
Volume XIII - Issue #31

April 19, 2011


Hearing to Determine if ACS:Law is Liable for Wasted Legal Costs
Coreflood Takedown Tactics Questioned


US Judge Trying to Determine if Google Breached Wiretap Law
Which Cyber Security Specialists are Most Needed?
Adobe Patches Flash Reader Vulnerability
Two-Year Prison Sentence for DDoS Attacks
Private Industry Wants Better Cyber Threat Information Sharing with Government
Updates for Mac OS X and Safari
Guilty Plea in Stolen Credit Card Data Case
Oracle to Fix 73 Vulnerabilities in Quarterly Update



-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011. 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011. 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011. 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011. 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?

-- SANS Boston 2011, Boston, MA, August 8-15, 2011. 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls

-- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************* SPONSORED BY Raytheon Trusted Computer Solutions ***********

Automatically harden your Linux and Solaris OSs with Security Blanket. Reduce the time to deploy new systems, or repurpose machines, while keeping your security posture intact. Locking down to industry guidelines like DISA STIGs, CIS or, PCI, or creating a custom profile, can easily be achieved with Security Blanket. Click link for FREE demo.




Hearing to Determine if ACS:Law is Liable for Wasted Legal Costs (April 18, 2011)

A judge in the UK has ruled that ACS:Law and its sole solicitor, Andrew Crossley, may be responsible for wasted costs in the case involving speculative invoicing of alleged illegal file-sharers. The company sent out thousands of letters, threatening people with legal action if they did not pay GBP 500 (US $813) to settle allegations of illegal file-sharing. The court had originally been asked to hear the cases brought by ACS:Law, but shortly before they came to trial, the firm sought to have them dismissed. The judge did not grant that request. A hearing has been set for June to determine if ACS:Law and Crossley are liable for wasted legal costs.

Coreflood Takedown Tactics Questioned (April 15, 2011)

Although people were happy to see the Coreflood botnet go, some have expressed concern about the tactics used in its recent takedown. Federal prosecutors obtained a temporary restraining order allowing them to replace several identified Coreflood command-and-control (C&C) servers with their own servers, which were then used to send stop commands to machines that were infected with Coreflood malware. Electronic Frontier Foundation technology director Chris Palmer said the method "is not a safe way to go about [disabling malware] and it's divergent with standard practice." Previously, botnets have been taken down by disabling the C&C servers, which renders the botnets silent for a while until new C&C servers are established. Others are less concerned about the impact of this specific takedown than they are about the precedent it sets. Still others say the technique was not intrusive because it just told the malware to stop running.

[Editor's Note (Schultz and Paller): Whether or not we like it, the worsening nature of cybercrime is increasingly dictating that law enforcement take more austere and severe measures. ]

********************** Sponsored Links: ***********************************

1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/76223

2) In Case you missed it! Web 2.0 Security: Same Old But Different FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/76228 Sponsored By: SONICWALL http://www.sonicwall.com/

3) New Paper in the SANS reading room: Implementing the 20 Critical Controls with Security Information Event Management Systems, by Senior SANS Analyst, James Tarala. http://www.sans.org/info/76233



US Judge Trying to Determine if Google Breached Wiretap Law (April 18, 2011)

A federal judge presiding over combined lawsuits against Google over its inadvertent collection of packets sent over unprotected wireless networks is trying to decide if Google breached the Wiretap Act. US District Judge James Ware is seeking a definition of "radio communication" under the Wiretap Act to determine whether or not home Wi-Fi networks fall under this purview. Google says they do, while the plaintiffs' legal team says that the data were only sent over radio waves while traveling between a home router and a laptop. Both parties agree that eavesdropping on cordless phones is illegal.

Which Cyber Security Specialists are Most Needed? (April 18, 2011)

While no one would dispute that cyber security specialists in government are in short supply, there is disagreement about which areas of cyber security are the most necessary and therefore merit higher pay. The US needs between 20,000 and 30,000 cyber security specialists to effectively protect cyberspace. Competitions (like the US Cyber Challenge initiative's Cyber Quests - see below) aim to draw those with raw talent into the field of cyber security and provide them with specialized technical training. Some say that those who specialize in network operations and penetration testing represent the greatest need. Others maintain the need is higher for information assurance analysts, auditors and administrators. The second group currently has higher average salaries than the first group, but the balance may shift as auditors and administrators increasingly see their work automated.
Cyber Quests:

Adobe Patches Flash Reader Vulnerability (April 15 & 16, 2011)

Adobe has released a fix for a zero-day vulnerability in Flash Player that was disclosed last week. The flaw is being actively exploited in targeted attacks with maliciously-crafted Excel and Microsoft Word documents. The updated version of Flash Player for Windows, Mac OS X, Linux and Solaris is A fix for Flash Player on Android smartphones is expected by the end of the month. The flaw has already been fixed in Google's Chrome browser.


[Editor's Note (Honan): As many Adobe applications are usable across many different platforms, they are a very attractive target to cyber criminals. Adobe really needs to do a root and branch analysis of their applications and implement better security within them. ]

Two-Year Prison Sentence for DDoS Attacks (April 15, 2011)

Bruce Raisley has been sentenced to two years in prison for launching a series of distributed denial-of-service (DDoS) attacks against nine websites. Rollingstone.com and other sites published accounts of an online affair Raisley had with a fictitious woman. Raisley had been part of a vigilante Internet group that posed as children online to trap sexual predators in sting operations. Raisley had a falling out with the group's leader, who then proceeded to fabricate an online identity for the fictitious woman with whom Raisley engaged in the online affair. Raisley was also ordered to pay more than US $90,000 in restitution.

[Editor's Comment (Northcutt): I would not have thought you could have an affair with a fictitious woman, but I read the other day about cloud girlfriends, so I suppose it is possible, call me silly, but I think I prefer holding hands and long walks along the beach:

Private Industry Wants Better Cyber Threat Information Sharing with Government (April 15, 2011)

In testimony before the US House Committee on Homeland Security, representatives from private sector companies such as AT&T, the North American Electric Reliability Corporation, and the Financial Services Sector Coordinating Council said they need the government to be more forthcoming with information about cyber security and cyber threats. Timely information sharing and collaboration between agencies and private sector companies that own and operate elements of the country's critical infrastructure is critical to protecting vulnerable systems. The companies want to share information with DHS, too. They say there should be a standard protocol to streamline the alert and information sharing processes.

[Editor's Note (Honan): There is a European project currently looking into the setting up of trusted networks to facilitate information sharing amongst groups of stakeholders. Have a look at the NEISAS website www.neisas.eu, which is an EU funded project, for more information. ]

Updates for Mac OS X and Safari (April 15, 2011)

On Thursday, April 14, Apple released updates for Mac OS X, Safari and several other products, including the iPhone and iPad. The update for Mac OS X (Security Update 2011-002) affects versions 10.5 and 10.6 of the operating system and addresses issues related to digital certificates that attackers were able to obtain fraudulently. The certificates were added to a blacklist so they will be recognized as untrustworthy. The updated version of Safari (5.0.5) addresses a pair of vulnerabilities that could be exploited to cause unexpected application termination or arbitrary code execution.


OS X Security Update Information:
Safari Update Information:

Guilty Plea in Stolen Credit Card Data Case (April 13, 14 & 15, 2011)

A Malaysian man has pleaded guilty to access device fraud and has admitted that he broke into a US Federal Reserve Bank computer network and installed malware. Prosecutors say Lin Mun Poo made a living by breaking into networks at financial institutions and other organizations, and selling data he stole from those networks. Lin was arrested last October in New York after law enforcement agents observed a transaction in which Lin sold credit card information for US $1,000. His "heavily encrypted" laptop was seized, but agents were apparently able to break the encryption.

[Editor's Comment (Northcutt): This article has additional information; most of the news sites are rehashing each other:

Oracle to Fix 73 Vulnerabilities in Quarterly Update (April 14, 15 & 18, 2011)

On Tuesday, April 19, Oracle plans to release fixes for 73 security flaws in a variety of products. Some of the vulnerabilities affect multiple products. Six of the patches address flaws in Oracle's flagship database software; two of those flaws are rated critical. Oracle releases fixes, called Critical Patch Updates, every quarter.




The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/