Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #30

April 15, 2011


Coreflood Takedown
New Zealand Passes Three-Strikes Anti-Piracy Law


Microsoft Patches Record 64 Flaws
WordPress Servers Breached
Adobe Will Fix Zero-Day Flaw on April 15
Critics Say Proposed Online Privacy Law Does Not Go Far Enough
Requests for Stored Communication Data Not Reported
National Cyber Emergency Plan Needed
Barracuda Suffers Network Intrusion



-- The National Cybersecurity Innovation Conference, April 18-19, 2011 - CISOs and other users (no vendors or consultants) sharing remarkable solutions they found to (1) defense against APT, (2) continuous monitoring, (3) proving the value of security investment and making security strategic, (4) reliable, risk-based decisions on which new tools to buy, (5) finding all their hardware and software across large networks, (6) the most promising automation initiative in security. Plus expert briefings on the most dangerous new attack techniques and the 20 Critical Controls.

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses.

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?

-- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live:

********************* SPONSORED BY MANDIANT *******************************

Be part of something more! MANDIANT is building a world-class threat detection and response organization and needs a few good men and women to join the Product Development and Professional Services teams in our DC, New York, Los Angeles and San Francisco offices. Check out open positions online at



Coreflood Takedown (April 13 & 14, 2011)

A federal judge granted the US Justice Department permission to take control of the Coreflood botnet and send infected machines a message that shuts down the malware. The DOJ seized five command-and-control servers and 29 domain names associated with Coreflood. The DOJ was granted a temporary restraining order allowing them to put other servers in those servers' place; the new servers send messages to infected machines in the US to stop running the botnet malware. Coreflood is believed to have infected more than 2.3 million Windows machines as of early 2010. The malware steals sensitive personal information which has subsequently been used to steal funds from people's bank accounts. The US Attorney's Office for the District of Connecticut has filed a civil complaint against 13 John Does, alleging wire fraud, bank fraud and illegal interception of electronic communications.
[Editor's Comment (Northcutt): This is a major shift in policy. Putting replacement servers in place to send messages to botnet machines amounts to hacking. I am not against it, though it raises complex questions from an ethics point of view. The government has been against such behavior ever since Nachi, the worm that patched the Blaster vulnerability. In any case, here is hoping for some arrests and convictions:

New Zealand Passes Three-Strikes Anti-Piracy Law (April 14, 2011)

Legislators in New Zealand have passed a three-strikes anti-piracy law. Vehemently opposed by members of the country's Green Party and independent MPs, the Copyright and Infringing File Sharing bill provides for warning illegal filesharers twice; a third infringement would give rights holders the opportunity to bring the offender before a tribunal with the authority to impose fines of up to NZ $15,000 (US $12,000). Subsequent violations could result in a court order suspending the offender's Internet account. Those opposing the law say that people could have their accounts suspended without sufficient proof of wrongdoing.



Microsoft Patches Record 64 Flaws (April 12, 2011)

Microsoft's released security updates for April address 64 vulnerabilities. The flaws affect Windows, Office and several other products. The Microsoft Security Response Center has flagged three of the bulletins as top priorities: MS11-018, MS11-019 and MS11-020. The first bulletin addresses five flaws in Internet Explorer (IE). The second and third address critical flaws in the way Windows handles the Server Message Block (SMB) protocol.




WordPress Servers Breached (April 13 & 14, 2011)

Attackers may have accessed source code from servers that support the WordPress blogging platform, according to WordPress parent company Automattic. The intruders gained access to code belonging to WordPress and some of its partners. WordPress said it had experienced "a low-level (root) break-in to several ... servers," and that it is reviewing logs and records to determine how much information was compromised. This is not the first time WordPress has come under attack; earlier this year, it was the target of a denial-of-service attack that prevented users from publishing content.



Adobe Will Fix Zero-Day Flaw on April 15 (April 13, 2011)

Adobe says that it will release a fix for a zero-day flaw in Flash Player on Friday, April 15. The fix will address the vulnerability in Flash for Windows, Mac OS X, Linux and Solaris; the flaw was fixed in Google's Chrome browser on Thursday. The vulnerability is being actively exploited in targeted attacks.

Critics Say Proposed Online Privacy Law Does Not Go Far Enough (April 12 & 13, 2011)

US lawmakers have proposed legislation that would allow Internet users the right to demand that their online activity not be tracked. The Commercial Privacy Bill of Rights, sponsored by Senators John Kerry (D-Massachusetts) and John McCain (R-Arizona), requires that consumers deliberately opt out of tracking practices through links on websites, drawing criticism from some groups who say the proposed law does not go far enough. Some critics would like to have a universal opt-out capability so consumers do not have to perform the cumbersome task of opting out on every site they visit. The bill does require that websites provide clear information about their data collection practices and that the organizations collect only as much information as necessary to conduct transactions or render services. The bill does not apply to data mining, surveillance or other actions used by governments to collect personal data. Local, state and federal law enforcement agencies are exempt, as are government agencies.


[Editor's Note (Honan): I think the European Opt-in model under the EU Data Protection Directive would be a more consumer friendly approach. ]

Requests for Stored Communication Data Not Reported (April 12, 2011)

While US law requires reporting of requests to intercept communications data in real-time, no such requirement exists for requests for stored communications data. Researcher Christopher Soghoian says that law enforcement agencies have made tens of thousands of requests for stored data from companies like Facebook and AOL. Not only is it easier for law enforcement to get their hands on the information once it has become stored communication, but it is considerably less expensive, too. At one US service provider, wiretaps can run into the thousands of dollars, while account information is provided for US $40.

National Cyber Emergency Plan Needed (April 11 & 12, 2011)

Speaking at a cyber security symposium at the University of Rhode Island on April 11, US Senator Sheldon Whitehouse (D-RI) said that the country needs a cyber emergency response capability to help elements of critical infrastructure in the event of a major cyber attack. Those responsible for the day-to-day elements of cyber security at those facilities may be overwhelmed by the attack and need a place to look to for direction. Whitehouse also said that the country should develop rules that prevent computers that are not adequately protected from accessing the Internet. US Representative James Langevin (D-RI) spoke about the large financial losses US organizations experience because of cyber attacks, estimating the cost to the US economy at US $8 billion annually. Also speaking at the symposium was General Keith Alexander, who heads the US Cyber Command and is the director of the National Security Agency. He said that US electric companies may not have the capability to protect the grid in the event of a cyber attack because is it not an area on which they have focused and they lack the "technical expertise
[and ]
government help that they need."


Barracuda Suffers Network Intrusion (April 11 & 12, 2011)

An attacker broke into a database at Barracuda Networks and stole information that was then posted to the Internet. The data appear to include names and email addresses. The attack was launched on April 9 during a period when the firewall that was supposed to protect it had been taken offline for maintenance. The attack was launched through an SQL injection flaw.



[Editor's Note (Honan): Time and time again I see breaches resulting from poor change management.
(Schultz): Every break-in and other types of security incident that a security product vendor experiences not only tarnishes its image, but also shows that the vendor's highly self-touted technology is suspect. I wonder how Barracuda will try to explain away this ugly incident to its customers and potential customers. ]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit