
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #33

April 27, 2010


IT Security Job Market Getting Stronger
US Defense Contractors Bulk Up on Cyber Skills To Compete for New Money
No Agreement on UN Global Cyber Crime Treaty


Blippy Will Hire CSO After Data Leak
NHS Computers Reportedly Infected with Qakbot
Microsoft Pulls Ineffective Patch
Chinese Company Must Pay Microsoft for Using Illegal Software
Former NSA Official Pleads Not Guilty in Data Leak Case
Man Indicted on Cyber Extortion Charges
NSA Holds 10th Annual Cyber Defense Exercise
Affinity Health Plan Acknowledges Data Breach



IT Security Job Market Getting Stronger (April 24, 2010)

The high-profile attacks against Google disclosed earlier this year are prompting companies to take a look at their own cyber security posture. Publicity around data breaches has heightened awareness of the need for people with the skills to protect valuable information assets. In the first three months of 2010, one employment market information company has seen a 25 percent jump in the number of cyber security job openings, from 32,000 to 40,000. An information security recruitment company says it has seen a 50 percent increase in the number of companies seeking IT security specialists. Companies that have been operating with limited staff are feeling the pinch of not having adequate data security in place. The companies are looking for people with specific skill sets, particularly those with experience in identity and access management, cloud computing security, forensics, and reverse engineering.
[Editor's Note (Paller): Although not included in the final version, the journalist who wrote this story told me, during our interview, that the recruiters he had contacted said that out-of-work people with management credentials in cyber security were lingering on the job market for six months and often much longer. Demand has dropped off for people with soft skills, but is increasing for those people when they can prove they can do the technical work required to protect systems and networks.
(Northcutt): There do appear to be "green shoots" of employment growth in the security field. I am not sure about identity and access management, but I know people are desperate to find qualified incident response people who can find and eliminate modern malware. ]

US Defense Contractors Bulk Up on Cyber Skills To Compete for New Money (March 18, 2010)

Defense firms are investing in cyber security skills training, in acquiring small security companies, and in hiring new talent to tap new revenue streams and offset declining revenue from traditional weapon systems purchased by the US Department of Defense. Northrop Grumman, Lockheed Martin, Raytheon, and Europe's biggest defense contractor, BAE Systems, are all mentioned. They face substantial competition in this new market from consulting firms such as Booz Allen Hamilton.
[Editor's Note (Paller): The new competition has almost entirely halted the "rush to mediocrity" that DoD contractors launched in response to DoD's 8570 mandate. Contractors tell us that certifications like Security+ are now seen by government proposal review boards as overt signs of "paper skills," doing more harm than good in competitions for new contracts. ]

No Agreement on UN Global Cyber Crime Treaty (April 23, 2010)

A proposed global cyber crime treaty was rejected by the United Nations after Russia, China and several other countries could not bridge human rights and sovereignty differences over the treaty's contents with the UK, the US, Canada, and the European Union. The rise of cyber crime has prompted countries to seek international agreements that give law enforcement agencies the authority to pursue cases outside their own geopolitical borders. The advent of cloud computing has made the need for such arrangements even more pressing. The EU and the US maintain there is no need for a new treaty because the Budapest Convention on Cybercrime already exists and has been ratified by 46 countries. That treaty allows law enforcement authorities to cross borders to access servers without the consent of local authorities as long as the network owners give their permission.



Blippy Will Hire CSO After Data Leak (April 23 & 26, 2010)

Social networking and shopping site Blippy has announced that it is hiring a chief security officer in the wake of a security incident that exposed members' credit card numbers in Google searches. The data leak was due to a technical oversight that allowed transaction data to appear in some of the site's HTML code for several hours in February. Blippy was unaware, however, that a Google crawler had indexed Blippy pages containing the sensitive account information during that window. Blippy has since asked Google to remove the information. Blippy also plans to hire information security staff to work with the CSO and focus solely on data protection.

[Editor's Note (Pescatore): This is a common path for consumer-grade, advertising supported services. The business model is to make money by exposing people's information and selling advertising around it, so security is really not Job #1 - data protection severely limits revenue possibilities. What's really needed is a security architect on the app dev side, and focus on security *before* the service is turned on. ]

NHS Computers Reportedly Infected with Qakbot (April 23, 2010)

Some of the UK's National Health Service (NHS) computers have been infected with Qakbot, malware that is designed to steal data, including credit card information, search histories and account passwords. More than 1,100 computers appear to have been affected. Qakbot is normally detected by most off-the-shelf security software. Researchers monitoring the malware say it has the capability to steal significant amounts of data. The malware spreads through web pages manipulated to exploit known flaws in Internet Explorer and QuickTime, and through file shares on local networks. It spreads at a measured pace so as not to attract attention.

Microsoft Pulls Ineffective Patch (April 23, 2010)

Microsoft has stopped distributing one of the 11 patches it issued on April 13 because of "quality issues." The company plans to release a refined version of the patch before the end of the month. The MS10-025 update did "not address the underlying issue effectively." The update is meant to fix a critical remote code execution flaw in the way Windows 2000 Server handles network packets while running Windows Media Services. This appears to be the first instance in which Microsoft has pulled a patch without having a replacement available.

Chinese Company Must Pay Microsoft for Using Illegal Software (April 23, 2010)

A Chinese court has ordered an insurance company there to pay Microsoft 2.2 million yuan (US $322,000) for using illegal copies of Microsoft software, including Windows XP and Microsoft Office. Microsoft said that Dazhong Insurance was using 450 illegal copies of its software. Dazhong plans to appeal the verdict. The case is the first brought by Microsoft against a large Chinese company for software copyright infringement. The rate of pirated software in China in 2008 was estimated to be 80 percent; while still high, the number is lower than in previous years.

[Editor's Note (Schultz): If this verdict is upheld, it would signal a major change of direction regarding software piracy in China. ]

Former NSA Official Pleads Not Guilty in Data Leak Case (April 23 & 24, 2010)

Former National Security Agency (NSA) official Thomas Andrews Drake has pleaded not guilty to charges of willful retention of national defense information, obstruction of justice and making a false statement. Drake allegedly leaked NSA secrets to a journalist who used the information in a series of articles about problematic programs within the NSA. Drake's attorneys have requested that he be tried by a jury; a trial has been scheduled for October.


Text of Indictment:

Man Indicted on Cyber Extortion Charges (April 23, 2010)

Anthony Digati has been indicted on charges of cyber extortion for threatening to spread negative information about his insurance company and former employer over a dispute concerning a variable universal life insurance policy. Digati, a former registered agent and manager at New York Life Insurance Company, allegedly demanded that the company pay him nearly US $200,000; he had paid just under US $50,000 in premiums. If the demand was not met by a certain date, he is alleged to have said the amount would increase to US $3 million and that he would send millions of email messages to people disparaging the company. If convicted, Digati could face up to two years in prison.
Text of Indictment:

NSA Holds 10th Annual Cyber Defense Exercise (April 22, 2010)

The National Security Agency (NSA) held its 10th annual Cyber Defense Exercise last week. The competition pits student teams from US military academies against each other and against the competition leaders in cyber space. Competition participants "build and defend computer networks against simulated intrusions by the National Security Agency Services Red Team." They face a variety of threats, including malicious attachments and scanning. This year's NSA team also includes a "gray cell," an uneducated user who clicks on every link.

Affinity Health Plan Acknowledges Data Breach (April 21, 2010)

A New York managed health care service is notifying more than 400,000 people that their personally identifiable information may have been compromised. The data were held on the hard drive of a digital copier that had been leased by Affinity Health Plan and then returned to the leasing company. The notification follows an NBC News story about information contained on hard drives of used digital copiers. Affinity has not yet reviewed the data, but the breach is believed to affect former and current employees, providers, job applicants, members, and coverage applicants.

[Editor's Note (Honan): Any device with a hard disk can pose a risk to your data. ENISA published an interesting paper regarding the security risks associated with most printers and it is available from

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/