SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #19

March 08, 2013


Report Says US Military Systems Not Prepared for Serious Cyber Conflict
White House Hides Report on Cybersecurity Flaws in Government
Aircraft Connectivity Raises Security Concerns
Google Releases Information About National Security Letters


DARPA Ends Cyber Fast Track Program
EU Members Seek Changes in Proposed Data Protection Laws
FTC Cracking Down on Text Message Spammers Offering "Free" Gift Cards
Microsoft's March Patch Tuesday to Include Seven Bulletins
Feds Ask Judge to Dismiss Surveillance Lawsuit
Proposed Legislation Would Amend Outdated Portions of Electronic Communications Privacy Act
Former Executive Guilty of Hacking Company's Network to Steal Information
MiniDuke Espionage Malware Dates Back to at Least June 2011


-- SANS 2013 Orlando, FL, March 8-March 15, 2013. 47 courses. Bonus evening sessions include Please Keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.

-- SANS Monterey 2013 Monterey, CA, March 22-March 27, 2013. 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.

-- SANS Northern Virginia 2013 Reston, VA, April 8-April 13, 2013. 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

-- SANS Cyber Guardian 2013 Baltimore, MD, April 15-April 20, 2013. 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

-- SANS Security West 2013 San Diego, CA, May 7-May 16, 2013. 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

-- Secure Canberra 2013 Canberra, Australia, March 18-March 23, 2013. Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.

-- Critical Security Controls International Summit London, UK, April 26-May 2, 2013. Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

-- SANS Pen Test Berlin 2013 Berlin, Germany, June 2-June 8, 2013. Europe's only specialist pen test training and networking event. Five dedicated pen test courses and summit day.

-- Looking for training in your own community?

-- Save on On-Demand training (30 full courses) - See samples at

Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.

For a list of all upcoming events, on-line and live:


Report Says US Military Systems Not Prepared for Serious Cyber Conflict (March 5 & 7, 2013)

A study conducted by the Defense Science Board found that the US military is not prepared to engage in a serious cyber-conflict with a well-equipped adversary. The report recommends that US intelligence agencies increase their information gathering about other countries' cyber-capabilities. The report calls Pentagon efforts to manage sophisticated cyberattacks "fragmented." The report says that protecting all military systems from cyberattacks is unrealistic, and that critical systems should be identified, isolated, and protected with "advanced defensive measures."


White House Hides Report on Cybersecurity Flaws in Government (March 7, 2013)

U.S. Senator Tom Coburn of Oklahoma said at a hearing on Thursday that the only reason the White House had not released the annual report on federal cybersecurity (required March 1 by the FISMA legislation) is that the report shows weaknesses that "are embarrassing." The hearing featured DHS Secretary Napolitano and NIST Director Gallagher testifying about implementation of the new Executive Order on cyber security.

[Editor's Note (Paller): Most of the security weaknesses pointed out in the as yet unreleased report are very low priority, process flaws, rather than actual security flaws exploited by nation states to take over government systems. The security flaws are there, but the auditors have not been looking for them because they were wasting time trying to read reports that follow 600 pages of NIST guidance. The auditors explain that OMB requires them to do these content-free audits. Even the contractors who prepare the useless reports agree they do not improve security. The underlying cause of a large fraction of the flaws in cybersecurity in government can be traced to the Office of Management and Budget's active refusal to ask the agencies to stop spending $1 billion a year writing NIST-driven reports about security, and use the money instead to buy secure code and fix the security flaws, and to ask auditors to make sure they are implementing those fixes. If you know OMB's Steve Van Roekel or Lisa Schlosser, ask them why they are ignoring Senator Carper's data (he is the Chairman of the Senate Homeland Security and Government Affairs Committee) and continuing to force agencies to waste more than $80 million every month, $3 million every work day, doing the wrong things in cybersecurity. ]

Aircraft Connectivity Raises Security Concerns (March 6, 2013)

Panelists at an aviation security conference expressed concern about new aircraft's increased connection to data networks and the Internet. Many of the new aircraft have wi-fi systems for passengers as well as increased data uplinks and downlinks. Michael Garrett, director of aviation security in Boeing's commercial airplanes division, said his company provides airlines with guidance about protecting the planes from cyberthreats, but in the end, it is the airlines' implementation of the guidance that counts. Steve Jackson, who is the group head of security and facilitation at Qantas, is concerned about wi-fi because, as presently configured, it "opens everything up." Qantas will not activate passenger wi-fi until the company has looked into the security implications.

[Editor's Note (Pescatore): The aircraft world has DO-178B, Software Considerations in Airborne Systems and Equipment Certification and a recent DO-178C update, that basically define the requirements and process for certification of software to run on aircraft. It has had a pretty good track record from a reliability point of view - in 20 years there has been one accident and a handful of incidents attributed to software defects in aircraft. However, as we have learned with PC and server software, reliable is very different from attack-proof. This is another example of "The Internet of Things" exposing more types of software to external connectivity that was never envisioned during the initial design phase. We have already seen medical machinery, ATM machines and the like get impacted by relatively simple malware. This is another area for emphasis on the Critical Security Controls. ]

Google Releases Information About National Security Letters (March 5, 2013)

Google released information about National Security Letters (NSLs) in an addition to its Transparency Report issued on March 5. Because the government prohibits companies from disclosing that they have received NSLs, Google worked out an arrangement that allows the company to provide ranges for each year since 2009. In that year, and again in 2011 and 2012, Google received NSLs for between 1,000 and 1,999 users or accounts. In 2010, the figure was between 2,000 and 2,999. NSLs allow the FBI to request user information from companies that is relevant to a national security investigation, and they do not require court approval. NSLs can be used to demand information from financial institutions, credit bureaus, travel agencies, and telecommunications companies.



DARPA Ends Cyber Fast Track Program (March 7, 2013)

The US Department of Defense's Defense Advanced Research Projects Agency (DARPA) is ending the Cyber Fast Track program. The program aimed to develop responses to cyberdefense issues quickly by using the expertise of reformed hackers and other cybersecurity specialists. DARPA's mission statement for Cyber Fast Track said, "The government needs agile cyber projects that are smaller in effort, have a potential for large payoff, and result in a rapid turnaround, creating a greater cost to the adversary to counter." Cyber Fast Track was launched in fall 2011; over the 18 months that Cyber Fast Track was in operation, the program received nearly 400 proposals and awarded 101 grants. Cyber Fast Track manager Peiter Zatko said that the program "is ending because it was an experiment." The last day the program will take submissions is April 1, 2013.


EU Members Seek Changes in Proposed Data Protection Laws (March 7, 2013)

Several European Union member states are urging the European Commission to make changes to proposed data protection and privacy laws. Measures in the proposals could allow for the imposition of fines of as much as two percent of a company's global revenue for data breaches. There are complaints about the "level of prescriptiveness" in the draft legislation. Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, says the concerns are overblown.


FTC Cracking Down on Text Message Spammers Offering "Free" Gift Cards (March 7, 2013)

The US Federal Trade Commission (FTC) is cracking down on text message spammers. The FTC is focusing in particular on the phony messages that tell recipients that they could win gift cards. When recipients click the links in the messages, they are asked for their personal information. The data are collected and sold to third parties. So far, the FTC has charged 29 defendants in eight complaints. More than 180 million spam messages were sent to random numbers; some were received by people who had to pay to receive the text message.

Microsoft's March Patch Tuesday to Include Seven Bulletins (March 7, 2013)

On Tuesday, March 12, Microsoft plans to issue seven security bulletins, four of which will address critical vulnerabilities. The updates will affect Internet Explorer (IE), Windows, Office, SharePoint Server and Silverlight media software.


Feds Ask Judge to Dismiss Surveillance Lawsuit (March 6, 2013)

The Obama administration has asked a federal judge to dismiss a lawsuit that accuses the government of secretly intercepting electronic communications of citizens without a warrant and providing the information to the National Security Agency (NSA). The filing cites a recent US Supreme Court decision to halt a legal challenge to a government warrantless surveillance program because the plaintiffs had no legal standing: their claim could not be supported by "actual evidence" but was based on speculation. The filing also says that "... plaintiffs here must set forth specific facts establishing their standing i.e., facts establishing that the Government has surveilled their communications as alleged in the complaint. This plaintiffs cannot do without information that is properly subject to the state secrets privilege."

Proposed Legislation Would Amend Outdated Portions of Electronic Communications Privacy Act (March 6, 2013)

Legislation introduced this week in the US House of Representatives would require law enforcement to obtain warrants before accessing private online messages or mobile device location data. The law would amend the 1986 Electronic Communications Privacy Act (ECPA), which allows police to access emails that have been read that are more than 180 days old with just a subpoena. When ECPA was passed more than 25 years ago, email was downloaded, not stored on third-party servers, so messages that were 180 days or more old were considered abandoned. The law as written does not take into account new services that allow users to store their communications in the cloud. Most email providers say they require warrants before turning over customers' private messages.


Former Executive Guilty of Hacking Company's Network to Steal Information (March 5, 2013)

A former executive of a transportation logistics company has been found guilty of breaking into servers at his old company to steal information for a new business. Michael Musacchio was president of Exel from 2002 through 2004, when he left the company to start a competing firm called Total Transportation Services. Between 2004 and 2006, Musacchio and two accomplices, Joseph Roy Brown and John Michael Kelly, accessed the Exel network "to obtain ... confidential and proprietary business information and use it to benefit themselves and their new" company. Brown and Kelly, who were also former Exel employees, have pleaded guilty to charges stemming from the attacks.

[Editor's Note (Pescatore): What the former executive did was illegal and he should be prosecuted. However, most of these types of incidents require very little "hacking" - usually the former executive's account was never disabled. Yes, the executive will get punished - but the damage to the business was done. Most audits show on the order of 20 - 30% of corporate accounts are "dead accounts" where access should have been removed - and the problem is getting significantly worse as companies increase their use of cloud services. It is not uncommon for Software as a Service accounts to be active long after corporate email and intranet accounts have been disabled. User provisioning processes and security controls need to be reviewed when any cloud-based services are approved. ]
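The reconciliation the note above calls for, as an added example (not SANS or newsletter code): it cross-references an HR termination list against a corporate directory and a SaaS user export to surface accounts that outlived a departure, and counts dormant accounts. All records and field names below are constructed assumptions.

```python
"""Dead-account reconciliation across HR, directory and a SaaS export."""
from datetime import date

# Constructed sample inputs (assumptions, not real data): who HR says has
# left and when, what the corporate directory says, and a SaaS user export.
HR_TERMINATIONS = {"rwalker": date(2012, 9, 30), "jdoe": date(2012, 11, 15)}
DIRECTORY = {"rwalker": "disabled", "jdoe": "enabled", "asmith": "enabled"}
SAAS_USERS = {
    "rwalker": {"status": "active", "last_login": date(2012, 12, 2)},
    "jdoe": {"status": "active", "last_login": date(2012, 10, 1)},
    "asmith": {"status": "active", "last_login": date(2013, 3, 1)},
    "contractor7": {"status": "active", "last_login": date(2012, 1, 5)},
}
TODAY = date(2013, 3, 8)  # audit date, fixed so results are reproducible


def orphaned_accounts(terminations, directory, saas, today):
    """SaaS accounts still active for people HR has already terminated.

    Each finding notes whether the directory was already disabled (the SaaS
    account outlived corporate access) and whether the account was used
    after the termination date, which warrants an incident investigation."""
    findings = []
    for user, left_on in terminations.items():
        record = saas.get(user)
        if not record or record["status"] != "active" or left_on > today:
            continue
        findings.append({
            "user": user,
            "days_since_termination": (today - left_on).days,
            "directory_already_disabled": directory.get(user) == "disabled",
            "used_after_termination": record["last_login"] > left_on,
        })
    return sorted(findings, key=lambda f: f["user"])


def dormant_accounts(saas, today, max_idle_days=90):
    """Active accounts with no login in max_idle_days: dead-account
    candidates even without an HR record (contractors, shared accounts)."""
    return sorted(user for user, rec in saas.items()
                  if rec["status"] == "active"
                  and (today - rec["last_login"]).days > max_idle_days)


def dead_account_ratio(saas, today, max_idle_days=90):
    """Fraction of active SaaS accounts that are dormant."""
    active = [u for u, r in saas.items() if r["status"] == "active"]
    if not active:
        return 0.0
    return len(dormant_accounts(saas, today, max_idle_days)) / len(active)


if __name__ == "__main__":
    for f in orphaned_accounts(HR_TERMINATIONS, DIRECTORY, SAAS_USERS, TODAY):
        print("orphaned:", f)
    print("dormant:", dormant_accounts(SAAS_USERS, TODAY))
    print("dead-account ratio: %.0f%%" % (100 * dead_account_ratio(SAAS_USERS, TODAY)))
```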

MiniDuke Espionage Malware Dates Back to at Least June 2011 (March 4 & 5, 2013)

Researchers at two laboratories have found an early sample of the MiniDuke espionage malware that dates back to June 2011. MiniDuke uses malicious PDFs to exploit a vulnerability in Adobe Reader; Adobe issued a patch for the flaw on February 20. The malware has been used to steal information from research institutions, think tanks, and government agencies in 59 countries.


The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit