
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #15

February 21, 2012

A good news story: The CISO of one of the largest Midwest power
companies gave a talk at the Orlando SCADA Security Summit where he told
the audience he had implemented the 20 Critical Controls and, for the
first time, senior management understood what needed to be done in cyber
security and they made his budget "base." Apparently that means he
doesn't have to fight for budget to fix security. On top of the
extraordinary success with the 20 Critical Controls at the State
Department, his story is another good reason that 2012 is a good time
to implement the 20 critical controls. And that's especially true
because of NSA's initiative to lead by example in implementing them. If
you are going to implement them and did not get the 20 Critical Controls
poster with the NSA rankings, send me an email at paller@sans.org with
your name, organization, and surface mail address. The poster gives you
great top cover to get management support because it is a joint document
of SANS, US DHS, UK CPNI and Australia's DSD and includes the NSA

In depth courses coming up on how to implement the 20 Critical Controls:
Orlando March 23-30: http://www.sans.org/sans-2012/description.php?tid=4871
Washington July 9-13: https://www.sans.org/sansfire-2012/description.php?tid=4871
Also Ottawa, Amsterdam and Vancouver
Or you can attend a 2-day version at RSA in San Francisco.


NSA Chief Describes Anonymous Group Threat To Power Systems


Mozilla Grants Amnesty Period for Certificate Authorities to Comply With Policy
Republican Senators to Introduce Cyber Security Bill
UK High Court Rules The Pirate Bay Infringes Copyright
Legislators Call for FTC Investigation Into Google's Browser Privacy Circumvention
Three Teens Arrested for Defacing Greek Government Website
Eight-Month Sentence for Facebook Hacker
Goldman Sachs Programmer's Conviction for Code Theft is Reversed
Updated Megaupload Indictment Adds Counts of Criminal Copyright Infringement
Government Urging Court to Reject Appeal in Laptop Decryption Case
Hackers Attack Russian Election-Monitoring Cameras
No Explanation Given for JotForm's Temporary Shuttering



NSA Chief Describes Anonymous Group Threat To Power Systems (February 21, 2012)

Gen. Keith Alexander's warning of a cyberattack on the electrical grid has come in White House meetings and in "other private sessions," the Journal writes, citing "people familiar with the gatherings." Although the so-called hacktivists have not indicated a desire to disrupt the power system, the article continues, "some federal officials believe Anonymous is headed in a more disruptive direction," pointing to the Anonymous announcement last week that members will attempt to shut down the Internet on March 31. Computer security experts doubt that "Operation Global Blackout" will succeed.


Mozilla Grants Amnesty Period for Certificate Authorities to Comply With Policy (February 20, 2012)

Mozilla has offered a period of amnesty for all Certificate Authorities (CAs) to revoke sub-CA certificates or face having their root keys removed from Mozilla products. CA Trustwave issued a sub-CA certificate to a private company, which used it to monitor encrypted traffic sent to and from its staff. Trustwave said that the certificate in question was irretrievably stored in a hardware security module (HSM), but the fact of its existence violates Mozilla's CA policy. The offer of amnesty requires CAs to acknowledge the existence of such sub-CA certificates, revoke them, and destroy the HSMs. Mozilla also requests the certificates' serial numbers so they can be detected and distrusted if they are found somewhere else on the Internet.


[Editor's Note (Murray): Our reliance on Browser publishers for the enforcement of PKI, a role in which they have only a limited financial interest, is problematic. ]

Republican Senators to Introduce Cyber Security Bill (February 20, 2012)

Republican legislators plan to introduce their own cyber security bill. The Democratic bill already introduced would give more authority to the Department of Homeland Security (DHS). The Republicans' bill would grant more authority to the US Cyber Command and the National Security Agency (NSA). One of the forthcoming bill's sponsors, Senator John McCain (R-Arizona) said that the Democrats' bill was moving too fast and that it would make DHS into a "super regulator."

UK High Court Rules The Pirate Bay Infringes Copyright (February 20, 2012)

A UK High Court judge has ruled that The Pirate Bay and its users are committing copyright infringement, meaning that the torrent site could be blocked there. The lawsuit, brought by a group of recording labels, was prompted by a July 2011 ruling that required Internet service provider (ISP) BT to block user access to Newzbin2. The court is expected to decide in June whether ISPs will be required to block The Pirate Bay as well.


Legislators Call for FTC Investigation Into Google's Browser Privacy Circumvention (February 17 & 20, 2012)

Three US legislators want the Federal Trade Commission (FTC) to investigate whether Google violated an agreement reached with the company last year when it allegedly circumvented do-not-track controls in Apple's Safari browser. Reports say that Google managed to find a way around privacy settings in the browser. Safari is configured so that it allows only cookies from the site a user is visiting to be stored on the computer, not cookies from advertisers and other third parties. Microsoft says that Google bypassed privacy settings in Internet Explorer as well.



Three Teens Arrested for Defacing Greek Government Website (February 20, 2012)

Three Greek teenagers have been arrested; they are believed to be responsible for hacking a government website. The attack, which occurred earlier this month, resulted in the defacement of the Greek Ministry of Justice's website. The three are expected to be charged with illegal computer network access.


Eight-Month Sentence for Facebook Hacker (February 17 & 20, 2012)

Glenn Mangham has been sentenced to eight months in prison for breaking into Facebook computer systems. Mangham admitted the activity, which occurred in April and May 2011, but maintained that he was an "ethical hacker" trying to help Facebook improve its security. Prosecutors said that Facebook spent US $200,000 to repair the damage Mangham had caused.

Goldman Sachs Programmer's Conviction for Code Theft is Reversed (February 17, 2012)

The US Circuit Court of Appeals in Manhattan last week reversed the conviction of former Goldman Sachs programmer Sergey Aleynikov. In March 2010, Aleynikov was sentenced to more than eight years in prison for stealing source code from the company. Aleynikov had worked as a programmer at Goldman Sachs until June 2009, when he left for a new position at another firm. Goldman Sachs accused him of taking with him proprietary source code for a high frequency trading program. The code was alleged to be so dangerous that it had the potential to harm financial markets. Aleynikov never denied having taken the code; he maintained that he did not steal or profit from it. Prosecutors have acknowledged that a search of the computers of the company where Aleynikov had accepted a new position showed no traces of the purloined code.


Updated Megaupload Indictment Adds Counts of Criminal Copyright Infringement (February 17, 2012)

US authorities have issued a superseding indictment in the Megaupload case, adding a number of charges, including counts of criminal copyright infringement, conspiracy to commit money laundering, and wire fraud. Associated websites and several people believed to be in the company's upper echelons were arrested last month. The indictment also notes that while the site claimed 180 million registered users, figures on January 19 showed just over one-third that number, and records indicate that less than 10 percent of those users used Megaupload to upload files. Megaupload maintains it responded to reports of pirated content in a timely manner.

Government Urging Court to Reject Appeal in Laptop Decryption Case (February 17, 2012)

The US government has asked the 10th Circuit Court of Appeals to reject an appeal filed on behalf of Ramona Fricosu; the appeal maintains that an order forcing her to decrypt her laptop would violate her constitutional rights. Fricosu is a defendant in a bank fraud case. A laptop computer found in her possession is protected by heavy-duty encryption, and prosecutors want to know what is on that machine. Prosecutors have pointed out that appellate courts prefer not to take cases until after a verdict has been reached.

Hackers Attack Russian Election-Monitoring Cameras (February 17, 2012)

Hackers have targeted a network of cameras that Russian Prime Minister Vladimir Putin ordered to be installed to help alleviate concerns about vote-rigging in the upcoming March election. Putin ordered two cameras to be placed in each of the 91,000 polling places; so far, 54,000 of the polling stations have cameras installed. They are intended to stream footage of activity at the sites, but have fallen prey to distributed denial-of-service (DDoS) attacks.

No Explanation Given for JotForm's Temporary Shuttering (February 16 & 20, 2012)

JotForm, a website that helps users create online forms for their websites, was shut down with no advance warning last week and then reinstated several days later. No explanation has been given. The shutdown came at the behest of the US Secret Service, which ordered domain name registrar GoDaddy to take JotForm's Domain Name server entries off its servers. There does not appear to have been a court order involved in the takedown. JotForm has since moved its domains to another registrar. GoDaddy supported SOPA until a boycott of the company forced it to reconsider its position.



[Editor's Note (Murray): This case demonstrates the importance of alternative sources of Internet services. It should not be possible for a single ISP to limit access to the Internet in pursuit of its own policy interests. It also demonstrates the importance of the courts. ]


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/