Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: The SANS Institute (NewsBitessans.org)
Date: Fri Jan 06 2012 - 13:39:49 CST
-----BEGIN PGP SIGNED MESSAGE-----
SANS NewsBites January 6, 2012 Vol. 14, Num. 002
TOP OF THE NEWS
Federal Agencies Don't Expect to Meet FISMA Continuous Monitoring Deadline
SQL Injection Attack Spreads
Federal Judge Says No Warrant Needed for GPS Tracking
THE REST OF THE WEEK'S NEWS
Pastebin Recovering from DDoS Attack
Federal Prosecutors Seek Order to Force Colorado Woman to Decrypt Computer
Apple Tackling Pirated Apps
Malware Infection Results in Retrial for Man Convicted of Murder
Ramnit Worm Stealing Facebook Login Credentials
Israeli Credit Card Data Stolen, Posted to Internet
Microsoft Sues Company for Allegedly Selling Counterfeit Windows
First Microsoft Patch Tuesday of 2012 to Address Eight Flaws
Hands-On Learning Serves Information Security Education Well
********************** SPONSORED BY Palo Alto Networks ******************
Palo Alto Networks Recognized as a Leader in the Gartner Magic Quadrant
for Enterprise Network Firewalls. According to Gartner, vendors in the
leaders quadrant "lead the market in offering new safeguarding features,
providing expert capability, rather than treating the firewall as a
commodity, and having a good track record of avoiding vulnerabilities
in their security products."
--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP
PenTesting: Current Threats and Methods; and Helping Small Businesses
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them. Hear
what works and what doesn't from peer organizations. Network with top
individuals in the field of SCADA security. Return from the summit
with solutions that you can immediately put to use in your
Pre-Summit courses: January 21-25, 2012
Summit: January 26-27, 2012
Post-Summit Courses: January 28-29, 2012
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses. Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012
7 courses. Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012
5 courses. Bonus evening presentations include Introduction to Windows
Memory Analysis; and Why Our Defenses are Failing Us: One Click is All
It Takes ...
--SANS 2012, Orlando, FL March 23-39, 2012
42 courses. Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
--Looking for training in your own community?
http: sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all
in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--Federal Agencies Don't Expect to Meet FISMA Continuous Monitoring Deadline
(January 3, 2012)
A survey of US federal agencies found that fewer than half expect to be
compliant with Federal Information Security Management Act (FISMA)
continuous monitoring requirements by the September 2012 deadline.
While respondents feel that the move will help improve security overall,
bringing about the changes to meet the requirements is proving to be
difficult. Agencies need to find ways to bring together information from
various systems to provide the necessary set of data. Many agencies
lack the necessary overview of their IT environments to implement the
[Editor's Note (Pescatore): Continuous monitoring and reporting (and
other changes in 800-53 rev 3) was an enormous unfunded mandate for most
government agencies. A few agencies were able to increase staff and
funds, but most could not - or at least did not. FY 2012 budgets are in
even worse turmoil - rev 3 deficiencies overall will likely carry well
(Paller): It's never been about the money. Ever since both Senate and
House hearings and White House leadership have called upon agencies to
replace C&A reporting with continuous monitoring and mitigation, two
barriers have consistently blocked broad adoption: (1) the contractors
who are earning $350 million every year writing out-of-date and unread
security reports for certification and accreditation updates, and who
don't want to give up that money even though they know they are wasting
federal funds, and (2) the IGs who give the contractors cover because
they don't know how to, and have not tried to measure continuous
monitoring and mitigation systems. A phone call I had with the IG from
a major agency this week says that the second barrier is falling across
several agencies. There is more than enough money wasted in C&A report
writing to fully fund continuous monitoring and mitigation.]
--SQL Injection Attack Spreads
(January 4 & 5, 2012)
An SQL injection attack appears to have infected more than 1 million
URLs. Some say the reported number of infections may be inflated, as the
counts may include pages discussing the attack, although the number of
infected URLs was significantly smaller in early December 2011. The
malware is called lilupophilupop. The attack appears to be partly
automated and partly manual. The .NL domain (the Netherlands) has the
greatest number of infections.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=12304
[Editor's Note (Murray): Unchecked Inputs continues to be the most
wide-spread vulnerability having now surpassed default passwords.
SQL-injection attacks are at least among the top three in frequency and
success. I wish checking inputs was easy; it isn't. However, using the
OWASP Enterprise Security API Library is easy.]
--Federal Judge Says No Warrant Needed for GPS Tracking
(January 3, 2012)
A US federal judge in Missouri has ruled that a warrant was not needed
for the FBI to surreptitiously affix a GPS device to a suspect's
automobile to track his location for two months. The defendant, Fred
Robinson, was accused of falsifying his time sheets while employed at
the city of St. Louis. Magistrate David Noce wrote in his ruling that
Robinson had no reasonable expectation of privacy. The GPS device
revealed the location of the suspect's vehicle, but nothing more.
"Under these circumstances [set forth in the ruling], installation of
the GPS tracker device was not a search within the meaning of the Fourth
Amendment." The US Supreme Court is expected to rule on an unrelated
case regarding the same issue in the next few months.
[Editor's Note (Pescatore): I've lost track of the precedent cases from
back in the day, but with the old vehicle tracking systems used in the
pre-GPS 1980s we were able to attach them and monitor them without a
warrant - as long as we did not use the vehicle's power or anything else
existing in the vehicle. I'm sure this distinction will come up soon as
so many cars are coming with GPS built into them.
(Liston): I don't see that there is much difference between slapping a
GPS tracker on a car and simply assigning a beat-cop to "tail" a
suspect. Actually, it seems *less* invasive, because if you get out of
your car and *walk* somewhere, the GPS doesn't know it.]
************************** SPONSORED LINK ****************************
1) Take the SANS 8th Annual Log and Event Management Survey
Be a part of this industry leading survey and be entered to WIN a $250
American Express Card. http://www.sans.org/info/96454
2) What devices are accessing what resources and by whom?
Take the SANS first annual mobility survey and be entered to win a $250
American Express Card Giveaway when results are announced in late March
at SANS 2012!
Follow this link to the survey: http://www.sans.org/info/96459
THE REST OF THE WEEK'S NEWS
--Pastebin Recovering from DDoS Attack
(January 4, 2012)
Pastebin.com is back online after a distributed denial-of-service (DDoS)
attack hit the file sharing service earlier this week. The site has been
used by the loosely organized hacking collective known as Anonymous to
post information stolen in their exploits and to announce plans for
future attacks. Though Pastebin has been used by Anonymous, however,
there is no evidence of a connection between the attack and the use of
the site by Anonymous.
[Editor's Note (Pescatore): Global warming has tended to cause more
extremes in weather resulting in more power outages, pointing out the
wisdom of having backup power for business critical services. Now, I
tend to doubt that the growth in DDoS attacks can really be blamed on
global climate change, but the growth is there - pointing out the need
for making sure Internet connectivity is as reliable as electrical
--Federal Prosecutors Seek Order to Force Colorado Woman to Decrypt Computer
(January 4, 2012)
Federal prosecutors in Denver, Colorado are seeking a court order that
would force Ramona Fricosu to enter the password to decrypt her laptop
computer. They believe that the machine contains evidence that would
help convict Fricosu and her former husband in a bank fraud case. The
pair was allegedly involved in a complex mortgage fraud scheme that
stole more than US $900,000 from banks in the Colorado Springs area.
Prosecutors say that Fricosu does not have to divulge her password; she
can enter the password without it being noted as long as they eventually
gain access to the information on the computer.
[Editor's Note (Murray): The court is entitled to the best evidence. It
cannot force one to make a record. However, once a record is made, one
may not conceal it from the court. The intent of the 5th amendment was
to prevent "witch trials," the conviction of one on only their own
coerced testimony. The written or electronic record, on the other hand,
says what it says.
--Apple Tackling Pirated Apps
(January 4, 2012)
Apple is taking steps to thwart the availability of pirated applications
for the company's devices. By sending Digital Millennium Copyright Act
(DMCA) takedown notices to Apptrackr, Apple hopes to cut off access to
the pirated apps. In response, Apptrackr has moved its server outside
of the US and has deployed technology that does not use direct links to
the applications. The developer of Apptrackr claims his site is designed
to allow users to test apps before they buy them, but admits that it is
often used by people who never intend to purchase the apps.
[Editor's Note (Murray): Apple is defending the right of everyman to at
least one orderly computing environment. Steve Jobs, if he were still
with us, might say, "If you want pirated software, if you want porn, if
you want leakage from and contamination of your devices, get an
--Malware Infection Results in Retrial for Man Convicted of Murder
(January 1 & 5, 2012)
A Florida man who was convicted of second degree murder will get a new
trial because a computer virus destroyed transcripts of the court
proceedings. Normally, court stenographers make both paper and
electronic records to proceedings, but in this case, the stenographer
did not bring enough paper and recorded the proceedings only digitally.
The digital records were then transcribed onto her own personal computer
and deleted from the stenograph. Her PC then became infected with a
computer virus resulting in the loss of the court records. Randy
Chaviano's legal team filed an appeal after he was given a life sentence
in July 2009; because the transcripts of the trial were incomplete, the
Third District Court of Appeals ordered that Chaviano be granted a new
trial. The stenographer involved has been subsequently fired.
--Ramnit Worm Stealing Facebook Login Credentials
(January 5, 2012)
A worm known as Ramnit is stealing Facebook login credentials. The
malware infects Windows executables, Microsoft Office, and HTML files
and has the capacity to be used as a backdoor, allowing attackers to
take further action on compromised machines. A Ramnit command and
control server containing sets of login credentials for 45,000 Facebook
accounts has been found. Most of the users affected appear to be from
the UK and France.
--Israeli Credit Card Data Stolen, Posted to Internet
(January 3 & 4, 2012)
A group in Saudi Arabia, believed to have ties to the Anonymous hacking
group, has stolen Israeli credit card account data and posted them to
the Internet. The group claimed to have compromised 400,000 card
accounts, but an Israeli credit card company said that most of the data
were invalid or incorrect, and that the number of exposed accounts was
much lower. Israeli banks have frozen the compromised accounts, which
are believed to number about 14,000. Most of the stolen data appear to
have been taken from a sports website, One.co.il.
--Microsoft Sues Company for Allegedly Selling Counterfeit Windows
(January 4, 2012)
Microsoft is suing UK company Comet for allegedly selling counterfeit
copies of Windows Vista and Windows XP recovery disks. Comet has
countered with a statement saying that they were acting in their
customers' best interests because users of Microsoft products were
"adversely affected by the [software company's] decision to stop
supplying recovery disks with each new Microsoft operating system based
computer." Microsoft responded by saying that the PCs' hard drives
already contained recovery software and that Comet sold disks for GBP
14.99 (US $23.24) that Microsoft would have provided at a much lower
cost or even at no cost at all. Comet has about 250 stores in the UK.
--First Microsoft Patch Tuesday of 2012 to Address Eight Flaws
(January 5, 2012)
On Tuesday, January 10, 2012, Microsoft plans to issue seven security
bulletins that address a total of eight flaws. The vulnerabilities
affect Microsoft Windows and Microsoft Developer Tools and Software.
Just one of the bulletins carries a maximum severity rating of critical;
the other six have severity ratings of important. All currently
supported versions of Windows are affected by flaws fixed in the January
2012 update. One of the vulnerability impacts is listed as "secure
feature bypass," a term that has not been used before in this context.
Microsoft declined to say whether it will be issuing a fix for the
SSL/TLS vulnerability; the company had planned to fix that flaw in
December 2011, but pulled the patch at the last minute due to
compatibility issues with SAP.
Internet Storm Center: http://isc.sans.edu/diary/January+2012+Patch+Tuesday+Pre-release/12331
--Hands-On Learning Serves Information Security Education Well
(January 3, 2012)
Although jobs in information security are more stable than those in most
other sectors, fewer students are pursuing STEM (science, technology,
engineering, and math) majors in college. Some of the reluctance to
pursue STEM majors may arise from the assumption that information
security jobs will be outsourced or from a lack of strong foundation at
the high school level; in addition, colleges often neglect providing
STEM students with valuable research opportunities. Many colleges toss
security in with general computer science; it is rare that security is
taught as a specialty at the college level. But that is beginning to
change. Alex Levinson, who is now a security software engineer at Zynga,
spoke to the value of hands on experience and learning, noting that
"doing simulation, competition, and application of skill in a live
environment is a really good indicator of where their skill set is at,
where their talent lies." Levinson participated in the National
Collegiate Cyber Defense Competition and did well enough to earn a spot
in the US Cyber Challenge, where he and his team took first place. But
even after people have acquired the skills necessary to be effective
cyber security professionals, placement can be difficult because
companies have trouble articulating what it is they need. An initiative
led by the Federal Office of Personnel Management aims to develop a
taxonomy for cyber security professionals to help address that problem.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
Clint Kreitner is the founding President and CEO of The Center for
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----