SANS NewsBites

Volume XV - Issue #27

April 05, 2013

Tony Sager was the top cyber defender at NSA and John Pescatore was the
top security analyst at Gartner, and both joined SANS in the last year.
On April 18, for the very first time, you can hear them discussing
solutions that work (and don't) at a breakfast workshop (in
Washington or simulcast for people around the world). It is likely to
be the single most useful half-day seminar on effective cyber security
(for stopping the targeted attacks doing all the damage) and the cost
is right - it is free for Government attendees. Register at:
To register for this event via simulcast, visit


PS If you work in a major consulting firm or medium-large enterprise,
and have adopted the Critical Security Controls as your framework for
effective cybersecurity, please email me at because
there is a request from the White House and Commerce Department where
your innovation may add value.


Google Challenging National Security Letter
FBI Wants Broader Realtime Surveillance Authority
Government Seeks Veterans to Fill Cybersecurity Positions


Bitcoin Exchanges Hit by DDoS
Court Grants Class Action Status in ComScore Privacy Lawsuit
Microsoft Will Release Nine Bulletins in Next Week
Japanese Internet Portals Hacked
European Security Report Finds Skimming Thieves Targeting Ticket Kiosks and Parking Meters
Harvard Secret eMail Search Prompts Privacy Policy Review
Firefox 20 Improves Private Browsing
Nationwide Insurance Takes Steps to Keep Breach Information Secret
Attacks on Financial Institutions Meant to be Destructive

*********************** SPONSORED BY BIT9 ********************************
Webcast: Next-Generation Security Solutions: How Integrating Server/Endpoint and Network Tools will Improve Your Security Posture. Are you using or considering next-generation network security tools such as FireEye and Palo Alto Networks? You can multiply the value of next-gen network security tools by integrating them with a solution that gives you real-time visibility into all threats across your network and servers/endpoints from a single console. Register Today:

-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

-- SANSFIRE 2012 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.

-- SANS Secure Europe 2013 Amsterdam, Netherlands April 15-April 27, 2013 10 courses.

-- Critical Security Controls International Summit London, UK April 26-May 2, 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.

-- Looking for training in your own community?

-- Save on On-Demand training (30 full courses) -
See samples at

Plus Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days.

For a list of all upcoming events, on-line and live:


Google Challenging National Security Letter (April 4, 2013)

Google has filed a petition challenging a National Security Letter (NSL), a demand for information about a user or users issued by government agencies. Most NSLs include a gag order, prohibiting the recipient from discussing its contents or even the fact that it was received. The petition was filed late last month under seal in US District Court of Northern California. Earlier in March a US District Judge in that state ruled that NSLs are unconstitutional because of the gag order. Judge Susan Illston's ruling ordered the government to stop issuing NSLs and to cease enforcement of gag orders for those that have already been issued. The Google NSL challenge has been assigned to Judge Illston.
[Editor's Note (Murray): It took someone with Google's clout and courage to finally get the government into court over a law that is, at least arguably, unconstitutional.]

FBI Wants Broader Realtime Surveillance Authority (March 26, 2013)

Speaking at a meeting of the American Bar association last month, FBI general counsel Andrew Weissmann said that a "top priority" for his agency this year is increasing its wiretapping authority to include a broader range of Internet communications and storage. The increase in the use of email and social media has presented problems for the FBI, which wants to monitor communications in realtime.

Government Seeks Veterans to Fill Cybersecurity Positions (April 1, 2013)

The government is recruiting veterans to help defend the country's critical systems from cyberattacks. Earlier this year, the Pentagon said it plans to recruit 4,000 "skilled cyberwarriors ... to conduct operations in cyberspace." Returning veterans face a tough job market, but because many of them already have security clearances necessary for Pentagon work, they are sought after for these positions. Veterans are being invited to enter cybersecurity competitions in which top performers receive scholarships to cybersecurity training programs.

*************************** Sponsored Links: ******************************
1) Attend the SANS 20 Critical Security Control Briefing, Thursday, April 18, 2013 in Washington, DC at the JW Marriott. Tony Sager and John Pescatore will provide an overview of the 20 CSC, showcase the 20 CSC In Action, and also moderate a Vendor Panel. Event is free to Government attendees. For more information go to To register for this event via simulcast, visit

2) Datacenter Virtualization from a Security Perspective, Wednesday, May 1, featuring Dave Shackleford

3) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad!


Bitcoin Exchanges Hit by DDoS (April 4, 2013)

Mt. Gox, a major exchange for the virtual currency Bitcoin, has come under a distributed denial-of-service attack. The attack has significantly affected the price of Bitcoin. Tokyo-based Mt. Gox processes 80 percent of Bitcoin trades in US dollars and 70 percent of Bitcoin trades in other currencies. The Instawallet website, which also trades in Bitcoin, has been knocked offline by an attack. The attacks are presumed to be an attempt to game the trading system.

[Editor's Note (Pescatore): Since Bitcoin's business model pretty much requires very high availability of Internet connectivity, you would think they would have denial of service protection on that connectivity -- much the way I'm sure they have uninterruptible power supplies on their data centers.]

Court Grants Class Action Status in ComScore Privacy Lawsuit (April 4, 2013)

A court in Chicago has granted class action status to a lawsuit filed against an Internet tracking company. The lawsuit alleges that comScore collected and sold Internet users' personal data, including credit card and Social Security numbers (SSNs), and passwords. comScore says that it collects data about users, strips the data of identifying information, and sells the results to its clients. The lawsuit alleges that comScore altered security settings and installed back doors on users' computers and used the access to steal information from word processing documents, email messages, and PDFs.

[Editor's Note (Pescatore): Anonymizing user information is good practice, but only on information the user agreed to allow to be collected. Imagine if office cleaning crews that service Comscore's buildings copied business information from the desks of Comscore's CEO, CFO, etc. -- I don't think Comscore would be fine with that if the cleaning company said "well, we stripped it of all identifying information".]

Microsoft Will Release Nine Bulletins in Next Week (April 4, 2013)

On Tuesday, April 9, Microsoft plans to issue nine security bulletins to address vulnerabilities in a number of its products, including Windows, Internet Explorer, Office, and Microsoft Server Software. Two of the bulletins have been given maximum severity ratings of critical; these bulletins address flaws in Windows and Internet Explorer.

Japanese Internet Portals Hacked (April 4, 2013)

Two Japanese Internet portals were hacked recently, prompting one of them, Goo, to lock 100,000 accounts to prevent unauthorized access. Yahoo Japan detected malware on its servers that was attempting to steal user data, but the attack was stopped before the information made it out of the network.

European Security Report Finds Skimming Thieves Targeting Ticket Kiosks and Parking Meters (April 3, 2013)

Thieves bent on skimming payment card information are branching out from ATMs, according to a report from the European ATM Security Team (EAST). Skimming devices have been found on transportation ticket kiosks in at least five European countries. Parking meters and point-of-sale terminals at fuel stations have also been targeted. The majority of card skimming occurs in countries that have not yet adopted chip-and-PIN security technology.

Harvard Secret eMail Search Prompts Privacy Policy Review (April 3, 2013)

In the wake of an email snooping scandal, Harvard University President Drew Faust has launched a review of the school's email privacy policies. Earlier this year, a story broke about Harvard administrators searching the email accounts of 16 resident deans; the search was conducted because administrators were looking for the source of an information leak regarding a cheating scandal. It now appears that the searches of the deans' email accounts were broader than initially acknowledged, and Faust is also asking an outside lawyer to investigate the extent of the searches.


Firefox 20 Improves Private Browsing (April 2 & 3, 2013)

Mozilla has released Firefox 20, which fixes 13 security issues and makes private browsing easier. Five of the vulnerabilities are deemed critical and could be exploited to run malicious code or install software without user interaction. Firefox 20 also allows users to switch browser privacy status without closing or restarting Firefox; users can instead open a private window while the regular window is open. Firefox should update automatically for users with existing versions of the browser on their computers. Firefox 20 is available for Windows, Mac OS X, and Linux.


[Editor's Note (Pescatore): The Interactive Advertising Bureau (IAB) and Association of National Advertisers (ANA) sort of attacked Mozilla for future plans to give users a default setting to block third party cookies in a future Firefox release. The basic argument seems to be that advertising is vital for the survival of the Internet, advertising requires tracking for some reason, but if users have to click to choose such valuable tracked/targeted advertising, for some reason they won't. It is sort of like broadcast TV services saying, "if TVs don't automatically come up on an ad-supported channel, users will never change the channel to watch advertising supported TV." ]

Nationwide Insurance Takes Steps to Keep Breach Information Secret (April 1 & 3, 2013)

Nationwide Insurance has taken an interesting route to keeping details of its October 2012 security breach out of the public eye. The company has hired a law firm to investigate the incident, which exposed the personal information of 1.1 million people. Because the law firm is conducting the investigation, the findings will be granted the secrecy afforded by attorney-client privilege. Nationwide is not the first company to take this route; some law firms are starting to specialize in data breach investigation. While this measure protects the details of the Nationwide breach from becoming public knowledge for the time being, state and federal officials who are investigating the breach could mandate a third-party investigation. Those results would be public.


[Editor's Note (Murray): While the work product of attorneys may be privileged, that does not extend to all information about the breach. Since the breach might result in tort liability, engaging lawyers early is only prudent. In the absence of other evidence, the inference that the intent of doing so is to conceal evidence is unwarranted.]

Attacks on Financial Institutions Meant to be Destructive (March 28, 2013)

The cyberattacks launched against US financial institutions over the past six months appear to be designed to disrupt financial transactions. Intelligence officials and investigators suspect that the group behind the attacks is connected to Iran's government. While the attacks that appear to be coming from China are aimed at cyberespionage, these attacks aim to be destructive. South Korean banks were recently targeted in a cyberattack; the perpetrator in that case is suspected to be North Korea.

[Guest Editor's Note (Kevin Liston): Will our response plan differ if it's state-sponsored? No? Let's not waste intelligence resources on that, and focus on the nature of the attack then.]

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit