
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #78

September 30, 2011

Kids in Cybersecurity: October 14 is the last date for high school
students to sign up for the Fall 2011 national high school cyber talent
search competition of the US Cyber Challenge. 109 high schools in 30
states are already registered and their students are participating
(listed at

Ed Skoudis created a great tutorial for students and teachers who want
to prepare for the first competition. And SANS alumni may grant, on
behalf of SANS, a $100 to $500 scholarship to any US school in their
state that wants their children to participate in the talent search.
With that scholarship and Ed's tutorial, every high school in the
country has what they need to enable their students to participate and
to do well. More data at uscyberchallenge.org. If you have questions
about getting your local high school engaged, email Renee Mclaughlin

Is cyber insurance a scam? We just got asked by a reporter for a major
news organization for data on whether cyber insurance was real or a
scam. Has any reader ever had a cyber attack in which the insurance
paid and their organization was made whole? Or has any reader ever had
a breach where you thought you had insurance and found it didn't cover
the loss? Email me at apaller@sans.org. We won't use your name or
company unless you tell us to.



European Union to Introduce Liability Rules for Cloud Vendors
DoD Moving To Standardize on Single Windows Image: Unified Master Gold Disk
Legislators Calling for FTC Investigation of Persistent Cookies
Firefox Developers Think Disabling Java Might Kill the BEAST


ISC2 Plans Rapid Growth in Number of CISSP Certified Professionals
Activist Group Challenging FCC Net Neutrality Rules Over Wireless Exemptions
Facebook Fixes Cookie Problem
Prison Sentence for Countrywide Data Thief
State Dept. Officer Threatened With Job Loss Over Blog
Microsoft Will Issue Patch to Fix The Flaw BEAST Exploits
Microsoft Shuts Down Kelihos Botnet

************************ Sponsored By Firemon ***************************

Enterprise backup for your Juniper, Check Point and Palo Alto firewalls! Network devices fail all too often and when they do, recovery can be difficult and the outage costly. BackBox provides enterprise backup for security devices. Evaluate BackBox on your own network! Contact us at sales@firemon.com to get started. Learn more at http://www.sans.org/info/87969



--NCIC: The National Cybersecurity Innovation Conference, DC, Oct. 11-12, 2011 Learn from the pioneers who found the most important innovations this year in cloud security, mitigating the advanced persistent threat, cool open source tools, and developing cyber warriors.

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?

--SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.

--SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.

--Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Dubai, Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php



European Union to Introduce Liability Rules for Cloud Vendors (September 28 & 29, 2011)

The European Union (EU) plans to introduce the Binding Safe Processor Rules, which would hold vendors of cloud services in the EU liable for data security breaches. Vendors would sign up for what amounts to an accreditation. Consumers are likely to feel safer doing business with a company that is willing to stand behind its services. The rules are an update to the Data Protection Directive. The companies will be required to demonstrate their compliance with certain data protection standards for approval under the rules. Current law holds data owners responsible for data loss.


[Editor's Note (Murray): The devil is in the details and the rules may be helpful. However, the idea that one can transfer the responsibility for protecting the data from the owner to the custodian by fiat, or any other way, is absurd on its face. The decisions about protecting the data cannot be separated from the decisions about collecting it and using it. ]

DoD Moving To Standardize on Single Windows Image: Unified Master Gold Disk (September 29, 2011)

The unified master gold disk (UMGD) is scheduled to be available in the first quarter of 2012. The UMGD is meant to replace the Department of Defense (DoD) gold masters that apply only within a single service. The test of the new standard at US CENTCOM demonstrated five key benefits that are unavailable when non-standard configurations are allowed onto an important network of systems: (1) Systems get into the fight faster because soldiers don't have to reconfigure them after the software is installed. (2) Systems are significantly safer because they are configured, out of the box, to withstand the most common attacks. (3) Systems require significantly less system administrator time, reducing the load on (and the chance of errors by) recruits without much experience. (4) Systems can be patched much more quickly, without concern for incompatibilities, so they can respond fast to new threats. (5) Systems with the standard configuration interoperate more easily because they share common operating characteristics.
[Editor's Note (Paller): The CENTCOM deployment and proof along with DoD's leadership in expanding the use of the UMGD across its huge user population led to their being selected as one of the winners of the 2011 National Cybersecurity Innovation Awards and they will be presenting the lessons learned and how they are moving forward at the workshop on Oct 11-12 in Washington. ]

Legislators Calling for FTC Investigation of Persistent Cookies (September 27 & 28, 2011)

Two US legislators are calling for the Federal Trade Commission (FTC) to investigate the use of persistent tracking cookies on many websites. The cookies, also known as supercookies, are difficult to remove, and the legislators are concerned that the tracking method could constitute an unfair business practice. The cookies can be installed without users' permission. Representatives Joe Barton (R-Texas) and Edward Markey (D-Massachusetts) told FTC chairman Jon Leibowitz in a letter that "the usage of supercookies takes away consumer control over their own personal information."


[Editor's Note (Murray): As is almost always the case, the problem here is not the tool but the use. Saving state on the client side is an essential part of the client-server computing model. ]

Firefox Developers Think Disabling Java Might Kill the BEAST (September 29, 2011)

Developers at Mozilla are considering disabling the Oracle Java plug-in as a work-around for the SSL/TLS flaw. If Firefox developers were to take that step, the browser would be prevented from working with many websites. Developers for other browsers have taken less severe steps to protect users from attacks. Chrome developers addressed the issue by adding a random element to the encryption process, which has created some loss of functionality.

[Editor's Note (Liston): It's important to understand that the BEAST exploit is actually a combination of two exploits: 1) The injection of JavaScript code into the SSL stream, and 2) an exploitable flaw in Java that can be used to bypass the browser's Same Origin Policy (SOP). Mozilla is focusing attention on the Java vulnerability, but that's just the method that Rizzo and Duong chose to use. If another method of violating SOP is found, then the underlying issue still exists. What needs to happen is fixing the underlying issues surrounding the deployment of TLS 1.1/1.2.
(Murray): Getting the code to run is still the trick. If one can do that, there are an infinite number of ways to exploit it. Of those ways, this one is very slow. ]
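The notes above put the real fix on the server side: stop negotiating the TLS 1.0 record layer that BEAST's chosen-plaintext trick depends on, and prefer suites that do not use CBC chaining at all. The following is an added example, not code from the newsletter, Mozilla, Google or Microsoft. It uses only Python's standard `ssl` module and never opens a connection: it builds a 2011-style server context that still accepts TLS 1.0 beside a hardened one with a TLS 1.2 floor and AEAD-only suites, and reports what each would offer. The function names and the cipher string are my choices; the AEAD flag comes from `SSLContext.get_ciphers()`.

```python
import ssl

# Added example (not from the NewsBites item). Runs offline: it inspects
# local SSLContext objects and makes no network connection.


def describe_context(ctx):
    """Report the protocol floor and the cipher suites a server context would offer."""
    suites = ctx.get_ciphers()  # list of dicts; "aead" is False for CBC-mode suites
    return {
        "min_version": ctx.minimum_version.name,
        "allows_tls10": ctx.minimum_version <= ssl.TLSVersion.TLSv1,
        "non_aead_suites": sorted(c["name"] for c in suites if not c.get("aead")),
        "suite_count": len(suites),
    }


def legacy_context():
    """A server context with the 2011-era floor: TLS 1.0 is still negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # emits a DeprecationWarning on recent Pythons
    return ctx


def hardened_context():
    """A server context that refuses anything below TLS 1.2 and offers only AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string is an assumption for this example: forward-secret, AEAD-only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def findings(ctx):
    """Human-readable list of the weaknesses a context still carries (empty when clean)."""
    report = describe_context(ctx)
    out = []
    if report["allows_tls10"]:
        out.append("TLS 1.0 still negotiable")
    if report["non_aead_suites"]:
        out.append(f"{len(report['non_aead_suites'])} non-AEAD (CBC-mode) suites offered")
    return out


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label, describe_context(ctx)["min_version"], findings(ctx) or ["no findings"])
```

Run it against the context your own application builds instead of the two constructed here; a non-empty `findings()` list is the configuration change to make before worrying about client-side plug-ins.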

*************************** SPONSORED LINK *******************************

1) Controlling Privileged User Access: SANS WhatWorks Case Study on How a Leading Manufacturer is Securing Their Systems http://www.sans.org/info/87974



ISC2 Plans Rapid Growth in Number of CISSP Certified Professionals

ISC2's executive director, Hord Tipton, told a SearchSecurity reporter that one reason many companies struggle with information security is that, despite more than 76,000 active CISSPs worldwide and 3,200 who took the test last December, they can't find enough qualified infosec pros to work for them. "I need to find 2 million people in three years to come close to meeting the expected need," said Tipton. On the other hand, some CISSPs expressed concern to the reporter that their hard-earned certification is being watered down by a bevy of inexperienced applicants.

Activist Group Challenging FCC Net Neutrality Rules Over Wireless Exemptions (September 28, 2011)

The Federal Communications Commission (FCC) expected legal challenges to its net neutrality rules from those who believe the rules exceed the FCC's authority, but an activist group at the other end of the spectrum has filed a lawsuit over the rules, claiming they do not go far enough. Free Press wants a federal appeals court to review the rules because it is concerned that wireless companies are exempt from some of the most important policies.

[Editor's Note (Murray): Anyone else remember how we got here? The ISPs said "we will consent to regulation of the wire-side in return for being able to do what we want on the air-side." I cannot speak for everyone but it seems to me that the air-side is the important space. What am I missing? ]

Facebook Fixes Cookie Problem (September 28, 2011)

Facebook says it has addressed a problem with cookies that made it possible for the social networking company to track users' online activity even after they have logged out of the site. The issue came to light after a blogger discovered that Facebook could continue to track users after they have logged out if they are visiting websites with Facebook integration.
[Editor's Note (Liston): Facebook is only the tip of the iceberg on this issue. Take a close, hard look at the long-lived cookies that hang around in your browser and consider enabling the feature that clears your browser's cookies every time you close it. ]
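Both the supercookie item above and Liston's advice here come down to one question: how long did the server ask the browser to keep each cookie, and with what protections? The following is an added example, not code from the newsletter or from Facebook. It parses `Set-Cookie` headers with Python's standard `http.cookies` module, computes each cookie's requested lifetime (Max-Age takes precedence over Expires, as RFC 6265 specifies), flags anything beyond a threshold as persistent, and notes missing `Secure`/`HttpOnly` flags. The sample headers, the fixed "now" and the 30-day threshold are constructed for the example.

```python
import email.utils
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers for the demonstration; they were not
# captured from Facebook or any other real site.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "tracker=u-42; Expires=Wed, 29 Sep 2021 00:00:00 GMT; Path=/; Domain=.example.com",
    "prefs=dark; Max-Age=86400; Path=/; Secure",
]

# Fixed "now" (the issue date) so the lifetime arithmetic is reproducible.
NOW = datetime(2011, 9, 30, tzinfo=timezone.utc)
# Assumed policy threshold for "long-lived"; not a value from the page.
PERSISTENT_THRESHOLD = timedelta(days=30)


def _lifetime(morsel, now):
    """Lifetime the server requested, or None for a session cookie."""
    if morsel["max-age"]:
        # RFC 6265: Max-Age wins over Expires when both are present.
        return timedelta(seconds=max(int(morsel["max-age"]), 0))
    if morsel["expires"]:
        exp = email.utils.parsedate_to_datetime(morsel["expires"])
        if exp.tzinfo is None:  # some dates parse as naive; cookie dates are GMT
            exp = exp.replace(tzinfo=timezone.utc)
        return max(exp - now, timedelta(0))
    return None


def audit_set_cookie(headers, now=NOW, threshold=PERSISTENT_THRESHOLD):
    """Classify each Set-Cookie header as session or persistent and list missing flags."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # one header normally yields one cookie plus its attributes
        for name, morsel in jar.items():
            life = _lifetime(morsel, now)
            findings.append({
                "name": name,
                "domain": morsel["domain"] or None,
                "lifetime_days": None if life is None else life.days,
                "persistent": life is not None and life > threshold,
                "missing_flags": [f for f in ("secure", "httponly") if not morsel[f]],
            })
    return findings


if __name__ == "__main__":
    for row in audit_set_cookie(SAMPLE_SET_COOKIE):
        print(row)
```

Feed it the `Set-Cookie` lines from your own server or from a browser's developer tools; the cookies that come back with a multi-year `lifetime_days` and a parent `domain` are the ones worth a close, hard look.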

Prison Sentence for Countrywide Data Thief (September 28, 2011)

Rene Rebollo Jr. has been sentenced to eight months in prison for stealing and selling personal data. Rebollo is a former employee of Countrywide, where he had worked as an analyst. Rebollo has been ordered to pay restitution of US $1.2 million, and the judge in his case also ordered him to serve 10 months in a community jail. Rebollo was charged in 2008 with exceeding authorized access to data, stealing the data and selling them to loan officers from other companies. Rebollo and an accomplice, Wahid Siddiqi, downloaded data in batches of 20,000 customers and sold each batch for US $500. The pair carried on the scheme for two years. Siddiqi has been sentenced to 36 months in prison for selling the data.

State Dept. Officer Threatened With Job Loss Over Blog (September 27, 2011)

A US State Department foreign service officer has been told he could lose his job for a blog posting that included a link to one of the State Department cables released by WikiLeaks. Peter Van Buren is under investigation for allegedly disclosing classified information even though the documents he allegedly disclosed were already readily accessible on the Internet. Van Buren said that investigators demanded to know who had helped him with his blog and asked him for details about his contract for a recently published book that is critical of US foreign policy in the Middle East. He was told that if he did not provide answers, he would be fired.

Microsoft Will Issue Patch to Fix The Flaw BEAST Exploits (September 27, 2011)

Microsoft will issue an update for Windows to address a vulnerability in Secure Sockets Layer 3.0 (SSL) and Transport Layer Security (TLS) technology. The vulnerability has been known for years, but was recently highlighted when a pair of researchers demonstrated an exploit of the flaw with a tool they call BEAST, or Browser Exploit Against SSL/TLS. Microsoft's advisory said the company is developing a fix, but did not say when it would be available.

Microsoft Shuts Down Kelihos Botnet (September 27, 2011)

Microsoft says it has taken down the Kelihos botnet, which comprised 41,000 infected computers around the world and is believed to be responsible for as many as 3.8 billion spam messages every day. Kelihos stole personal data and was used to send spam that promoted questionable pharmaceutical products, stock scams, and child pornography. The takedown was achieved through obtaining a court order to close down 21 domains associated with Kelihos. Microsoft has also identified an individual who lives in the Czech Republic as the alleged creator of Kelihos. This is "the first time Microsoft has named a defendant in one of its civil cases involving a botnet."


[Editor's Note (Liston): Kaspersky Labs played a major role in getting Kelihos shut down, but somehow that information seems to have gotten lost in the shuffle. Kudos to both Microsoft and Kaspersky on a job well done. ]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/