Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #77

September 27, 2011

Very good news: The Wall Street Journal's Siobhan Gorman stepped out
ahead of other journalists in highlighting what works for companies and
agencies to defend effectively against targeted and other attacks (see
the first story below). I hope this is the beginning of news reporting
in cybersecurity moving beyond highlighting the problems and
vulnerabilities (the easier part) toward discussing and contrasting the
effective solutions - like that at the US Department of State where they
automated the 20 Critical Controls. State's innovation is one of the
winners of the 2011 National Cybersecurity Innovation Awards along with
NASA's and Los Alamos' cloud security initiatives and several very cool
cloud security testing, mobile security improvement, the best cyber test
range, and APT risk mitigation innovations. The winning innovators will
share the lessons they learned and how to replicate what they did, at
the National Cybersecurity Innovation Conference Oct 11-12 in

Very sad news: Gene Schultz, a cybersecurity pioneer and NewsBites
editor, founder of the Department of Energy's CIAC and one of the
greatest teachers of security, suffered a severe brain injury from a bad
fall on Friday afternoon at the Minneapolis Airport. His family is with
him at the hospital and our prayers are as well. If you are one of
Gene's students, colleagues, and friends and want to follow his
progress, visit the web site his family has set up at



State Department Network Security Serves as Model for Other Large Organizations
Dutch Government to revoke its DigiNotar Certificates on September 28
MySQL Website Compromised; Serves Malware to Visitors


Legislators Speak Out on FCC's Net Neutrality Rules
OnStar Data Collection Practices Draw Fire from US Legislators
USCC Cyber Quests Winners Announced
Alleged LulzSec Member's IP Address Identified Through VPN/Proxy Server Provider
Phony Flash Player Installer Targets Mac Users
Trojan Uses Double Extension Trick to Get Malware on Macs
Microsoft Turns Rustock Botnet Evidence Over to FBI

************* Sponsored By Raytheon Trusted Computer Solutions ***********

Manually hardening operating systems to DISA STIGs, PCI, or SANS Consensus Audit Guidelines is cumbersome and time consuming. Automate it with Security Blanket(r) for consistent and predictable lock down results. Security Blanket now supports SELinux 'targeted' policy for Red Hat(r), Enterprise Linux(r) and Fedora(r). Learn more by registering for a free demonstration today!



- -- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?

- --SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.

- --SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.

- --Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live:



State Department Network Security Serves as Model for Other Large Organizations (September 26, 2011)

The US State Department has developed an effective approach to network security that makes it easier for managers to identify and address problems. The program has proven such a success that it is serving as a model for other large organizations. The State Department is responsible for guarding networks around the world, in a multitude of offices and in all time zones, much like a multinational company. The system assigns a value to security issues; the larger the problem, the larger the value, which lets officials know how to prioritize their attentions. A number of companies have made inquiries at the State Department regarding the program. The program was created by four people, including State CISO John Streufert. Requests have been made for the program's code, which Streufert offers at no cost. Of course, no program is perfect, and this program addresses only known vulnerabilities. It scans only Windows computers, not routers or other network equipment, although the program is being expanded to include these devices. The State Department's greatest innovation is the "monetization" of risk by computing the risk from various mis-configurations and vulnerabilities on a single "risk-point" scale and then providing the data to system administrators every day in a form that shows the sysadmins what action will provide the highest risk-point reduction that day.
[Editor's note (Murray): It would be wonderful if our security was a function of the strength of our walls rather than the guards at our gates.
(Paller) Federal agencies that have purchased tools like HBSS and BigFix and/or vulnerability management systems, but have not taken the final step of computing a common risk-score and delivering task prioritization data to system administrators every day, are wasting their software investment and leaving their agencies at risk. IOW they are grasping defeat from the jaws of victory. This is especially true given the State Department's active program of providing its NSA-verified risk-point scoring system and sysadmin prioritization tools to other agencies and companies around the world at no cost.
(Honan): Kudos to Mr. Streufert for openly sharing this model with other organisations, and at no cost. It is open and effective information sharing between organisations that will help us all to better improve all our information security. ]

Dutch Government to revoke its DigiNotar Certificates on September 28 (September 26, 2011)

The Dutch government will revoke both its DigiNotar certificates on Wednesday, September 28. The government said that while there is no evidence that the compromised certificates had been abused, they are nonetheless vulnerable. In some instances, compromised DigiNotar certificates have been use to launch man-in-the-middle attacks. DigiNotar has filed for bankruptcy.


MySQL Website Compromised; Serves Malware to Visitors (September 26, 2011)

On Monday, September 26, the MySQL website was compromised and was being used to serve malware. The attack was discovered about 5 AM PDT; the site was cleaned up several hours later. The JavaScript code known as the Black Hole exploit kit attempts to launch a series of known browser attacks against site visitors. Security journalist Brian Krebs noted that administrative access to the site was being offered last week on the hacker underground for US $3,000.

[Editor's Note (Liston): This is the second time in a year that the MySQL site has been compromised. The first compromise pegged the ol' irony-meter by reportedly being the result of SQL-injection. No definitive word yet on the root cause of this latest attack. ]

*************************** SPONSORED LINKS ******************************

1) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder.

2) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST:

3) Nasuni Whitepaper: Understanding Security in Cloud Storage



Legislators Speak Out on FCC's Net Neutrality Rules (September 26, 2011)

US legislators have spoken out on both sides of the argument surrounding the Federal Communications Commission's (FCC's) net neutrality rules. Senator Jay Rockefeller (D-West Virginia) said the "rules ... promote transparency and prohibit discrimination." Others believe the FCC is over-reaching its authority. Senator Kay Bailey Hutchison (R-Texas) plans to encourage a Senate vote on a resolution of disapproval later this fall. The rules have been published in the Federal Register and are slated to take effect on November 20.


OnStar Data Collection Practices Draw Fire from US Legislators (September 26, 2011)

Three US senators have voiced concerns over OnStar's announcement that it would continue to collect location data from car owners even after they had cancelled the OnStar service. Senators Al Franken (D-Minnesota) and Chris Coons (D-Delaware) have said that "violate
[s ]
basic principles of privacy and fairness." And Senator Charles Schumer (D-New York) has written a letter to the Federal Trade Commission asking for an investigation into the matter. OnStar made the announcement earlier this month in an email to subscribers. The company said it is reserving the right to sell the data, anonymized, to third parties. The legislators are skeptical about OnStar's claim that the data will be anonymized, because there is a "broad body of research showing that it is extraordinarily difficult to successfully anonymize personal data like location."

[Editor's Note (Murray): I think that OnStar's trial balloon just got shot down. Someone read their terms. ]

USCC Cyber Quests Winners Announced (September 26, 2011)

The US Cyber Challenge has announced the winners of the most recent round of Cyber Quests. The online competition is open to people 18 and older with a strong interest in cyber security. Chad Weber, a Vermont Technical College student, took first place; his prize is a trip to the SANS NetWars competition where he can further hone his skills and make valuable connections with people in the industry. Ben Toews, a graduate of DePaul University in Illinois took second place, and Dan Borges, a senior at East Stroudsberg University in Pennsylvania, took third place.

Alleged LulzSec Member's IP Address Identified Through VPN/Proxy Server Provider (September 26, 2011)

A VPN and web proxy service has acknowledged that it provided information that led to the identification of Cody Kretsinger, who is allegedly a member of the LulzSec hacking group; the man was arrested last week. Hide My Ass (HMA) said it was complying with a court order to disclose the IP address with which Kretsinger had logged into its service. HMA notes that its terms-of-service agreement stipulates that it not be used for illegal purposes. HMA logs users' IP addresses at the beginning and end of VPN sessions.


[Editor's Note (Murray): David Brin told us, "Privacy and anonymity are what we want for ourselves; accountability is what we want for everyone else." All hope of anonymity in the Internet died when was forced to shut down. Until it was shut down, I always suspected that it was run by NSA. However, when the Finnish police sided with the Church of Scientology against it, that established its bona fides but destroyed the necessary trust. Finland surrendered its claim to be a bastion of freedom. At least HMA claims that it yielded to a court order. The requirement for a court order is about the best we can hope for now. ]

Phony Flash Player Installer Targets Mac Users (September 26, 2011)

A Trojan horse program masquerading as a Flash Player installer has been detected in the wild. The malware, which targets Mac users, does not exploit a vulnerability but relies on users who do not have Flash installed clicking on the offered link. The Trojan disables some security software and installs a dynamic loader library with auto-launch that injects code into applications the user runs. It also sends information about the infected computer to a remote server.


[Editor's Note (Murray): Adobe sets users up to be victims of such attacks by encouraging Flash customers to offer it from their sites. While most of the sites that offer Flash are legitimate, the practice is dangerous. One should download Flash only from the Adobe site. ]

Trojan Uses Double Extension Trick to Get Malware on Macs (September 23, 2011)

A Trojan horse program that targets Mac computers has been detected. The malware disguises itself as a PDF document. It uses a trick employed by writers of malware for Windows systems years ago - the double extension, which makes it appear to be a PDF file rather than an executable. The malware exploits no flaw in Mac OS X; it just attempts to trick users into allowing it to run on their machines.


[Editor's Note (Liston): Everything old is new again. As OS X grabs a larger share of the marketplace, expect to see more and more of these old Windows attacks being repurposed for use against unsuspecting Mac users. ]

Microsoft Turns Rustock Botnet Evidence Over to FBI (September 23, 2011)

Microsoft has won a civil case against the operators of the Rustock botnet. The company has given its evidence to the FBI, which it hopes will pursue criminal charges. Washington State ruled that the domain names and IP addresses involved in hosting Rustock could be disabled for two years.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit