SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #51

June 29, 2010


FTC Cracks Down on Patient Cyber Thieves
White House Releases Draft Plan for National Online ID
Senate Committee Passes Cybersecurity Bill


Unpatched PDF Flaw is Being Actively Exploited
FBI Investigating Possible Cyber Extortion
Google Changes Encrypted Search Engine's Address
Encryption Used by Brazilian Banker Proving Difficult to Break
Adobe to Release Reader and Acrobat Security Updates Two Weeks Ahead of Schedule
Three Arrested in Spain for Allegedly Planting Logic Bombs in Custom Software
Updated Chrome Incorporates Latest Version of Flash Player
Company Gets Probation and US $1 Million Penalty for Exporting Military Technology



FTC Cracks Down on Patient Cyber Thieves (June 28, 2010)

The US Federal Trade Commission (FTC) is cracking down on a group of patient cyber thieves who set up phony businesses and merchant accounts and made millions of small fraudulent charges to over one million payment cards. In all, the group stole nearly US $10 million. The scammers created phony companies whose names were close to those of legitimate companies. The fraudulent charges ranged from US $0.20 to US $10, and the scammers usually charged each card only once. A US District Court judge in Illinois has issued an injunction freezing the assets of the group responsible for the scheme, although the culprits are unknown. The stolen money was automatically deposited in bank accounts set up by money mules, who then sent the money on to accounts in Cyprus, Estonia, Lithuania and other eastern European countries. Ninety percent of the fraudulent charges were uncontested by card holders.


White House Releases Draft Plan for National Online ID (June 26 & 28, 2010)

The White House has released a draft plan for protecting personal information while conducting online transactions. Rather than presenting a detailed plan, the proposed National Strategy for Trusted Identities in Cyberspace is painted in broad brush strokes. The proposal involves having consumers use secure identifiers, such as smart identity cards or digital certificates, to authenticate their identities before online transactions are conducted. The plan would be voluntary and would allow consumers to choose their identifiers from a range of public and private services. The White House is seeking comments on the proposal.



[Editor's Note (Schultz): This proposal is fraught with pros and cons. Trusted identities are in principle good from a security perspective, but if these identities are compromised, Pandora's Box will be opened. It is important to remember that the US Government has a less than stellar record in safeguarding personally identifiable information. ]

Senate Committee Passes Cybersecurity Bill (June 25, 2010)

The US Senate Homeland Security and Governmental Affairs Committee unanimously passed the Protecting Cyberspace as a National Asset Act of 2010. The proposed legislation has generated some controversy due to misinformation. The bill does not give the President the authority to take control of or shut down the Internet. It does grant the President powers to order emergency measures in the event of an imminent cyber attack. The bill now moves to the full Senate for a vote.




Unpatched PDF Flaw is Being Actively Exploited (June 28, 2010)

An unpatched hole in the PDF format is being actively exploited. Attackers are sending malicious messages that appear to come from company system administrators and have subject headings regarding mailbox setting changes. The messages claim the attachments contain instructions for updating email settings. The attachments instead infect users' computers with malware known as Auraax or Emold. The attack exploits PDF viewers' "/Launch" functions to infect computers.

[Editor's Note (Northcutt): Is there an alternative to a .pdf? It was supposed to be a printable image of what you saw on the screen. At least that was the idea 15 years ago. It should not need "launch" functions to do that. Do you remember five or six years ago, you weren't supposed to send an Excel spreadsheet or a Word document because they might contain malware, you were supposed to send a .pdf. Guess that has changed! If anyone has a suggestion for a replacement for .pdfs that works on Linux, Apple and Microsoft and has almost no features beyond imaging of the document, please drop me a note.]

FBI Investigating Possible Cyber Extortion (June 28, 2010)

The FBI is investigating a report that the Texas Cancer Registry was the victim of cyber extortion in May. State officials told State Department of Health and Human Services Commissioner Tom Suehs that someone was holding the registry's data hostage and demanding a ransom. A preliminary investigation suggests that the incident is a hoax; the Department of State Health Services does not believe that patient data were stolen. Whether or not the incident is a hoax, it is still a crime to send threats, and the incident has raised awareness of security issues that the department needs to address.

Google Changes Encrypted Search Engine's Address (June 28, 2010)

Google has changed the address of its encrypted search engine to make it easier for schools and universities to block the site without blocking access to other Google services. Many educational institutions ban the use of encrypted search engines because they allow students to bypass the schools' content filters. Users wanting to access the encrypted search engine can find it at

Encryption Used by Brazilian Banker Proving Difficult to Break (June 28, 2010)

Brazilian police have been stumped by cryptography protecting hard drives they seized in a July 2008 raid. The drives were taken from the home of a Brazilian banker who is suspected of committing financial crimes. The FBI was called in to assist the decryption efforts, but after a year has had no success. There is no law in Brazil that would compel the banker, Daniel Dantas, to reveal his password.

Adobe to Release Reader and Acrobat Security Updates Two Weeks Ahead of Schedule (June 24 & 25, 2010)

Adobe will release security updates for Reader and Acrobat on Tuesday, June 29, two weeks ahead of the company's regularly scheduled quarterly security update. The updates address a critical vulnerability in Flash that is being actively exploited. Adobe released a fix for the issue in Flash Player on June 10. Because of the accelerated patch release, Adobe will not be issuing updates on July 13, 2010. The affected software includes Adobe Reader 9.3.2 and earlier for Windows, Mac and UNIX, and Adobe Acrobat 9.3.2 and earlier for Windows and Mac.


Three Arrested in Spain for Allegedly Planting Logic Bombs in Custom Software (June 25, 2010)

Spanish authorities have arrested three people in connection with an alleged logic bomb scheme. The three are managers at a Spanish software company, and are accused of planting logic bombs in the custom software they marketed to other businesses. The logic bombs would cause the software to fail, guaranteeing that the clients would require the company's services and possibly extend their maintenance agreements. The Guardia Civil believes that at least 1,000 of the company's clients have been affected by the scheme since 1998. The scheme also allegedly involved building logic bombs into repairs to ensure ongoing business. The investigation was led by the Guardia Civil in cooperation with police in Cordoba, Spain.
[Editor's Note (Schultz): Hmmm, once again we see how correct Ken Thompson was in his now-legendary paper, "Reflections on Trusting Trust." ]

Updated Chrome Incorporates Latest Version of Flash Player (June 25 & 27, 2010)

Google has released an update for its Chrome browser to address five security flaws, three rated critical. Chrome version 5.0.375.86 also incorporates the built-in Flash Player. Flash support was integrated in Chrome in the beta phase, but Google waited for Flash Player 10.1 to integrate it in the stable version of Chrome 5. The updated version of the browser is available for Mac, Linux and Windows.



Company Gets Probation and US $1 Million Penalty for Exporting Military Technology (July 22, 2010)

A Colorado company has been sentenced to five years of probation and oversight and ordered to pay US $1 million to the federal government for exporting military technology to foreign countries without permission from the US State Department. Rocky Mountain Instrument Co. (RMI) exported military optical prisms and data to Turkey, South Korea, China and Russia between April 2005 and October 11, 2007. The products and data are on a list of items that may not be exported to foreign countries. RMI chief executive Steven Hahn pleaded guilty on the company's behalf in US District Court. Hahn told Judge Wiley Y. Daniel that the company has made changes to improve its business practices.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
