarship eligibility will run during the second week in April. Information on how to get your kids those scholarships at



Harsh Words for FISMA; FISMA 2.0 Bill Supported By Industry and Government Witnesses
Cyber Attacks Could "Challenge Our Country's Very Existence"
FOX, Yahoo and Google Ads Delivering Malware, Claims Security Company
TJX Mastermind Gets 20 Years in Prison


House Bill Would Restrict P2P Use on Government Systems
Google to Alert Gmail Users to Suspicious Account Activity
Anti-Counterfeiting Trade Agreement Draft Leaked
Mozilla Releases Firefox 3.6.2 a Week Ahead of Schedule
TJX Accomplice Gets Probation
Professional Certification Requirements in Rockefeller-Snowe Bill Raise Concerns
Proposed Legislation Would Tie Foreign Aid to Effective Cyber Security Efforts

*********** Sponsored By Trusted Computer Solutions ***********
Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.

-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat

-- SANS Boston 2010, June 6-14, 2010 11 courses

Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days. For a list of all upcoming events, on-line and live:


Harsh Words for FISMA; FISMA 2.0 Bill Supported By Industry and Government Witnesses (March 25, 2010)

Chairwoman Watson of the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement (responsible for drafting the Federal Information Security Management Act) introduced a complete rewrite of FISMA that solves many of the problems that made federal cyber security spending so wasteful. Industry (TechAmerica), ex federal CIO John Gilligan, and government witnesses (OMB, State Dept. and DoD) all gave it thumbs up. Mrs. Watson expressed a sense of urgency, so the bill may have a chance to become law soon. Even if it doesn't, Vivek Kundra, the US CIO, appears to be willing to implement many of the most important changes using the White House's existing authorities. SANS Director of Research Alan Paller told the Subcommittee that FISMA, as it has been implemented and enforced until now has been more detrimental than helpful to government IT security. In his testimony, Paller focused in particular on FISMA provisions that have siphoned necessary resources away from spending that would have helped the government respond more quickly and effectively to cyber attacks. He said the misdirected expenditures have led to an imbalance in pay for security professionals that is equivalent to "pa
[ying ]
the compliance staff at a hospital more than the surgeons," Paller listed the four "terribly damaging" processes created to implement FISMA: the federal information security controls and audit manual (FISCAM); the annual report implemented by federal CIOs and inspectors general; the certification and accreditation report writing process; and the security controls assessment specified in the National Institute of Standards and technology's (NIST) Special Publications 800-53. Paller said that the most important and effective security process the government could implement would be to monitor IT systems and networks in real time.

Kundra Testimony:

Paller Testimony:

Gilligan Testimony:

More testimony at:

Cyber Attacks Could "Challenge Our Country's Very Existence" (March 24, 2010)

Speaking at the Federal Office Systems Exposition (FOSE) government IT trade show on Tuesday, March 23, deputy assistant director of the FBI's cyber division Steven Chabinsky warned that cyber attackers are growing increasingly more sophisticated and that the attacks could pose a threat to the existence of the US as we know it. He also said the FBI's top priorities are terrorism and countries "that seek every day to steal our state secrets and private sector intellectual property, sometimes for" nefarious purposes.


FOX, Yahoo and Google Ads Delivering Malware, Claims Security Company (March 22, 2010)

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times <
and conservative news aggregator Drudge <
Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, the company said.

TJX Mastermind Gets 20 Years in Prison (March 25, 2010)

A US District Court Judge has sentenced Albert Gonzalez to 20 years in prison for masterminding cyber attacks that resulted in the theft of tens of millions of payment card numbers and associated PINs. Kim Zetter (Wired) provides a clear and comprehensive description of the lengthy cyber crime operation that involved accomplices in Latvia and Ukraine.



House Bill Would Restrict P2P Use on Government Systems (March 25, 2010)

The US house has passed legislation (HR 4098) that would restrict the use of peer-to-peer software on government computers. Recreational use of P2P software would be banned outright, and legitimate uses of the software would need to be approved by the Office of Management and Budget (OMB) on a case-by-case basis. OMB would also provide Congress with a list of agencies that are using P2P software along with the justification for its use. The bill now goes to the Senate.

Google to Alert Gmail Users to Suspicious Account Activity (March 24 & 25, 2010)

In an effort to fight spam and social engineering attacks, Google has begun notifying Gmail users of suspicious activity on their accounts. The company now provides information about the dates and times the accounts were last accessed as well as logs of the IP addresses used to access the account. The detailed information will be accessible by clicking through a warning banner that will appear on the in-box page. The banner will contain basic information about why Google deemed the activity suspicious.

[Editor's Note (Pescatore): The warning of suspected suspicious activity is a good thing, but much, much better to crank up the protections to prevent takeover of mail accounts. That same detailed information is what mainframe email used to show users and they quickly learned that peering at login times and IP or MAC addresses wasn't very meaningful to them. ]

Anti-Counterfeiting Trade Agreement Draft Leaked (March 24, 2010)

According to a leaked draft of the Anti-Counterfeiting Trade Agreement (ACTA), the US is urging other countries to suspend the Internet access of users who download digital content in violation of copyright laws. If the ACTA accord were adopted as written in the draft, Internet service providers (ISPs) would be held responsible for the downloading habits of their subscribers unless the ISPs "adopt and reasonably implement a policy to address the unauthorized storage or transmission of materials protected by copyright or related rights," namely a "graduated response" or three-strikes policy.


Mozilla Releases Firefox 3.6.2 a Week Ahead of Schedule (March 23 & 24, 2010)

Mozilla has pushed out an updated version of Firefox to address a critical zero-day flaw a week ahead of schedule. Firefox 3.6.2 was slated for release on March 30, 2010, but users were notified that the update was available on the evening of March 22. The new version of the browser fixes an integer overflow flaw in the WOFF font decoder that could be exploited to spread malware through drive-by attacks and allow attackers to take control of vulnerable computers. The vulnerability affects older versions of Firefox 3.6, but previous versions of Firefox are not affected. Firefox 3.6.2 also addresses seven other vulnerabilities.



TJX Accomplice Gets Probation (March 23 & 24, 2010)

Jeremy Jethro has been sentenced to three years of probation for selling exploit code to Albert Gonzalez, who masterminded data breaches at TJX, Hannaford Brothers, Heartland payment Systems and other businesses. Jethro reportedly received US $60,000 for the exploit code. Jethro pleaded guilty to a misdemeanor conspiracy charge. He will also pay a US $10,000 fine.

Professional Certification Requirements in Rockefeller-Snowe Bill Raise Concerns (March 24, 2010)

Provisions in the Rockefeller-Snowe cyber security bill in the Senate that would require cyber security professionals to obtain yet-to-be-specified training, accreditation and certification are raising concerns among technology trade associations. While applauding the 2009 Cybersecurity Act's efforts to bolster public-private cyber security cooperation, the associations are concerned that "the bill creates a compliance-focused framework that we think could hamper effective risk management." The Senate Commerce Committee approved the bill on Wednesday, March 24.



[Editor's Note (Pescatore): Since software engineering is still an oxymoron, there really are no meaningful software developer or IT system architect certifications. So, trying to say IT security professionals need certification will be good for the companies that will sell such certifications but really does not make sense from the point of any improvement of security.
(Paller): Cisco and NSA and SANS are compiling the available body of knowledge on what works and what doesn't work in security engineering. They will be doing a workshop in June for people who will be hiring security engineers and architects.

Proposed Legislation Would Tie Foreign Aid to Effective (March 23, 24 & 25, 2010)

The Senate earlier this week would cut off financial assistance to countries that refuse to take an active stand against cyber crime. The International Cybercrime Reporting and Cooperation Act aims to address the problem inherent in prosecuting cyber criminals who operate across international borders. Without harmonized rules, cyber criminals often evade punishment. The US would identify those countries that appear to be cybercrime havens, offer help establishing plans to crack down on cyber crime offenses, and evaluate the countries' progress after a year. Those countries that fail to take needed steps could have their aid, financing and trade programs suspended. The Senate bill is sponsored by Senators Kristen Gillibrand (D-NY) and Orrin Cyber Security Efforts Legislation introduced in the US Hatch (R-Utah). House members plan to introduce their own version of the bill.



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit