SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #18

March 02, 2012

The biggest story from the RSA conference this week is the first story
in this issue: NSA found and described a path to security for mobile
devices - not one they will build exclusively for military use but one
all large organizations can use by ensuring their vendors deliver tools
and services that follow the NSA roadmap. The second biggest story from
RSA isn't in the news, because reporters were excluded from the meeting
where it played out. Top US and Canadian government cybersecurity
leaders met to discuss why and how standardizing (as the Brits have
done) on the 20 Critical Controls and on automated continuous (daily)
monitoring and mitigation was now the sensible path forward. With the
President adding $200 million to the Budget for rapid acquisition and
implementation of the tools for automated continuous monitoring of those
controls across government, "we have reached the tipping point," wrote
one of the US officials who was at the meeting.

Checks are flowing in for the Paul Bartock Scholarship Fund, the total
passed $10,500 today. Some people stopped me at RSA and asked if they
could use credit cards. To do so, go to; on
right hand side of web site click on DONATE; where it says "What would
you like to donate to?" hit the drop down menu and select Paul Bartock
Scholarship (it will be under P); complete the form including amount you
would like to donate and credit card info; submit form.



NSA Addresses Mobile Security
Republican Senators Introduce Cyber Security Legislation
US Air Force Makes Cyber A Career Option
Police in South America and Europe Arrest 25 in Connection with Anonymous Activity


Cyber Challenge Competitions Offer Hands-on Training
Malware Launches Man-in-the-Middle Attacks on Online Banking Transactions
Two Arrested in France in Connection with Mobile Trojan
Microsoft Acknowledges Attack on Microsoft Store India
The Pirate Bay Switches to Magnet Links
NIST Releases Draft Update of Security and Privacy Guidance for Federal Agencies
Officials Crack Encryption on Defendant's Laptop
Stolen NASA Laptop Was Unencrypted
Ireland Passes Copyright Act Amendment


NSA Addresses Mobile Security (February 29, 2012)

A National Security Agency (NSA) pilot program aims to model secure classified communications over commercial mobile devices. However, the NSA has found that off-the-shelf products are inconsistent in their implementation of the standards and protocols that NSA requires. The agency would prefer not to be tied to one platform, but for the time being, it has no choice.

[Editor's Note (Pescatore): Back in the late 80s NSA and the DoD tried to push multi-level secure versions of Windows, Solaris, Unix etc because the commercial versions weren't "consistent in their implementation of..." and after a few years even the DoD and Intelligence community found they could not use the MLS versions and had to use the commercial versions. The use of encrypted data containers, mobile device management and "business strength" app stores on mobile devices will be more mainstream approaches.
(Paller): On the other hand, perhaps NSA learned a great deal from those experiences in the 80s and a joint approach involving major industrial buyers and other nations will have a different outcome this time. ]

Republican Senators Introduce Cyber Security Legislation (February 29 & March 1, 2012)

Republican legislators have introduced their own cyber security bill in the US Senate. The SECURE IT Act is being promoted as less regulatory than the Cyber Security Act. The bill aims to encourage cyber threat information sharing through incentives. Most information sharing would be voluntary; the only case in which it would be required is if the threat information is related to a federal contract. The newer bill would also stiffen penalties for those convicted of certain cyber crimes.


US Air Force Makes Cyber A Career Option (March 1, 2012)

The Air Force has established career paths for both enlisted personnel and officers that allow them to stay in the field of computers for the duration of their careers. Previously, people were given one tour in the cyber arena followed by tours in other areas. People with an interest in computers left to work for private industry so they could stay in the areas they enjoyed. The Air Force is aware that it cannot compete with a private sector salary, but "when you're working with the right authorities here, you can do a lot of things that can get you put in jail in the private sector," according to Skip Runyan, technical director for the Air Force's main cyber training unit.

Police in South America and Europe Arrest 25 in Connection with Anonymous Activity (February 28 & 29, 2012)

Police in Argentina, Chile, Colombia, and Spain have arrested a total of 25 people in connection with the Anonymous hacking collective. The arrests are part of "Operation Unmask," which also resulted in the seizure of 250 pieces of equipment. The action was taken in response to cyber attacks on government, political, and corporate websites.


Cyber Challenge Competitions Offer Hands-on Training (February 29, 2012)

Panelists speaking at the RSA Conference in San Francisco earlier this week said that according to the Cyber Challenge, colleges are not adequately preparing students to work in the field of cyber security. Cyber Challenge national director Karen Evans compared the problem to "trying to field a professional baseball team when there's no little league team out there." One competitor, Alex Levinson, said his college education did not prepare him to work in cyber security, and that the Cyber Challenge competitions provide the opportunity "to go through and learn the actual hands-on skills that you're going to use in the workplace." Cyber Challenge is a public-private partnership that offers cyber security competitions and camps for high school and college students as well as working professionals.

Malware Launches Man-in-the-Middle Attacks on Online Banking Transactions (February 28, 2012)

A new piece of malware dubbed Shylock is being used to conduct man-in-the-middle attacks on customers who use online banking services. The attacks have focused mainly on business banking customers. Shylock hijacks sessions after users log in to their accounts; it pops up a live chat session window in which users are told the session has been suspended for one reason or another, and then the attacker poses as a customer service representative, who transmits information to the bank and steals funds. The live chat session seeks the information necessary to carry out the fraudulent transaction.

Two Arrested in France in Connection with Mobile Trojan (February 28, 2012)

Law enforcement authorities in France have arrested two people in connection with a malware scam involving Android phones. The pair allegedly infected the devices with the Foncy Trojan horse program, which sent text messages to premium rate numbers, costing infected users 4.5 euros (US$6) each. The two allegedly netted 100,000 euros (US$133,000) through the scheme.

Microsoft Acknowledges Attack on Microsoft Store India (February 28, 2012)

Microsoft is now acknowledging that an attack on its Microsoft Store India website may have compromised the credit card information and other financial data of customers who have used that site. The site has been offline since early February, when the attack was detected. Microsoft said it has notified all potentially affected customers.

The Pirate Bay Switches to Magnet Links (February 28, 2012)

As of February 29, The Pirate Bay is no longer providing torrent files. Instead, the site is offering magnet links, which allow users to download files from other BitTorrent users. In an interview, members of The Pirate Bay team said that "it shouldn't make that much of a difference for the average user." Their explanation for the change is that torrents consume a lot of space and time. Aside from using fewer resources, magnet links are also less likely to get a site shut down.

NIST Releases Draft Update of Security and Privacy Guidance for Federal Agencies (February 29, 2012)

The National Institute of Standards and Technology (NIST) has issued the first public draft of the updated version of Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The document was last updated in 2009, before the widespread adoption of cloud computing and the WikiLeaks scandal. The new draft document includes guidance on spotting and dealing with an employee who may pose a threat to data security. The publication also addresses smartphone security issues, including the recommendation to ensure that data on the devices can be remotely purged if they are lost or stolen. NIST is accepting comments on the draft document through April 6, 2012.

Officials Crack Encryption on Defendant's Laptop (February 29 & March 1, 2012)

Federal law enforcement officials have decrypted a seized laptop belonging to Ramona Fricosu, rendering moot a judge's order for her to decrypt the drive or face jail time for contempt of court. Fricosu and her former husband are defendants in a mortgage fraud case. The case was being closely watched because it was addressing the question of whether or not ordering a defendant to decrypt a laptop violated the defendant's Fifth Amendment rights.

Stolen NASA Laptop Was Unencrypted (February 29 & March 1, 2012)

A laptop computer stolen from NASA last March contained information used to send commands to the International Space Station. In written testimony provided to US legislators, NASA inspector general Paul Martin said that the laptop was not encrypted. Martin's testimony also mentioned that between April 2009 and April 2011, NASA reported 48 laptops or mobile devices lost or stolen. Martin also noted that NASA's IT chief lacks the authority to enforce IT security policies.


[Editor's Note (Honan): Policies that are not enforced are about as useful as a chocolate coffee pot. ]

Ireland Passes Copyright Act Amendment (February 29 & March 1, 2012)

Irish lawmakers have passed an amendment to the Copyright Act that is being compared to the US's now-defunct SOPA bill. The law allows copyright holders to seek injunctions against Internet service providers (ISPs) that let users access websites offering pirated content. Opposition to the amendment is being expressed through an online petition. The public outcry has prompted the Irish government to undertake a review of existing copyright law.



The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit