Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #32

April 21, 2012


House Information Sharing Bill (CISPA) Raises Privacy Concerns
Attackers Exploiting Instagram's Popularity to Target Android Devices
Google Warns Sites of Redirect Infections


Latest Flashback Attack Started on WordPress Sites
Man Charged in Online Brokerage Account Hacks
Piracy for Dummies
Austrian Police Arrest 15-Year-Old for Hacking
Grand Jury Charges Two With Software Piracy
US Dept. of Energy Lab Releases Network Attack Detection Tool
Comcast's Bandwidth Cap Exemption for Xfinity Xbox 360 App is Questioned

************************ SPONSORED BY Firemon **************************
Every security pro faces the same challenge each morning - "what to do first?" Upcoming infrastructure upgrades, the latest breach headlines, and urgent requests for system access compete for attention every day. How can you and your team be the most effective? Special Webcast: Highway Congestion, Risk Prevention & Business Unit Requests: How Effective Security Engineers Get It Done: Thursday, April 26th 1:00 EDT
- - --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.

- - --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.

- - --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.

- - --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.

- - --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.

- - --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?

- - --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.

- - --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.

- - --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.

- - --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?

- - --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.

- - --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.

- - - - --Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live:


House Information Sharing Bill (CISPA) Raises Privacy Concerns (April 16, 17, & 18, 2012)

The White House has spoken out against the US House's Cyber Intelligence Sharing and Protection Act (CISPA) because of what it sees as a lack of adequate privacy protection measures as well as an absence of mandatory security standards for elements of the country's critical infrastructure. CISPA would allow Internet service providers (ISPs) and Internet companies to collect user data and share them with the government. The Business Software Alliance, which supports the proposed legislation, met with the Center for Democracy and Technology (CDT) to try and see if they could come to an understanding about CISPA. CDT and other groups concerned with civil liberties and privacy and led protests against the proposed legislation. The bill is likely to come before the House for a vote next week.




[Editor's Comment (Northcutt): The heart of this is privacy. Police can listen to cell phones without warrants. Until recently, track vehicles with GPS. Since 9/11 we have seen an unprecedented loss of privacy rights in the USA. Does it actually keep us safe, is there really a benefit? Not according to former DHS Cyber Security Division Director Purdy:


(Murray): The problem with CISPA is fundamental, not semantic. It conflates the issue of "intelligence sharing" with that of "intellectual property." That is not a problem that can be fixed by tweaking the language. Moreover it is motivated more by good intentions than by an understanding of the problem.
(Honan): Legislators might do well to recall Thomas Jefferson's words, ""Those who surrender freedom for security will not have, nor do they deserve, either one." ]

Attackers Exploiting Instagram's Popularity to Target Android Devices (April 19, 2012)

Attackers are exploiting the popularity of photo sharing app Instagram by creating phony websites to spread malware to Android mobile devices. Instagram has been the focus of significant attention in recent weeks. Originally developed for iOS devices, an Android version of Instagram was released earlier this month and was downloaded more than one million times in the first day it was available. Last week, Facebook acquired the company that developed Instagram. One of the phony Instagram sites includes Russian text and attempts to install a Trojan horse program on Android devices that sends SMS messages to premium rate numbers with no user interaction or notification.

[Editor's Note (Pescatore): I'd like to see the Android side of Google follow the lead of the search engine side of Google and make it much harder for users to get impacted by malware and compromised web sites. ]

Google Warns Sites of Redirect Infections (April 18 & 19, 2012)

Google has sent messages to 20,000 websites, informing them that they may have been injected with JavaScript that redirects visitors to other, maliciously crafted websites. Google has recommended that the site owners search for files containing a specific string, which would indicate an infection. The sites were also warned that the attackers may have compromised server configuration files.


[Editor's Note (Pescatore): I'd like to see the search engine side of Google evangelize the Android side of Google to make similar advances in security on the mobile app side... ]

*************************** Sponsored Links: ************************* 1) SANS First Mobility Security Survey featuring SANS mobility expert, Kevin Johnson
2) Special Webcast: PCI - Top 5 Issues and Best Practices Surrounding Privileged Passwords and PCI Compliance. Wednesday April 25th 1:00 EDT
3) New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert, Tanya Baccam. Paper:


Latest Flashback Attack Started on WordPress Sites (April 19, 2012)

Researchers say that the initial vector of attack for the Flashback Trojan horse program, was WordPress sites that had been infected with malware. Between 30,000 and 100,000 WordPress sites were infected in February and March of this year; the attackers placed code on the sites that redirected users to a server that would attempt to infect vulnerable machines. Flashback managed to infect an estimated 700,000 Mac computers, but researchers say that because of the availability of a tool to scrub Flashback from computers, the number of infected machines has been reduced to an estimated 140,000.

Man Charged in Online Brokerage Account Hacks (April 18 & 19, 2012)

The US Department of Justice has charged Petr Murmylyuk with conspiracy to commit wire fraud, securities fraud, and unauthorized access to computers for allegedly breaking into online brokerage accounts and conducting fraudulent transactions. Murmylyuk is a Russian national living in New York. The affected brokerage firms say that the transactions cost them more them US $1 million. The Manhattan District attorney's office alleges that Murmylyuk also stole people's identities and used the information to file tax returns and collect US $450,000 in IRS refunds. Murmylyuk is presently in custody facing other charges.


Piracy for Dummies (April 18, 2012)

A US publisher has filed a lawsuit against four people who have allegedly copied the company's books. John Wiley & Sons, the publisher of the X for Dummies series of how-to books, says its books have been shared through peer-to-peer networks. Wiley is seeking a jury trial for four people it alleges have copied books to which it owns the rights. The company says that more than 74,000 copies of Photoshop CS5 All-In-One For Dummies have been obtained illegally.

Austrian Police Arrest 15-Year-Old for Hacking (April 17 & 18, 2012)

Authorities in Austria have arrested a 15-year-old for allegedly breaking into servers at more than 250 companies over a three-month period. The teenager allegedly bragged about his exploits and posted information he had stolen online. He confessed when he was arrested.


Grand Jury Charges Two With Software Piracy (April 18, 2012)

A US grand jury has charged two people from China with copyright infringement and illegal export of technology for allegedly selling pirated software online; the pirated software is worth an estimated US $100 million. Xiang Li and Chun Yan Li allegedly operated several websites that sold software pirated from 150 companies. Xiang Li was arrested in June; Chun Yan Li is still at large. In addition, a former NASA employee has pleaded guilty to conspiracy to commit criminal copyright infringement for purchasing more than US $1 million worth of pirated software from Xiang Li.

[Editor's Note (Murray): Assertions as to the value of software in criminal charges are often exaggerated. They refer more to the value of the application than to the cost to the victim or the value to the perpetrator. ]

US Dept. of Energy Lab Releases Network Attack Detection Tool (April 17 & 18, 2012)

A US Department of Energy lab has released an open-source tool that gathers information during cyber attacks. The Pacific Northwest National Laboratory's Hone tool is designed to help identify and pinpoint the source of malware's activity on networks.

[Editor's Note (Murray): This is a "network activity visualization" tool that enables network managers to both recognize and better understand attacks. It is an advance over Marcus Ranum's Network Flight Recorder. ]

Comcast's Bandwidth Cap Exemption for Xfinity Xbox 360 App is Questioned (April 16, 2012)

Netflix CEO Reed Hastings has said that Comcast is not abiding by net neutrality principles because it is exempting its Xfinity Xbox 360 video app from bandwidth limits. Customers who have the app can use it to watch movies and television shows On Demand. Comcast normally puts a monthly cap of 250 GB on consumers' accounts.


[Editor's Note (Murray): This is only one of the policy questions that will arise when ISPs attempt to meter traffic. I am convinced by George Gilder's argument that it is cheaper to provision the network to meet the traffic demand than to control the traffic. It also avoids a plethora of policy issues. The wireless companies argue that they have to limit traffic because of the fundamental limits of wireless spectrum. Gilder argues that spectrum can be infinitely reused by deploying more cells and reducing signal amplitude. Many other countries are adopting the Gilder strategies. The reasons that we do not are more historical and political than technical or economic. ]


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit