Discussion Communities: Merit Network Email List Archives

NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 93 : Weatherford takes over cyber at DHS - heralding more balance with NSA; Details emerge about water utility hack; Anonymous gets forensics mail list archive

  • From: The SANS Institute
  • Date: Tue Nov 22 16:39:22 2011

Good News! 
Yesterday, Mark Weatherford took over as Deputy Undersecretary for Cyber
Security at the U.S. Department of Homeland Security. For the first time
in many years, the U.S. cybersecurity program will be run by a
technologist rather than by a lawyer. There are good reasons to believe
that this change will herald an era of greater balance in national
cybersecurity leadership between NSA and DHS. DHS has made five very
important advancements in cybersecurity leadership, driven by
technologists. The most important one shifts over $400 million per year
away from paper-based checklist security and toward technology-based,
automated, continuous monitoring of security, providing continuous
situational awareness - a goal that DHS and NSA share. By combining the
buying power of civilian agencies through DHS and of military agencies
through NSA/DISA, total situational awareness and rapid risk reduction
can be made very inexpensive across the federal government.  That
change, driven by DHS technologists, is in paragraph 28 of the directive
posted at the White House site:
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf

Paragraph 28 in this White House directive answers the question: "Is a
security reauthorization still required every 3 years or when an
information system has undergone significant change as stated in OMB
Circular A-130?" Answer: "No. Rather than enforcing a static, three-year
reauthorization process, agencies are expected to conduct ongoing
authorizations of information systems through the implementation of
continuous monitoring programs. Continuous monitoring programs thus
fulfill the three year security reauthorization requirement, so a
separate re-authorization process is not necessary."
							Alan

PS Because of the enormous security improvements to be gained through
continuous monitoring, and the huge potential cost savings, and because
of the powerful role played by Inspectors General (IGs) in determining
what security initiatives are given priority, an independent oversight
group has been established to evaluate IG and GAO reports on security
over the next several years, measuring how well the IGs assess the
continuous monitoring programs and how effectively they press agencies
to move away from the discredited three-year static process. The
independent group is led by Franklin Reeder who was the top IT official
and Chief of Information Policy at OMB (where he led the development of
the Privacy Act of 1974 and the Computer Security Act of 1987).

**************************************************************************
SANS NewsBites              November 22, 2011             Vol. 13, Num. 93
**************************************************************************
TOP OF THE NEWS
  More Details Emerge About Cyber Attack at Water Utility
  Anonymous Gains Access to Computer Forensics Specialists Mailing List Archive
  Wyden Says He Will Filibuster Protect IP Act if it Gets to the Floor
  Legislators Investigating Possibility that Chinese Telecom Equipment
    Enables Spying

THE REST OF THE WEEK'S NEWS
    Bradley Manning Court Date Set
    UK Police Shut Down 2,000+ Websites for Piracy and Theft
    Deadline Extended for HIPAA Transaction Standard Compliance
    Chrome Update Addresses JavaScript Flaw
    AT&T Notifying Customers of Attempted Information Theft
    Senate Will Vote on Cyber Security Legislation in 2012
    Judge Says Warrant Required to Obtain Cell Phone Data
    SOPA Support Dwindling

*************************** Sponsored By IBM ***************************

Register today for SANS Analyst webcast sponsored by IBM, "Integrating
Security into Development, No Pain Required" FREE SANS Analyst Paper
also available at http://www.sans.org/info/91656

**************************************************************************

TRAINING UPDATE
--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/
--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses.  Bonus evening presentations include Effective Methods for
Implementing the 20 Critical Security Controls; and Assessing
Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/
--SANS London 2011, London, UK, December 3-12, 2011
18 courses.  Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
http://www.sans.org/london-2011/
--Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses.  Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
--SANS Phoenix 2012, Phoenix, AZ  February 13-18, 2012
7 courses.  Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
--Looking for training in your own community?
http:sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Perth, Atlanta, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************

TOP OF THE NEWS
 --More Details Emerge About Cyber Attack at Water Utility
(November 19 & 21, 2011)
A hacker reportedly gained access to a Supervisory Control and Data
Acquisition (SCADA) system at a water utility in Illinois and tampered
with a water pump, causing it to burn out. The attack used IP addresses
that originated in Russia. The exploit was conducted through the
phpMyAdmin open source tool, which has a significant number of known
vulnerabilities; questions are arising about why this particular piece
of software was being used at the water utility. Federal authorities are
investigating the incident. In a separate incident, a hacker using the
online handle "pr0f" claims to have launched an attack against a SCADA
system at a Houston, Texas, water treatment facility. That attack,
according to the hacker, was made possible through "gross stupidity,"
as the software he exploited was protected with a three-character
password.
http://www.zdnet.com/blog/security/scada-systems-at-the-water-utilities-in-illinois-houston-hacked/9821?tag=mantle_skin;content
http://www.informationweek.com/news/security/attacks/231903481
http://www.h-online.com/security/news/item/Hacker-destroys-pump-in-US-water-utility-1381968.html
http://www.bbc.co.uk/news/technology-15817335
http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/
http://www.computerworld.com/s/article/9222014/Apparent_cyberattack_destroys_pump_at_Ill._water_utility?taxonomyId=82
http://www.scmagazineus.com/water-utilities-in-illinois-houston-reportedly-hacked/article/217173/
http://news.cnet.com/8301-1009_3-57327968-83/hacker-says-he-broke-into-texas-water-plant-others/
http://www.v3.co.uk/v3-uk/news/2126382/scada-hack-blamed-breach-water-plant

 --Anonymous Gains Access to Computer Forensics Specialists Mailing List Archive
(November 19, 2011)
Members of the hacking collective known as Anonymous have gained access
to the Google account of a retired supervisor of a cyber crime
investigation organization in southern California and released 38,000
emails taken from that account. Among the information exposed in the
hack is the International Association of Computer Investigation
Specialists mailing list archive, which includes discussions from
specialists around the world.
http://www.wired.com/threatlevel/2011/11/anonymous-hacks-forensics/

 --Wyden Says He Will Filibuster Protect IP Act if it Gets to the Floor
(November 21, 2011)
US Senator Ron Wyden (D-Oregon) says he will filibuster the Senate's
Protect IP Act (PIPA), which is similar to the House's Stop Online
Piracy Act (SOPA). Wyden put a hold on the bill earlier this year, but
there are rumors that there are enough votes to override the hold
after the Thanksgiving recess.
http://www.wired.com/threatlevel/2011/11/wyden-pipa-filibuster/
[Editor's Note (Murray): This bill is very unpopular with the public.
Demand Progress asserts that 20000 of their members have asked Senator
Wyden to read their names as part of his threatened filibuster.  On the
other hand, the bill is popular among the legislators because it is
backed by the very generous RIAA and MPAA.  The rights of publishers,
no matter how legitimate, do not trump all other interests.  The
legitimacy of the rights that one asserts is not measured by the
contribution that accompanies the assertion. ]

 --Legislators Investigating Possibility that Chinese Telecom Equipment
    Enables Spying
(November 17 & 21, 2011)
The US House Permanent Select Committee on Intelligence (HPSCI) will
conduct an investigation into the possibility that Chinese
telecommunications companies operating in the US are conducting cyber
espionage. The committee will examine the possibility that Chinese
telecommunications equipment - servers, routers and switches - could be
used to help the Chinese government obtain sensitive information from
the US.
http://www.computerworld.com/s/article/9221998/House_committee_to_investigate_China_s_Huawei_ZTE
http://www.theregister.co.uk/2011/11/21/us_probe_chinese_telco_firms/
http://www.wired.com/dangerroom/2011/11/china-trojan-horse-congress/

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Bradley Manning Court Date Set
(November 21, 2011)
More than a year-and-a-half after he was arrested, Pfc Bradley Manning,
who allegedly leaked classified documents to WikiLeaks, will have a
public hearing at Ft. Meade in Maryland. The Article 32 hearing is set
for December 16; it is similar to a civilian court grand jury hearing
in that the judge will hear evidence to determine if there are
sufficient grounds for a court-martial. If convicted on all charges,
Manning could face life in prison. The hearing will be open to the media
and the public except when classified information is discussed.
http://www.wired.com/threatlevel/2011/11/bradley-manning-hearing/

 --UK Police Shut Down 2,000+ Websites for Piracy and Theft
(November 18 & 21, 2011)
Police in the UK have shut down more than 2,000 websites believed to be
selling counterfeit or non-existent merchandise. The goods offered for
sale include clothing, jewelry and sporting equipment. In some cases,
payment was taken but the merchandise was never delivered. UK domain
registrar Nominet helped pinpoint and shut down the offending sites. In
a separate but related story, proposed changes to Nominet policy would
allow the organization to deny requests for site takedowns unless
provided with a court order or the site allegedly puts the public at
risk, for instance, by selling questionable medications.
http://www.bbc.co.uk/news/technology-15820758
http://www.gizmodo.co.uk/2011/11/police-knock-2000-counterfeiting-co-uk-domains-offline/
http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=3319720
http://www.eweekeurope.co.uk/news/police-shutter-2000-fraudulent-shopping-sites-46617
http://www.theregister.co.uk/2011/11/18/dotuk_takedown_refresh/

 --Deadline Extended for HIPAA Transaction Standard Compliance
(November 17, 2011)
Federal officials are giving healthcare providers an additional three
months to comply with the new version of the Health Insurance
Portability and Accountability Act (HIPAA) transaction and code set
standards. Initially, the deadline was set for January 1, 2012, but now
providers have until March 31, 2012 to comply. The standard applies to
medical transaction processing, and is aimed at helping to track
diagnoses and treatment.
http://www.computerworld.com/s/article/9221981/Feds_back_off_on_Jan.1_eHealth_standards_deadline?taxonomyId=84
http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf

 --Chrome Update Addresses JavaScript Flaw
(November 17 & 18, 2011)
Google's latest Chrome update addresses a vulnerability in the browser's
JavaScript engine. The out-of-bounds write flaw could be exploited to
allow remote code execution, but because Chrome uses native sandboxing,
the vulnerability is considered less severe. Google Chrome 15.0.874.121
is available for Windows, Mac OS X, and Linux.
http://www.computerworld.com/s/article/9222000/Google_Chrome_update_addresses_high_severity_flaw?taxonomyId=145
http://www.msnbc.msn.com/id/45357749/ns/technology_and_science-security/
http://www.h-online.com/open/news/item/Chrome-15-update-fixes-high-risk-vulnerability-1380555.html

 --AT&T Notifying Customers of Attempted Information Theft
(November 21, 2011)
AT&T is letting its customers know that attackers attempted to steal
online account data; the company does not believe that any information
was actually obtained. The "organized and systematic" effort to gather
the data was conducted with the help of auto-script technology to see
which AT&T phone numbers are linked to which AT&T online accounts.  AT&T
spokesman Mark Siegel wrote in an email to customers that an
investigation is underway.
http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/11/21/bloomberg_articlesLV14976S972L.DTL
http://www.washingtonpost.com/business/technology/atandt-customer-account-hack-attempted-no-accounts-compromised/2011/11/21/gIQA0tcoiN_story.html
http://technolog.msnbc.msn.com/_news/2011/11/21/8935345-att-tells-customers-of-hack-attempt
http://www.theregister.co.uk/2011/11/21/att_attack/
[Editor's Comment (Northcutt): I am an ATT customer and I have not
received anything by email. The news stories say it was one percent of
customers. We will see what next week brings. ]

 --Senate Will Vote on Cyber Security Legislation in 2012
(November 17, 2011)
Senate Majority Leader Harry Reid (D-Nevada) has informed House
Republicans that he will bring cyber security legislation to the floor
early next year. In a letter to Senate Minority Leader Mitch McConnell
(R-Kentucky), Reid wrote that "given the magnitude of the threat [of
cyber attacks and cyber espionage] and the gaps in the government's
ability to respond, we cannot afford to delay action on this critical
legislation."
http://www.bloomberg.com/news/2011-11-17/reid-to-move-on-senate-cybersecurity-legislation-in-early-2012.html
http://cybersecurityreport.nextgov.com/2011/11/full_senate_to_vote_on_cyber_legislation_upon_return_next_year.php?oref=latest_posts

 --Judge Says Warrant Required to Obtain Cell Phone Data
(November 17, 2011)
US District Judge Lynn Hughes has upheld a 2010 ruling that federal
authorities need a search warrant to gain access to cell phone data that
could be used to track the user's whereabouts. The earlier ruling from
a magistrate judge denied three separate requests for cell phone
companies to provide the information without a warrant. Hughes's ruling
says that the information sought is constitutionally protected and
requires a search warrant to be obtained. The authorities were
requesting the information under the Stored Communications Act.
http://www.washingtonpost.com/national/houston-federal-judge-rules-that-feds-need-search-warrant-to-get-cellphone-tracking-data/2011/11/18/gIQABS8OZN_story.html

 --SOPA Support Dwindling
(November 17 & 18, 2011)
Opposition to the House's Stop Online Piracy Act (SOPA) is on the rise.
Legislators on both sides of the aisle have voiced opinions that the
legislation would not work as currently drafted. According to
Representative Darrell Issa (R-California), original sponsors of the
bill are showing less support for it as they learn about the impact its
provisions could have on the Internet. Issa has called the measure
extreme and said that he "didn't like the way [it] was being assembled,"
acknowledging the need for flexibility because "any rule you write has
to assume innovation will make it obsolete quickly." The Department of
Energy's Sandia National Laboratory has said that SOPA would thwart the
deployment of DNSSEC. Sandia's mission includes research on
infrastructure security and cyber security. A hearing on the issue
earlier this week drew criticism for heavily favoring supporters of the
measure in representation. Organizations that felt unrepresented at the
hearing raised public outcry, asking people to contact their legislators
and let their opinions be known.
http://thehill.com/blogs/hillicon-valley/technology/194635-gops-issa-effort-to-grease-the-skids-for-online-piracy-bill-has-failed
http://arstechnica.com/tech-policy/news/2011/11/strange-bedfellows-nancy-pelosi-ron-paul-join-sopa-opposition.ars
http://www.theregister.co.uk/2011/11/20/sopa_breaks_dnssec/
http://news.cnet.com/8301-31921_3-57326956-281/sandia-labs-sopa-will-negatively-impact-u.s-cybersecurity/
http://www.wired.com/threatlevel/2011/11/blacklist-bill-analysis/
SOPA FAQ:
http://www.computerworld.com/s/article/9221979/FAQ_What_the_SOPA_soap_opera_is_all_about?taxonomyId=144

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
