SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #5
January 17, 2012
TOP OF THE NEWS
NSA Implementing 20 Critical Controls To Lead By Example in Cybersecurity
Defense Industrial Base Cyber Pilot Produces "Mixed Results"
THE REST OF THE WEEK'S NEWS
Cyber Conflict in the Middle-East Escalating
UK Student Faces Extradition to US to Face Copyright Infringement Charges
Malware Has Been Lurking on City College of San Francisco System for a Decade
Japanese Aerospace Agency Data Compromised
Oracle's Critical Patch Update for January 2012
Malware Steals DoD Smartcard PINs
Zappos.com Hit by Customer Data Breach
White House Opposes DNS Manipulation Provisions in SOPA and PIPA; SOPA Now Stalled
NHS Trust Challenging Large Fine Over DPA Violations
************************** SPONSORED BY WinMagic Inc. *******************
WinMagic Invites you to join PBConnex Webinar - The Next Generation of Data Encryption Management As regulatory requirements continue to burden IT organizations, IT managers struggle to contain costs and complexity while protecting users and maintaining compliance. Learn how to improve user experience, enhance security and reduce total cost of ownership.
- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security.
- --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012 Summit: March 12-13, 2012 Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans.
- --SANS 2012, Orlando, FL March 23-30, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
- --Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************************************************************
TOP OF THE NEWS
NSA Implementing 20 Critical Controls To Lead By Example in Cybersecurity (January 16, 2012)
The National Security Agency (NSA) is developing an internal cyber security program for its own computer systems that can serve as the "gold standard" and a model for other military organizations and contractors that seek to operate their computers in a cost-effective but secure manner. NSA's program, which is being developed by a 38-member team, is based on the Twenty Critical Security Controls for Effective Cyber Defense. The list was developed by a team led by former Air Force CIO John Gilligan, who had grown weary of audits in which he was told that penetration testers could break into his systems but was not given guidance on how to prevent attacks and intrusions.
[Editor's Note (Murray): One size does not fit all. In government such attempts result in watering down controls. Moreover, the security problem in the US government is a problem of bureaucratic will, not knowledge. New guidelines will not help.
(Paller): Bill Murray is frequently right, but not this time. If one size did not fit the needs of thousands and thousands of large and small organizations, there would be no Red Hat Linux or Windows or Android or OS-X; each used effectively by millions of people in tens of thousands of organizations. In fact, one agreed-upon set of attack-informed, automatable controls is the single greatest advance necessary to bring about cost-effective cyber security. That's why the UK government announced last week it was adopting the 20 Critical Controls as a national initiative, why NSA is adopting them to lead by example in showing how effective security can be done, why John Streufert (just named to head the US National Cyber Security Division at DHS) automated them at the US State Department and reduced measured cyber risk by over 90%, why hundreds of large companies are adopting them, and why Inspectors General in two government agencies are moving to audit automation of the 20 Critical Controls instead of auditing traditional, wasteful FISMA reporting. Note, you can download the 20 Critical Controls poster at
Defense Industrial Base (DIB) Cyber Pilot Produces "Mixed Results" (January 12, 2012)
A government cyber threat information sharing pilot program has produced mixed results, according to a study commissioned by DoD and conducted by Carnegie Mellon University. The program, the Defense Industrial Base cyber pilot, used National Security Agency (NSA) data to help defense contractors protect their networks from cyber attacks. On the positive side, the program demonstrated that carriers could be trusted to handle NSA data; that the government did not need to directly monitor private networks; and that the program was especially helpful to companies with less developed cyber security resources. On the negative side, the program used malware signatures from NSA that were already dated when the program began. Often, the information provided did not help the companies prevent attacks that they were not already prepared to handle without the extra information.
[Editor's Note (Pescatore): This pretty much just points out once again that the Intelligence Community and DoD are generally not better at blocking attacks than private industry. They are better at following attacks and gathering intelligence information, or striking back after a successful attack, but prevention is a very different thing.
(Paller): Agreed; the ISPs are the right organizations to block attacks. Then the question becomes: who should provide the signatures. A closer look at the data from the DIB pilot shows that the program was quite successful for DIB companies that were not in the business of selling cyber security services. Carnegie Mellon and other large security service providers already knew about some (but definitely not all) of the NSA signatures, but they were *not* making effective use of those signatures to actively block attacks against the rest of the DIB. It appears that the only organizations who saw "mixed results" were those who wanted it to fail. Cybersecurity leaders in industrial organizations with whom I have spoken feel MUCH better about relying on NSA and DHS to provide more complete signatures than depending on subsets of signatures that the big defense contractors can provide. ]
************************** SPONSORED LINK ****************************
1) Don't miss SANS Webcast: Advanced Persistent Threats - Cutting Through the Hype. Sign up at http://www.sans.org/info/96796
2) Analyst Webcast: Needle in a Haystack? Attribution in Control Systems, February 22, 1:00 PM EDT, http://www.sans.org/info/96801
THE REST OF THE WEEK'S NEWS
Cyber Conflict in the Middle-East Escalating (January 16, 2012)
Cyber attackers have hit the websites of the Israeli stock exchange, El Al airlines, and several banks. The activity began last week with the posting of stolen Israeli credit card details. An Israeli hacker then retaliated by posting personal information of hundreds of Saudis, Egyptians, and Syrians online. The most recent spate of attacks did not interrupt trading or scheduled flights.
UK Student Faces Extradition to US to Face Copyright Infringement Charges (January 13 & 16, 2012)
Judge Quentin Purdy of the Westminster Magistrates Court in the UK has ruled that university student Richard O'Dwyer may be extradited to the US to face charges of copyright infringement. O'Dwyer established TVShack.net, a site that provided links to websites where users could download copyrighted digital content. The US government alleges that the site has been profitable for O'Dwyer, earning him more than US $230,000 through advertising revenue. O'Dwyer's attorney plans to appeal the ruling.
Malware Has Been Lurking on City College of San Francisco System for a Decade (January 16, 2012)
Students, faculty, and staff at City College of San Francisco (California) are being urged to change their passwords, refrain from using computers at the school to conduct financial transactions or any activity that requires a password, and check their home computers for infection following the detection of malware on the school's computer system. It appears that at least seven different strains of malware have been on the system for years. The problem was detected in November 2011, when those responsible for monitoring network activity noticed anomalous traffic patterns. An investigation revealed that malware had been stealing data for more than a decade. The compromised information includes banking data.
[Editor's Note (Murray): A decade ago Richard Clarke said that 75% of the attack traffic in the Internet could be traced back to a compromised system in a college or university. Closing and securing a college or university network is not a trivial task. Many schools lack the will or resources. ]
Japanese Aerospace Agency Data Compromised (January 13 & 16, 2012)
A malware infection on a computer at the Japan Aerospace Exploration Agency (JAXA) has resulted in stolen data. The employee whose computer was found to be infected works on an unmanned vehicle that transports cargo to the International Space Station. The malware appears to have harvested data from the infected machine. In August 2011, JAXA detected malware on the same machine and removed it, and then began monitoring the machine for anomalies. JAXA said that the infected machine sent out some data between July 6 and August 11, 2011.
Oracle's Critical Patch Update for January 2012 (January 13 & 16, 2012)
On Tuesday, January 17, Oracle will release its quarterly Critical Patch Update, which includes nearly 80 fixes. Twenty-seven patches address issues in MySQL; one of the MySQL flaws has the potential to be exploited over a network without the need for login credentials. The update also includes 11 patches for Fusion Middleware; of those flaws, five can be exploited without user authentication.
Malware Steals DoD Smartcard PINs (January 13 & 16, 2012)
A variant of the Sykipot Trojan has stolen personal identification numbers (PINs) associated with US Department of Defense smartcards. The cards are used by DoD employees to log in to computers and websites as part of a two-factor authentication scheme. The malware makes its way onto computers through PDF attachments that accompany spear phishing emails; the maliciously crafted documents exploit a zero-day flaw in Adobe Reader.
[Editor's Note (Murray): The purpose of the PIN is to resist the use of lost or stolen cards in the short term. The permanent resistance of lost or stolen cards is to disable them. This software might lower the cost of a man-in-the-middle attack. ]
Zappos.com Hit by Customer Data Breach (January 15 & 16, 2012)
Online shoe sales giant Zappos.com is notifying customers of a data security breach that affects names, email addresses, password hashes and, in some cases, the last four digits of credit card numbers. The breach affects as many as 24 million customers. Zappos was blocking international access to its website on Monday morning; it is unclear how long the block will be in place. Users' passwords have been forcibly expired and must be reset. Zappos is handling customer support through Twitter and email; the company has temporarily shut off its phones because the expected volume of calls following this event would likely overwhelm the system.
White House Opposes DNS Manipulation Provisions in SOPA and PIPA; SOPA Now Stalled (January 14, 2012)
The Obama administration has spoken out against certain provisions in the anti-piracy bills that are currently generating controversy in the House and Senate. The White House said that "proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS)." The White House did not touch on other issues raised in the bills, such as granting the US government the authority to bring lawsuits against websites and obtain court orders requiring search engines to exclude links to the offending websites in their results. Representative Lamar Smith (R-Texas), chief sponsor of SOPA, has removed the DNS altering provision from that bill. Senator Patrick Leahy (D-Vermont) has removed a similar provision from PIPA.
Late breaking news: SOPA appears to be stalled in the US House of Representatives. Representative Darrell Issa (R-California), an opponent of the proposed legislation, said that House Majority Leader Eric Cantor (R-Virginia) has said that he will not bring SOPA to the floor without a consensus.
The link to the White House statement is at:
NHS Trust Challenging Large Fine Over DPA Violations (January 13 & 17, 2012)
An NHS Trust is challenging a large fine imposed by the UK Information Commissioner's Office (ICO) for violating the Data Protection Act (DPA). The ICO is proposing to fine the Brighton and Sussex University Hospitals NHS Trust GBP 375,000 (US $576,000) after some of its patient records were discovered on hard drives that were being offered for sale on eBay. The Trust had engaged a contractor to destroy 1,000 hard drives. While the disks were in the contractor's possession, 232 of them were stolen and offered for sale on eBay.
[Editor's Note (Honan): This appears to be a classic example in information security of where you can outsource a task but you cannot outsource the responsibility. As a data controller under the UK Data Protection Act, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". This includes that you take the necessary steps to ensure that any third parties, termed under the act as Data Processors, acting on your behalf also take the "appropriate technical and organisational measures" to secure your data. ]
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/