[Netsec] SANS NewsBites Vol. 14 Num. 43 : UK Tracking Law Takes Effect; Flame Malware Much More Sophisticated

  • From: The SANS Institute
  • Date: Tue May 29 15:09:38 2012

SANS NewsBites                 May 29, 2012              Vol. 14, Num. 043
  UK Tracking Law Takes Effect
  Flame Cyber Espionage Malware Called the "Next Phase" of Cyber Warfare
    Federal Thrift Savings Plan Data Breached
    Former Nokia Siemens Employee Stole and Resold Old Routers
    NSA to Establish Centers of Academic Excellence in Cyber Operations
    DHS Releases List of Keywords Used to Monitor Online Media
    Texas School District to Use RFID Chips in Student IDs
    Massachusetts Hospital to Pay US $750,000 Over Data Security
    New Jersey Mayor and Son Arrested in Recall Website Hack
    Cloud Services Can Receive FedRAMP Approval Without Real-Time
      Threat Reporting
    Gas Pipeline Security Questioned
    WHMCS Breached; Exploit Being Sold on Underground Forum

************************* SPONSORED BY SANS ***************************

Special Webcast: SEC575 Webcast Series: Session 1: A Taste of SANS
Security 575 - Invasion of the Mobile Phone Snatchers.
Friday, June 01, 2012 at 1:00 PM EDT.

 --SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
 --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks.  Maximize your training by also attending one or
more of the 4 pre-summit courses.
 --SANS Canberra 2012, Canberra, Australia   July 2-10, 2012
5 courses. Bonus evening presentations include Penetrating Modern
Defenses; and Tales From the Crypt: TrueCrypt Analysis.
 --Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented
IPv6, in large networks, for a few years.
 --SANSFIRE 2012, Washington, DC   July 6-15, 2012
44 courses. Bonus evening presentations include Authentication Issues
Between Entities During Protocol Message Exchange in SCADA Systems;
Critical Infrastructure Control Systems Cybersecurity; and Why Don't We
Consider Our Cars Critical Infrastructure?
 --SANS San Francisco 2012, San Francisco, CA   July 30-August 6, 2012
9 courses. Bonus evening presentations include All Your Hash Are Belong
to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing
and Targeted Attacks; and Assessing Deception.
 --Looking for training in your own community?
http: Save on On-Demand training
(30 full courses) - See samples at
Plus Malaysia, Bangkok, Boston, and San Antonio all in the next 90 days.
For a list of all upcoming events, on-line and live: 

 --UK Tracking Law Takes Effect
(May 26 & 28, 2012)
As of May 26, UK-based websites are required to notify visitors if they
will be tracked in any way. Despite the legislation's nickname of the
"cookie law," it applies to all forms of site visitor tracking, not just
cookies. The date the law was scheduled to take effect has been known
for a year, but the BBC said that most sites would not be in compliance
by the target date. The law requires sites to obtain "informed consent"
from visitors to use tracking technology. The UK's Information
Commissioner's Office (ICO) has the authority to fine violators up to
GBP 500,000 (US $783,000), but for the time being, the ICO appears to
be focusing on notifying administrators of sites that are not in

 --Flame Cyber Espionage Malware Called the "Next Phase" of Cyber Warfare
(May 28, 2012)
Researchers at Kaspersky Lab say they have detected an espionage toolkit
called Flame that appears to be far more sophisticated than Stuxnet.
Flame is believed to have gone undetected for at least two years and has
been found on computers in the Middle East and North Africa. It is being
called the "next phase" of malware. It appears to be designed to steal
information. Because Flame is so complex, there is speculation that it is
the product of a government-backed effort rather than a group of
[Editor's Note (Murray): This kind of rhetoric is unnecessary, unseemly
and provocative. Based upon what is on the Kaspersky blog, it is both
premature and hyperbolic.
(Honan): The worrying aspect of this piece of malware is that it went
undetected for up to 2 years.]

**************************  SPONSORED LINK  ***************************

1) Join us at SANSFIRE 2012 - Washington, DC July 7 - 15.


 --Federal Thrift Savings Plan Data Breached
(May 25 & 28, 2012)
The personal information of more than 123,000 participants in the US
Federal Retirement Thrift Investment Board's (FRTIB) Thrift Savings Plan
was exposed when a computer belonging to third party service provider
Serco was hacked. The FBI informed FRTIB and Serco of the breach in
April. The compromised machine was shut down and FRTIB and Serco
conducted forensic analysis to determine who was affected. There have
also been steps taken to improve security. The compromised data include
names, addresses, Social Security numbers (SSNs) and in some cases,
financial account and routing numbers.

 --Former Nokia Siemens Employee Stole and Resold Old Routers
(May 28, 2012)
A man who once worked as an engineer at Nokia Siemens has admitted to
stealing routers from his former employer and posting them for sale on
eBay. Dewaldt Hermann netted GBP 6,000 (US $9,400) in the scheme before
police seized the remaining equipment from his garage. Hermann was
employed at the time of the theft. His activity was detected when he
left his work computer logged in to his eBay account. The stolen routers
were among those that had been returned to the company and Hermann
apparently believed that they were going to be discarded. The total
value of the stolen equipment was estimated to be GBP 7,000 (US
$10,960). The judge sentenced Hermann to community service and ordered
him to pay court costs. The company is not seeking compensation.

 --NSA to Establish Centers of Academic Excellence in Cyber Operations
(May 28, 2012)
The National Security Agency (NSA) has designated four US universities
as National Centers of Academic Excellence in Cyber Operations. NSA aims
to identify students with an interest in and talent for cyber security.
The agency will offer summer seminars for students who show potential.
The identified schools are Dakota State University in South Dakota, the
Naval Postgraduate School in California, Northeastern University in
Massachusetts, and the University of Tulsa in Oklahoma. The schools will
be required to use an integrated cyber security curriculum and to offer
a course on the legal and ethical issues inherent in cyber security.

 --DHS Releases List of Keywords Used to Monitor Online Media
(May 26, 2012)
A Freedom of Information Act (FOIA) request filed by the Electronic
Privacy Information Center (EPIC) has forced the US Department of
Homeland Security (DHS) to reveal a list of words and phrases it uses
while monitoring social networking sites and other online media for
possible threats against the country. Apart from the obvious words, like
"terrorism," and "dirty bomb," the list also includes words that appear
to be innocuous, such as "cloud," and "pork." The analysts are trained
to look for evidence of emerging threats that include not only
terrorism, but natural disasters, public health issues, and other
[Editor's Note (Murray): The list should be required reading for
information security professionals because it contains many terms that
we use routinely in our work.  Some of this work does take place in
dialogues and forums that the DHS would classify as "social media."
However, more important than the content of the list is that DHS is
"monitoring social media."  DHS "insisted the practice was aimed not at
policing the internet for disparaging remarks about the government and
signs of general dissent, but to provide awareness of any potential
threats."  Unfortunately, there is no bright line between the two.]

 --Texas School District to Use RFID Chips in Student IDs
(May 25 & 26, 2012)
A school district in San Antonio, Texas, plans to put RFID chips in
student ID cards. A spokesperson for the Northside Independent School
District said, "We want to harness the power of technology to make
schools safer, know where our students are all the time in a school, and
increase revenues." Two Houston school districts have already put
similar programs in place and have increased their revenues, as school
funding in Texas is based in part on attendance numbers. The RFID chips
will reportedly work only while the students are on school property.
Parents' reactions to the proposed plan are varied; some are supportive,
citing safety concerns, while others are wary of the potential invasion
of privacy.

 --Massachusetts Hospital to Pay US $750,000 Over Data Security
(May 24 & 25, 2012)
South Shore Hospital in South Weymouth, Massachusetts, will pay US
$750,000 to settle allegations that it did not take adequate precautions
to protect patient data. The case involves three boxes of tapes
containing unencrypted patient data that were shipped in February 2010
to a third-party contractor that would erase the data and resell the
tapes. South Shore Hospital learned in June 2010 that the contractor
received just one of the three boxes sent. The data on the tapes
included SSNs, birth dates, health plan information, diagnoses, and
treatments. A statement released by the Massachusetts Attorney General's
office said that South Shore Hospital violated the Health Insurance
Portability and Accountability Act (HIPAA) by failing to notify the
contractor about the sensitive nature of the data on the tapes and by
not ensuring that the contractor had appropriate security measures in
place to protect those data. South Shore Hospital has since taken steps
to improve data security practices.
[Editor's Note (Murray): The large fines in the healthcare industry do
not seem to be having the intended results.  Trying to salvage, rather
than destroy, used magnetic media is a losing proposition, even without
large fines.]

 --New Jersey Mayor and Son Arrested in Recall Website Hack
(May 24 & 25, 2012)
The mayor of West New York, New Jersey, Felix Roque, and his son, Joseph
Roque, have been arrested in connection with a cyber attack on a website
that had been created by people organizing a recall effort aimed at
removing Roque from office. Joseph Roque allegedly reset the password
for the email account associated with the domain name, took screen shots
of messages he accessed, reset the password for the Go Daddy account
used to administer the site, and cancelled the domain name. Felix Roque
allegedly tried to intimidate several people associated with the website.

 --Cloud Services Can Receive FedRAMP Approval Without Real-Time Threat Reporting
(May 24, 2012)
The US General Services Administration (GSA), which manages the cloud
services accreditation program known as FedRAMP says that companies
seeking FedRAMP certification will not have to submit automated
real-time threat reports to DHS. Instead, the companies will be required
to conduct real-time internal monitoring of their protection of
government assets and submit reports summarizing that monitoring.
FedRAMP certification is likely to be widely sought. The process can
take from 30 days to three months, but once a company has had its
product certified, all government agencies can use it. The program also
saves the government money because it eliminates redundant assessments.
FedRAMP will start accepting applications on June 16.

 --Gas Pipeline Security Questioned
(May 24, 2012)
In a letter to the head of the American Gas Association, US Senator Jay
Rockefeller (D-West Virginia) asked whether gas pipelines are vulnerable
to cyber attacks. The letter comes in the wake of a news story about
hackers attacking the networks that manage a number of gas pipelines.
It is not known what if any damage the attacks caused. In his letter,
Senator Rockefeller expressed concern that the gas companies may have
not taken steps to secure their networks because of the associated
costs. Senator Rockefeller chairs the Senate Commerce, Science, and
Transportation Committee.
[Editor's Note (Murray): The answer to the "vulnerability" question must
be "yes."  It will always be yes.  I would argue that the vulnerability,
by itself, does not necessarily constitute an unacceptable risk, in part
because the threat is low.  Risk, not vulnerability, is the right
question.  That said, the vulnerability is much higher than it needs to
be.  There is a lot of "low-hanging fruit."  An increase in threat may
not come with either a warning or a cushion of time to prepare.]

 --WHMCS Breached; Exploit Being Sold on Underground Forum
(May 24, 2012)
The hackers who compromised computers at software provider WHMCS appear
to have been selling information about a zero-day flaw in the company's
software. The attackers compromised usernames, passwords, and credit
card numbers of as many as half a million WHMCS customers. WHMCS offers
a billing and support software suite used by web hosting providers.
WHMCS said the attackers stole data, and deleted files, including a
customer order backlog. The attack was conducted in part through social
engineering. An attacker impersonated WHMCS's founder to the company's
own web hosting provider and obtained the company's administrative
credentials. WHMCS user forums are being besieged by an ongoing
distributed denial-of-service (DDoS) attack. Customers are being urged
to change their passwords. Journalist Brian Krebs learned through an
underground forum that a hacker was offering an exploit for a zero-day
flaw in WHMCS software that could be used to access administrators' passwords.

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
