
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XII - Issue #55

July 13, 2010

Metasploit users can take a phenomenal new advanced capabilities course written by Ed Skoudis and co-sponsored by H.D. Moore and the Metasploit team at Rapid7. It will boost any penetration testing team's effectiveness. See Sponsored Links for details on the three locations and the online schedule.



Microsoft to Share Windows 7 Source Code With Russian Intelligence
China Renews Google's Internet Content Provider License
Senators Call for US and China to Lead on Cyber Security


Oracle's Critical Patch Update for July to Address 59 Vulnerabilities
Google Apologizes for Wi-Fi Data Gathering in Australia
Judge Reduces Fine By 90 Percent in Tenenbaum Filesharing Case
NSA Says Perfect Citizen is Not a Monitoring Program
FBI Raids Homes of Alleged Cyber Harassers
Cisco Live 2010 Attendee Data Breached
Manning Copied Stolen Data Onto CDs
SANS FACULTY AT WORK: Stripped-Down Ubuntu Released

*************************** Sponsored By Splunk ***************************
FREE DOWNLOAD - SPLUNK FOR SECURITY Real-time Business Needs Real-time IT
* See incidents and attacks as they occur * Monitor application SLAs in real time * Correlate and analyze events on streaming data * Track live transactions and online activity.
Do this and more with real-time search in Splunk.
TRAINING UPDATE

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

-- SANS Boston 2010, August 2-8, 2010. 11 courses. Special Events include Rapid Response Security Strategy Competition

-- SANS Virginia Beach 2010, August 29-September 3, 2010. 9 courses. Bonus evening presentations include Future Trends in Network Security

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

-- SOS: SANS October Singapore, October 4-11, 2010. 7 courses

-- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Washington DC, Canberra, Portland and London all in the next 90 days. For a list of all upcoming events, on-line and live:



Microsoft to Share Windows 7 Source Code With Russian Intelligence (July 8, 2010)

Microsoft has agreed to share Windows 7 source code with Russian intelligence services. According to a report in Vedomosti, Microsoft will also give the Russian Federal Security Service (FSB) access to source code for Windows Server 2008 R2, Office 2010 and SQL Server. The goal, according to the report, is to boost sales of Microsoft products to the Russian government. Microsoft says the agreement is an extension of the Government Security Program agreement it reached with Russia in 2002.

China Renews Google's Internet Content Provider License (July 9, 10 & 11, 2010)

China has renewed Google's Internet content provider license, allowing Google to continue operating in that country. In January 2010, attacks compromised Google's internal servers and the email accounts of Chinese human rights activists; Google said it believed China was behind the attacks. Shortly thereafter, Google announced it would stop censoring search results in China, and in March it began automatically redirecting users of its mainland site to its Hong Kong site. With the license renewed, Google will stop the automatic redirection; users who want to reach Google's Hong Kong site must now click a link to get there. Google has also agreed to "abide by Chinese law."


Senators Call for US and China to Lead on Cyber Security (July 9, 2010)

In an open letter published in the San Francisco Chronicle, US Senators Dianne Feinstein (D-California), Mark Udall (D-Colorado) and Kay Hagan (D-North Carolina) call for the US and China to be leaders in cyber security, and say that the issue should be on the agenda for Chinese president Hu Jintao's state visit to Washington. The dates of the visit have not yet been established. The Senators point to attacks against banks and technology companies as well as against government and military networks. They visited China in early June and spoke with top Chinese legislator Wu Bangguo, who suggested that cyber security be made part of the annual Strategic and Economic dialogue between China and the US.

**************************** SPONSORED LINKS **************************
1) CLOUD SECURITY READY FOR PRIME TIME? July 27 - Ask IDC panelist during online discussion.
Register here:

2) New Advanced Metasploit class by Ed Skoudis. Take it live in 3 cities or live-online from your home: Boston, Aug. 8-9:

Virginia Beach, Aug. 27-28:

Las Vegas, September 26-27:

[With Network Security 2010] Live web-based course beginning October 4:

P.S. Because it is a new course, you can use discount code MET25 to save 25%.



Oracle's Critical Patch Update for July to Address 59 Vulnerabilities (July 12, 2010)

On Tuesday, July 13, Oracle will issue its quarterly Critical Patch Update, which addresses 59 vulnerabilities. Twenty-one of the vulnerabilities to be fixed are in Solaris products; seven of those can be exploited remotely. There will also be fixes for 13 flaws in Oracle's database products, nine of which are remotely exploitable.


[Editor's Note (Skoudis): Wow! 59 vulnerabilities. Fifteen years ago, when I started in the infosec business, I thought we'd start seeing vulnerability numbers gradually go down over long periods of time. They aren't. They are just shifting around to other products and applications. We'll be on this "hamster wheel of pain" of patching for a good long time. ]

Google Apologizes for Wi-Fi Data Gathering in Australia (July 10 & 12, 2010)

Australian Privacy Commissioner Karen Curtis has issued a statement saying that Google's collection of personal information from unencrypted Wi-Fi networks is a breach of the Australian Privacy Act. Google collected the extra data while gathering images and Wi-Fi location data for its Street View feature in countries around the world. While Australia's Privacy Act does not allow Curtis to impose sanctions on Google, the company was ordered to apologize. Google has also agreed to subject any future Street View activity in Australia to a privacy impact assessment and to consult Curtis about future plans.



[Editor's Note (Skoudis): The idea of a "privacy impact assessment" is intriguing. In some countries, organizations that conduct big projects that could impact the ecosystem are subject to an environmental impact study. Major Internet services, such as social networking sites and search engines, should be doing such studies internally at least, and not just fly by the seat of their pants when it comes to privacy. (Pescatore): Dealing with the impact of getting caught surreptitiously violating customer privacy, costly. Avoiding violating your customers' privacy, priceless. ]

Judge Reduces Fine By 90 Percent in Tenenbaum Filesharing Case (July 9, 2010)

The judge in a music file sharing case has reduced the damages award against Boston University graduate student Joel Tenenbaum from US $675,000 to US $67,500. US District Judge Nancy Gertner says that while the initial award was "unconstitutionally excessive," she believes the reduced amount "is still severe, even harsh." Tenenbaum's attorneys may attempt to have the damage award reduced even further because he cannot afford that amount.

[Editor's Note (Northcutt): This one is worth reading, especially his argument that DRM networks were not available so it was the victim's fault. I think less of people who blame the victim. On the other hand, it is easy to feel a bit sorry for the guy. $67k is a serious chunk of change, and he was young when he did it. On the other hand, I had also felt sorry for the other Tenenbaum the first time he got in trouble, but I didn't feel sorry for him the second time he got busted. You will recall "The Analyzer" and his digital bank robberies: ]

NSA Says Perfect Citizen is Not a Monitoring Program (July 9, 2010)

The US National Security Agency has acknowledged the existence of the "Perfect Citizen" program, but disputed claims made in a Wall Street Journal article last week that it is a secret system designed to monitor government and private networks. Instead, according to a written statement from an NSA spokesperson, the program is a research and development (R&D) initiative. "Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract .... There is no monitoring activity involved, and no sensors are deployed in this endeavor."

FBI Raids Homes of Alleged Cyber Harassers (July 8, 2010)

The FBI has raided the homes of three people for allegedly harassing a security expert who helped put the leader of a hacking group behind bars. In May, Jesse William McGraw pleaded guilty to transmitting malicious code; he is scheduled to be sentenced on September 16, 2010. McGraw installed malware on computers at the Texas hospital where he worked as a security guard. McGraw was the leader of a hacking group known as the Electronik Tribulation Army, and his arrest prompted a series of cyber attacks on and harassment of R. Wesley McGrew, who discovered the suspicious software on the hospital computers and informed the FBI. The raids took place in California, Ohio and Kansas on June 23; the harassment stopped after the raids.
[Editor's Note (Skoudis): I'm glad to hear that the harassment has stopped. Wesley, a close personal friend, did some great work here. What's that old saying? No good deed goes unpunished.
(Northcutt): I like and admire Wesley McGrew and am very thankful he is on our side, but I think the Wired story is slightly one sided; McGrew gives as good or better than he gets. I know I would not want to cross him: ]

Cisco Live 2010 Attendee Data Breached (July 8, 2010)

People who attended the Cisco Live 2010 conference last week came home to notices informing them of a possible breach of their personal information. A conference vendor detected what it described as "an unexpected attempt to access attendee information through" the conference web site. The exposed data include names, company addresses, email addresses and conference badge numbers.

Manning Copied Stolen Data Onto CDs (July 8, 2010)

Pfc. Bradley E. Manning, the US Army intelligence analyst who is alleged to have stolen more than 150,000 diplomatic cables and secret video footage and leaked them to the Internet, copied the data onto CDs. While the US military has banned removable storage devices to reduce the risk of data theft and malware infection, CDs were not on the list of prohibited media. Manning allegedly used CDs that were labeled with album titles and pretended to sing along to music while he was downloading the information.
[Editor's Note (Schultz): This incident highlights the importance of obtaining as large an amount of feedback concerning policy provisions as possible. Surely at least one reviewer would have noticed the omission of CDs as non-allowed portable media in the policy had many individuals been involved in the review process.
(Pescatore): Two major mistakes here: (1) USB wasn't why Conficker succeeded, poor patch management was. (2) There is a mission need to physically transfer information between PCs. Security policy that ignores mission needs is like screen windows on submarines.
(Honan): This story highlights one of the problems I regularly see with badly written policies. If your policies are too specific in relation to certain technologies, they can quickly become outdated and irrelevant, and users will use those specifics as a way of bypassing the policy. When developing your policies, think of them as being similar to a country's constitution, with your processes and procedures as the laws to support it. ]

SANS FACULTY AT WORK: Stripped-Down Ubuntu

IT Security expert and SANS Instructor Lenny Zeltser has released a stripped-down version of Ubuntu designed for reverse engineering malware. Dubbed REMnux, the OS comprises an array of malware analysis, network monitoring and memory forensics tools. Zeltser describes REMnux as "a virtual machine that runs Ubuntu and has various useful malware tools set up on it."


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit