
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #43

May 31, 2013


Analysis: First Return on Investment (ROI) Analysis for the Critical Security Controls
Federal Magistrate Reverses Ruling, Requires Wisconsin Man to Decrypt Storage Devices
Google Cuts Grace Period on Actively Exploited Vulnerabilities to Seven Days
Response: Private Organizations Engaging in Cyber Retaliation is "A Remarkably Bad Idea"


Known Flaw in Ruby on Rails is Being Actively Exploited
PayPal Fixes Cross-Site Scripting Flaw, Defends Decision Not to Award Teen Bug Bounty
Drupal Resets Passwords After Breach
Chinese Military Drill to Include Digital Warfare Exercises
FTC Asks Judge to Reject Wyndham Hotels' Motion to Dismiss Complaint
Jeremy Hammond Pleads Guilty to Stratfor Data Theft
Harvard College Dean Who Authorized eMail Searches Stepping Down
Texas Legislature Passes Strong eMail Privacy Bill

************************** SPONSORED BY Symantec ************************
Strategies for Moving Beyond Antivirus Join us for an upcoming webcast to find out how you can move beyond antivirus and adopt a proactive approach to endpoint protection. We will cover best practices amidst a rapidly changing threat landscape and also strategies for deploying unrivaled protection for both physical and virtual systems.
Register Now.

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Houston, TX (June 10-June 15)
--Washington, DC (August 12-August 16)

- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 43 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:

- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.

- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!

- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.

- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.

- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.

- -- Multi-week Live SANS training

- -- Looking for training in your own community?

- -- Save on On-Demand training (30 full courses) - See samples at

Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days. For a list of all upcoming events, on-line and live:



Analysis: First Return on Investment (ROI) Analysis for the Critical Security Controls (May 30, 2013)

John Pescatore compares Idaho State University's (ISU) projected cost of settling HIPAA violations with the US Department of Health and Human Services (HHS) to what it would have cost the university to implement security controls that could have (helped) protect its systems from breaches. The estimated cost to ISU, including the fine, the costs of managing the breach, and the implementation of a Corrective Action Plan is US $1 million over two years. Putting in place certain Critical Security Controls that would have detected the issue that exposed patient data would cost an estimated US $75,000. Even adding in extras like vulnerability assessments and monitoring would put the cost at US $500,000, equivalent to one year's share of the above cost.

Federal Magistrate Reverses Ruling, Requires Wisconsin Man to Decrypt Storage Devices (May 28, 2013)

US Magistrate William Callahan Jr. has ordered a Wisconsin man suspected of possessing child pornography to decrypt hard drives that law enforcement authorities seized from his home. In early April, Callahan ruled that to order Jeffrey Feldman to decrypt the devices would be a violation of his Fifth Amendment rights. At that time, prosecutors had been unable to crack the encryption on any of the devices. But since that ruling, prosecutors managed to decrypt a portion of one of the devices and found content linking Feldman to them. So Callahan reversed his order, writing, "the government has now persuaded me that it is a 'foregone conclusion' that Feldman has access to and control over the subject storage devices" and that "Fifth Amendment protection is no longer available to" the defendant. Callahan has ordered Feldman to either provide prosecutors with the passwords necessary to decrypt the data storage devices or provide decrypted copies of everything on those drives.

[Editor's Note (Pescatore): Court decisions have generally gone this way, dating back to the days of the courts recognizing that people should be required to open safes or locked lockers harboring physical evidence.
(Northcutt): Several similar cases are floating through the legal system. Here are a couple more links on the topic, but keep in mind these are from journalists, not legal scholars. Apparently the Washington Post author is not familiar with Boucher, the first case in this genre. The cryptome analysis is the best I have found to date:


Also keep in mind that while child pornography and terrorism are abhorrent and inexcusable, the case law being established will apply to other unrelated use cases like divorce, tax evasion and even potentially traffic accidents:

Google Cuts Grace Period on Actively Exploited Vulnerabilities to Seven Days (May 29 & 30, 2013)

Google has announced that it will give software vendors whose products are being actively exploited just seven days to issue a fix or an advisory that includes workarounds or other mitigation suggestions. After the week-long grace period, the company said it would make details of the flaw public in such a way as to allow users to protect their systems. Prior to the announcement, Google gave vendors 60 days before going public. Google acknowledges that its new stance is "aggressive," but maintains that one week is sufficient time to release risk mitigation advice. Google says it will abide by the same requirements to address bugs in its own products.




[Editor's Note (Pescatore): Making the software vendors feel more pain has over time proven to be a good thing in getting them to invest in better development and patching processes, but I think 7 days is too short for complex software, such as operating systems or databases, or embedded or specialty apps like industrial control systems and the like. Thirty days would make more sense. Pushing out bad mitigation advice quickly is not a great thing. ]

Response: Private Organizations Engaging in Cyber Retaliation is "A Remarkably Bad Idea" (May 29, 2013)

The Center for Strategic and International Studies (CSIS) has released commentary responding to a recently released report from the Commission on the Theft of American Intellectual Property suggesting that private organizations be allowed to retaliate against cyberthieves. James Lewis, senior fellow and director of the technology and public policy program at CSIS, wrote, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging." The US has been making an effort to build consensus for the idea that "states are responsible for the actions of those resident on their territory and must take action against cybercrime." Furthermore, the US government has backed the Budapest Convention on Cybercrime, under which private retaliation would be a crime.

[Editor's Note (Murray): Vigilantes are thugs who have abandoned the Rule of Law and are not entitled to its protections.
(Honan): It astounds me how people in companies that cannot protect their own systems think they have the skills to identify and retaliate against their attackers.
(Shpantzer): There's a lot of room between doing nothing and 'retaliation.' See some of Dave Dittrich's thoughts (book coming soon) here

*************************** Sponsored Links: ******************************
1) Attend the SANS Industrial Controls Systems Security Briefing, Monday, June 10, 2013 in Houston, TX at the Westin Houston Memorial City. Featuring Mike Assante, Eric Cornelius, Lior Frenkel, Bart Pestarino and Jonathan Knudsen. This event is free to Oil & Gas constituents. For more information go to To register for this event via simulcast, visit

2) Mobile Application Security: New SANS Survey Results Revealed Results to be released during a June 6 webcast held at 1 PM EDT, featuring SANS analyst and mobility expert, Kevin Johnson! Register at

3) Leveraging the First Four Critical Security Controls for Holistic Improvements featuring SANS Analyst James Tarala, co-author of the CSCs Wednesday, June 12, 1 PM EDT


Known Flaw in Ruby on Rails is Being Actively Exploited (May 28, 29, & 30, 2013)

A known vulnerability in the Ruby on Rails web application framework is being exploited to force unpatched servers into joining a botnet. A patch for the flaw has been available since January, but the success of recent exploits suggests that the patch has not been widely installed. Users are urged to make sure that the versions of Ruby on Rails that they are running are 3.2.11, 3.1.10, 3.0.19, 2.3.15 or later. If updating immediately is not an option, users can also employ workarounds to protect their servers.
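The item lists a separate fixed release for each Rails branch, so "3.2.11 or later" cannot be checked with a single version comparison: 3.1.9 is newer than 3.0.19 yet still unpatched on its own branch. The following is an added example, not code from the newsletter or from the Rails project, that performs the per-branch check; the fixed versions are those named above, the host inventory is constructed, and treating branches newer than 3.2 as fixed and branches older than 2.3 as unknown are assumptions.

```ruby
# Minimum fixed release per "major.minor" branch, as listed in the news item.
FIXED_RAILS = {
  "3.2" => [3, 2, 11],
  "3.1" => [3, 1, 10],
  "3.0" => [3, 0, 19],
  "2.3" => [2, 3, 15],
}.freeze

# Constructed inventory of hosts and the Rails version each reports
# (e.g. collected from `rails -v` or Gemfile.lock); not real hosts.
SAMPLE_INVENTORY = {
  "app-01"    => "3.2.13",
  "app-02"    => "3.2.8",
  "api-01"    => "3.0.19",
  "legacy-01" => "2.3.14",
}.freeze

# Parse "3.2.11" (or "3.2.11.rc1") into [3, 2, 11]. Pre-release suffixes are
# dropped, so a release candidate counts as its final version (assumption).
# Two-component strings such as "3.2" are padded to "3.2.0".
def parse_rails_version(str)
  parts = str.to_s.strip.split(".")
  nums = parts.take_while { |p| p =~ /\A\d+\z/ }.map(&:to_i)
  raise ArgumentError, "unparseable Rails version: #{str.inspect}" if nums.size < 2
  nums.fill(0, nums.size...3)
end

# Returns :patched, :vulnerable or :unknown.
#   :patched    - on a listed branch at or above its fixed release, or on a
#                 branch newer than 3.2 (assumed to ship with the fix)
#   :vulnerable - on a listed branch below its fixed release
#   :unknown    - older than every listed branch; unsupported, so treat it as
#                 needing action rather than as safe
def rails_patch_status(version_str)
  v = parse_rails_version(version_str)
  fixed = FIXED_RAILS["#{v[0]}.#{v[1]}"]
  if fixed
    # Array <=> compares element-wise, so [3, 2, 11] >= [3, 2, 11] holds
    (v <=> fixed) >= 0 ? :patched : :vulnerable
  elsif (v[0, 2] <=> [3, 2]) > 0
    :patched
  else
    :unknown
  end
end

# Hosts whose reported version is not known to be fixed, sorted by name.
def hosts_needing_action(inventory)
  inventory.reject { |_, ver| rails_patch_status(ver) == :patched }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INVENTORY.each do |host, ver|
    puts format("%-10s %-8s %s", host, ver, rails_patch_status(ver))
  end
  puts "needs action: #{hosts_needing_action(SAMPLE_INVENTORY).join(', ')}"
end
```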




PayPal Fixes Cross-Site Scripting Flaw, Defends Decision Not to Award Teen Bug Bounty (May 30, 2013)

PayPal has fixed a cross-site scripting (XSS) security hole in its portal that could have been exploited to steal users' access information. The flaw allowed attackers to inject JavaScript code into the site; the vulnerability had been public for five days before it was addressed. The flaw was disclosed by a 17-year-old, who was denied participation in PayPal's bug bounty program because he was not yet 18. He gave the company a week before he released details of the vulnerability. The teen says he later received a message from PayPal notifying him that someone else had informed the company about the issue earlier than he had.

[Editor's Note (Murray): "Cross-site scripting" is an attack, not a "hole." The hole, or vulnerability is incomplete parameter checking. The practice, no matter how popular and common, of naming vulnerabilities for the attacks that exploit them perpetuates the coding practices that lead to the vulnerability. Complete parameter checking is difficult at best, requires special knowledge and skill, and must be done at every layer; it cannot all be done in the application layer. The requisite knowledge and skill is not being taught, recognized, or rewarded. The result is that instances of successful SQL injection attacks, cross-site scripting, buffer over-flows, and other attacks that exploit incomplete parameter checking persist or increase. ]

Drupal Resets Passwords After Breach (May 29 & 30, 2013)

Drupal has reset all account passwords after discovering that intruders had gained unauthorized access to information on its servers. The intrusion was made through unspecified third-party software on the organization's servers. Nearly one million accounts are affected.



Chinese Military Drill to Include Digital Warfare Exercises (May 29, 2013)

In late June, China's People's Liberation Army "will conduct an exercise ... to test new types of combat forces including units using digital technology amid efforts to adjust to informationalized war." According to Chinese news agency Xinhua, the PLA says that the exercise will be the first time it "has focused on combat forces including digitalized units, special operations forces, army aviation, and electronic counter forces."


FTC Asks Judge to Reject Wyndham Hotels' Motion to Dismiss Complaint (May 29, 2013)

The US Federal Trade Commission (FTC) has filed documents asking a US District Court to toss out Wyndham Hotels' motion to dismiss an FTC complaint against the company after it suffered a number of data security breaches. Wyndham argued that the FTC is exceeding its authority because it is trying to make cybersecurity issues into consumer protection issues, saying the FTC "wants to turn a statute designed to protect consumers from unscrupulous businessmen into a tool to punish businesses victimized by criminals." But court documents say "the FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers' information such that hackers were able to steal it." The case is significant because "in the absence of comprehensive cybersecurity legislation ... the only effective method for cybersecurity regulation by the government is to use the FTC's enforcement authority."


[Editor's Note (Pescatore): There is actually a lot of existing legislation that allows multiple government agencies to go after companies that expose privacy-related information. HHS has finally started to take enforcement actions, FTC has been a shining example. The issue has not been lack of legislation; it has been lack of enforcement. I'm hoping the courts do agree that businesses that fail to take basic precautions to protect their customer's personal information are indeed "unscrupulous." ]

Jeremy Hammond Pleads Guilty to Stratfor Data Theft (May 28 & 29, 2013)

Jeremy Hammond has pleaded guilty to a number of charges, including hacking and conspiracy to commit access device fraud, for stealing data from global intelligence company Stratfor, which counts the US Department of Defense, Lockheed Martin, and Bank of America among its clients. The stolen data included credit card information and more than five million email messages. Some of the messages have been published by WikiLeaks, and some of the compromised credit card accounts were used to make US $700,000 in fraudulent charges. Hammond told the judge that in each case, he "knew what [he] was doing was against the law." Hammond is allegedly a member of a hacking group that has ties to Anonymous.


Harvard College Dean Who Authorized eMail Searches Stepping Down (May 28, 2013)

The Harvard College dean who authorized secret searches of residential deans' email messages will step down this summer. Evelynn M. Hammonds acknowledged that she authorized the searches, which were aimed at identifying the source of an information leak about a cheating scandal that emerged at the school in 2012. Hammonds and other administrators maintained that automated searches were made only of email subject lines to determine who had shared a confidential message with someone at the Harvard Crimson newspaper, and that the searches were conducted in an effort to protect the privacy of the students involved in the cheating scandal. The administrators also acknowledged that it was a mistake not to notify the deans of the search either before or after the fact.


Texas Legislature Passes Strong eMail Privacy Bill (May 28, 2013)

Texas state legislators have passed a bill that would require law enforcement officials to obtain a warrant to access all emails, regardless of whether or not they have been opened, and regardless of how old they are. Governor Rick Perry has until June 16 to sign or veto the bill. If he does not take action, it will automatically become law on September 1, 2013. If it does become law, it would be the strongest email privacy law in the country. The law would not affect federal investigations.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit