SANS NewsBites

Volume XIII - Issue #79

October 04, 2011

Obituary: Dr. Eugene Schultz passed away Sunday, Oct. 2, at 7 PM EDT.
His passing is a huge loss for the information security community.
Gene was one of the founding instructors for SANS in 1989. He authored
the first Windows Security course many of us ever took. Perhaps you
remember the smile on his face as he recited obscure registry keys from
memory. He was one of the very few participants of the SANS World Tour
for our highest scoring instructors. Gene was an active SANS faculty
member at the time of his passing, teaching MGT 512 SANS Security
Leadership Essentials. He also started one of the world's first incident
response organizations (CIAC at the U.S. Department of Energy) and
helped invent the 6 step Incident Response process we use and teach
today. Dr. Schultz is one of only three security professionals to be
awarded the SANS Security Lifetime Achievement Award. He was the
Program Director for the Master of Science in Information Security
Management degree at SANS college. He was a friend and mentor
to so many of us and will be deeply missed.

Steve Northcutt and Alan Paller


Australian Telecom Cut Infected PC Off From Internet
500 Domains Suspended as Part of Operation Pangea IV
GAO Report: Government Agencies Have Not Fully Implemented Security Programs


HTC Will Issue Fix for Phone Data Exposure Flaw
Google Re-Releases Chrome to Fix Problems Caused by Microsoft Security Products
US Signs International Anti-Piracy Agreement
DHS and Idaho National Labs Conduct Security Training Exercises
Network Switch Bought on eBay Contained Air Traffic Control Data
NinjaVideo Co-Founder to Plead Guilty to Copyright Infringement
Verizon Files Suit Challenging Legality of FCC's Net Neutrality Rules

******************** Sponsored By Tufin Technologies ********************

Are you implementing SANS 20 Critical Security Controls? Tufin Security Suite automates firewall configuration change management and auditing so you can support the Critical Controls quickly and easily, while cutting costs by as much as 50%. Link to:



--NCIC: The National Cybersecurity Innovation Conference, DC, Oct. 11-12, 2011 Learn from the people who found the most important innovations this year in cloud security, mitigating the advanced persistent threat, cool open source tools, and developing cyber warriors. These are the benchmarks; is your organization doing as well?

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?

--SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.

--SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.

--Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live:



Australian Telecom Cut Infected PC Off From Internet (September 30, 2011)

An Australian telecommunications company cut off a customer's Internet service after sending her repeated warnings that her computer was infected with malware and was being used to launch attacks as part of a botnet. As part of its voluntary compliance with the country's iCode initiative, the unnamed company decided to limit the customer's access to a "walled garden" until her computer had been cleaned of the malware.

500 Domains Suspended as Part of Operation Pangea IV (September 30, 2011)

The UK domain name registry, Nominet, has suspended about 500 domains associated with a scheme promoting counterfeit pharmaceutical products. The takedown is part of an international effort called Operation Pangea IV, which has resulted in the shuttering of 13,500 websites and dozens of arrests in 81 countries. Authorities also seized counterfeit drugs in late September raids. The suspect UK domains were not seized, as some domains have been recently in the US, but the action taken by Nominet prevents them from resolving.
[Editor's Note (Murray): The suspension of the domains seems to be the least of the action taken in this case. One assumes the police had a warrant. Nominet acted on its contractual terms and in consultation with others. One more demonstration that the Internet is no longer the "wild west." Kudos to all concerned. ]

GAO Report: Government Agencies Have Not Fully Implemented Security Programs (October 3, 2011)

According to a report from the Government Accountability Office (GAO), sensitive data held by two dozen US government agencies is not adequately protected from theft, unauthorized access and leaks. Although "reports of security incidents from federal agencies are on the rise," agencies have not taken sufficient steps to improve their security posture. Many agencies have developed information security programs, but have not yet fully implemented them.

[Editor's Note (Liston): A quick search on the terms "information security weaknesses" on the GAO website is both informative and frustrating. Every year, the GAO "re-reports" on the dismal state of information security within the U.S. Government. While some progress has been made, it falls far short of what needs to be accomplished. Since the GAO's yearly "reminders" don't seem to provide the impetus needed, I shudder to think what it WILL take to move agencies in the right direction. ]

Firefox Developers Think Disabling Java Might Kill the BEAST (September 29, 2011)

Developers at Mozilla are considering disabling the Oracle Java plug-in as a work-around for the SSL/TLS flaw. If Firefox developers were to take that step, the browser would be prevented from working with many websites. Developers for other browsers have taken less severe steps to protect users from attacks. Chrome developers addressed the issue by adding a random element to the encryption process, which has created some loss of functionality.

[Editor's Note (Liston): It's important to understand that the BEAST exploit is actually a combination of two exploits: 1) The injection of JavaScript code into the SSL stream, and 2) an exploitable flaw in Java that can be used to bypass the browser's Same Origin Policy (SOP). Mozilla is focusing attention on the Java vulnerability, but that's just the method that Rizzo and Duong chose to use. If another method of violating SOP is found, then the underlying issue still exists. What needs to happen is fixing the underlying issues surrounding the deployment of TLS 1.1/1.2.
(Murray): Getting the code to run is still the trick. If one can do that, there are an infinite number of ways to exploit it. Of those ways, this one is very slow. ]

*************************** SPONSORED LINKS ******************************

1) Controlling Privileged User Access: SANS WhatWorks Case Study on How a Leading Manufacturer is Securing Their Systems

2) Announcing THREE New SANS Analyst Papers in the SANS Reading Room!

- - Adding Enterprise Access Management to Identity Management by SANS Analyst, J. Michael Butler
- - Integrating Security into Development, No Pain Required by SANS Analyst and course author, Dave Shackleford
- - Oracle Database Firewall Review--Part I of a series of reviews on Oracle security products by SANS Oracle expert, Tanya Baccam



HTC Will Issue Fix for Phone Data Exposure Flaw (October 3 & 4, 2011)

The makers of the HTC Android smartphone are investigating reports of a vulnerability that exposes personal user data to all Internet-connected applications. The flaw affects several different models of the devices. The problem lies in a program called HTCLoggers.apk, which was recently added and logs large chunks of phone data. The vulnerability has the potential to expose email addresses, GPS locations, SMS data and system logs. HTC plans to issue a fix for the problem.

[Editor's Note (Murray): Serious implementation error but identified early. Developing a fix will be easier than getting it pervasively distributed. Android's essential openness creates a requirement for a great deal of user knowledge, skill, ability, and diligence to protect sensitive data and applications. ]

Google Re-Releases Chrome to Fix Problems Caused by Microsoft Security Products (October 3, 2011)

Google has released updated versions of both the stable and beta versions of its Chrome browser to address an issue that caused Microsoft antivirus products to identify the browser as malware and in some cases, delete the chrome.exe file from users' computers. Microsoft quickly re-released the errant products, but Chrome users whose browsers had been deleted were reporting that they could not re-install the browser, or that they were unable to retrieve their bookmarks.


[Editor's Note (Murray): False positives are a fundamental risk for such proactive strategies. ]

US Signs International Anti-Piracy Agreement (October 3, 2011)

The US was one of eight countries to sign the Anti-Counterfeiting Trade Agreement over the weekend in Japan. Mexico, Switzerland and the European Union have voiced their support of the agreement and intend "to sign [it] as soon as possible." The US welcomed the agreement in particular because, in a global economy, combating piracy and other counterfeiting crimes requires international cooperation. The agreement places a ban on marketing devices that circumvent copyright protections. Australia, Canada, Japan, Morocco, New Zealand, Singapore, and South Korea also signed the agreement.
[Editor's Comment (Northcutt): This is a step in the right direction. Over the past few weeks a number of luxury retailers have filed suit to get control of domain names of counterfeiting web sites. Chanel alone is trying to stop 399 websites. When the problem is that bad it is a clear sign new enforcement tools are badly needed:

DHS and Idaho National Labs Conduct Security Training Exercises (October 1 & 3, 2011)

The Department of Homeland Security (DHS) and Idaho National Laboratory invited the press to an abbreviated version of cyber security training exercises they conduct for representatives of various industries, including utilities and transportation. The increased attention given to threats against production systems is due in large part to the Stuxnet worm, which targeted very specific components at Iran's Natanz nuclear reactor.



Network Switch Bought on eBay Contained Air Traffic Control Data (September 30, 2011)

Network gear purchased on eBay was found to contain sensitive air traffic control data. A security consultant bought the switch for GBP 20 (US $31) and discovered that it still held networking configurations and passwords used at the National Air Traffic Services centre in Prestwick (UK). The discovery of the data illustrates the importance of purging or overwriting data held in device memory before selling used components.
[Editor's Note (Honan): In many places the secure disposal of equipment focuses only on computers. We need to remember that all electronic devices, such as printers, smartphones, photocopiers and network equipment, can contain sensitive data and should be disposed of in a secure manner. ]

NinjaVideo Co-Founder to Plead Guilty to Copyright Infringement (September 30, 2011)

A co-founder of the NinjaVideo video filesharing site will plead guilty to conspiracy and criminal copyright infringement. Hana Beshara has reportedly admitted to earning more than US $200,000 from the business; she will forfeit assets seized by authorities. Beshara has been an outspoken proponent of filesharing, citing huge profits enjoyed by Hollywood. One of her co-defendants pleaded guilty several days before Beshara's decision to agree to a deal with prosecutors.


Verizon Files Suit Challenging Legality of FCC's Net Neutrality Rules (September 30, 2011)

As expected, Verizon has filed a lawsuit challenging the US Federal Communications Commission's (FCC) net neutrality rules. The suit alleges that the rules are too strict and that they exceed the FCC's authority. Verizon attempted to file a similar lawsuit earlier this year, but the suit was not allowed because the FCC had not yet published the rules in the Federal Register.

Legislators Calling for FTC Investigation of Persistent Cookies (September 27 & 28, 2011)

Two US legislators are calling for the Federal Trade Commission (FTC) to investigate the use of persistent tracking cookies on many websites. The cookies, which are also known as supercookies, are difficult to remove, and the legislators are concerned that the tracking method could constitute an unfair business practice. The cookies can be installed without users' permission. Representatives Joe Barton (R-Texas) and Edward Markey (D-Massachusetts) told FTC chairman Jon Leibowitz in a letter that "the usage of supercookies takes away consumer control over their own personal information."


[Editor's Note (Murray): As is almost always the case, the problem here is not the tool but the use. Saving state on the client side is an essential part of the client-server computing model. ]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit