
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #37

May 10, 2011


One of the most provocative new opportunities in cybersecurity has been
discovered at a major California technology company. They have recruited
IT architects and engineers and trained them to be extensions of the
security group while still holding their regular jobs, enabling
security to be baked into every application from the beginning. It's a
surprisingly effective method, based in part on a series of precisely
targeted security gates, and will be one of the key takeaways from
the Workshop on Baking Security into Applications and Networks 2011 in
Washington this summer. The Call for Participation is at the end of this
issue.

TOP OF THE NEWS

Clause in Spending Bill Bans Scientific Collaboration with China
US Government Wants Coreflood Removed From Computers
Spyware is Forever

THE REST OF THE WEEK'S NEWS

Raid Targets Computer Allegedly Used in DDoS Against Gene Simmons' Website
French Security Firm Claims to Have Code That Bypasses Chrome Sandbox
Sony May Offer Reward in PSN Attack
Sony PlayStation Network Relaunch Delayed
Skype for Mac Update Addresses "Wormable" Flaw
PC Rental Company Allegedly Used Webcam to Take Pictures of Customers Remotely
Google Image Poisoning

BAKING SECURITY INTO APPLICATIONS AND NETWORKS

CALL FOR CASE STUDIES AND PARTICIPATION


*****************************************************************

TRAINING UPDATE

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, London, Austin, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY WinMagic Inc. **********************

WinMagic SecureDoc offers a comprehensive full-disk encryption solution for Windows, Mac, and Linux platforms and removable media (USB thumb drives, CD/DVDs, SD Cards). The central administration console simplifies enterprise management of encrypted devices, user permissions, and encryption keys. SecureDoc manages Intel Anti-theft Technology, SEDs, advanced Lenovo technologies, and exclusively offers pre-boot networking. Evaluate SecureDoc today.

http://www.sans.org/info/77084

****************************************************************************

TOP OF THE NEWS

- Clause in Spending Bill Bans Scientific Collaboration with China (May 7, 2011)

A clause inserted into the recently passed US spending bill prohibits the White House Office of Science and Technology Policy (OSTP) and NASA from collaborating with China in any scientific endeavor. Representative Frank Wolf (R-Va.), the legislator who put the language into the bill, did so because "we don't want to give them the opportunity to take advantage of our technology, and we have nothing to gain from dealing with them." Wolf cited a litany of incidents in which cyber attacks and data thefts have been traced to China.
-http://blogs.forbes.com/williampentland/2011/05/07/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/

[Editor's Note (Schultz): China's position, of course, will be to deny any involvement in any incident cited by Rep. Wolf. One would think that in time China's government might think of something different to say whenever it is implicated in the myriad of security-related incidents, the origin of which ostensibly is China. ]

- US Government Wants Coreflood Removed From Computers (May 6, 2011)

The FBI is expected to seek written permission from users whose computers are infected with the Coreflood bot malware before removing it from their machines. Unlike ZeuS, which is designed to grab specific information related to financial accounts, Coreflood harvests large quantities of data so that those behind the botnet can sift through it for what they want. The US government has a strong incentive to ensure that Coreflood ceases its activity: investigators found that it had stolen a "master key" that allowed access to computer systems at a Middle East embassy and had sent the key back to a server in Russia. There are concerns that the action the FBI will take remotely, even with permission, could have unknown effects on users' computers. Coreflood comprises about 2.3 million PCs worldwide; more than 1 million of those machines are in the US. The takedown used, for the first time, a technique that allowed law enforcement agents to replace the botnet's command-and-control servers with their own, which then sent a message to infected computers instructing the malware to stop running. But because the malware starts up again whenever an infected system is rebooted, the FBI wants to remove it entirely.
-http://www.csmonitor.com/USA/2011/0506/FBI-set-to-kill-secret-stealing-Russian-botnet.-Is-your-computer-infected

- Spyware is Forever (May 6, 2011)

Documents obtained from the FBI by the Electronic Frontier Foundation (EFF) under a Freedom of Information Act (FOIA) request say that software the FBI places on suspects' computers to help gather evidence in cyber crime investigations collects information whenever the target's computer is turned on. The documents also indicate that government officials are unclear about the legal procedures for requesting permission to use the Computer and Internet Protocol Address Verifier (CIPAV) software. EFF staff attorney Jennifer Lynch says the tool has proven valuable in identifying and capturing serious criminals and that in that regard "it's an important tool to use [but] we need to get on the FBI about ... using the proper authority" for installing the tool and for deactivating it once the investigation is complete.
-http://www.nextgov.com/nextgov/ng_20110506_4515.php?oref=topstory


**************** Announcing New SANS Reading Room Papers! ***************

1. The highly-anticipated SANS 7th Annual Log Management Survey Report is now available in the SANS Reading Room here: http://www.sans.org/info/77094

2. A new survey on network security and resiliency is available in the SANS Reading Room here: http://www.sans.org/info/77099

****************************************************************************

THE REST OF THE WEEK'S NEWS

- Raid Targets Computer Allegedly Used in DDoS Against Gene Simmons' Website (May 6 & 9, 2011)

US federal law enforcement agents have raided a home in Gig Harbor, Washington, in connection with distributed denial-of-service (DDoS) attacks against Gene Simmons' website. Simmons' website came under attack last October, days after the KISS frontman spoke out against illegal filesharing and encouraged musicians to "sue everybody." Some of the traffic implicated in the attack had been traced to the Gig Harbor home, where law enforcement agents seized a computer that reportedly belongs to a teenager who lives there.
-http://www.theregister.co.uk/2011/05/09/kiss_gene_simmons_ddos_probe/
-http://regmedia.co.uk/2011/05/09/gene_simmons_ddos_affidavit.pdf
-http://www.thenewstribune.com/2011/05/06/1654640/gig-harbor-items-suspected-in.html

- French Security Firm Claims to Have Code That Bypasses Chrome Sandbox (May 9, 2011)

French security firm Vupen claims to have developed an exploit for a zero-day flaw in Google's Chrome browser that bypasses both Chrome's sandbox and Windows 7's built-in security measures. Vupen says the flaw can be exploited by luring a user to a malicious website. Google has been unable to verify Vupen's claims because the security firm did not provide Google with any details. Internet Storm Center:
-http://isc.sans.edu/diary/VUPEN+Security+pwns+Google+Chrome/10852
-http://www.computerworld.com/s/article/9216542/Security_firm_exploits_Chrome_zero_day_to_hack_browser_escape_sandbox?source=CTWNLE_nlt_pm_2011-05-09
-http://www.theregister.co.uk/2011/05/09/google_chrome_pwned/

- Sony May Offer Reward in PSN Attack (May 6 & 9, 2011)

There are reports that Sony is considering offering a monetary reward for information leading to the arrests of those responsible for the recent breach that compromised the information of as many as 100 million Sony customers. The bounty may be offered through the FBI. Over the weekend, two members of the hacking collective known as Anonymous said that some of the group's members may have participated in the attack, despite earlier claims that Anonymous was not involved. The group had planned a distributed denial-of-service (DDoS) attack against PSN to protest Sony's legal action against George Hotz.
-http://www.theregister.co.uk/2011/05/09/sony_hacker_bounty/
-http://news.cnet.com/8301-1009_3-20060661-83.html?tag=mncol;title

- Sony PlayStation Network Relaunch Delayed (May 7 & 8, 2011)

Sony missed its planned deadline for restoring the PlayStation Network (PSN). In a blog post last week, Sony senior director of corporate communications and social media Patrick Seybold said the company was still conducting security checks. He cited the recent discovery that Sony Online Entertainment was also affected by the breach as a factor in the delay. Seybold did not say when Sony expects to have the system back online. Adding to Sony's embarrassment, last week it was found that the company had left customer information associated with a 2001 sweepstakes exposed on an old server.
-http://news.cnet.com/8301-31021_3-20060773-260.html?tag=mncol;title
-http://www.theregister.co.uk/2011/05/08/sony_psn_saga_snowballs/
-http://www.h-online.com/security/news/item/Sony-delays-PSN-reopening-1239506.html

- Skype for Mac Update Addresses "Wormable" Flaw (May 6 & 9, 2011)

Skype has issued an update for its Skype for Mac software to fix a flaw that could be exploited to spread a worm. When Mac users launch affected versions of Skype, they are now being offered version 5.1.0.935 of the voice over Internet protocol (VoIP) software. Skype recommends that all Mac users upgrade to the newest version. An attacker could exploit the vulnerability and gain control of a user's computer by sending the targeted user a message. The vulnerability has been called "wormable." Internet Storm Center:
-http://isc.sans.edu/diary/Unpatched+Exploit+Skype+for+Mac+OS+X/10837
-http://www.computerworld.com/s/article/9216546/Skype_patches_wormable_Mac_bug?taxonomyId=17
-http://news.cnet.com/8301-27080_3-20060609-245.html?tag=mncol;title

- PC Rental Company Allegedly Used Webcam to Take Pictures of Customers Remotely (May 5 & 6, 2011)

A Wyoming couple has filed a lawsuit against a store through which they had a rent-to-own computer agreement. The suit alleges that the store spied on them. Crystal and Brian Byrd discovered that someone at the store had used remotely activated software to take a picture of Brian when a store employee came to their home and attempted to repossess the computer. The lawsuit also names the company that developed the software allegedly used to take the picture. Evidently a picture was taken each time the couple received a pop-up reminder to register their software. The Byrds are seeking class action status for their lawsuit.
-http://www.channelregister.co.uk/2011/05/06/secret_spy_hardware_suit/
-http://redtape.msnbc.msn.com/_news/2011/05/05/6590738-could-a-leasing-company-use-your-laptop-to-spy-on-you
-http://news.cnet.com/8301-17852_3-20059642-71.html
[Editor's Comment (Northcutt): Here is a site with clear, easy to follow instructions to turn the camera off, but the setting can probably be reversed with software. Painter's masking tape over the lens, while low tech, gives you the last word:
-http://peripherals.about.com/od/webcamerasvideoinputs/ss/DisableaWebcam.htm]

- Google Image Poisoning (May 6, 7 & 9, 2011)

Reports are emerging that Google Images searches are returning results laced with malicious links. Users have reported that when they clicked on certain results, their computers were hit with scareware, which displays fake security alerts and warnings. The technique has recently been used to take advantage of people's curiosity about the royal wedding and about bin Laden. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10822
-http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/
-http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Bin-Laden-Death-Spiked-News-Website-Traffic-Report-543091/
-http://www.infosecurity-magazine.com/view/17852/google-image-search-poisoning-added-to-cybercriminals-arsenal/

[Editor's Comment (Northcutt): Another reminder to use Firefox/Noscript when surfing to unknown locations. I was not able to find a web site with a script that concerned me on a search for royal wedding, but was able to quickly find dangerous scripts on a search for bin Laden images, and confirmed with Google safebrowsing that it was a malware distro site:
-http://google.com/safebrowsing/diagnostic?site=syahrinaziz.com/]
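An added check, not part of the NewsBites item above and not code from Google or the Internet Storm Center: landing pages used in search-poisoning campaigns are commonly set up to serve harmless content to anyone who fetches them directly (a crawler, or an analyst) and to redirect only visitors who arrive from a search result, which they recognize from the Referer header. That mechanism is an assumption here, not something the item states. The Python script below fetches a URL twice, once with a Google Images Referer and once without, refuses to follow redirects so the Location header can be inspected, and flags the page if the two responses differ. The cloaking site it runs against is a constructed local HTTP server; the hostname scareware.invalid, the /landing.php and /scan.php paths and the page body are all made up for the demonstration. Point check_url() at a real URL to test a live page.

```python
"""Referer-cloaking check for a suspected search-poisoning landing page.

Added example, not from the NewsBites item. Assumption: poisoned pages
often answer a direct fetch with benign content and redirect to the
scareware site only when the visitor carries a search-engine Referer.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Referer a victim would carry when clicking a Google Images result
# (assumed shape; the exact query string does not matter for the check).
GOOGLE_IMAGES_REFERER = "https://www.google.com/imgres?imgurl=http://example.invalid/a.jpg"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, timeout=5):
    """GET url once; return (status, Location header or None, body bytes)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        # 3xx ends up here because _NoRedirect declined to follow it;
        # 4xx/5xx land here too, which is fine: we only compare responses.
        return err.code, err.headers.get("Location"), err.read()


def check_url(url):
    """Fetch with and without a search-engine Referer and compare.

    'cloaked' is True when the page answers differently depending on
    whether the visitor looks like a search-result click.
    """
    direct = fetch(url)
    referred = fetch(url, referer=GOOGLE_IMAGES_REFERER)
    return {
        "cloaked": direct != referred,
        "direct_status": direct[0],
        "referred_status": referred[0],
        "referred_location": referred[1],
    }


# ---- constructed targets for an offline demonstration ----------------------

class CloakingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a poisoned page: benign unless Referer is Google."""
    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://scareware.invalid/scan.php")
            self.end_headers()
        else:
            self.serve_benign()

    def serve_benign(self):
        body = b"<html><body><img src='wedding.jpg'> royal wedding photos</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HonestHandler(CloakingHandler):
    """Same page, but it ignores the Referer; the check must not flag it."""
    def do_GET(self):
        self.serve_benign()


def run_demo():
    """Start each constructed server on loopback and run the check against it."""
    results = {}
    for name, handler in (("cloaking", CloakingHandler), ("honest", HonestHandler)):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = check_url(f"http://127.0.0.1:{srv.server_address[1]}/landing.php")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name, res)
```

The comparison deliberately covers status, Location and body, because a cloaked page may redirect, serve a different HTML body with a JavaScript redirect in it, or return an error to the direct fetch; any of those differences is a reason to treat the result as hostile rather than to click it. Run the check from a disposable host, since the Referer-carrying request is exactly the one the attacker wants to see.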


BAKING SECURITY INTO APPLICATIONS AND NETWORKS

Call for Participation in the Workshop on Baking Security into

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/