Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #42

May 31, 2010

Breaking News: US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn't picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.



Facebook Simplifies Privacy Controls
Einstein May be Used on Private Networks That Support Critical Infrastructure
Google Facing More Flak Over Wi-Fi Data Collection
Large US Tech Companies Find Business Continuity a Greater Risk than Data Breaches
Disaster Recovery Plans Not Receiving Adequate Attention


Japanese Police Arrest Two for Alleged Cyber Fraud
Cisco Warns of Flaws in Network Building Mediator
Canadian Legislators Mull Proposed Privacy Law Amendments
Five Indicted in Fraudulent Funds Transfer Case
Second Man Sentenced for Scientology DDoS Attacks
New Twist on Phishing Targets Open Browser Tabs
Apple Has Not Fixed Carpet Bomb Flaw in Safari for OS X

*********************** Sponsored By SANS ******************************
The SANS WhatWorks in Virtualization and Cloud Computing Summit brings together industry leaders to help enterprises realize the enormous benefits of virtualization while addressing the new security challenges that it creates. You'll discuss the latest processes and tools for securing your virtualized systems in open forums designed to bring you together with both industry experts and your peers facing the same day-to-day challenges.

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition

-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Brisbane, Amsterdam, Kuala Lumpur, Canberra and Taipei all in the next 90 days.

For a list of all upcoming events, on-line and live:


Facebook Simplifies Privacy Controls (May 26 & 27, 2010)

Facebook says it has simplified its privacy controls. The new controls will allow users to choose to share content with friends only, with friends and friends of friends only, or with everyone. Users who want to implement more granular control will still have the opportunity to do so, and all those controls will be on a single page. The Electronic Frontier Foundations (EFF) says that while the changes are a "great first step," there are still privacy issued that need to be addressed. In particular, the EFF says that "no information should be required to be publicly available." Others have pointed out that social networks are designed for sharing information. The features will be rolled out over the next few weeks.


[Editor's Note (Ranum): If you don't want to make something public don't blog, facebook, tweet, or otherwise publicly announce it! Three people can keep a secret if two of them are dead and nobody has published it on the Internet for all their 'friends' to see. ]

Einstein May be Used on Private Networks That Support Critical Infrastructure (May 26 & 27, 2010)

Speaking at the Strategic Command Cyber Symposium in Nebraska on May 26, deputy defense secretary William J. Lynn III said that the Einstein computer security system used to detect and prevent attacks on government systems may be expanded to help protect private sector systems that support critical infrastructure, including utilities and communications. Participation would be voluntary. Lynn suggested that companies that choose not to take advantage of the offer would be braving a lawless cyber frontier. The proposed arrangement poses information sharing issues. It is unclear if the private companies would share the information they collect with the government. The government may be unable to share some information with the companies because it is classified, and companies may be reluctant to share information with one another.
[Editor's Note (Pescatore): The Einstein technology deployed to date doesn't prevent anything, it has been detection and reporting. In general, the government lags behind private industry in deploying active prevention technologies. ]

Google Facing More Flak Over Wi-Fi Data Collection (May 25, 26 & 27, 2010)

US lawmakers have sent a letter to Google chief executive Eric Schmidt seeking answers to a dozen questions about the company's Wi-Fi data collection. Google has acknowledged that for three years, it inadvertently gathered wireless network payload data while gathering images for its Street View feature. Google is facing a criminal investigation in Germany over the issue. The company is shying away from handing over the data to German regulators, suggesting that the country's privacy laws prevent it from surrendering the information. A Massachusetts Internet service provider (ISP) has filed a class action lawsuit against Google. Galaxy Internet Services is also requesting that Google be barred from destroying the information it has collected. Another class action lawsuit was filed in Oregon last week. A third lawsuit has been filed in California.


[Editor's Note (Schultz): Google's current woes show that with the benefits of the information age also come legal and other risks related to obtaining information about which there has been little forethought concerning the need for protection. ]

Large US Tech Companies Find Business Continuity a Greater Risk than Data Breaches (May 24, 2010)

According to research from BDO, business continuity ranks as a higher risk factor than data breaches for the 100 largest US technical companies. The data were compiled from the companies' 2009 10-K SEC filings that require the companies to list risk factors that could affect their bottom lines.

[Editor's Note (Pescatore): This illustrates the big difference between business/market risks and IT risks. What BDO did is look at the "Market Risk" section of financial filings, which came from SEC rules back in 1997 when there were derivative shenanigans way back then. That section in financial filings over time just turned into a dumping ground for listing any possible future event that could potentially lead to a significant event, as a way of warding off lawsuits when a stock tanked: "Well, in Section 7a we did warn you that the stock could drop in any month where the majority of days ended with the letter Y..." From that perspective, business disruption is a much larger cost than a data disclosure event.
(Ranum): Business continuity is also a more important problem for most businesses. Security sometimes should take second place to survival.
(Schultz): Hurricanes Katrina and Wilma were far most costly to many organizations than the worst of all data security breaches. ]

Disaster Recovery Plans Not Receiving Adequate Attention

According to Symantec's 2010 State of the Data Center Report, at least one-third of mid-sized organizations have not evaluated their Disaster Recovery plan in the last year. The study compiled responses from 1,780 data center managers in 26 countries. The lack of disaster recovery plans has been blamed on complex data center expansions, and ever-growing server and storage needs. Furthermore, about one-third of enterprises disaster recovery plans are undocumented.

Learn more about how to implement a hassle free Disaster Recovery solution where information is available during or following a disaster. I call this, One Touch Disaster Recovery
[DR ]
solution for Continuity of Operations

*************************** Sponsored Link: ***************************
1) Measuring network performance, security and stability under hostile conditions - Take our SANS Network Security Survey and be entered into a drawing to win a $250 American Express Gift Certificate.


Japanese Police Arrest Two for Alleged Cyber Fraud (May 27, 2010)

Japanese police have arrested two men who are suspected of using malware named Kenzo to commit fraud. The pair allegedly hid malware in a computer game; users' computers became infected when they downloaded the game with filesharing software. The malware stole personal information and leaked it onto the Internet. The pair then allegedly offered to delete the leaked data for a payment of 5,800 yen (US $64). The malware is believed to have infected 5,000 computers.

Cisco Warns of Flaws in Network Building Mediator (May 26 & 27, 2010)

Cisco is urging users of its Network Building Mediator (NBM) software to install a patch for six vulnerabilities that could be exploited to take control of devices running the software. NBM can be used to remotely monitor buildings' security, ventilation and energy systems. All users with network access can connect to NBM with administrative privileges. The flaws also affect Richards-Zeta Mediator 2500. The flaws also affect Richards-Zeta Mediator legacy products; Cisco acquired Richards-Zeta in January 2009. The problems are especially problematic because the software can interact with power grids.


[Editor's Note (Pescatore): Most of the software running these Building Automation Systems was written by developers who never considered that their systems might be exposed on open networks. It is good to see Cisco fixing vulnerabilities, but enterprises need to very careful in rushing to put BAS system on converged networks - they really should be on standalone networks. If not, treat them like unpatched servers. ]

Canadian Legislators Mull Proposed Privacy Law Amendments (May 25 & 26, 2010)

Canadian legislators are considering amendments to the country's Personal Information Protection and Electronic Documents Act (PIPEDA). Proposed changes include requiring organizations to notify Canada's Privacy Commissioner of material data breaches and to notify individuals if a breach poses the risk of harm; the assessment of the risk of harm would be determined by each organization. Another proposed amendment would expand the authority of law enforcement and national security agencies to demand customer information without a warrant. Canada's lawmakers are also considering anti-spam legislation. The Fighting Internet and Wireless Spam Act (FISA) was originally introduced in April 2009, but has been amended and was reintroduced on May 25, 2010. The proposed legislation would allow the Canadian Radio-Television and Telecommunications Commission (CRTC) to impose fines of up to CAD $1 million (US $953,000) per violation for individuals and CAD $10 million (US $9.53 million) for businesses. Subsequent penalties would be even higher.



Five Indicted in Fraudulent Funds Transfer Case (May 26, 2010)

Five people have been indicted in connection with the theft of nearly US $450,000 from the city of Carson's (California) bank accounts. The thieves used spyware to steal city employee login credentials, and then made two fund transfers from city accounts to other, previously established accounts outside the state. About US $300,000 of the money was recovered, and the city received an additional $100,000 from its insurance company. Carson city treasurer Karen Avila says the bank, City National Bank, should have been aware that something suspicious was going on. Three of those indicted appear to be orchestrating the scheme, while two were indicted for allowing their bank accounts to be used to receive the stolen funds.

[Editor's Note (Schultz): This is not the first major security breach for the city of Carson, California. City officials apparently did not learn much from the city's widely publicized breach several years ago. ]

Second Man Sentenced for Scientology DDoS Attacks (May 25, 2010)

Brian Thomas Mettenbrink has been sentenced to one year in jail and ordered to pay US $20,000 in compensation to the Church of Scientology for his role in a series of distributed denial-of-service (DDoS) attacks against that organization's websites. Another man, Dmitriy Guzner, was sentenced to one year in jail for his role in the attacks late last year. The January 2008 attacks appear to have been prompted by the Church of Scientology's demands to take down videos of Tom Cruise, a prominent member of the organization.

New Twist on Phishing Targets Open Browser Tabs (May 24, 25 & 26, 2010)

A Firefox developer is warning of a new kind of phishing attack that preys on users' inattention to which tabs they have open in their browsers. The attack is perpetrated by JavaScript code in a specially-crafted page. When users have several tabs open and are not viewing the site with the malicious code, the code surreptitiously changes the destination page after several minutes of inactivity; the favicon and title of the page are changed as well. The attack can be made more personal by perusing users' browsing histories and making the page appear to be one that the user frequents, such as Facebook or a banking login page. When the user goes back to the tab, there is a sign-on screen asking for login credentials. The vulnerability affects all major browsers that run on Mac OS X and Windows.



Apple Has Not Fixed Carpet Bomb Flaw in Safari for OS X (May 24, 2010)

Two years after learning of a vulnerability in its Safari web browser, Apple has yet to fix the problem. The flaw, which has been called a "carpet bomb" attack, allows maliciously crafted web pages to download files to users' computer without requiring users' consent. When first alerted to the problem, Apple deemed it "more of an annoyance than anything else," said security researcher Nitesh Dhanjani. Shortly after the disclosure, however, another researcher demonstrated how the carpet bombing vulnerability combined with a Windows flaw could be exploited to run unauthorized software on users' computers. At that time, Apple issued a fix for the Windows version of Safari, but Safari for OS X remains unpatched. Both Firefox and Chrome have received fixes to protect users from this sort of attack.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit