Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #50

June 25, 2010

There is no kill switch in the Lieberman-Collins Bill. But there is one
already on the books in the Communications Act of 1934.

The Lieberman-Collins bill just authorizes standard filtering like that
done by ISPs every day, but in a nationally-coordinated fashion. The
only kill switch appears to be in Sec. 706(c) of the Communications
Act of 1934, that already gives the President the power in a
time of national security emergency to shut down or disrupt internet
traffic. The Lieberman Collins Bill is much more measured and
effective. The relevant sections of both bills are provided at the end
of this issue. Read it yourself. The press has been totally fooled by
IT and telephone company lobbyists, and by an incorrect article from a
CNET reporter (I wonder who gave him the incorrect data). That false
press report got repeated over and over. If you are a journalist, next
time you hear one of the lobbyists talk about "unintended consequences"
and "kill switches" remember how the car companies tried to block
mandatory seat belts by saying "your wives and children will die in car
fires because the seat belts will keep them from getting out of their
cars in time." And you might consider recalling the immortal words of
Garrison Keillor, "Liar, liar, pants on fire."


PS. A wonderful webcast about the new continuous FISMA reporting and
continuous security monitoring featuring DHS' Matt Coose and State's
John Streufert just finished. Even if you have heard them before this
is FAR more current and actionable data. You can watch and hear it at


No Kill Switch in Cyber Security Bill
Twitter Settles FTC Privacy Charges


Two UK Teens Arrested for Roles in Cyber Crime Group
Man Who Rejected Plea Deal Now Facing Possible Lengthy Sentence
Cyber Thieves Stoles Hotel Customers' Credit Card Data
Firefox Update Incorporates Crash Protection
Groups Question Motives and Methods of Anti-Piracy Organization
Gas Station Card Skimmer Gang Sentenced
International Police Call for Stronger Domain Name Registration Rules
Alleged Cyber Extortionist Charged
Army intelligence analyst allegedly carried classified U.S. combat video out on CD
SEC 248 of the Lieberman-Collins Bill (No kill switch) and Sec 706 of the Communications Act of 1934 (The real kill switch)

*********************** Sponsored By IBM (ISS) *************************
With an end-to-end approach to web application security, IBM helps you safeguard code, identify vulnerabilities, spot malware and block attacks. Comprehensive IBM solutions also deliver security and performance in Web services and SOA, while providing ongoing management of your Web applications.

- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition

- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses

- -- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Amsterdam, Washington DC, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live:


No Kill Switch in Cyber Security Bill (June 23 & 24, 2010)

In response to misconceptions about their proposed cyber security legislation, US Senators Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas Carper (D-Del.) have published a fact sheet to clarify issues and quash rumors about the powers the bill grants. The Protecting Cyberspace as a National Asset Act does not give the president the authority to take control or shut down the Internet.



Twitter Settles FTC Privacy Charges (June 24, 2010)

Twitter has agreed to a settlement with the US Federal Trade Commission (FTC) over privacy issues stemming from two attacks that compromised Twitter accounts. The FTC complaint says that Twitter's stated privacy policy at the time led users to believe that stronger privacy protections were in place than were actually in use. On two separate occasions in 2009, attackers gained unauthorized access to administrative control of the Twitter service. In January 2009, an attacker gained administrative access to Twitter through a brute force dictionary attack. The intruder reset user passwords and posted some of the passwords on a website, where others accessed them and used them to send phony messages from those accounts. In April 2009, a Twitter employee's account was compromised, compromising Twitter user's personal information and messages sent. At the time, Twitter had no policy against easy-to-guess administrative passwords, nor did it suspend or disable account access after a certain number of failed log-in attempts. Twitter has now implemented many of the FTC's security recommendations. The terms of the agreement prohibit Twitter from "misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information." Twitter will also be required to undergo third-party security audits.


[Editor's Note (Pescatore and Paller): Back in 2007 the FTC managed to reach a similar agreement with Microsoft around questionable privacy practices in Microsoft Passport. Notice how the FTC has managed to be an effective regulatory agency without requiring any new laws or regulations? Kudos to FTC. ]

**************************** Sponsored Links: **************************
1) REGISTER NOW for the upcoming webcast: Making the Case for SIEM Sponsored By: ArcSight

2) Join SANS on June 30th at 1 PM ET for a special webinar event: a roundtable with leading experts on cloud security and compliance featuring Dave Shackleford, author of SANS' upcoming white paper on cloud security; McAfee Cloud CTO and Bugtraq inventor Scott Chasin; and Catbird CTO Michael Berman, a member of the Electronic Crimes Taskforce. Sponsored by Catbird and McAfee


Two UK Teens Arrested for Roles in Cyber Crime Group (June 24, 2010)

Police in the UK have arrested two teenagers for being involved with a cyber crime forum. The unnamed forum had nearly 8,000 members who traded stolen financial account data, cybercrime lessons and malware. Details for more than 65,000 credit card accounts were discovered in the forum. The teenagers were arrested on suspicion of encouraging or assisting crime, conspiracy to commit fraud, and unauthorized access under the Computer Misuse Act. The investigation has been underway for eight months and is expected to conclude in August.

Man Who Rejected Plea Deal Now Facing Possible Lengthy Sentence (June 24, 2010)

Barry Vincent Ardolf, the Minnesota man who allegedly used his neighbor's wireless network to send threatening messages to Vice President Joe Biden, could face decades in prison after rejecting a plea deal that would have imposed a two-year sentence. Federal prosecutors brought additional charges against Ardolf, including identity theft and possession and distribution of child pornography. Ardolf allegedly created email accounts and a MySpace page in the neighbor's name. He also allegedly sent email that appeared to come from the neighbor to the neighbor's co-workers; that email contained child pornography images. Ardolf maintains his innocence.

Cyber Thieves Stoles Hotel Customers' Credit Card Data (June 23 & 24, 2010)

Cyber thieves stole credit card information of as many as 700 people who stayed at hotels operated by Destination Hotels & Resorts over the last several months and used it to run up hundreds of thousands of dollars in fraudulent charges. The vulnerability the attackers exploited has been fixed. Authorities believe some of the card numbers were sold online in batches. Destinations Hotels & Resorts operates more than 30 facilities in Washington DC, Denver, San Diego, Los Angeles and other major cities.


[Editor's Note (Northcutt): Guess this is a good time to take a peek at your credit card statements to make sure you recognize the charges. For my job I travel a lot and want to use debit cards, but in general, as an individual, I have stronger protections when I use my credit card.]

Firefox Update Incorporates Crash Protection (June 22 & 23, 2010)

On Tuesday, June 22, Mozilla released updates for Firefox versions 3.5 and 3.6 to address nine vulnerabilities, six of which are rated critical. Firefox 3.6.4 also incorporates crash protection. If users running the latest version of Firefox experience a plug-in freeze or crash, users can refresh the page instead of having to restart the browser. The current version of the feature allows users to recover from Flash Player, QuickTime and Silverlight plug-in crashes for users running Windows and Linux. Mozilla plans to expand the crash protection to other plug-ins and operating systems.


Groups Question Motives and Methods of Anti-Piracy Organization (June 23, 2010)

The motives and methods of an organization established to find and punish illegal filesharers are being questioned. The US Copyright Group (USCG) operates on behalf of film-makers, and has said it will find and prosecute 150,000 illegal filesharers. According to an Electronic Frontier Foundation (EFF) spokesperson, "the USCG attorneys bringing these suits are not affiliated with any major entertainment companies, but are instead intent on building a lucrative business model from collecting settlements from the largest possible set of individual defendants." USCG has filed seven cases in Washington, DC; each case names thousands of alleged copyright violators. The majority of the defendants do not live in the DC area and would therefore have to pay for travel and accommodations, not to mention legal fees, if they wanted to fight the lawsuit. The EFF and the American Civil Liberties Union (ACLU) have asked the judges in the cases to cancel the summonses. The judges have given USCG until the end of June to explain why they have named so many individuals in each lawsuit. The methods used to gather the incriminating evidence have been called into question as well. The technique involves identifying the IP addresses associated with the illegal downloads and through the courts obtaining the address of the person who owns the computer associated with that address.
[Editor's Note (Schultz): The USCG's basing accusations on source IP addresses is completely unreasonable. Hopefully, the legal system will wake up to these realities and force this organization to use other tactics. ]

Gas Station Card Skimmer Gang Sentenced (June 21 & 23, 2010)

Theogenes De Montford has been sentenced to four-and-a-half years in jail for his role in a scheme that installed card skimmers at gas stations across the UK. The devices allowed De Montford and his accomplices to steal information and create clones of the cards. When authorities arrested him, De Montford had data for 35,000 payment cards in his possession. De Montford is believed to be the ringleader of the gang; Rajakumar Thevathasan, Rashid Hassan and Usman Mahmood were each sentenced to three-and-a-half years in jail last week.

International Police Call for Stronger Domain Name Registration Rules (June 22, 1010)

Law enforcement officials from four agencies around the world said at a public meeting for ICANN (the Internet Corporation for Assigned Names and Numbers) that domain name registrars need to impose more stringent rules on registering domain names to help combat cyber crime. Cyber criminals have long been registering domains with phony information to avoid being tracked down. The groups suggested that if ICANN does not do something about the problem, they might turn to legislators. The group of law enforcement representatives provided a list of a dozen proposals, including requiring registrars to collect the IP addresses ad HTTP headers of users when they register the domains. The proposals acknowledge the need for privacy and proxy registration, but would require registrars to provide that information to law enforcement if they are investigating criminal activity.
[Editor's Note (Pescatore): This is one of those privacy vs. safety issues. Domain name registration has long erred on the privacy side and the world of phishing and botnets has taken full advantage of that. In the US, the telephone system provides caller ID and full telephone directory information if you sign up for landline service - unless you opt out. The cellphone world and the Internet evolved completely in the other direction. It really is time for some thoughtful movement towards more accountability around registering domain names.

(Schultz): ICANN has over the years maintained what can more or less be described as a hands-off policy concerning Internet security issues. These issues have greatly intensified over the last decade, however, something that requires more ICANN intervention in dealing with them. ]

Alleged Cyber Extortionist Charged (June 22, 23 & 24 2010)

Luis Mijangos has been charged with extortion for allegedly using peer-to-peer file sharing networks to break into women's computers, steal information and blackmail them. Mijangos allegedly stole revealing pictures and videos of the women from their computers and threatened to expose them if they did not send him sexually explicit videos. He was also allegedly able to access web cams on infected computers and thus spy on his victims. He infected some of the computers by luring people to download what appeared to be files of popular music through P2P networks; others became infected after users clicked on files sent through instant messaging programs. Mijangos also allegedly installed keystroke logging software on the infected computers and used it to steal financial account information.

Army intelligence analyst allegedly carried classified U.S. combat video out on CD (June 23, 2010)

A U.S. Army intelligence analyst, identified as Bradley Manning, was arrested in May for allegedly leaking the 2007 Baghdad footage, additional video from 2009 air strike in Afghanistan, and over 260,000 classified U.S. diplomatic cables. According to Wired, the 22-year-old analyst discussed leaking the secret material to former computer hacker Adrian Lamo. Wired has published a transcript of the conversations.

Legislation to keep computers safe in a national emergency

Section 706(c) of the Communications Act of 1934 already gives the President Internet disruption powers: "Upon proclamation by the President that there exists war or a threat of war, or a state of public peril or disaster or other national emergency, or in order to preserve the neutrality of the United States, the President, if he deems it necessary in the interest of national security or defense, may suspend or amend, for such time as he may see fit, the rules and regulations applicable to any or all stations or devices capable of emitting electromagnetic radiations within the jurisdiction of the United States"

SEC 248 of the Lieberman-Collins Bill provides industry-mediated precision action without employing the heavy hand of the Communications Act of 1934:

"If the President issues a declaration under paragraph (1), the Director shall-

''(A) immediately direct the owners and operators of covered critical infrastructure subject to the declaration under paragraph (1) to implement response plans required under section 248(b)(2)(C);

''(B) develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;

''(C) ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations HEN10601 S.L.C. of the covered critical infrastructure and to the national information infrastructure;

''(D) subject to subsection (g), direct actions by other Federal agencies to respond to the national cyber emergency;

''(E) coordinate with officials of State and local governments, international partners of the United States, owners and operators of covered critical infrastructure specified in the declaration, and other relevant private section entities to respond to the national cyber emergency;

''(F) initiate a process under section 248 to address the cyber risk that may be exploited by the national cyber emergency; and

''(G) provide voluntary technical assistance, if requested, under section 242(f)(1)(S)."

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit