Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #33

April 26, 2011


Apple Facing Lawsuit Over Location Tracking Data
Iranian Investigator Alleges Another Worm Targeted Government Systems


Internet Still Disconnected at Oak Ridge
FBI Raids Home of Suspected Illegal Filesharer
Sony Has No Estimate for Restoration of PlayStation Network
Google Releases Data Center Security Video
Seattle Police Investigating Reports of Wardriving
Quiet Progress in Securing Federal Systems
Software Company Acknowledges Customer Database Breach
Hiding Files on Hard Drives Without Encryption
ACLU Seeks Documents Regarding Michigan Police Use of Data Extraction Devices
Expert Commentary on the FBI Takedown of CoreFlood by Hugh Murray



- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses.

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls

- -- Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live:

*********************** SPONSORED BY MANDIANT ********************

Be part of something more! MANDIANT is building a world-class threat detection and response organization and needs a few good men and women to join the Product Development and Professional Services teams in our DC, New York, Los Angeles and San Francisco offices.
Check out open positions online at



Apple Facing Lawsuit Over Location Tracking Data (April 25, 2011)

Two people have filed a lawsuit against Apple over location tracking data that are stored on iPhones without users' consent. The suit was filed in the US District Court for the Middle District of Florida. The plaintiffs are seeking an injunction that would require Apple to disable the tracking mechanism. They allege that Apple violated the Computer Fraud and Abuse Act because the company is aware that the majority of users do not pore over the details of user license agreements. In a separate but related story, independent testing shows that the iPhone stores location data even after location services are turned off.


Iranian Investigator Alleges Another Worm Targeted Government Systems (April 25, 2011)

The Iranian investigator looking into the Stuxnet attack that infected systems at a nuclear power plant there says Iran was also the target of another attack, a worm called Stars, which has been described as an "espionage virus." The attack appears to have been aimed at specific computer systems at Iranian nuclear facilities. The same investigator last week blamed Siemens for the Stuxnet attack, asking that the company "explain why and how it provided the enemies with the information about the codes of SCADA software and prepared the ground for a cyber attack against" Iran's nuclear program. Some experts are still trying to determine if Stars is a legitimate targeted attack, or simply an ordinary Windows worm.



[Editor's Note (Schultz): Whether or not this particular worm was part of a targeted attack, one thing is clear--we are just on the tip of the iceberg when it comes to targeted worm attacks. ]

************************** Sponsored Links: *******************************

1) In case you missed it! Web 2.0 Security: Same Old But Different FEATURING: Johannes Ullrich & Eric Crutchlow Sponsored By: SONICWALL

2) REGISTER NOW for the upcoming webcasts with Oracle: Thursday, 4/28/11 at 1:00pm EDT Transparent Data Encryption for Oracle Databases and don't miss RSA Attacked: "Strong" Authentication Is Not The Solution, Wednesday, 5/4/11 at 1:00pm EDT



Internet Still Disconnected at Oak Ridge (April 25, 2011)

Employees at the US Department of Energy's Oak Ridge National Laboratory remain without Internet access following the detection of a spear phishing attack that left a lab network infected with malware. Email and Internet access were suspended on April 15; email was restored on April 19. A lab spokesperson said that they are "being cautious, since the whole purpose of the malware is to exfiltrate data."

[Editor's Note (Northcutt): Good for Oak Ridge! Anyone can get stuck by malware, but they found the problem (how often does that happen) and then took significant defensive action. ]

FBI Raids Home of Suspected Illegal Filesharer (April 25, 2011)

The FBI has raided the apartment of an individual believed to have uploaded several movies to The Pirate Bay that were playing only in theaters at the time. The person has been identified as Wes DeSoto, a member of the Screen Actors Guild and the owner of a clothing shop. DeSoto was pegged as the culprit because the copies of the films he viewed had unique watermarks. Members of the Guild were provided iTunes codes that allowed them to access the screening copies of films nominated for awards. No charges have been filed.

Sony Has No Estimate for Restoration of PlayStation Network (April 25, 2011)

Sony's PlayStation Network (PSN) was taken offline to allow the company to investigate an intrusion. The system remained unavailable as of Monday morning; it has been inaccessible for five days. PSN has more than 70 million accounts around the world. Users can download games, music and movies through the system and can play games online with friends. Sony says it is "rebuilding" the PSN to protect it from future attacks. The company has not yet determined if any customer information was stolen.

[Editor's Note (Paller): You are seeing the visible manifestation of the continuing conflict between accessibility and speed to market on the one hand and security on the other. Sony has to let everyone in -- that's the business model. And they have to continually innovate -- that's the survival strategy. New software has holes. Sony has IT architects and programmers with limited skills in making sure the designs are secure and the code is secure (and limited corporate visibility into the level of security skills of the IT architects and developers). Lack of security skills in the IT architects and software developers creates catastrophes waiting to happen. ]

Google Releases Data Center Security Video (April 25, 2011)

Google has released a video demonstrating the security at their data centers. Physical access is strictly limited to necessary employees. The company does not allow tours of the facilities. Some of the data centers are protected with special badges; others use retinal scans. The video shows Google's practice of destroying hard drives that have reached the end of their life cycle. First the drives are destroyed beyond recovery, then they are shredded and packaged for shipment to recycling centers.

[Editor's Note (Schultz): For all the threats it faces and for all the resources Google has to protect, Google really does an incredible job. ]

Seattle Police Investigating Reports of Wardriving (April 19 & 25, 2011)

Police in Seattle, Washington are investigating a group of alleged criminals who are believed to be driving around the city and breaking into Wi-Fi networks at various businesses and stealing information. Authorities say the group has been conducting the attacks for about five years.



Quiet Progress in Securing Federal Systems (April 22, 2011)

White House Cybersecurity coordinator Howard Schmidt has no interest in making headlines, but instead is working steadily and quietly to improve the security of federal computer systems. The understated stance of the office has led some to question the importance the Obama administration affords cyber security. Public perception may rely on the volume of initiatives and policymaking to come out of an office, but Schmidt explains that once policy has been established, it needs to become operational.
[Editor's Note (Pescatore): It is good to see effort behind the scenes to improve operational security prioritized over buzz and hype. ]

Software Company Acknowledges Customer Database Breach (April 21 & 22, 2011)

German software development company Ashampoo has acknowledged that attackers accessed its customer database. The company has emailed all 14 million customers to notify them of the breach, which affected one of the company's servers. The attackers were able to access customer names and associated email addresses, but no billing data were kept on that server. Ashampoo says it has fixed the vulnerability that the attackers exploited to gain unauthorized access to the server.



Hiding Files on Hard Drives Without Encryption (April 21, 2011)

Researchers have devised a method of hiding data on hard drives without using encryption. The technique allows a 20-megabyte message to be hidden on a 160-gigabyte hard drive. The technique involves storing clusters of the file to be hidden in places on the disk determined by a code, which would need to be known by the person receiving they disk. To an inspector, the disk would look like any other disk on which data have been stored and deleted in the course of regular use. The technique works as long as none of the files on the disk are modified before it reaches its destination. There are instances in which encryption is not desirable, because the extra data it creates are a giveaway that there's something to be found. This could be the case when someone is trying to smuggle information out of a country with a repressive government.

[Editor's Note (Pescatore): Everyone of these schemes always has a "code" involved, and tends to smell very much like encryption - just done in a non-standard way. There are a lot of examples of home-grown approaches being about as secure as paper mache. ]

ACLU Seeks Documents Regarding Michigan Police Use of Data Extraction Devices (April 21 & 25, 2011)

When the American Civil Liberties Union (ACLU) made a Freedom of Information Act (FOIA) request for documents containing information to help them determine if Michigan State Police were violating Fourth Amendment rights, they were told it would cost more than half a million dollars. The issue centers on the use of a data extraction device used by police. The device is capable of scraping data from phones in less than two minutes. The ACLU of Michigan is trying to determine whether police violated people's Fourth Amendment rights by taking those data without search warrants. The Michigan State Police has issued a statement regarding allegations of their abuse of data extraction devices. The statement says there have been no allegations of wrongdoing and that "the
[Michigan State Police ]
only uses the
[devices ]
if a search warrant is obtained or if the person possessing the mobile device gives consent, ...
[and they ]
are not being used to extract citizens' personal information during routine traffic stops."


Expert Commentary on the FBI Takedown of CoreFlood by Hugh Murray

A great deal of experience and wisdom is reflected in this commentary on the current controversy over whether the FBI was "hacking" when it took down the botnet.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit