
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #28

April 09, 2013

The editor's note from Mike Assante in the first story is important.
Mike is the dean of the industrial control system (ICS) security
community having served as CSO at the giant American Electric Power,
head of the team at INL that found the vulnerability that allows
rotating equipment (like centrifuges and power generators) to be
destroyed through remote cyber attacks, and CSO of NERC - The North
American Electric Reliability Corporation. The threats he is discussing
are not hypothetical; individual employees inside power companies and
other critical infrastructure organizations have been successfully
targeted and the attacks are accelerating. Mike has nearly completed a
poster that illuminates the cyber risks for the ICS community and has
completed a new security awareness program for employees in
organizations that are subject to NERC CIP regulations as well as oil &
gas and other companies that rely on ICS. If you work for such a
company and would like the poster or information about the interactive,
animated security awareness program, email either
(with your organization name and a surface mailing address - it is a
paper poster) or to find out about a trial/demo
of the awareness program.



ICS-CERT Warns of Exploitable Security Issue in SCADA Product
Android Trojan Spreading Through Spam


California Lawmakers Consider Consumer Data Bill
Apple's iMessage Frustrates Drug Enforcement Administration Investigation
Tech Contractors Say Restrictions on Chinese Equipment Could be Counterproductive
DHS Warning: Personal Data on Public Websites Could be Used in Phishing Attacks
Hackers Steal Passwords from Scribd User Database
Australian Teen Charged in Connection with Anonymous Hacking Activity
Film Studios Want Google to Take Down Links to DMCA Takedown Notices
Alleged Carberp Mastermind and Developers Arrested in Ukraine
IsoHunt Operator Wants Jury Trial

***************** SPONSORED BY the JOHN and TONY SHOW *******************
Join John and Tony for breakfast as they discuss what actually works and should be prioritized in protecting important systems and data. Tony Sager (after 34 years leading cyber defense at NSA) and John Pescatore (after 14 years leading the cyber security analysts at Gartner) both recently joined SANS. Together in public for the first time, they will provide an overview of the most promising approaches to protecting computer systems and discuss results from the initial deployments of the Critical Security Controls. They will also moderate a panel of vendors who seem to be the leaders in helping organizations implement the 20 most important controls. Attend in person or via the web. No cost for government; $50 for others at the breakfast. Thursday, April 18, 2013 in Washington, DC at the JW Marriott. For more information on attending in person, see To register for this event via simulcast, see

- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.

- -- SANS Secure Europe 2013 Amsterdam, Netherlands April 15-April 27, 2013 10 courses.

- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.

- -- Looking for training in your own community?

- -- Save on On-Demand training (30 full courses) - See samples at

Plus Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live:


ICS-CERT Warns of Exploitable Security Issue in SCADA Product (April 3, 2013)

The ICS-CERT has issued a warning about a heap-based buffer overflow vulnerability in Mitsubishi MX, which is a supervisory control and data acquisition/human machine interface (SCADA/HMI) product. The flaw could be exploited remotely by targeting specific employees inside any company using that industrial control system.
[Editor's Note (Assante): Note the warning comes from the ICS-CERT and the concern here is the ability to target specific people in an attempt to intrude upon Industrial Control System (ICS) networks. I have participated in a number of assessments that were able to quickly identify operations and technical staff that interact with ICS. The attacker's goal is to find a viable path of least resistance and in many cases it involves your people. Staff authorized to access ICS can have false confidence in the fact that their systems are not internet facing or are protected by firewalls.
(McBride): The DHS report is six months after the incident; if you are relying on DHS for this type of information you are well behind the curve. The key information used in these attacks was identified by Critical Intelligence who reported it to the ES-ISAC in October 2012 when the incident took place. DHS learned of it from ES-ISAC.
(Paller): As part of the new ICS security awareness and other information services described at the top of this issue, ICS-using organizations will probably receive earlier access to news of this type because the organizations that discover the problems (before DHS hears of them) are nearly all partners in the ICS security network assembled by Mike Assante. ]

Android Trojan Spreading Through Spam (April 8, 2013)

The Cutwail botnet is sending out spam that attempts to infect Android devices with a Trojan horse program. The malware, which is being called Stels, also takes steps to infect other operating systems. When users click on the provided link in messages that appear to be from legitimate sources, such as the Internal Revenue Service (IRS), a script checks to see if the user is on an Android device. If Android is detected, users are shown an Adobe Flash Update page, which installs the malware. If the user is not on an Android device, the script redirects them to a webpage that serves up the Blackhole exploit kit.
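The story describes a landing page that serves different content depending on the visitor's browser: an Android user agent gets a fake "Adobe Flash Update" page that delivers an APK, and everyone else is redirected to an exploit kit. That behaviour leaves two traces in a web proxy log, which the following Python script looks for. It is an added example written for this summary, not code from the article or from any vendor analysis of Stels; the log lines are constructed, the log format (client, status, method, URL, user agent) is assumed, and the hostnames are placeholders.

```python
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line:
# client_ip status method url user_agent
# (The hosts and paths are invented for this example.)
SAMPLE_LOG = """\
10.0.0.5 302 GET http://irs-refund-notice.example/index.php Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
10.0.0.5 200 GET http://cdn-update.example/flash/update.jar Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
10.0.0.7 200 GET http://irs-refund-notice.example/index.php Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9300) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
10.0.0.7 200 GET http://irs-refund-notice.example/update/AdobeFlashPlayer.apk Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9300) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
10.0.0.9 200 GET https://play.google.com/store/apps/details?id=com.example.app Mozilla/5.0 (Linux; U; Android 4.1.2) AppleWebKit/534.30 Mobile Safari/534.30
"""

# Hosts from which an APK download is expected; anything else is a sideload.
TRUSTED_APK_HOSTS = {"play.google.com"}
# Words that match the "Flash update" social-engineering lure in the story.
LURE_WORDS = ("flash", "adobe", "update")


def parse(line):
    """Split one log line; the user agent is the remainder because it contains spaces."""
    client, status, method, url, ua = line.split(maxsplit=4)
    return {"client": client, "status": int(status), "method": method, "url": url, "ua": ua}


def is_android(ua):
    return "Android" in ua


def analyze(log_text):
    """Return (rule, client, url) findings for the two traces the campaign leaves."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    by_url = {}  # url -> statuses seen from Android vs. other user agents

    for e in events:
        parsed = urlparse(e["url"])
        host = parsed.hostname or ""
        path = parsed.path.lower()

        # Trace 1: an Android device pulling an .apk from outside the app store,
        # flagged more strongly when the path carries the fake-update lure.
        if is_android(e["ua"]) and path.endswith(".apk") and host not in TRUSTED_APK_HOSTS:
            rule = "apk_fake_update_lure" if any(w in path for w in LURE_WORDS) else "apk_untrusted_host"
            findings.append((rule, e["client"], e["url"]))

        bucket = "android" if is_android(e["ua"]) else "other"
        by_url.setdefault(e["url"], {"android": set(), "other": set()})[bucket].add(e["status"])

    # Trace 2: the same URL answers Android with content (200) but bounces
    # everyone else with a redirect (3xx), i.e. user-agent conditional serving.
    for url, seen in by_url.items():
        if 200 in seen["android"] and any(300 <= s < 400 for s in seen["other"]):
            findings.append(("ua_conditional_redirect", "-", url))
    return findings


if __name__ == "__main__":
    for rule, client, url in analyze(SAMPLE_LOG):
        print(f"{rule:24} {client:10} {url}")
```

The second rule is the more durable one: lure file names change from campaign to campaign, but a page that hands out a 200 to phones and a 302 to desktops is behaving like a traffic-distribution script rather than a tax agency.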


*************************** Sponsored Links: ******************************
1) Webcast! Meeting the need for speed (and resiliency) in Security Management Systems, Thursday, April 18

2) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad!


California Lawmakers Consider Consumer Data Bill (April 8, 2013)

State legislators in California are considering a bill that would allow consumers to find out which of their personal data are being stored by data brokers, websites, and mobile app providers. The bill, which is called "The Right to Know Act," would require businesses to provide consumers with a list of third party entities with which their data have been shared. The bill is "about transparency and access, not new restrictions on data sharing," according to an Electronic Frontier Foundation (EFF) blog post.

Apple's iMessage Frustrates Drug Enforcement Administration Investigation (April 4, 5, & 6, 2013)

A US Drug Enforcement Administration (DEA) investigation ran into problems when the suspects under surveillance started using Apple's iMessage system, according to a leaked memo. The DEA was unable "to intercept the iMessages between two Apple devices [with] traditional trap and trace, pen register devices, or wiretapping data collection." The issue is an illustration of what the FBI calls the "going dark" problem. The 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications companies to ensure that law enforcement agencies can tap targeted communications with a court order, applies to hardware, but not software. The FBI has been asking for a CALEA extension to cover the new technologies.


Tech Contractors Say Restrictions on Chinese Equipment Could be Counterproductive (April 5 & 8, 2013)

US government technology contractors say that a rule requiring companies to check purchases of security systems for components made in China will leave agencies more vulnerable to security breaches. They are also concerned that refusing to purchase Chinese components could incur retaliation. Assessing every IT purchase "will likely slow the federal acquisition process and put impacted federal agencies behind the security innovation curve." The mandate was signed on March 26, 2013, and applies to the Justice Department, the Commerce Department, NASA, and the National Science Foundation.


DHS Warning: Personal Data on Public Websites Could be Used in Phishing Attacks (April 5, 2013)

The US Department of Homeland Security (DHS) is warning organizations not to post business and personal information on publicly accessible web pages because the data could be exploited in spear phishing attacks. The alert grew out of an incident last fall in which spear phishing campaigns targeted energy sector organizations. The attacks used a publicly posted list of conference attendees that included names, email addresses, and organizational affiliations.

Hackers Steal Passwords from Scribd User Database (April 5, 2013)

Document-sharing website Scribd says that hackers compromised as many as one million user passwords. The data were stored with an old hashing algorithm. A Scribd software engineer said that no accounts had been compromised. The company has contacted affected users and instructed them about how to change their passwords and make them more secure.
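"Stored with an old hashing algorithm" is the detail that matters in this story: a fast, unsalted digest lets an attacker who has the database test candidate passwords at hardware speed and recognise every user who chose the same password. The Python below shows the weak scheme beside a salted, iterated replacement and the upgrade-on-login step a site needs once it already holds legacy hashes. It is an added example for this issue, not Scribd's code; Scribd did not say which algorithm it used, so unsalted SHA-1 is assumed as the legacy scheme, and PBKDF2-HMAC-SHA256 from the standard library stands in for whichever slow KDF a site adopts.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme: a single unsalted SHA-1 over the password.
# Fast to compute and identical for identical passwords, which is the weakness.
def legacy_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(records, wordlist):
    """Dictionary attack on unsalted hashes: one digest per guess covers every user."""
    lookup = {legacy_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in records.items() if h in lookup}


# Replacement scheme: per-user random salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # current work factor; raise over time


def hash_password(password, *, iterations=PBKDF2_ITERATIONS, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    # Self-describing record so the verifier knows how to recompute it.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Return (ok, new_record). new_record is set when the stored record should be replaced."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        iters = int(iters)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters, dklen=32)
        ok = hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare
        # Re-hash if the record was made under an older, weaker work factor.
        upgraded = hash_password(password) if ok and iters < PBKDF2_ITERATIONS else None
        return ok, upgraded

    # Legacy record: the plaintext is only available at login, so this is the
    # one moment the hash can be migrated. Verify, then return a new record.
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (hash_password(password) if ok else None)


if __name__ == "__main__":
    users = {"alice": legacy_sha1("password1"), "bob": legacy_sha1("zX9!qq-longer")}
    print("cracked from legacy table:", crack_unsalted(users, ["123456", "password1"]))
    ok, new_record = verify_password("password1", users["alice"])
    if ok and new_record:
        users["alice"] = new_record  # write-back on successful login
    print("alice now stored as:", users["alice"][:40], "...")
```

Two operational notes follow from this. Legacy records that never log in again cannot be upgraded, so after a breach they should be invalidated and reset rather than left in place; and the work factor is a policy constant, which is why the verifier re-hashes records made under a smaller one instead of treating them as permanent.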


Australian Teen Charged in Connection with Anonymous Hacking Activity (April 5, 2013)

Australian Federal Police (AFP) have charged a 17-year-old in connection with his alleged involvement with the Anonymous hacking group. The unnamed teenager has been charged with unauthorized modification of data to cause impairment; unauthorized access with intent to commit a serious offence; possession of data with intent to commit a computer offence; and unauthorized access to restricted data.


AFP Media Release Statement:

[Update from Editor Honan: Today in the UK, three members of LulzSec pleaded guilty to their involvement in attacks against the websites of the CIA and SOCA.]

Film Studios Want Google to Take Down Links to DMCA Takedown Notices (April 5, 2013)

Two film studios have asked Google to remove links to DMCA takedown notices they sent the company. Google posts all the DMCA takedown notices it receives - about 20 million every month. Some have criticized the practice, saying that the notices identify sites where pirated content can be found. Universal Studios and Fox have asked Google to remove the links to old takedown notices. It is possible that these requests to take down the takedown notices were generated by automated tools that search for URLs associated with pirated content.

Alleged Carberp Mastermind and Developers Arrested in Ukraine (April 4 & 5, 2013)

Ukrainian authorities have arrested the alleged ringleader of the Carberp banking Trojan group along with 20 alleged malware developers. Those involved with the Carberp gang allegedly stole US $250 million from Russian and Ukrainian bank accounts. The arrests were the result of a collaborative effort between Russian and Ukrainian authorities.




IsoHunt Operator Wants Jury Trial (April 4, 2013)

Gary Fung, who operates filesharing service IsoHunt, was recently found to have violated copyright law by a three-judge panel of the 9th US Circuit Court of Appeals. Fung is now demanding a jury trial. The panel ruled against Fung and for the Motion Picture Association of America (MPAA) based on the merits of the case. Fung claims he is just a search engine like Google and therefore protected by the safe harbor provision of the DMCA because he took down files when requested to do so. The court said his business model was based on the assumption that people would willfully infringe copyright and that his site induced people to do just that. Fung is asking that the appeals court rehear his case with an en banc panel of nine judges to decide if he should get a jury trial.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit