OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #7

January 24, 2012

Can you make breakfast on Feb 2?
Jim Lewis, chair of the CSIS Commission on Cybersecurity for the 44th
Presidency, will be kicking off the Cybersecurity Insiders Breakfast
Series for 2012, with Shane Harris - the nation's best cybersceurity
story teller/journalist. They will provide fascinating and sometimes
funny insights into what went right and wrong in cybersecurity last year
and what to expect this year. They suggested several possible names for
the discussion: names for the breakfast: "year of triumph and tears,"
"year of strategies and squawks," and "year of laughter and forgetting."
But along with the fun will be two extraordinarily valuable insights
into changes in security coming in 2012 that will shape careers.
Sponsored by Government Executive Magazine and SANS. Registration
required, but there is no fee.

Register at: http://www.cvent.com/d/xcq9cb


EU Data Protection Directive Changes to Require Breach Disclosure Within 24 Hours
US Supreme Court Says GPS Tracking of Vehicles Requires a Warrant
Anonymous Launched DNS Poisoning Attack Against CBS.com


Cyber Insurance Policy Decisions Require Input From IT Department
Attack in December Affected Rail System in Northwest
NASA Hacker Gets Suspended Sentence, Still Faces Civil Charges
DreamHost Resets User Passwords After Intrusion Detected
UK High Court Judge Orders Search of News of the World's Computers
Votes on PIPA and SOPA Postponed Indefinitely
Secunia Drops Vulnerability Disclosure Grace Period to Six Months
Megaupload Seizure Fuels Both Sides of Anti-Piracy Legislation Debate

************************** SPONSORED BY SANS ***************************
What devices are accessing what resources and by whom?
Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012!
Follow this link to the survey: http://www.sans.org/info/97271


--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...

SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012 Summit: March 12-13, 2012 Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans.

--SANS 2012, Orlando, FL March 23-29, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.

- - --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.

--Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Bangalore, San Francisco, Stuttgart, Nashville, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************************************************************


EU Data Protection Directive Changes to Require Breach Disclosure Within 24 Hours (January 22 & 23, 2012)

Proposed changes to the European Union's Data Protection Directive, which is more than 15 years old, are expected to be announced this week. Under the new rules, organizations would be required to report security breaches to the affected individuals and data protection authorities without undue delay, likely to be within 24 hours. The new rules would also grant individuals the "right to be forgotten," allowing them to request that their personal information be erased. A "right to data portability" would make it easier for individuals to move their information from one company to another. The rules, expected to be announced on January 25, must still undergo the legislative process. Companies found to have violated the new rules could be fined up to one percent of their global revenue.

[Editor's Note (Murray): According to the Verizon Data Breach Incident Report, most breaches are weeks to months old before they are noticed and additional days and weeks may be needed to understand what really happened. All the regulation in the world cannot change that.
(Honan): If your company operates outside of the EU but has branch offices and/or subsidiaries based within the EU then these upcoming changes will impact on how you manage and secure the data of your customers and of your employees. ]

US Supreme Court Says GPS Tracking of Vehicles Requires a Warrant (January 23, 2012)

In a unanimous decision, the US Supreme Court said that US law enforcement agents need to obtain court-approved warrants before tracking suspects with GPS devices. The decision rejects arguments from the US Department of Justice (DOJ) that a four-week-long GPS tracking of a suspect's vehicle was within the law. The decision upholds a US Court of appeals decision that overturned the conviction of Antoine Jones. Justice Scalia wrote, "We hold that the government's installation of a GPS device on a target's vehicle, and its use of that device to monitor the vehicle's movements constitutes a 'search.'" The DOJ had argued that Jones had "no reasonable expectation of privacy."


Anonymous Launched DNS Poisoning Attack Against CBS.com (January 23, 2012)

The loosely organized hacking collective known as Anonymous has launched what appears to be a DNS poisoning attack on CBS.com, redirecting users to another server. Instead of the CBS.com main page, visitors were greeted with a directory structure containing one file, and any attempts to visit CBS sub-sites generated "404 Not Found" error messages. Some early reports suggested that the attackers had wiped CBS.com's servers, but this is not the case. Downtime for the site was estimated to have been 20 minutes.




************************** SPONSORED LINK ***************************
1) Take the SANS 8th Annual Log and Event Management Survey
Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/97276


Cyber Insurance Policy Decisions Require Input From IT Department (January 24, 2012)

The second annual Cost of Cyber Crime study from a private research organization reported that the median cost of a cyber attack is US $5.9 million. That figure includes regulatory fines, lawsuit costs, brand damage, and repair, recovery, and protection for hardware and software. Although insurance companies are starting to offer more policies that cover such attacks, the premiums are extremely high. Many executives believe, erroneously, that cyber attacks on their organizations are covered by standard corporate insurance and general liability policies. Even if they have cyber policies, they may not cover all costs associated with a breach. Organizations need to be clear about what coverage they need. Input from those responsible for running organizations' information security systems and others in the IT department can be helpful when deciding on types of policies and scope of coverage.
[Editor's Note (Paller): The cyber insurance policies are expensive, cover a shockingly small part of the damage associated with most cyber attacks, and as soon as the insurance companies have to pay damages under one of them, those premiums will go up substantially. Despite those weaknesses, it may make sense to force - through contract language or regulation - cyber insurance to be acquired by organizations handling sensitive data. Insurance can force changes in cybersecurity that few other forces can enable. Once fire insurance was mandatory, insurance companies made buildings less prone to fire; once car insurance was mandatory, insurance company requirements made cars much less dangerous to drive. ]

Attack in December Affected Rail System in Northwest (January 23, 2012)

An unnamed rail service in the northwestern US was the target of a cyber attack in early December 2011, according to a Transportation Security Administration (TSA) meeting summary. The attackers managed to disrupt rail signals on December 1 and 2, resulting in delays of about 15 minutes on the first day, but no delays on the second day.

NASA Hacker Gets Suspended Sentence, Still Faces Civil Charges (January 23, 2012)

Robert Butyka, the Romanian man who admitted hacking into NASA's computer network, will not be spending time in prison. Butyka was handed a three-year suspended sentence, and he still faces a civil lawsuit over the intrusion, which caused an estimated US $500,000 in damages.

DreamHost Resets User Passwords After Intrusion Detected (January 21 & 23, 2012)

Web hosting company and domain name registrar DreamHost has reset FTP and shell access passwords for all customers following a security breach of one of its databases. DreamHost has notified customers via email about the breach; users are being urged to change their passwords, and are warned that they may experience a delay while doing so because of the large number of users doing the same thing.




UK High Court Judge Orders Search of News of the World's Computers (January 19, 20, & 23 2012)

A UK judge has ordered a forensic search of News Group Newspaper's computers. High Court judge Mr. Justice Vos said that Rupert Murdoch's company has behaved irresponsibly by deleting email messages that could have been used to show that employees were engaged in phone and computer hacking. The computers that are ordered to be searched are believed to contain evidence that incriminating messages were deliberately destroyed.


Votes on PIPA and SOPA Postponed Indefinitely (January 20, 2012)

Votes on the Senate's Protect IP Act (PIPA) and the House's Stop Online Piracy Act (SOPA) have been postponed indefinitely in the wake of public outcry against the measures and an accompanying erosion of support among legislators. Mozilla says that its participation on the blackout last Wednesday in protest of the bills generated 360,000 email messages sent to legislators. Many other sites, including Wikipedia, Craigslist, and Google, also participated in the blackout.

Secunia Drops Vulnerability Disclosure Grace Period to Six Months (January 18 & 19, 2012)

Secunia says that as of the beginning of 2012, it will give vendors six months to issue fixes for vulnerabilities reported through the company's Vulnerability Coordination Reward Program (SVCRP). Previously, Secunia had allowed a year between the vulnerability's reporting and its disclosure; that time frame has been in place since 2003. Secunia has acknowledged that there may be circumstances under which it will grant an additional six months before making the vulnerability known - for example, if the fix requires architectural changes. Secunia does not release details of vulnerabilities, but the person who submitted the flaw to Secunia will be free to disclose the flaw after the agreed upon period of time.

[Editor's Note (Murray): It is arrogant to set one's self up as a judge when one has only part of the facts. While the NVPs know about the vulnerabilities that they discover, they may not know about all of them. They have no idea what the fix to their vulnerability may break. They seem to think that the vulnerabilities that they discover trump all other considerations.
(Paller): On the other hand, without a deadline, the incentives to delay too often outweigh the incentives to fix. ]

Megaupload Seizure Fuels Both Sides of Anti-Piracy Legislation Debate (January 19, 20, & 23, 2012)

US federal law enforcement agents have shuttered the Megaupload.com website, seized 18 domains connected to the site, and indicted seven executives and two companies. The company is based in Hong Kong. The executives face a number of charges, including criminal copyright infringement and conspiracy to commit money laundering. The government says that Megaupload allowed users to access movies before they were released in theaters, as well as music, television shows, e-books, and software, most in violation of copyright law. Megaupload has reportedly earned more than US $175 million. The FBI also seized company assets. While some have used the closure of Megaupload to point to the need for stronger anti-piracy laws, like SOPA and PIPA, others have pointed out that if the US government can shut down such a large operation, perhaps such laws are not necessary as they already have all the power they need.



[Editor's Note (Hinan): The Megaupload takedown has had ramifications amongst other file sharing sites as they fear the same fate

This takedown should also serve as a good lesson to those looking at cloud based file sharing services to ensure they include the loss of availability of those services, for whatever reason, as part of their business continuity planning. ]


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/