Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #24

March 26, 2013

OOOPS: Contrary to the implication in our note, Oracle has not acquired SAP.
The note about Oracle and SAP in the March 22 issue should have said
that courses on securing both (not just SAP) were available or being
considered. The new SANS course on Auditing Security and Controls of
Oracle Databases is getting great reviews: "I manage security audits and
this course has shown me an effective way to create/edit our test plans
against database." (Roland Espinoza, Wyndham Worldwide); "Very relevant
and timely!" (Cynthia Ayala, Rent-A-Center). It will be offered at
Cybercon, April 22nd-April 27th:

And the demand for a SANS course on SAP security appears huge; we'll get
that one into development now.


Malware Logic Bomb that Hit South Korean Companies Was Spread Through Corporate Patching Systems
Full Scholarships For Top Cyber Talent; Governors McDonnell and Christie Launch Governor's Cyber Challenges
Apple Introduces Two-Factor Authentication, Fixes Flaw That Allowed Account Hijacking


Australian Legislative Committee Hears Thoughts on Cybersecurity Education for Users
Technical Papers Co-Authored by Chinese Academics and PLA Unit Linked to Cyberespionage
Tweets in Japan Contain Links That Freeze Browsers
Skimmer Steals Payment Card Data From Windows Point-of-Sale Terminals
Former College Student Pleads Guilty in Data Stealing, Vote-Rigging Case
Proposed Legislation in US Would Require Warrants for GPS Tracking
NASA Tightens Security Measures in Wake of Contractor's Arrest
Tallinn Manual on the International Law Applicable to Cyber Warfare
Appeals Court Says BitTorrent Site Violates US Copyright Law

*********************** SPONSORED BY SYMANTEC *****************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More.

-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.

-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

-- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.

-- Looking for training in your own community?

-- Save on On-Demand training (30 full courses) - See samples at

Plus New Delhi, Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days.
For a list of all upcoming events, on-line and live:


Malware Logic Bomb that Hit South Korean Companies Was Spread Through Corporate Patching Systems (March 25, 2013)

A security firm says it now believes that the malware that wiped out files on computers at South Korean banks and media companies was planted on corporate patching systems and, disguised as a legitimate security update, was then pushed out to computers at the affected organizations. Earlier, an IP address was erroneously identified as being the source of the attack; later it was learned that the IP address belongs to one of the victims of the attack. The malware was programed to activate at a certain time on March 20.
[Editor's Note (Assante): One of the more significant cyber incidents to prepare for are threats that target cross-cutting and horizontal mechanisms that provides the means for an intelligent cyber attacker to reach and impact multiple assets. The ability to quickly touch hosts is a design feature of IT management solutions and we have traditionally used administrative controls to make sure only authorized and trained staff could use these powerful tools. These same tools, to apply a military term, can become a force multiplier for a cyber attacker. This incident demonstrates the importance of learning about attacks and informing defensive practices. Ask yourself, what can an attacker leverage if they are inside of your network
(Northcutt): The best write up is the Sophos blog, link below. The interesting thing is that with this attack, and also Shamoon the wiper that destroyed 30k systems at Saudi Aramco, the experts say the attack is not very sophisticated. How sophisticated do you have to be to overwrite a hard drive? In any case, this attack vector is probably here to stay so start thinking about the data that is NOT backed up by writing to the network drive:
(Pescatore): There are way too many security companies offering up theories of how this one worked - I plan to delete before reading future articles until some accounts from an actual incident response effort/analysis come out. ]

Full Scholarships For Top Cyber Talent; Governors McDonnell and Christie Launch Governor's Cyber Challenges (March 23-25, 2013)

Virginia and New Jersey Governors' launched Cyber ACES Challenges in which students and veterans are showing they have the talent to help close the U.S. cybersecurity skills gap. A front page story in Monday's New York Times profiles the national need and the type of students being sought and discovered in Virginia; two other stories profile the New Jersey competition in which the winners earn full scholarships for immersion training and guaranteed residencies if they can complete the training.



Apple Introduces Two-Factor Authentication, Fixes Flaw That Allowed Account Hijacking (March 22 & 23, 2013)

Apple has introduced two-factor authentication to help prevent Apple accounts from being hijacked. The new measure will be rolled out first in the US, the UK, Ireland, New Zealand, and Australia. The scheme involves sending a four-character identification code in an SMS; users must enter the code from a trusted device to access their accounts. Apple will also provide users with a 14-character recovery key that they should print out and keep in a safe place in case they do not have access to their trusted devices or if they forget their password, as Apple support staff will be unable to reset users Apple IDs. The new scheme does not prevent users from receiving the verification codes on the same devices on which they use their Apple IDs. Apple has also addressed a vulnerability that could be exploited to hijack accounts that use single-factor authentication. That flaw was being exploited in active attacks. The vulnerability emerged just as Apple was rolling out the new two-factor authentication.


[Editor's Note (Pescatore): The good news is that for people logging in from PCs, using text messaging as a second factor is a good thing and a really good thing to get users to accept. The not-so-good news is that it will just be false security when people are doing web stuff from smartphone, as an actual second factor (the second device) will no longer be part of the equation. But, this may still carry us through the current phase where tablets may replace only the PC/laptop, and phones will still provide a second factor. "Phablets" are gaining rapid adoption in some parts of the world, though - which means only one device. Maybe when Apple comes out with one of those, they will include the biometrics technology they acquired a while back. ]

*************************** Sponsored Links: ******************************
1) eBook: Detecting and Stopping Advanced Threats. Today's cyber threat has changed in sophistication, in focus, and in its potential impact on your business. This eBook will tell you how today's advanced attacks require automatic detection and incident response. You will learn how you can most effectively protect your business. Download Today

2) Analyst Webcast: NAC Applied to SANS Critical Security Controls Wednesday, April 03, 2013 at 1:00 PM EDT (1700 UTC/GMT) Featuring: G. Mark Hardy and Scott Gordon.

3) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad!


Australian Legislative Committee Hears Thoughts on Cybersecurity Education for Users (March 25, 2013)

Representatives from Australian telecommunications company Telstra told legislators that laws requiring the company to educate users about cybersecurity issues and risks would be "useless." Speaking to members of the Australian Parliament's Joint Select Committee on Cyber-Safety, Telstra's director of corporate security and Internet trust and safety said that users already have ample information about the risks associated with online activity and that forcing the company to provide additional education would be like "taking a horse to water." Sydney University of Technology's Communications Law Centre director Michael Henry Fraser said he thought that Telstra could provide its users with more information about cyber security issues, though there are currently no legal requirements that it do so.


Technical Papers Co-Authored by Chinese Academics and PLA Unit Linked to Cyberespionage (March 25, 2013)

A Reuters report found that three technical papers on computer network security and intrusion detection were co-authored by Chinese university faculty members and a unit of the China's People's Liberation Army that has been linked to cyberespionage activity by US security company Mandiant. There is no evidence suggesting that the academic authors of the papers are in any way involved with cybercrime or military operations. Chinese officials have denied the allegations in Mandiant's report.


Tweets in Japan Contain Links That Freeze Browsers (March 25, 2013)

There are reports of malicious links spreading through Twitter Japan; the links cause browsers to crash. The tweets appear to come from phony accounts; the accompanying messages urge recipients to visit a blog. When users click on the provided link, they enter an endless JavaScript loop. Machines do not appear to be harmed.

vSkimmer Steals Payment Card Data From Windows Point-of-Sale Terminals (March 22, 2013)

The vSkimmer Trojan horse program steals payment card data from point-of-sale (POS) terminals. The malware has the capacity to steal the data from cards' magnetic strip, which contains account numbers, expiration dates, and security codes; it is being used in targeted attacks. vSkimmer targets Windows machines and sends the data it steals to a remote server. vSkimmer does not work on cards that use the EMV, also known as chip-and-pin authentication standard. HTtp://

Former College Student Pleads Guilty in Data Stealing, Vote-Rigging Case (March 22, 2013)

Matthew Weaver, a former California college student, has pleaded guilty to wire fraud, access device fraud, and unauthorized use of a computer. Weaver, who was a student at Cal State University in San Marcos, used a keystroke logger to harvest other students' personal data, including account access credentials. He used the stolen information to cast votes for himself and for friends in campus elections.

Proposed Legislation in US Would Require Warrants for GPS Tracking (March 21 & 22, 2013)

Legislation introduced in the US House and Senate would require law enforcement agents to obtain warrants before placing GPS tracking devices on suspects' vehicles. The Geolocational Privacy and Surveillance (GPS) Act would also require a warrant to use a cell site simulator to detect an individual's location, or obtain geolocation information from a third-party. The American Civil Liberties Union (ACLU), a supporter of the legislation, issued a statement that says, in part, "Police routinely get people's location information with little judicial oversight because Congress has never defined the appropriate check and balances." The bills were introduced the day after the Obama administration argued before a federal appeals court that tracking suspects with GPS without warrants is helpful because it can "gather information to establish probable cause." GPS Act provisions allow exceptions for emergencies, including national security under the Foreign Intelligence Surveillance Act (FISA).


NASA Tightens Security Measures in Wake of Contractor's Arrest (March 21, 2013)

NASA has tightened remote access restrictions to its computers following the arrest of a Chinese citizen who was a NASA contractor. Bo Jiang was arrested aboard a plane at Dulles International airport last week as he attempted to leave the country with several digital media devices. Jiang was working on high tech imaging project at NASA's Langley Research Center. He was employed by the National Institute of Aerospace, a non-profit research and education institute. According to an affidavit, Jiang was under investigation for possible violations of the Arms Control Act when he was arrested. He is being charged with lying to federal authorities about the number of devices he had with him on the plane. The affidavit also said that Jiang had made a previous trip to China with a NASA laptop that is believed to contained sensitive information. As part of an investigation into the issue, NASA administrator Charles Bolden has temporarily shut down a publicly available technical research database known as the NASA Technical Reports Server. Bolden has also ordered a review of access that foreign nationals from certain countries have to NASA facilities and has placed a moratorium on allowing further access to citizens of China, Iran, North Korea, and other countries.


[Editor's note (Henry): Chinese, Iranian, and North Korean citizens can't have access to sensitive high-tech NASA facilities anymore? I'm outraged ... before you know it the FDA will stop allowing foxes to guard henhouses. ]

Tallinn Manual on the International Law Applicable to Cyber Warfare (March 21, 2013)

The Tallinn Manual is the product of a three-year study by NATO experts "to examine how extant international law norms apply to
[cyber warfare ]
." The project "identifies the international law applicable to cyber warfare and sets out ninety-five 'black-letter rules' governing such conflicts."

[Editor's Note (Honan): According to NATO researchers using the Tallinn Manual the Stuxnet attack on Iran was an illegal 'Act of Force'

Appeals Court Says BitTorrent Site Violates US Copyright Law (March 21, 2013)

A three-judge panel of the 9th US Circuit Court of Appeals has ruled that BitTorrent filesharing service isoHunt violates US copyright law. IsoHunt offered pointers to copyrighted digital content, including music, movies, and software. The site's operator, Gary Fung, maintains that isoHunt is a search engine, like Google, and is therefore protected under the safe harbor provisions of the Digital Millennium Copyright Act, which grants certain companies immunity from prosecution for copyright violations due to content posted by users and provided the offending links are removed upon request. The judges said that isoHunt does not meet the necessary criteria for safe harbor protections under (DMCA) because its business model is built specifically for copyright infringement.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit