Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #47

June 15, 2010

The new Senate legislation (top story) has a very high probability of becoming law, as the centerpiece of an omnibus cybersecurity overhaul. It is an extraordinarily good bill. To see why, and to get an inside scoop on what goes on behind the scenes when cybersecurity laws are being considered, take a look at the Senate testimony from today's hearing posted at (available after 3 PM, when the hearing starts). One of the best elements of new bill is that it does away with most of the manual reporting that wastes $500 million every year and replaces it with continuous monitoring of daily automated feeds that lead to rapid vulnerability reduction.

On that same topic, the U.S. Office of Management and Budget released its budget guidance for all agencies saying: Your submission should include funding for the tools necessary to enable continuous monitoring of agency IT systems security as described in OMB memorandum M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," dated April 21, 2010. The whole budget guidance document is posted at:



New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010
UK ICO Does Not Plan to Make Breach Reporting Mandatory
FBI Investigating iPad Data Exposure
Judge Disallows Evidence Gathered From Laptop Six Months After Seizure


Google Maintains Inadvertent Data Collection Was Not Illegal
Minnesota Man Charged with Threatening VP Through Neighbor's Wi-Fi Network
Microsoft Support for Windows XP SP2 Ends on July 13
California Hospitals Fined for Data Breaches
Physical and IT Security Integration Tied to Better Risk Management
South Korean Government Website Hit With DDoS Attack

********************* Sponsored By BreakingPoint ************************
What is Resiliency and why is it Important to Network Security? Does your organization measure the impact of security threats, blended traffic and extreme load on the overall performance, security and stability of network devices and systems? Take our SANS network resiliency survey and help us find out if organizations have security resiliency on their radars. Complete the survey and be entered in a drawing for a $250 American Express Gift Certificate! Results will be announced in our June 30 SANS Analysts Webcast, 1PM EST.

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition

-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses

-- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Amsterdam, Washington DC, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live:


New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010 (June 10 & 11, 2010)

Last week, US Senators Joseph Lieberman (I-Connecticut), Susan Collins (R-Maine) and Thomas Carper (D-Delaware) introduced the Protecting Cyberspace as a National Asset Act of 2010 (S.3480), "comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks." If it passes, the legislation would establish an Office of Cyber Policy in the White House and a National Center for Cyber Security and Communications at the Department of Homeland Security (DHS). It would also update the Federal Information Security Management Act (FISMA) so federal agencies can move away from generating compliance reports and toward real-time monitoring that leads to rapid vulnerability reduction and risk reduction. The newly proposed US legislation would give the President emergency powers to take certain actions to protect private networks that support critical infrastructure if they face imminent attack or are actively under attack. The legislation would not allow the President to take control of the private networks, but would grant authority to order that a patch be applied or that the network(s) block incoming data from certain countries. Organizations that comply with the order would be immune from liability that arises from the actions they were required to take. The legislation has raised concerns among members of a trade group "about the unintended consequences that would result from the
[bill's ]
regulatory approach." Of particular concern are the regulatory powers allotted to the Department of Homeland Security.


James Lewis, senior fellow at the Center for Strategic and International Studies, provides an analysis of the bill's strengths and weaknesses.

UK ICO Does Not Plan to Make Breach Reporting Mandatory (June 10, 2010)

The UK's Information Commissioner's Office (ICO) will not require organizations to report data breaches despite the Irish Data Protection Commissioner's plan to seek mandatory breach reporting in that country. The UK's ICO expects that organizations will report breaches to them as part of their best practices, but has no plans to make it mandatory. At a conference in April, Deputy UK Information Commissioner David Smith noted that companies in the Telecoms industry may have to report breaches concerning personal data of customers following the review of the European Privacy and Electronic Communications Directive which is due to come into effect sometime in 2011.

FBI Investigating iPad Data Exposure (June 10, 11, 12 & 14, 2010)

The FBI is investigating the exposure of information belonging to iPad owners. In a letter sent to iPad users, AT&T said the only information exposed by the attack was the users' email addresses; that no other information was at risk of exposure. The group behind the data breach and several other security specialists say that those claims may not be accurate "about the potential for harm" from the flaw. The FBI is seeking additional information from Gawker, the website that first published the story about the iPad hack. AT&T says it will cooperate with efforts to prosecute those responsible for the attack. The US Federal Communications Commission (FCC) has expressed concern over recent incidents involving the exposure of personal information including the iPad breach and Google's collection of personal data over unprotected wireless networks.



