
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XIV - Issue #48

June 15, 2012


Germany Has Top Secret Cyberwarfare Unit
Pentagon Contractors Posting Jobs for Black Hat Hackers
DHS to Present Standards for Finding and Fixing Vulnerabilities In Cloud Providers Within 72 Hours
Apple's Java Update Released the Same Day as Oracle's Java Updates


US Grand Jury Indicts UK Man on Hacking Charges
Global Payments Says Merchant Applicants' Data May Have Been Exposed in Breach
Retired Judge Will Work to Get Megaupload Users Access to Their Files
Microsoft Patches 27 Vulnerabilities
UK Street View Investigation Reopened
FTC Fines Spokeo US $800,000
Facebook Must Reveal IP Addresses of Users Who Harassed British Woman
Man Charged in Credit Card Theft

***************************** SPONSORED BY SANS ***************************
Tool Talk Webcast: DFIR Techniques using the SIFT Workstation (the coolest new forensics software - and free), SANSFIRE 2012 - Washington, Monday, June 18, 2012 at 1:00 PM EDT
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.

--SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.

--Looking for training in your own community?

--Save on On-Demand training (30 full courses) - See samples at

Plus Malaysia, Bangkok, San Diego, San Antonio, and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live:


Germany Has Top Secret Cyberwarfare Unit (June 5, 2012)

A German parliamentary document reveals that the country's military has an operational top secret cyberwarfare unit. The document provided no details about the unit's size, location, or its capabilities beyond noting that "the initial capacity to operate in hostile networks has been achieved." The unit was established in 2006. Legislators were surprised by the revelation, and some questioned whether the military had the authority to launch cyberattacks without first obtaining parliamentary clearance.

[Editor's Note (Northcutt): Well, it is not a secret anymore! There is a bit more info in a Slashdot post:

(Honan): The German legislators are correct to raise their concerns. In the real world a civilised country's military forces are controlled by many legislative safeguards to prevent rogue military actions. The rules should equally apply to cyber space.
(Murray): The world military seems bent on killing the goose that lays the golden eggs. This is not their space to contaminate and it is high time that the "civil authority" said so.
(Paller): Bill Murray's suggestion seems about as feasible as asking the commercial world to stop using the Internet because "it wasn't created for them and they pollute the Internet with commercialism."
(Ullrich): Rule of thumb: if a nation has an air force, they probably have some kind of cyberwarfare unit as well (offensive and defensive). ]

Pentagon Contractors Posting Jobs for Black Hat Hackers (June 15, 2012)

Forbes Magazine reporter Andy Greenberg has ferreted out a significant shift in hiring by government contractors. Even as they are laying off certification and accreditation specialists they are looking for offensive cyber warfare and other very technical skills.

DHS to Present Standards for Finding and Fixing Vulnerabilities In Cloud Providers Within 72 Hours (June 14, 2012)

Later this month, the US Department of Homeland Security (DHS) will provide federal computer contractors and cloud services companies with standards for detecting and mitigating vulnerabilities within 72 hours. The standards aim to add an ingredient that was missing from the practice of automated continuous monitoring; merely knowing about the vulnerabilities does not improve network security. The standards will be part of the FedRAMP certification process for contractors and cloud providers. The practice could eventually be required of government agencies.

[Editor's Note (Murray): Fixing things in the order of their discovery, rather than in the order of their importance, is never efficient and only rarely effective.
(Paller): Bill Murray is correct; the article created a misperception. I was in attendance. What DHS Deputy Undersecretary Weatherford said was that security in systems offered by approved cloud service providers will be measured every 72 hours and mitigation will be as important as monitoring. Since John Streufert (who moved to DHS from the Department of State) is running the program, his approach is likely to be used. It is an elegant system that ensures the most important problems are fixed first and makes the operations people partners with the security people. It caused rapid and prolonged risk mitigation in 220,000 systems in 24 time zones and enabled unparalleled speed in responding to new threats. ]

Apple's Java Update Released the Same Day as Oracle's Java Updates (June 13 & 14, 2012)

In what many are hoping will be a precedent-setting achievement, Apple released a Java update for Mac OS X on the same day that Oracle released updates for Java in Windows, Linux, and Solaris. Apple issued two separate updates - one for OS X 10.7 and another for OS X 10.6 - to fix 11 vulnerabilities in each edition. The Oracle updates for other operating systems address 14 vulnerabilities. Two of the flaws that Oracle's updates addressed do not pertain to Java for Apple; it is unclear why the third issue was not addressed in the Apple update. Earlier this year, Apple's habit of waiting weeks after Oracle updated Java to issue its own updates for its OSes caused problems when attackers exploited a Java flaw that was patched in other versions to infect Apple machines with the Flashback malware.

[Editor's Note (Ullrich): Apple is making some long overdue improvements to its security response process. ]

************************* Sponsored Links: *************************
1) Top 5 Reasons to Choose SolarWinds(R) Log & Event Manager Over Splunk(R) SolarWinds LEM with node-based licensing is an affordable alternative to volume-based pricing from Splunk. Powerful SIEM software for log collection, analysis and event management, SolarWinds LEM protects your IT environment before, during, and after an attack.
2) Server Security and Compliance Plus a Review of McAfee's Product Portfolio for Server Security, Tuesday, July 31, 1 PM EDT


US Grand Jury Indicts UK Man on Hacking Charges (June 13 & 14, 2012)

A US federal grand jury has indicted a UK man on charges of conspiracy and hacking. Ryan Cleary, who allegedly has ties to LulzSec, an offshoot of the Anonymous hacking collective, is accused of hacking computer systems of US television shows, music companies, and government agencies. According to the indictment, Cleary's objectives were to deface web sites and steal personal information. The indictment also alleges that Cleary operated a botnet used to launch distributed denial-of-service (DDoS) attacks against various targets. Cleary was arrested a year ago in the UK on charges of launching DDoS attacks against the UK's Serious Organised Crime Agency (SOCA), the International Federation of the Phonographic Industry, and the British Phonographic Industry. He is presently in custody in the UK.


Global Payments Says Merchant Applicants' Data May Have Been Exposed in Breach (June 12, 13, & 14, 2012)

Earlier this year, payment card processing company Global Payments acknowledged a security breach that compromised 1.5 million payment card accounts. The company says that the attack has been contained, but recently added that the intruders had access to servers that contain merchant account application data as well. The breach was initially reported to have occurred between January 21, 2012 and February 25, 2012, but an investigation suggests that it may date back to January 2011.

Retired Judge Will Work to Get Megaupload Users Access to Their Files (June 13, 2012)

A retired New York federal judge is donating his legal expertise and services to help Megaupload users regain access to their legitimately owned content. The files were rendered inaccessible when the US government shut down the file sharing site and seized associated domain names. The US Department of Justice said that the government is not obligated to help users access their files. Retired federal judge Abraham David Sofaer, who is also a former US State Department legal adviser, said the situation illustrates "how [the government is] failing to apply traditional standards in the new context." Sofaer has joined the Electronic Frontier Foundation (EFF) in pushing for a US federal court to set up a system that allows Megaupload customers to get their legitimate content back.

Microsoft Patches 27 Vulnerabilities (June 13, 2012)

The Microsoft security update for June addresses 27 security flaws in several products; 13 of the vulnerabilities affect Internet Explorer (IE). A cumulative update for IE addresses flaws that were found as part of the Pwn2Own competition. Another of the updates fixes denial-of-service and remote code execution vulnerabilities in the Remote Desktop features on all currently supported versions of Windows. ISC:

[Editor's Note (Honan): And just after Patch Tuesday rolled by, Google issued a warning that an unpatched vulnerability in Internet Explorer is being actively exploited by 'state-sponsored attackers' to hijack Gmail accounts.

Microsoft has subsequently issued an updated advisory on this.
(Ullrich): Microsoft also released an interesting certificate updater tool addressing some of the recent issues with having to blacklist bad certificates quickly. ]

UK Street View Investigation Reopened (June 12, 2012)

The UK Information Commissioner's Office (ICO) has reopened its investigation into Google's Street View data collection. Google vehicles gathering images and data for the Street View feature on Google Maps were also found to be gathering personal information from unsecured wireless networks. In a letter to a Google executive, the ICO's head of enforcement has asked for answers to several questions about why the company was able to collect the extra information. A recent finding from the US Federal Communications Commission (FCC) said that the data were "likely [to have been] deliberately captured." The letter says that the ICO now believes that Google's earlier statements that the data were collected in error were misleading and asks when Google executives became aware that the software would gather extra data.


FTC Fines Spokeo US $800,000 (June 12, 2012)

The US Federal Trade Commission (FTC) has fined data broker Spokeo US $800,000 for marketing information to human resources departments for background screenings without first ensuring that the data were correct and without abiding by the Fair Credit Reporting Act. According to the FTC, Spokeo also allegedly posted what it claimed were customer endorsements on various websites and blogs, but the endorsements were actually written by Spokeo employees. Spokeo aggregates personal data from a variety of sources.

Facebook Must Reveal IP Addresses of Users Who Harassed British Woman (June 11 & 12, 2012)

A judge in Britain has granted a court order that compels Facebook to reveal the identity of users who harassed a woman on the social networking site. British Justice Secretary Ken Clarke said that "it will be very important to ensure that these measures do not inadvertently expose genuine whistleblowers." Facebook will provide the IP addresses of the users who posted the defamatory content; the associated names will be obtained through Internet service providers. Once the woman has the information, she can file a private lawsuit against the individuals.

Man Charged in Credit Card Theft (June 11 & 12, 2012)

A Dutch man appeared in federal court in Seattle earlier this week for allegedly breaking into computers and stealing at least 44,000 credit card numbers. David Benjamin Schrooten entered a plea of not guilty to a 14-count indictment that includes charges of access device fraud, bank fraud, and aggravated identity theft. Schrooten was arrested in Romania in March and arrived in Seattle on June 9. The 44,000 credit card numbers are believed to have come from one site and may be "just the tip of the iceberg." Another man, Christopher A. Schroebel, was arrested in the US in November 2011 in connection with the attacks. He pleaded guilty and will be sentenced in August. Schroebel allegedly placed malware in computerized sales systems at dozens of businesses.

The 2012 National Cybersecurity Innovation Awards

The 2012 National Cybersecurity Innovation Awards will recognize 12 more innovations than last year's program and will reach out even further into the cybersecurity community. Executives from 40 major companies will help identify innovators, whose achievements will then be reviewed by a prestigious and trusted panel of judges who know what actually works. In all, there will be 25 awards for proven innovation and 10 more awards for promising innovations.
The winners will be featured at a special plenary session at the National Cybersecurity Conference in October 2012. By presenting their innovations and lessons learned along the way, these award-winning professionals will help others follow in their footsteps. Substantial web and press coverage will serve to disseminate their innovations as widely as possible.
View the 2011 award winners at

View the Criteria & Tips for Nominators at

Nomination Form:


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit