SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #43

May 29, 2012


UK Tracking Law Takes Effect
Flame Cyber Espionage Malware Called the "Next Phase" of Cyber Warfare


Federal Thrift Savings Plan Data Breached
Former Nokia Siemens Employee Stole and Resold Old Routers
NSA to Establish Centers of Academic Excellence in Cyber Operations
DHS Releases List of Keywords Used to Monitor Online Media
Texas School District to Use RFID Chips in Student IDs
Massachusetts Hospital to Pay US $750,000 Over Data Security
New Jersey Mayor and Son Arrested in Recall Website Hack
Cloud Services Can Receive FedRAMP Approval Without Real-Time Threat Reporting
Gas Pipeline Security Questioned
WHMCS Breached; Exploit Being Sold on Underground Forum


UK Tracking Law Takes Effect (May 26 & 28, 2012)

As of May 26, UK-based websites are required to notify visitors if they will be tracked in any way. Despite the legislation's nickname of the "cookie law," it applies to all forms of site visitor tracking, not just cookies. The date the law was scheduled to take effect has been known for a year, but the BBC said that most sites would not be in compliance by the target date. The law requires sites to obtain "informed consent" from visitors to use tracking technology. The UK's Information Commissioner's Office (ICO) has the authority to fine violators up to GBP 500,000 (US $783,000), but for the time being, the ICO appears to be focusing on notifying administrators of sites that are not in compliance.


Flame Cyber Espionage Malware Called the "Next Phase" of Cyber Warfare (May 28, 2012)

Researchers at Kaspersky Lab say they have detected an espionage toolkit called Flame that appears to be far more sophisticated than Stuxnet. Flame is believed to have gone undetected for at least two years and has been found on computers in the Middle East and North Africa. It is being called the "next phase" of malware. It appears to be designed to steal information. Because Flame is so complex, there is speculation that it is the product of a government-backed effort rather than a group of hackers.

[Editor's Note (Murray): This kind of rhetoric is unnecessary, unseemly and provocative. Based upon what is on the Kaspersky blog, it is both premature and hyperbolic.
(Honan): The worrying aspect of this piece of malware is that it went undetected for up to 2 years. ]


Federal Thrift Savings Plan Data Breached (May 25 & 28, 2012)

The personal information of more than 123,000 participants in the US Federal Retirement Thrift Investment Board's (FRTIB) Thrift Savings Plan was exposed when a computer belonging to third party service provider Serco was hacked. The FBI informed FRTIB and Serco of the breach in April. The compromised machine was shut down and FRTIB and Serco conducted forensic analysis to determine who was affected. There have also been steps taken to improve security. The compromised data include names, addresses, Social Security numbers (SSNs) and in some cases, financial account and routing numbers.


Former Nokia Siemens Employee Stole and Resold Old Routers (May 28, 2012)

A man who once worked as an engineer at Nokia Siemens has admitted to stealing routers from his former employer and posting them for sale on eBay. Dewaldt Hermann netted GBP 6,000 (US $9,400) in the scheme before police seized the remaining equipment from his garage. Hermann was employed at the time of the theft. His activity was detected when he left his work computer logged in to his eBay account. The stolen routers were among those that had been returned to the company and Hermann apparently believed that they were going to be discarded. The total value of the stolen equipment was estimated to be GBP 7,000 (US $10,960). The judge sentenced Hermann to community service and ordered him to pay court costs. The company is not seeking compensation.

NSA to Establish Centers of Academic Excellence in Cyber Operations (May 28, 2012)

The National Security Agency (NSA) has designated four US universities as National Centers of Academic Excellence in Cyber Operations. NSA aims to identify students with an interest in and talent for cyber security. The agency will offer summer seminars for students who show potential. The identified schools are Dakota State University in South Dakota, the Naval Postgraduate School in California, Northeastern University in Massachusetts, and the University of Tulsa in Oklahoma. The schools will be required to use an integrated cyber security curriculum and to offer a course on the legal and ethical issues inherent in cyber security.

DHS Releases List of Keywords Used to Monitor Online Media (May 26, 2012)

A Freedom of Information Act (FOIA) request filed by the Electronic Privacy Information Center (EPIC) has forced the US Department of Homeland Security (DHS) to reveal a list of words and phrases it uses while monitoring social networking sites and other online media for possible threats against the country. Apart from the obvious words, like "terrorism" and "dirty bomb," the list also includes words that appear to be innocuous, such as "cloud" and "pork." The analysts are trained to look for evidence of emerging threats that include not only terrorism, but natural disasters, public health issues, and other threats.

[Editor's Note (Murray): The list should be required reading for information security professionals because it contains many terms that we use routinely in our work. Some of this work does take place in dialogues and forums that the DHS would classify as "social media." However, more important than the content of the list is that DHS is "monitoring social media." DHS "insisted the practice was aimed not at policing the internet for disparaging remarks about the government and signs of general dissent, but to provide awareness of any potential threats." Unfortunately, there is no bright line between the two. ]

Texas School District to Use RFID Chips in Student IDs (May 25 & 26, 2012)

A school district in San Antonio, Texas, plans to put RFID chips in student ID cards. A spokesperson for the Northside Independent School District said, "We want to harness the power of technology to make schools safer, know where our students are all the time in a school, and increase revenues." Two Houston school districts have already put similar programs in place and have increased their revenues, as school funding in Texas is based in part on attendance numbers. The RFID chips will reportedly work only while the students are on school property. Parents' reactions to the proposed plan are varied; some are supportive, citing safety concerns, while others are wary of the potential invasion of privacy.


Massachusetts Hospital to Pay US $750,000 Over Data Security (May 24 & 25, 2012)

South Shore Hospital in South Weymouth, Massachusetts, will pay US $750,000 to settle allegations that it did not take adequate precautions to protect patient data. The case involves three boxes of tapes containing unencrypted patient data that were shipped in February 2010 to a third-party contractor that would erase the data and resell the tapes. South Shore Hospital learned in June 2010 that the contractor received just one of the three boxes sent. The data on the tapes included SSNs, birth dates, health plan information, diagnoses, and treatments. A statement released by the Massachusetts Attorney General's office said that South Shore Hospital violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to notify the contractor about the sensitive nature of the data on the tapes and by not ensuring that the contractor had appropriate security measures in place to protect those data. South Shore Hospital has since taken steps to improve data security practices.


[Editor's Note (Murray): The large fines in the healthcare industry do not seem to be having the intended results. Trying to salvage, rather than destroy, used magnetic media is a losing proposition, even without large fines. ]

New Jersey Mayor and Son Arrested in Recall Website Hack (May 24 & 25, 2012)

The mayor of West New York, New Jersey, Felix Roque, and his son, Joseph Roque, have been arrested in connection with a cyber attack on a website that had been created by people organizing a recall effort aimed at removing Roque from office. Joseph Roque allegedly reset the password for the email account associated with the domain name, took screen shots of messages he accessed, reset the password for the Go Daddy account used to administer the site, and cancelled the domain name. Felix Roque allegedly tried to intimidate several people associated with the website.


Cloud Services Can Receive FedRAMP Approval Without Real-Time Threat Reporting (May 24, 2012)

The US General Services Administration (GSA), which manages the cloud services accreditation program known as FedRAMP, says that companies seeking FedRAMP certification will not have to submit automated real-time threat reports to DHS. Instead, the companies will be required to conduct real-time internal monitoring of their protection of government assets and submit reports summarizing that monitoring. FedRAMP certification is likely to be widely sought. The process can take from 30 days to three months, but once a company has had its product certified, all government agencies can use it. The program also saves the government money because it eliminates redundant assessments. FedRAMP will start accepting applications on June 16.

Gas Pipeline Security Questioned (May 24, 2012)

In a letter to the head of the American Gas Association, US Senator Jay Rockefeller (D-West Virginia) asked whether gas pipelines are vulnerable to cyber attacks. The letter comes in the wake of a news story about hackers attacking the networks that manage a number of gas pipelines. It is not known what, if any, damage the attacks caused. In his letter, Senator Rockefeller expressed concern that the gas companies may not have taken steps to secure their networks because of the associated costs. Senator Rockefeller chairs the Senate Commerce, Science, and Transportation Committee.

[Editor's Note (Murray): The answer to the "vulnerability" question must be "yes." It will always be yes. I would argue that the vulnerability, by itself, does not necessarily constitute an unacceptable risk, in part because the threat is low. Risk, not vulnerability, is the right question. That said, the vulnerability is much higher than it needs to be. There is a lot of "low-hanging fruit." An increase in threat may not come with either a warning or a cushion of time to prepare. ]

WHMCS Breached; Exploit Being Sold on Underground Forum (May 24, 2012)

The hackers who compromised computers at software provider WHMCS appear to have been selling information about a zero-day flaw in the company's software. The attackers compromised usernames, passwords, and credit card numbers of as many as half a million WHMCS customers. WHMCS offers a billing and support software suite used by web hosting providers. WHMCS said the attackers stole data and deleted files, including a customer order backlog. The attack was conducted in part through social engineering: an attacker impersonated WHMCS's founder to the company's own web hosting provider and obtained the company's administrative credentials. WHMCS user forums are being besieged by an ongoing distributed denial-of-service (DDoS) attack. Customers are being urged to change their passwords. Journalist Brian Krebs learned through an underground forum that a hacker was offering an exploit for a zero-day flaw in WHMCS software that could be used to access administrators' passwords.


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