Judge Disallows Evidence Gathered From Laptop Six Months After Seizure (June 10 & 14, 2010)

A US federal judge has ruled that evidence gathered in June 2009 from a laptop computer seized at a US border crossing in late January 2009 may be suppressed. Andrew Hanson was randomly selected for secondary baggage search in January 2009. Hanson is a US citizen who was returning from South Korea to the US through San Francisco. An image of child pornography justified seizure of his laptop; a subsequent scan of the hard drive several weeks later turned up more evidence. However, the laptop's contents were not viewed again until June 2009. The judge allowed evidence discovered on the laptop in early February 2009 because the search was conducted within a reasonable time frame. The judge determined that evidence obtained during the June search, which was conducted without a warrant, was inadmissible; a search so long after the fact requires a warrant.

**************************** Sponsored Links: **************************
Real-time Business Needs Real-time IT
* See incidents and attacks as they occur
* Monitor application SLAs in real time
* Correlate and analyze events on streaming data
* Track live transactions and online activity
Do this and more with real-time search in Splunk.


Google Maintains Inadvertent Data Collection Was Not Illegal (June 14, 2010)

While US legislators are calling for a Federal Trade Commission (FTC) investigation of Google's data gathering practices, Google is maintaining that it did nothing illegal (under U.S. law) when it inadvertently collected payload data from unprotected wireless networks while collecting images for its Street View feature. The company does acknowledge "that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry."

[Editor's Note (Schultz): Google sounds about as innocent as BP is in the current US Gulf Oil Spill. ]

Minnesota Man Charged with Threatening VP Through Neighbor's Wi-Fi Network (June 14, 2010)

A Minnesota man has been charged with aggravated identity theft and threats to the president and successors for allegedly tapping into a neighbor's wireless network and sending threatening messages to US vice president Joe Biden. Barry Ardolf has a history of disputes with neighbors. He has also allegedly stolen personal information, sent offensive messages and sent indecent photographs to his neighbor's co-workers from an email account set up to appear as if the messages were coming from the neighbor. FBI agents seized numerous computers, hard drives and routers after a search of Ardolf's home last summer.
Editor's Comment: (Northcutt): Sounds like a great security awareness Tip of the Day: If you fail to enable WPA2 on your home wireless access point, it may be used to threaten the President, and get you in big trouble with the Secret Service and local police! There are a thousand reasons why it is a good idea to protect your access point with WPA and none why it is not. ]

Microsoft Support for Windows XP SP2 Ends on July 13 (June 14, 2010)

The Microsoft monthly security update scheduled for July 13, 2010 marks the last time the company will issue security updates for Windows XP SP2. Users should note that Microsoft's discontinuation of support for XP SP 2 means that they will no longer receive patches for vulnerabilities in Internet Explorer (IE), either; the company has no mechanism for delivering IE-only patches to customers still running that version of the operating system. Because Microsoft normally issues IE updates only every other month, XP SP2 users have received their last IE updates barring the release of an emergency IE patch on or before July 13. Users are urged to install XP SP3 to keep receiving security updates. Microsoft will continue to support XP SP3 through April 2014.

[Editor's Note (Schultz): Microsoft is being more than reasonable in supporting WXP SP3 for as long as it has announced. At the same time, it is important to realize that Windows Vista was a human-computer interface catastrophe and that in some (but many fewer) ways Windows 7 has not been all that different from the same perspective. ]

California Hospitals Fined for Data Breaches (June 11, 2010)

The California Department of Public Health (CDPH) announced that five California hospitals have been fined a total of US $675,000 for failing to protect patient information. The largest breach involved personal data of 204 patients. The penalties were imposed under new state legislation that allows a US $25,000 penalty for each patient whose information is compromised. Once the penalties are imposed, the hospitals have 10 days to submit a correction plan to prevent breaches in the future.

Physical and IT Security Integration Tied to Better Risk Management (June 10, 2010)

A survey of more than 250 attendees at the GovSec Conference in Washington, DC in March found that cyber attacks are viewed as the top threat to US national security, followed by terrorist activity, insider threats and information security breaches. Sixty-five percent of respondents said their organizations are "focused on integrating IT security and physical security." Those who said their organizations were focused on integrating physical and IT security also had the highest opinions of their organizations' security monitoring and risk response.

South Korean Government Website Hit With DDoS Attack (June 10, 2010)

A distributed denial-of-service (DDoS) attack against a South Korean government website has reportedly been traced to servers based in China. A South Korean government official said that they are working on uncovering the attack's origins. Access to the site was slowed, but it was never shut down. Last summer, similar attacks on South Korean and US government websites were believed to have come from North Korea.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit