

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #41

May 25, 2010

Two cool competitions in Cyber Forensics as part of the US Cyber Challenge

A new digital forensics contest based on real world malicious software pushes investigators to learn and evolve within their trade as Advanced Persistent Threat (APT) hacking groups achieve new levels of success. The contest's theme - how to combat complex threats - will be highlighted at the 2010 What Works in Digital Forensics and Incident Response Summit.

For more information on the Summit:
For more information on the contest:

And there's an even more challenging forensics competition sponsored by the DOD Cyber Crime Center Forensics Challenge. Info at:

Federal employees who have done cool things in security - please share them at the 1105 Security Conference. Here's the call for papers:



House Subcommittee Approved Bill to Revamp FISMA
Google Says it Won't Delete Any More Wi-Fi Data
Class Action Lawsuit Filed Against Google for Data Collection


Zuckerberg Promises to Make Facebook Privacy Controls Simpler
Eircom Implements "Three Strikes" Anti-Piracy Program
Three Charged in Payment Card Skimming Scheme
Energy Company Implements Secure Code Development Program
IBM Hands Out Infected USB Drives at Conference in Australia
Instigating Flood of eMail to Judge Does Not Constitute Contempt of Court
VA Taking Steps to Improve Data Security
Man Charged with Attempting to Steal Video Game Code
FTC Looking Into Digital Photocopier Data Security Issues

*********************** Sponsored By PacketMotion **********************

Considering segmenting your network PCI assets with firewalls?

Consider this. Firewalls were designed to protect the perimeter, are difficult to integrate, expensive to maintain, and fail to address other PCI audit requirements. Keep the number of "in-scope" systems to a minimum and reduce the cost of isolating your PCI assets with Virtual Segmentation.


-- SANSFIRE 2010, Baltimore, June 6-14, 2010
36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010
8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

-- SANS Boston 2010, August 2-8, 2010
11 courses. Special Events include Rapid Response Security Strategy Competition

-- SANS Virginia Beach 2010, August 29-September 3, 2010
9 courses.

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010
40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Amsterdam, Kuala Lumpur, Canberra and Taipei all in the next 90 days.

For a list of all upcoming events, on-line and live:



House Subcommittee Approved Bill to Revamp FISMA (May 20, 2010)

The House Oversight and Government Reform Committee has approved a bill aimed at revamping the Federal Information Security Management Act (FISMA), which is nearly 10 years old. The 2010 Federal Information Security Amendments Act (HR 4900) would establish permanent positions of director of cyber security and chief technology officer. It would also abolish certain paperwork requirements and require continuous network monitoring in place of 3-ring binders. The bill would also require IT contracts to address cyber security requirements. The bill now goes before the full House; a vote is expected sometime next month. A companion bill in the Senate is expected to be introduced in the next few weeks.

Google Says it Won't Delete Any More Wi-Fi Data (May 21, 2010)

Google has called a halt to deleting Wi-Fi data it inadvertently collected while gathering images for its Street View feature. Google has acknowledged that over the last three years, its Street View data collection vehicles also gathered Wi-Fi payload data in 30 countries. Some of the countries had requested that Google delete the data it had gathered, but the company has decided to stop deleting any more data after the European Union requested that it stop deleting the information (to enable further investigation into whether or not criminal charges will be brought against Google). Although Google had said earlier that it was collecting only SSIDs and MAC addresses from the wireless networks, an audit of the data collection system ordered by German authorities turned up evidence to the contrary. Google says it was unaware that the data were being collected until presented with the audit results.
[Editor's Note (Pescatore): In business models that depend on getting people to expose information in order to sell advertising around it, it seems like mistakes always fall on the side of accidentally collecting too much information, versus mistakenly ever collecting too little. ]

Class Action Lawsuit Filed Against Google for Data Collection (May 21 & 24, 2010)

Google is facing a class action lawsuit over the Wi-Fi data gathered by its Street View data collection systems. The suit seeks up to US $10,000 for each instance it collected data from unprotected wireless networks. The lawsuit was filed in a Portland, Oregon federal court. The plaintiffs have also filed a motion for a temporary restraining order that would prohibit Google from deleting any of the data it collected.


**************************** Sponsored Links: **************************

1) Coffee Coaching: Start your day with a sip of coffee and a byte of technology

2) Measuring network performance, security and stability under hostile conditions - Take our SANS Network Security Survey and be entered into a drawing to win a $250 American Express Gift Certificate.



Zuckerberg Promises to Make Facebook Privacy Controls Simpler (May 21 & 24, 2010)

Mark Zuckerberg says Facebook "missed the mark" with recent changes to its privacy controls. The social networking site's founder said that the company's "intention was to give [users] lots of granular controls, but that may not be what [they] wanted." Zuckerberg said that there are changes coming to Facebook privacy controls soon that will make them simpler. In a separate story, Facebook has fixed a security hole that could have been exploited to let hackers delete Facebook users' friends. Zuckerberg's Column:


[Editor's Note (Pescatore): There is a big difference between making user privacy controls "simpler" and making user privacy a core feature in all Facebook software development. Especially in a business model in which all revenue depends on getting people to expose information so you can sell advertising around it. ]

Eircom Implements "Three Strikes" Anti-Piracy Program (May 24, 2010)

As of Monday, May 24, Irish Internet service provider (ISP) Eircom will start cutting off broadband service to its customers who have been identified as persistent illegal filesharers. Eircom will receive the IP addresses of the alleged copyright violators from the Irish Recorded Music Association (IRMA); IRMA obtains the information with the help of Dtecnet, an anti-piracy monitoring company. Eircom will warn users the first two times they are identified as copyright violators. If a particular Eircom customer is found to have engaged in illegal filesharing three times, the company will suspend access for one week. If the activity persists after the week's suspension, the account will be suspended for a year. The rules apply to illegal music sharing only.

[Editor's Note (Honan): Eircom is the only ISP currently complying with this request from IRMA. Other ISPs are refusing to implement the three strikes rule claiming that there is no legal framework to support it. The Internet Service Provider, UPC, will be taking their case to court on June 19th.

(Schultz): It appears that in time most if not all ISPs will go the direction that Eircom has chosen to go. With ISPs increasingly being held responsible for music and film downloads through peer-to-peer protocols, what choice do ISPs really have? ]

Three Charged in Payment Card Skimming Scheme (May 23 & 24, 2010)

Three Washington, DC-area Cheesecake Factory restaurant employees have been charged in connection with a credit card skimming scheme that racked up more than US $117,000 in fraudulent charges. The suspects were identified because the restaurant provides waiters with cards that they must swipe before they swipe customers' payment cards. Two waiters remain unidentified because they are cooperating with authorities; a third, Nicole L. Ward, allegedly recruited the pair to engage in the illegal activity. Ward allegedly gave them the skimmers they used to steal data from the cards; the devices were then given to other members of a larger ring. Ward has been arrested and released.


Energy Company Implements Secure Code Development Program (May 21, 2010)

After a web page belonging to MidAmerican Energy Company was attacked through an SQL injection vulnerability, John Kerber, the company's manager of information protection, conducted a review of MidAmerican's security procedures. He realized that the company's decentralized network needed tightening and the number of Internet access points reduced. He also conducted a wide-reaching code review and developed an application security program based on the OWASP standard and Security Development Lifecycle.

[Editor's Note (Ranum): Application security is, and always has been, the elephant in the room. It's heartening to see efforts like this one happening in key infrastructure. ]

IBM Hands Out Infected USB Drives at Conference in Australia (May 21, 2010)

USB drives handed out as swag by IBM at last week's Asia Pacific Information Security Conference have been found to be infected with malware. IBM has sent all conference attendees an email acknowledging and apologizing for the problem and offering instructions for removing the infection from systems. This particular malware was discovered in 2008 and should be detected by most anti-virus products. Internet Storm Center:


[Editor's Note (Ranum): I was at the conference and, on my flight home, gave the USB stick to the guy sitting next to me. If he ever figures out what hit him, he'll probably think I did it deliberately. ]

Instigating Flood of eMail to Judge Does Not Constitute Contempt of Court (May 20 & 21, 2010)

Encouraging supporters to spam a judge to rule in a defendant's favor does not constitute contempt of court, according to a federal appeals court decision. The 7th Circuit Court of Appeals overturned a contempt citation against Kevin Trudeau, who had encouraged his supporters to inundate the judge in his case with email urging him to rule in Trudeau's favor. The judge's Blackberry froze from the deluge. Trudeau was being sued by the Federal Trade Commission (FTC). The issue raised in the case is whether contempt can be cited outside the judge's presence. The judge's attorney argued that computers are part of the courtroom and hence their disruption could be found to constitute contempt. The appeals court wrote, "We resist the district court's suggestion that the term 'presence' should be expanded to reach beyond the judge's actual, physical presence." The court vacated the 30-day jail sentence and the finding of contempt. A civil contempt charge for which Trudeau was originally being tried on different issues remains.

VA Taking Steps to Improve Data Security (May 19 & 21, 2010)

At a hearing of the House Veterans Affairs Committee subcommittee on oversight and investigations, convened in the wake of a number of data security breaches involving VA information, VA CIO Roger Baker described steps his agency is taking to improve data security. One of the breaches involved a laptop stolen from a contractor's office; the data on the laptop were not encrypted. VA contracts include language requiring that contractors comply with VA data protection policies, which include data encryption. However, it is difficult to ensure that the contractors are following the rules, so the VA has begun auditing its supply chain partners. The VA also plans to deploy data scanning technology to monitor the activity of electronic devices that are connected to the VA network. Baker expects to "have visibility to every device on [the department's] network by September 30 this year." The VA also plans to make sure all 50,000 of its medical devices are secure by the end of the year.

Man Charged with Attempting to Steal Video Game Code (May 19 & 20, 2010)

Justin May has been charged with larceny and buying, selling or receiving stolen trade secrets for attempting to download the code of an unreleased video game at the PAX East 2010 conference in March. May allegedly used his laptop to gain unauthorized access to an Xbox 360 test kit demonstrating a game called "Breach" and was able to download about 14MB of the game's code before he was caught. May pleaded not guilty to the charges.


FTC Looking Into Digital Photocopier Data Security Issues (May 18 & 19, 2010)

The FTC is looking into the data security risks inherent in digital photocopiers. Many photocopiers in use today retain all scanned images, leading to concerns that machines that are sold, thrown away, or returned after being leased could expose sensitive data, including financial and health information. In a letter to Representative Edward Markey (D-Mass.), FTC Chairman Jon Leibowitz noted, "with respect to government agencies, our own practice is to acquire ownership of the hard drives in the digital copiers [they] lease, and to erase and subsequently destroy these hard drives when the copiers are returned." Leibowitz's letter is a response to a letter from Rep. Markey regarding the security issues raised about digital copiers in an April 19 CBS news report.


[Editor's Note (Northcutt): Not just photocopiers, some high end printers retain print files, and if it is a color photocopier, keep in mind a number of photocopiers / printers embed a steganographic image designed not to be visible to the casual observer that has the serial number of the device. Finally, to add insult to injury, some of these devices give off toxic fumes with really unhealthy selenium and cadmium sulphide:


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit