SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #62

August 03, 2012


Senate Cybersecurity Bill Vote Falls Short
DHS Seeks Ways to Attract and Retain Skilled Cyber Professionals


Bill Seeks to Limit Warrantless Wiretapping in US
RIM Denies India's Claims That it Has Encryption Keys for Enterprise Customers
Software Malfunction Costs Trading Firm US $440 Million
Dropbox Customer eMail Breach Explained
Retired Congressional Staffer Suing Government Over Whistleblowing Case
Air Force to Open Cyberwarfare Program to Other Agencies, Schools
Proposed Legislation Would Have Plaintiffs in Unsuccessful Patent Cases pay Defendants' Costs
Ransomware Pretends to Come from UK Police eCrime Unit
Microsoft Warns of Oracle Code Flaws that Affect Exchange Server 2007 and 2012

**************************** SPONSORED BY Zscaler *************************
WEBCAST: Are Your Corporate Secrets in Dropbox? Securely Enabling Cloud Based Apps. Join Phil Hochmuth, Research Director at IDC and Jay Chaudhry, CEO at Zscaler, for this 1-hour webcast to learn the best practices for ensuring that your sensitive corporate data is safe in the cloud. AUGUST 14 at 10am PST/ 1pm EST.
- --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012 - --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live:


Senate Cybersecurity Bill Vote Falls Short (August 2, 2012)

The US Senate has blocked passage of the Cybersecurity Act of 2012. President Obama had called for the legislation, saying it would help the country protect crucial networks against "the cyber threat to our nation." The bill, which was first introduced earlier this year, would have set cybersecurity standards for elements of the country's critical infrastructure; organizations that met those requirements would be immune from legal action. Experts have expressed concern that the organizations would not implement strong security practices without requirements, but lobbyists representing the interests of the businesses that would be affected said the bill would impose heavy government regulation. The American Civil Liberties Union (ACLU) has been opposed to the bill since its inception due to privacy concerns.


DHS Seeks Ways to Attract and Retain Skilled Cyber Professionals (August 2, 2012)

The US Department of Homeland Security (DHS) is urging Congress to balance pay packages for DHS and Pentagon cyber professionals. DHS says that higher salaries for cyber professionals in that agency would help them attract and retain skilled employees. The change is part of the Cybersecurity Act of 2012. Because the passage of major cybersecurity legislation is unlikely until 2013, DHS is exploring other avenues to attract new employees with desirable skills.

************************** Sponsored Links: ****************************
1) Enter to win one of TWO $200 American Express Cards by taking SANS 2nd Survey on Mobility/BYOD Policy and Management. Results released in October.
2) Special Webcast: Why Sys Admins Are Not Interested in Security. Friday, August 10, 2012 at 1:00 PM EDT - Featuring John Strand.
3) Special Webcast: Why hypervisor security does not scale into public space, Featuring Chris Brenton. Wednesday, August 22, 2012 at 1:00 PM EDT.


Bill Seeks to Limit Warrantless Wiretapping in US (August 2, 2012)

US Senator Jeff Merkley (D-Oregon) has introduced legislation that would limit the government's warrantless wiretapping powers. The proposal would amend the Terrorist Surveillance Program adopted by the Bush administration following the September 11, 2001 attacks. The program was formally authorized by Congress under the Foreign Intelligence Surveillance Act (FISA) Amendment Act; it allows the National Security Agency (NSA) to eavesdrop on communications of US citizens if it believes the person is receiving communications from a foreign country. Currently, the secret FISA Court is expected to grant all requests. In the rare instance that a request is denied, the government can still gather information during the appeals process. Merkley's proposal would require the government to "immediately stop the information acquisition and
[forfeit the use of ]
any information collected from Americans ... in legal proceeding" if the secret FISA court rejects a request for eavesdropping. It would also require any data gathered on US citizens be accessed only with a probable-cause warrant.

RIM Denies India's Claims That it Has Encryption Keys for Enterprise Customers (August 2, 2012)

BlackBerry parent company Research in Motion (RIM) is refuting India's claims that the company has provided the Indian government with encryption keys that allows it to access communications between BlackBerry enterprise customers. RIM has reiterated that it "cannot access information encrypted through BlackBerry Enterprise Server as
[it ]
is not ever in possession of the encryption keys." History supports RIM's assertions. The company has in the past refused to relinquish customer data and has refused law enforcement requests to build back doors into its products. What is likely is that India now has a Blackberry Enterprise Server (BES) located there for consumers who don't connect to a corporate BES.

[Editor's Note (Honan): Interesting to see that this article from the Indian Times claims a third party vendor is able to access Blackberry encrypted communications and contradicts the claims made by RIM

Software Malfunction Costs Trading Firm US $440 Million (August 1, 2012)

A glitch in stock trading software at New Jersey-based Knight Capital caused the prices of 140 stocks traded on the New York Stock Exchange to fluctuate wildly for a time on Wednesday, August 1. The issue will cost the trading company US $440 million. Knight said that the problem arose after it installed new trading software that cased "erroneous orders" to be sent. Knight's own stock value has dropped 75 percent in two days. Two financial institutions have announced that they have stopped trading with Knight for the time being.



[Editor's Comment (Northcutt): The Forbes article is particularly telling. As errors like the flash crash and the Facebook problems accumulate and you add the rogue traders at Barings, UBS and Societe Generale followed by blunders like JP Morgan and MF Global, people have to be wondering why they should invest their hard earned money in any part of the stock market.]

Dropbox Customer eMail Breach Explained (August 1, 2012)

Dropbox has confirmed a security breach that exposed customer data. Last month, Dropbox users in Europe reported receiving spam email advertising online casinos. The customer data were contained in a document that was stolen from the Dropbox account of one of the company's employees. The intruder managed to gain access to the account because of a different attack on another website; the account holder used the same password for both accounts. Dropbox says it plans to introduce two-factor authentication in the coming weeks, but did not offer any specific information.


[Editor's Note (Honan): This Dropbox incident is a good example to CSOs to use password breaches at third party web sites, especially consumer sites, as part of their security awareness program on why you should not reuse passwords across multiple systems, especially on your corporate systems. ]

Retired Congressional Staffer Suing Government Over Whistleblowing Case (August 1, 2012)

Former congressional staffer Diane Roark is suing the US government, alleging that her constitutional rights have been violated because it seized her computer five years ago in connection with a whistle-blowing case and has not returned the machine. Roark also alleges that the government is refusing to clear her name. Roark was a senior staffer at the House Intelligence Committee, and as such, was privy to the warrantless wiretapping program the government began after the September 11, 2001 attacks. She says that she urged "everybody ... to put civil liberties protections on it or eliminate it." The feds seized Roark's computer because they believed that she was the person who had leaked information of the program to the New York Times, which broke the story in December 2005. Roark denies that she is responsible for the leak.

Air Force to Open Cyberwarfare Program to Other Agencies, Schools (August 1, 2012)

In mid-January, 2013, the US Air Force will open its virtual cyberwarfare program to other federal agencies, additional military commands, and certain schools. The Air Force Integration Center Joint Cyberspace Operations Range is part of the Pentagon's Joint Cyberspace Operations Range (JCOR) that trains and accredits troops and offers simulated warfare exercises. The program could be cut if the Defense Department is faced with significant budget cuts.

Proposed Legislation Would Have Plaintiffs in Unsuccessful Patent Cases pay Defendants' Costs (August 1, 2012)

New legislation introduced in the US House of Representatives would require plaintiffs who launch unsuccessful computer hardware and software patent litigation to cover defendants' legal costs. The bill also marks the first time that Congress has defined a software patent.

In a separate story, the judge in the Apple v. Samsung patent case provided the jury with detailed information about the issues they will be required to decide.

[Editor's Note (Murray): This proposal will not fix a patent system that is overwhelmed by innovation. However, it will resist the "patent trolls" who sue in the hope that settling will be cheaper than defending. ]

Ransomware Pretends to Come from UK Police eCrime Unit (August 1, 2012)

UK police have discovered ransomware that purports to be from the Metropolitan Police's Central eCrime Unit (PCeU). The malware, which freezes up infected computers, has reportedly infected 1,100 machines, and 36 people have paid the ransom. The malware causes a message to appear telling users that they must pay a fine to the PCeU to unlock their machines.

[Editor's Note (Honan): This malware is doing the rounds across a lot of different countries. It is coded to use geolocation to detect which country the infected computer is in and to use the logos etc. of the relevant Law Enforcement Organisation for that jurisdiction. Europol has issued a warning on this scam

Microsoft Warns of Oracle Code Flaws that Affect Exchange Server 2007 and 2012 (July 31, 2012)

Microsoft warned administrators of critical flaws in Oracle code that could allow hackers to gain access to systems running Exchange Server 2007 and Exchange Server 2010. Oracle addressed the issues in a July 17 update; the flaws lie in the "Oracle Outside In" code libraries. Microsoft Exchange and FAST Search Server 2010 for SharePoint use the libraries to display file attachments in browsers. Microsoft said it is working on an update for the issue. Internet Storm Center:




The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit