Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #50

June 22, 2012


Whitelisting More Effective Than Anti Virus, Says AV Maker McAfee
XML Vulnerability Being Actively Exploited


Fifth European Parliament Committee Rejects ACTA
Office of Special Counsel Urges Caution in Employee Monitoring
TSA Seeks Employee Monitoring Technology
AutoCAD Worm
Japanese Researchers Develop Real-Time Monitoring System
The Pirate Bay Users Circumvent UK ISP Blocks
Google "Surprised" that ICO Reopened Street View Investigation
Flame Appears to Have Been Scout for Stuxnet
Man Arrested, Charged with Trying to Sell Access to Hacked Government Computer

******************* SPONSORED BY Palo Alto Networks **********************
Download Free Modern Malware for Dummies eBook and learn how to stop the most dangerous threats facing your network. This book provides an in-depth analysis of how modern malware works and outlines the specific actions and technologies needed in order to regain control over today's malware.
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012 Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.

--SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.

--Looking for training in your own community?

--Save on On-Demand training (30 full courses) - See samples at

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live:


Whitelisting More Effective Than Anti Virus, Says AV Maker McAfee (June 21, 2012)

The Pacific Northwest National Laboratory and McAfee report that whitelisting and related technologies are the best solution for securing computers in the critical infrastructure. New types of attacks using zero-day vulnerabilities cannot be stopped by traditional AV technology. The researchers conclude that it is time to switch from blocking bad code to allowing only good code.

[Editor's Note (Paller): These findings are identical to the groundbreaking findings of the Australian Defense Signals Directorate that showed whitelisting to be critical to protecting against targeted intrusions (APT) while anti-virus had much less too offer. See:
. Though the PNNL/McAfee findings would claim to apply to industrial control systems, they are just as important in general systems in any organization subject to theft of valuable military or civilian intellectual property and/or financial data. ]

XML Vulnerability Being Actively Exploited (June 20 & 21, 2012)

Attackers are actively exploiting a vulnerability in Microsoft XML Core Services (MSXML) 3.0, 4.0, and 6.0. The flaw was disclosed earlier this month when Microsoft issued its scheduled security update. The company did not provide a patch, but did suggest workarounds, including a "Fix it" solution to prevent the flaw from being exploited on user's computers. The flaw, which is exploited through Internet Explorer (IE), is particularly dangerous because users need only visit compromised websites to become infected. At least two compromised sites have been detected: an aeronautical parts supplier and a medical company. Both are European companies.


Microsoft's advisory:

************************* Sponsored Link: **************************
1) Special Webcast: Endpoint Visibility, Control and Remediation Leveraging NAC. Leveraging NAC Tuesday, July 10, 2012 at 1:00 PM EDT


Fifth European Parliament Committee Rejects ACTA (June 21, 2012)

A European parliamentary committee has voted to reject the Anti-Counterfeiting Trade Agreement (ACTA). UK MEP David Martin, who is a member of the European Parliament's International Trade Committee, said that they "believe Europe does have to protect its intellectual property, but ACTA was too vague a document." For example, the proposed agreement does not explain how Internet service providers (ISPs) are involved in policing the Internet. The committee was also concerned that the proposed sanctions for copyright violations were too harsh. Because this committee is the fourth to recommend rejection of ACTA, it is unlikely that the legislation will pass when it comes before the full European Parliament in July.


Office of Special Counsel Urges Caution in Employee Monitoring (June 21, 2012)

The Office of Special Counsel (OSC) has sent a memo to all US government executive departments and federal agencies, cautioning them to examine their employee monitoring policies. Special Counsel Carolyn Lerner writes that "agency monitoring specifically designed to target protected disclosures to the OSC and inspectors general is highly problematic
[because it ]
undermines the ability of employees to make confidential disclosures." Although the memo mentions no specific incidents, the US Food and Drug Administration (FDA) is currently under investigation for monitoring employees' communications with OSC, legislators, and the media. The US Office of Special Counsel is an independent federal investigative and prosecutorial agency.



TSA Seeks Employee Monitoring Technology (June 21, 2012)

The Transportation Security Administration (TSA) is seeking software that it can use to snoop on its employees. Specifically, TSA wants to be able to detect inside threats. It is looking for technology capable of monitoring and logging keystrokes, chat activity, email, attachments, websites, network activity, files transferred, and documents. It must be able to perform these functions without revealing itself to the employees being monitored.


[Editor's Comment (Northcutt): This type of capability has existed for over twenty years. The CIA pioneered the concept; the IRS followed with a home grown insider misuse detection system. DOD funded Silent Runner, originally through the SBIR program. Misuse detection is built into most electronic health care record system. Plenty of solutions are available. The bigger problem is similar to the principal problem with data leakage protection solutions; they generate so much information that effective analysis becomes infeasible. ]

AutoCAD Worm (June 21, 2012)

A worm that steals AutoCAD drawings has been detected. The industrial espionage malware has appeared mainly in Peru and neighboring countries where it appears to have infected more than 10,000 computers. The firm that first detected the malware is calling it ACAD/Medre.A; it appears to have stolen tens of thousands of drawings, sending them to an email address registered with a Chinese provider. The email accounts that were being used in the attack have been closed.


Japanese Researchers Develop Real-Time Monitoring System (June 20, 2012)

Researchers at Japan's National Institute of Information and Communications Technology (NICT) have developed a real-time monitoring and alert system it calls DAEDALUS (Direct Alert Environment for Darknet and Livenet Unified Security). DAEDALUS works by monitoring unused IP addresses, which it calls the darknet; it alerts security teams when active IP addresses within their organizations are attempting to send packets to an IP address in the darknet.

The Pirate Bay Users Circumvent UK ISP Blocks (June 20, 2012)

Earlier this week, BT became the last of the UK's major ISPs to block access to the Pirate Bay to comply with a High Court ruling. Virgin Media, Sky, TalkTalk, and others blocked the file sharing site earlier this year. However, users reportedly managed to circumvent the block "within minutes," despite BT having taken steps to block known proxy sites. The registry that manages the Swedish top-level domain, .SE, which The Pirate Bay is currently using, says that "the method used to block a domain are all relatively easy to circumvent and thus essentially ineffective
[and that ]
the domain name itself is not an accomplice in act of copyright infringement."

Google "Surprised" that ICO Reopened Street View Investigation (June 19, 20, & 21, 2012)

Google has expressed "surprise" at the UK Information Commissioner's Office's (ICO) decision to reopen its Street View investigation. The ICO's decision was prompted by recent findings released by the US Federal Communications Commission (FCC) indicating that it was likely that Google had known about the extra data being collected yet continued to collect them. Google maintains that it did not try to hide what it knew about the amount and type of data being collected by Street View vehicles. Instead, says Google, just a few people learned about the issue and did not become aware of it until May 2010. Specifically, Google has denied altering the data that it provided to the ICO in the earlier investigation.



Flame Appears to Have Been Scout for Stuxnet (June 19, 2012)

Emerging reports suggest that the US and Israel worked together to develop Flame, a sophisticated piece of espionage malware designed to gather information needed to formulate plans to thwart Iran's nuclear program. Flame collected detailed information about the structure of computer networks in Iran. Flame infiltrated computers and evaded detection by disguising itself as a Microsoft software update. The purloined data were used to develop and launch malware like Stuxnet.

Man Arrested, Charged with Trying to Sell Access to Hacked Government Computer (June 18 & 21, 2012)

A Pennsylvania man has been arrested for allegedly breaking into networks at the US Energy Department (DOE), the University of Massachusetts, and other organizations. Andrew James Miller also allegedly attempted to sell access to the compromised networks. The attacks occurred between 2008 and 2011; Miller allegedly tried to sell root access to the DOE system to an undercover FBI agent. An indictment charges Miller with conspiracy, computer fraud, and access device fraud.



The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit