
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #56

July 16, 2013


Senate Issues Draft Cybersecurity Bill
WellPoint to Pay US $1.7 Million for HIPAA Violations
Malware Infects Files and Steals FTP Credentials


Mac Malware Uses Encoding Trick to Hide File Extensions
US Justice Department Revises Policies on News Media Data Seizure
California AG Breach Study Highlights Importance of Encrypting Data
Microsoft Video Codec Patch (MS 13-057) Reportedly Causing Problems
Sony Drops Fine Appeal
General Alexander's Focus on Large Scale Data Collection
ICO Fines NHS Surrey Over Patient Data on Resold Hard Drive
Chinese Cyberespionage Group Using Dropbox and WordPress



Senate Issues Draft Cybersecurity Bill (July 12, 2013)

The US Senate is circulating a draft cybersecurity bill. A similar measure failed last year. The bill aims to establish voluntary cybersecurity standards for organizations that operate elements of the country's critical infrastructure. It also calls for increased research and development in cybersecurity defenses and increased software vulnerability information sharing.


[Editor's Note (Henry): As someone who has been "behind the curtain" and watched these deliberations from the inside over the past seven years, this is frustrating. As a private citizen and a taxpayer, it's frightening. I understand how hard a problem this is and I recognize the competing interests, but some things are of such concern we must step outside our comfort zones and make meaningful decisions, regardless of the political fallout.
(Pescatore): If 18 year olds read newspapers, they would have been able to read this story every year since they were first able to read. ]

WellPoint to Pay US $1.7 Million for HIPAA Violations (July 11 & 12, 2013)

WellPoint, an Indianapolis-based health insurance provider, will pay the US Department of Health and Human Services (HHS) US $1.7 million for violations of the Health Insurance Portability and Accountability Act (HIPAA). The charges stem from WellPoint's weak database security that exposed the personal records of more than 600,000 people. The database was reportedly accessible between October 2009 and March 2010, exposing patients' names, Social Security numbers (SSNs), and health data. WellPoint reported the issue as required under HIPAA rules; a subsequent investigation conducted by HHS found that WellPoint was using inadequate policies and procedures to protect access to online data. In 2011, WellPoint was ordered to pay US $100,000 to the state of Indiana to settle charges resulting from a breach that exposed personal information of 32,000 Indiana patients.



[Editor's Note (Pescatore): While $1.7M sounds like a big number, the likely full cost of dealing with allowing the records of 600,000 people to be exposed will likely end up above $20M. This case seemed to point out more systemic problems - no one security control or process would have prevented all the problems. But the cost of preventing the incident will likely end up to be less than 20% of the ultimate cost of suffering the incident. ]

Malware Infects Files and Steals FTP Credentials (July 15, 2013)

File-infection malware that spreads through drive-by downloads also has the capacity to steal File Transfer Protocol (FTP) credentials from the FileZilla FTP client. The malware, a variant of EXPIRO, exploits known Java vulnerabilities to infect users' computers. The Java flaws were patched in June 2012 and March 2013. The majority of infections appear to be in the US. This particular variant searches for .exe files on local, removable, and networked drives, and injects malicious code into those files.


[Editor's Note (Murray): ftp is "historically broken." For those who persist in using it, this is only one of many problems.]



Mac Malware Uses Encoding Trick to Hide File Extensions (July 15, 2013)

Malware that targets Mac OS X uses a right-to-left override ploy to avoid detection. The trick is used to hide the actual extension of executable files. The malware, known as Janicab, is signed with what appears to be a valid Apple Developer ID. It takes screen shots and records audio through infected machines, and sends the data to a command-and-control server. It also maintains contact with the command-and-control server for instructions. Janicab spreads through spearphishing and spam.


[Editor's Note (Shpantzer): How long does it usually take for Apple to revoke the Developer ID?]
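
A defender-side check for the right-to-left override trick described in this item, added here as an example and not taken from the original newsletter or any vendor tool. The function names and sample file names are constructed for illustration, and the display rendering is a simplified approximation of the Unicode bidirectional algorithm.

```python
import unicodedata

RLO, PDF = "\u202e", "\u202c"  # RIGHT-TO-LEFT OVERRIDE, POP DIRECTIONAL FORMATTING
# Bidirectional control characters that have no business in an attachment name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", PDF, "\u202d", RLO,   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",   # LRI, RLI, FSI, PDI
}

def _ext(text):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return text.rsplit(".", 1)[1].lower() if "." in text else ""

def displayed_name(name):
    """Approximate what a user sees: characters under an RLO are drawn
    reversed until a PDF or the end of the name (simplified model)."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.append("".join(reversed(run)))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored in this model
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.append("".join(reversed(run)))
    return "".join(out)

def inspect_name(name):
    """Report bidi controls and compare the shown extension with the real one."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in name if c in BIDI_CONTROLS]
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    return {
        "controls": controls,
        "displayed": shown,
        "displayed_ext": _ext(shown),
        "real_ext": _ext(logical),          # what the OS acts on
        "mismatch": _ext(shown) != _ext(logical),
    }

def flag_names(names):
    """Return the names that should be quarantined or reviewed."""
    return [n for n in names
            if inspect_name(n)["controls"] or inspect_name(n)["mismatch"]]

if __name__ == "__main__":
    # Constructed sample names, not indicators from any real incident.
    samples = ["report.pdf", "Invoice\u202efdp.app", "notes.txt"]
    for n in flag_names(samples):
        print(repr(n), inspect_name(n))
```

Mail gateways and file-share scanners can apply the same test to attachment and archive member names, rejecting any name that contains a bidirectional control character.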

US Justice Department Revises Policies on News Media Data Seizure (July 15, 2013)

Revised guidelines from the US Department of Justice limit the government's access to journalists' records except in cases in which the journalist is the subject of a criminal investigation. Ideally, journalists are protected by the First Amendment regarding freedom of the press and the Fourth Amendment regarding unreasonable search and seizure, as well as the Privacy Protection Act and other laws. The need for a revised and clarified policy became evident when the government launched an inquiry that characterized a journalist as a spy, criminalizing his efforts to obtain information from a source; and when the government obtained phone records for AP journalists.


California AG Breach Study Highlights Importance of Encrypting Data (July 15, 2013)

A report from California's attorney general found that in 2012, 2.5 million California residents had their personal information compromised in the 131 security breaches that were reported to the AG's office. The report also notes that had companies encrypted their stored data, 1.4 million people would not have had their personal information exposed. Under state law, breaches do not need to be reported if the data affected are encrypted.


[Editor's Note (Pescatore): There is good data in this report but the encryption analysis is way too simplistic. Encrypting data would have prevented a breach in about 28% of the incidents - but only if the encryption was done right. The low hanging fruit (most promising technology) here is laptop and portable media encryption, which has the least barriers to success - lost or stolen devices/media accounted for 80% of those preventable data breaches.
(Shpantzer): I agree with John on this, that removable media and laptop encryption is usually easier than on the server side, where a little database and application security goes a long way. ]

Microsoft Video Codec Patch (MS 13-057) Reportedly Causing Problems (July 15, 2013)

One of the patches (MS 13-057) Microsoft released last week has been causing problems for a number of products. The patch is for a vulnerability in Microsoft's WMV codec that is used by WMF Runtime 9 and 9.5; Runtime 11; and Windows Media Player 11 and 12. The flaw could be exploited by using a maliciously crafted media file to crash the features and allow attackers to execute arbitrary code. The patch is reportedly causing the top half of videos to be blacked out in playback. Microsoft has not yet acknowledged the issue.

Sony Drops Fine Appeal (July 12 & 15, 2013)

Sony has abandoned its appeal of a GBP 250,000 (US $376,000) fine imposed after a 2011 PlayStation Network (PSN) hack. The UK Information Commissioner's Office (ICO) fined Sony in January 2013, after finding the company negligent for inadequately protecting PSN user data. Sony initially said it would appeal the fine, but has since changed its position, citing the company's "commitment to protect[ing] the confidentiality of [its] network security from disclosures in the course of the proceedings." Sony has stated that it remains opposed to the decision.

[Editor's Note (Pescatore): In 2011 Sony publicly admitted that its failure to protect the PlayStation Network had direct costs of $170M, and I remember doing an estimate at the time that put it closer to $300M. A fine of $376K is rounding error - which is the case with most medium to large disclosure events. ]

General Alexander's Focus on Large Scale Data Collection (July 14, 2013)

National Security Agency (NSA) chief General Keith Alexander has had success with collecting huge amounts of data and scouring them for information to solve problems. In an effort to stop attacks harming US troops in Iraq in 2005, Alexander ordered the collection of Iraqi text messages, phone calls, and email communication. The program, which was called the Real Time Regional Gateway, significantly reduced the number of deaths within three years. A former senior US intelligence official described Alexander's approach like this: "Rather than look for a single needle in the haystack, his approach was, 'Let's collect the whole haystack.'" Alexander became head of the Pentagon's US Cyber Command in 2010 while remaining in his position at NSA.

ICO Fines NHS Surrey Over Patient Data on Resold Hard Drive (July 12 & 14, 2013)

NHS Surrey has been fined GBP 200,000 (US $302,000) over data remaining on a hard drive sold on eBay. The storage device held records of nearly 3,000 patients and had been given to a third party for secure destruction. The drive in question was in a PC that was part of a lot provided to the data destruction company. All the hard drives and data were supposed to be destroyed, and the company had provided certificates saying that the actions agreed upon had been taken. The ICO chastised the hospital for providing inadequate oversight of the data destruction company.


[Editor's Note (Shpantzer): Data and devices have a lifecycle and many orgs ignore the disposal phase altogether, so it's sad to see stories like these where there was even a consideration of the disposal phase. I'd like to see ICO (or whoever does that in the UK) going after the seemingly-fraudulent data disposal company, who issued 'certificates' of destruction, which either never happened or was not properly done. Assuming that this company has other customers who thought their drives were properly disposed of, is ICO (or whoever does that in the UK) pulling on that thread?]

Chinese Cyberespionage Group Using Dropbox and WordPress (July 10, 2013)

A Chinese cyberespionage group has reportedly begun using Dropbox and WordPress to spread malware and further its forays into target computer networks. The group is the same one believed to have been responsible for attacks on the New York Times. The attackers register for a Dropbox account, upload the specially crafted content, and share it with targeted users. A memo that purported to be from the US-ASEAN (Association of Southeast Asian Nations) business council was used as bait. Once the targets open the file, the embedded malware contacts a WordPress blog for commands to reach a command-and-control server.


[Editor's Note (Pescatore): Sort of a "dog bites man" story, no? A far more interesting story ("man bites dog") would be: "For the first time in recorded history, going back to the Stone Age, bad guys decided *not* to use the same technology the good guys are using."
(Henry): We've monitored this adversary for several years, and this latest tactic demonstrates their continued evolution. Defenders filter outbound ports, and the adversary uses C2 sites that are difficult or impossible for administrators to block...yet another example of electronic "cat and mouse." ]

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
