SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #81

October 11, 2013

Yesterday I had to complete our annual security awareness training. Surprisingly, it was quick, informative, accurate, and valuable. And the monthly "spear phishing" testing our CISO has been running is well engineered (socially). I checked with the folks who built the automated system (a team led by Lance Spitzner, who is also the intellectual innovator behind honeypots and honeynets) and learned that other companies and agencies agree with my assessment about the speed and value. In the past 21 months, since they made the measured, automated security awareness training system available, 2,890,000 people in 915 companies and agencies got it. Apparently it is also a lot less expensive and more effective than the do-it-yourself training and the custom-built systems most organizations used before. There is a demonstration at http://www.securingthehuman.org/

Quick survey for the new systems-management-tool-based security benchmarking project SANS is launching with the Council on CyberSecurity for the top 4 Critical Security Controls. If you have more than 500 Windows computers, please answer the 4 questions listed at the end of this issue, so we can try to be sure it adapts to your organization. If you provide accurate answers, and you have sufficient systems, we'll give your organization early access to the beta test.



Government Shutdown Could Prove Problematic for Patching
Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp
Microsoft Releases Eight Bulletins, Fixes Two IE Flaws Being Actively Exploited
Japan Needs 80,000 Infosec Professionals


Skimmers Found on Registers at Department Store in Florida
Criminal Hackers Exploiting Flaw in vBulletin to Install New Admin Accounts
Five-and-a-Half Year Sentence for Role in Phishing Scheme
Apple and Microsoft Reportedly Stepping Up the Tracking Game
Hackers Access Wichita, Kansas Electronic Procurement Website
NSA's FOXACID Helps Decide Which Exploits to Use in Cyberattacks
DNS Hijackers Hit Network Solutions Customers
Russian Authorities Arrest Alleged BlackHole Malware Kit Author




CYBERACES STATE LEADERBOARD (more than 10,000 registered)


NOMINATION DETAILS: People who made a difference in Security in 2013


SURVEY For New Top 4 Critical Security Controls Benchmarking Project

************************** Sponsored By Bit9 ****************************
Whitepaper: In the wake of the numerous server data breaches reported over the years, it is clear traditional signature-based blacklisting security strategies are inadequate in addressing today's cyber threats. These attacks happen fast - in less than 15-20 minutes - and are bypassing traditional security tools. Download this whitepaper to learn how cybercriminals are infiltrating corporate servers.

- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.

- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.

- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.

- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.

- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.

- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.

- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.

- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.

- --Multi-week Live SANS training
Contact mentor@sans.org

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org


Government Shutdown Could Prove Problematic for Patching (October 9, 2013)

The federal government shutdown could hinder agencies' ability to apply patches in a timely manner, leaving systems exposed to attacks on now-public security flaws. IT systems identified as non-essential have been shut down, and IT staff at many agencies is "skeletal." Employee computers that were powered off for the shutdown will be missing every patch released in the interim when they are restarted, and should be treated as unpatched until updates have been applied.

Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp (October 8, 9 & 10, 2013)

On Tuesday, October 8, Adobe released two security updates. The first addresses a memory corruption flaw in the RoboHelp 10 publishing software. The second addresses a regression in Reader and Acrobat that affects JavaScript security controls. Both updates are for Windows only. Internet Storm Center:



Reader and Acrobat:

Microsoft Releases Eight Bulletins, Fixes Two IE Flaws Being Actively Exploited (October 9, 2013)

On Tuesday, October 8, Microsoft released eight bulletins, four critical and four important, to address a total of 27 vulnerabilities in Windows, Internet Explorer (IE), Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, and Silverlight. One of the four critical bulletins contains fixes for two flaws in IE that are being actively exploited. Internet Storm Center:

The combined bulletins initially indicated that they patched a total of 28 vulnerabilities, but Microsoft revised the description of MS13-080, saying that the 10th vulnerability patched in that bulletin was not actually included, but will "be addressed in a future security update."

Japan Needs 80,000 Infosec Professionals (October 9, 2013)

The Japanese government says it is facing a shortfall of information security professionals. A panel of experts met earlier this year and determined that the country needs 80,000 additional information security professionals to effectively defend critical systems. It also needs to provide additional training for more than half of the professionals already in the industry.
[Editor's Note (Paller): The character of the demand is changing. A decade ago - and even 5 years ago - general security knowledge taught at many colleges was sufficient to qualify people for the jobs available in security. Now, the demand has shifted to people with advanced hands-on skills (pen testing, forensics, technical auditing, intrusion detection, vulnerability analysis, security-savvy programmers and security-savvy sysadmins, etc.) while the jobs of many of the generalists are disappearing at an increasing rate.
(Pescatore): This is one of the few reports that has an estimate of the size of an existing cybersecurity workforce - 260,000 existing in Japan, though I can't find how that number was obtained (any of our Japanese readers looked at the full study?). There seems to be a general feeling of a skills shortage in many countries like the US and the UK, but no reliable estimate of how many are actually currently on the job. ]

*************************** Sponsored Links: ******************************
1) Webcast: Take Control! 7 Steps to Prioritize Your Security Program. Wednesday, October 16 at 1:00 PM EDT with John Pescatore and Matt Hathaway. http://www.sans.org/info/140790

2) Attend the DHS Continuous Diagnostics & Mitigation (CDM) Award Workshop - November 6, 2013. http://www.sans.org/info/140520

3) Take our BYOD survey and share your influence with other thought leaders; also enter to win a new iPad! http://www.sans.org/info/140795


Skimmers Found on Registers at Department Store in Florida (October 10, 2013)

Skimmers were found on a half-dozen registers at a Florida Nordstrom department store. A closed-circuit camera captured images of three men tampering with registers at the store on October 5. The thieves worked as a team: two people distracted store staff while a third examined the registers. Later the same day, a different group of three people came to the store and again distracted employees while one of the group installed PS/2 keystroke-logging connectors between the keyboards and the registers.
[Editor's Note (Pescatore): Notice that in retail, our oldest form of commerce, physical crime still exists, and businesses protect themselves to reduce how much crime succeeds, and law enforcement prosecutes the criminals - without needing a single government "framework" or new laws. Changing the focus on cyber attacks from cybercrime to cyberwarfare loses sight of the reality businesses will always face in reducing vulnerabilities and upgrading their own protections against attacks - just as retail and online retail are doing. ]

Criminal Hackers Exploiting Flaw in vBulletin to Install New Admin Accounts (October 10, 2013)

A vulnerability in the vBulletin Internet forum software is being actively exploited by criminal hackers to create unauthorized administrative accounts. In August, vBulletin urged users to delete the "install" directory from their deployments, but did not specify the vulnerability at the time. The vulnerability affects vBulletin 4.x and 5.x. The company has released updates for both versions.



vBulletin August Advisory:

Five-and-a-Half Year Sentence for Role in Phishing Scheme (October 10, 2013)

A UK court has sentenced Olukunle Babatunde to 66 months in prison for his role in a phishing scheme. Babatunde admitted to stealing more than GBP 750,000 (US $1.2 million) from more than 700 online bank accounts.


Apple and Microsoft Reportedly Stepping Up the Tracking Game (October 10, 2013)

The A7 chip in the iPhone 5S has a motion sensor with gyroscope, compass, and accelerometer capabilities, "enabl[ing] a new generation of health and fitness apps." Because the motion data are handled by a separate processor, they can be collected in the background. Apple said the data are stored for no more than seven days.

Microsoft is rumored to be developing tracking technology that will replace the cookie. It would work not only on the Internet, but also on Windows-based mobile devices and on Xbox consoles.

Criminal Hackers Access Wichita, Kansas Electronic Procurement Website (October 8 & 10, 2013)

Criminal hackers gained access to the electronic procurement website of Wichita, Kansas. The breach affects current and former vendors who have done work for the city, as well as employees who have been reimbursed for expenses since 1997. The compromised information includes Social Security numbers (SSNs), taxpayer ID numbers, and bank account information. Wichita officials are investigating the incident along with the FBI, local police, and other law enforcement agencies.

[Editor's Note (Shpantzer): Government websites are a great place to go to for a central repository of sensitive information, as the S. Carolina Department of Revenue demonstrated last year. The much-awaited federal healthcare site for the Affordable Care Act/Obamacare applications, which had major functionality issues at launch on October 1, has some demonstrated application security issues, some of which are documented here:

NSA's FOXACID Helps Decide Which Exploits to Use in Cyberattacks (October 9, 2013)

In a blog post, Bruce Schneier describes the NSA's FOXACID, a group of servers the agency uses to launch cyberattacks. FOXACID has a system for deciding which exploit to use in a given attack. High value targets merit the use of rare zero day exploits, either purchased or developed by NSA. The zero-days would not be likely to be used against sophisticated targets as those targets pose a danger of reverse engineering and making the exploit more widely known. There are also rules for determining when attacks should be halted. While FOXACID illustrates the NSA's carefully thought out plans, the agency did not consider the risk of its activity "becoming front-page news."
[Editor's Note (Murray): Even if one accepts that NSA does not target US persons with these capabilities, ours is not the only nation state with these wholesale attack tools. Edward Snowden is not the only rogue within NSA. This software is no less likely to leak than the presentations that describe it. Act accordingly. ]

DNS Hijackers Hit Network Solutions Customers (October 8 & 9, 2013)

Several websites that use Network Solutions services have recently experienced DNS hijacking attacks. Avira, ACG, and WhatsApp have reported being hit with redirect attacks. Network Solutions is investigating the attacks. Leaseweb, a hosting company, has also reported that it was the victim of DNS hijacking. Internet Storm Center:



Russian Authorities Arrest Alleged BlackHole Malware Kit Author (October 8 & 10, 2013)

Authorities in Russia have arrested a man believed to be responsible for creating and distributing the BlackHole malware kit. BlackHole can be used to facilitate drive-by download attacks. BlackHole has not been updated since the arrest, although it had normally been updated once or twice a day. Because BlackHole is not being kept current, it is likely that users will migrate to other exploit kits.





More DNS Hijacks (google.com.my, and earlier today rapid7/metasploit).

This article includes a script to help you monitor your domain.
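The Network Solutions redirects reported above and the ISC note that its article ships a script for monitoring your domain come down to the same control: record what your domain is supposed to serve and compare it with what resolvers see now. The script below is an added illustration written for this page; it is not the ISC script and does not come from the newsletter. It assumes a constructed baseline for example.com and a pluggable resolver: the standard-library resolver can only answer A queries, so NS checks (the ones that catch a registrar-level hijack of the kind described) need a real DNS client such as dnspython passed in.

```python
"""Baseline-and-compare DNS monitor (added illustration, not the ISC article's script).

Assumptions (not from the page): the baseline values below are constructed; the
resolver is pluggable because the standard library can only answer A queries,
so NS checks need a real DNS client (dnspython, for example) passed in.
"""
import socket
from dataclasses import dataclass

# Constructed baseline: record what your domain serves on a day you trust it.
BASELINE = {
    "example.com": {
        "NS": {"ns1.example.net.", "ns2.example.net."},
        "A": {"192.0.2.10", "192.0.2.11"},
    },
}


@dataclass
class Finding:
    domain: str
    rtype: str
    missing: set      # baseline records no longer being served
    unexpected: set   # records served now that the baseline never had


def normalize(records):
    """Case-fold and drop trailing dots so 'NS1.example.net.' equals 'ns1.example.net'."""
    return {r.lower().rstrip(".") for r in records}


def stdlib_resolve(domain, rtype):
    """Resolver using only the standard library: answers A queries, returns None otherwise."""
    if rtype != "A":
        return None  # socket cannot ask for NS; plug in a real DNS client for that
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except socket.gaierror:
        return set()  # NXDOMAIN/SERVFAIL: treat as 'nothing served'


def check_domain(domain, baseline, resolve=stdlib_resolve):
    """Compare each baselined record type against what is served right now."""
    findings = []
    for rtype, expected in baseline.items():
        answer = resolve(domain, rtype)
        if answer is None:
            continue  # this resolver cannot answer the type; skip rather than alarm
        observed, expected = normalize(answer), normalize(expected)
        if observed != expected:
            findings.append(Finding(domain, rtype, expected - observed, observed - expected))
    return findings


def classify(findings):
    """NS moved to unknown servers points at the registrar/DNS provider account;
    changes to other types point at the zone; records merely missing look like an outage."""
    changed = {f.rtype for f in findings if f.unexpected}
    if "NS" in changed:
        return "nameserver-hijack"
    if changed:
        return "record-change"
    if any(f.missing for f in findings):
        return "partial-outage"
    return "ok"


if __name__ == "__main__":
    for domain, baseline in BASELINE.items():
        result = check_domain(domain, baseline)
        print(domain, classify(result))
        for f in result:
            print(f"  {f.rtype}: missing={sorted(f.missing)} unexpected={sorted(f.unexpected)}")
```

Run it from cron against several public resolvers rather than only your own, since a hijack at the registrar propagates to the world before it reaches a cached internal resolver. An NS set that moves to names outside the baseline is the signature of the Network Solutions incidents; A records changing under unchanged NS points at the zone itself.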

Cisco Patches

An older vBulletin vulnerability is now being exploited. There is a workaround, but no patch.

Monitoring your web server's SSL logs and what you may learn by doing so

Some F5 load balancers use outdated firmware which does not support more current SSL versions.
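The two ISC items above (what an SSL log can tell you, and load balancers stuck on firmware that cannot speak current protocol versions) are both answered by the same habit: log the negotiated protocol and cipher per connection and count them. The following is an added example written for this page, not code from the ISC diary. It assumes the stock Apache httpd-ssl.conf format for ssl_request_log, `"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"`; the sample lines and the "weak" protocol and cipher markers are constructed for the illustration.

```python
"""Summarize an Apache ssl_request_log (added illustration, not code from the ISC diary).

Assumes the stock httpd-ssl.conf log format:
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
The sample lines and the 'weak' lists below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)

# Illustrative lists: protocols older than TLSv1, and cipher-name markers for
# export, anonymous, NULL, single-DES, RC4 and MD5 suites.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("EXP", "ADH", "NULL", "DES-CBC-SHA", "RC4", "MD5")

# Constructed sample log (RFC 5737 addresses); the last line is deliberately malformed.
SAMPLE_LOG = """\
[11/Oct/2013:08:00:01 -0400] 192.0.2.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /index.html HTTP/1.1" 2326
[11/Oct/2013:08:00:02 -0400] 198.51.100.7 SSLv3 RC4-MD5 "GET /login HTTP/1.0" 512
[11/Oct/2013:08:00:03 -0400] 198.51.100.7 TLSv1 AES256-SHA "POST /login HTTP/1.1" 1024
[11/Oct/2013:08:00:04 -0400] 203.0.113.9 TLSv1.1 DES-CBC3-SHA "GET /report.pdf HTTP/1.1" -
this line is deliberately malformed and must be skipped
"""


def parse_ssl_request_log(lines):
    """Return one dict per well-formed line; malformed lines are dropped, not fatal."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        e = m.groupdict()
        e["size"] = 0 if e["size"] == "-" else int(e["size"])  # Apache logs '-' for zero bytes
        entries.append(e)
    return entries


def summarize(entries):
    """Protocol and cipher usage counts: the quickest view of who still needs SSLv3 or RC4."""
    return {
        "by_protocol": Counter(e["proto"] for e in entries),
        "by_cipher": Counter(e["cipher"] for e in entries),
    }


def protocols_by_client(entries):
    """Protocols each client IP negotiated. A client that can do TLSv1 but also showed up
    with SSLv3 deserves a look: a downgrade, or a middlebox/load balancer in front of it."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["ip"]].add(e["proto"])
    return dict(seen)


def weak_sessions(entries):
    """List (entry, reasons) for sessions that used a weak protocol or cipher."""
    flagged = []
    for e in entries:
        reasons = []
        if e["proto"] in WEAK_PROTOCOLS:
            reasons.append(f"protocol {e['proto']}")
        reasons += [f"cipher {e['cipher']} ({m})" for m in WEAK_CIPHER_MARKERS if m in e["cipher"]]
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    entries = parse_ssl_request_log(SAMPLE_LOG.splitlines())
    print(summarize(entries)["by_protocol"])
    for e, reasons in weak_sessions(entries):
        print(e["ip"], e["proto"], e["cipher"], "->", "; ".join(reasons))
```

A single source address that accounts for all of the old-protocol sessions is usually a device rather than a population of users: a load balancer or proxy that terminates and re-opens TLS with whatever its firmware supports, which is exactly the F5 case above. Count by client before deciding that "too many users still need SSLv3" to disable it.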

Blackberry Update

SpiderLabs reports more variations of the IE "0 day" exploit

DNS ANY Queries for records with many A records


Students, Job Seekers, Active Duty Military enrolled as of October 11, 2013 at 0800 hours (last Friday's numbers in parentheses):

Illinois 3,131 (2,971)

Massachusetts 1,024 (826)

New York 937 (665)

New Jersey 882 (705)

Virginia 774 (618)

California 496 (478)

Delaware 530 (322) [Leader per capita]

Minnesota 370 (293)

Maryland 271 (231)

Florida 170 (135)

Texas 155 (130)

Total: 10,260 (8,898)

More data: Cyberaces.org


There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because they have found ways to meet business and mission needs while protecting customer and business data from attackers. There are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security.

On Monday 16 December at the SANS Cyber Defense Initiative conference in Washington DC, SANS plans on celebrating the most dedicated and innovative "People Who Made a Difference in Security in 2013."

We are soliciting nominations from the SANS community for names of individuals, teams and groups who implemented security processes or technology in 2013 that resulted in meaningful and measurable advances in security. The criteria for nomination are:

1. Must have led the implementation and deployment of security processes or controls in 2013 that either (a) made measurable increases in cybersecurity or (b) enabled new business initiatives (such as use of BYOD, cloud, Smart Grid, Digital Government, etc) while maintaining required security levels.

2. The deployed solutions must show advances or innovation over common levels of practice.

3. Must be willing, and have management approval, to be publicly acknowledged. Company or agency names can be kept anonymous if necessary.

Awards will be made in several categories, including but not limited to:

1. Enhancing the Security Workforce

2. Implementing the Critical Security Controls

3. Meaningful Security Metrics

4. Mitigating Advanced Threats

5. Securing the Human

6. Vertical Industry Difference Makers: ICS, Healthcare, Government, etc.

Submissions are due by 8 November 2013, and will be evaluated by a team from SANS, security industry analysts and thought leaders. Send your nominations or questions to trends@sans.org, full information is available at


Quick survey for the new systems management tool-based security monitoring project SANS is launching for the top 4 Critical Security Controls. If you have more than 500 Windows computers, please answer these 4 questions so we can try to be sure it adapts to your organization.

1. What Microsoft Systems Management platform are you running? If multiple ones, give approximate numbers.

___ SMS 2003,

___ Configuration Manager 2007

___ Configuration Manager 2012

2. Do you utilize the built-in functionality of this Microsoft platform to perform Operating System patching?

___ yes ___ no

3. Do you utilize the built in "SCUP" functionality of this platform to perform 3rd party Application patching or do you use a separate tool?

__ Use SCUP

__ Use another automated tool for application patching: name: ______________

4. Are you implementing any "whitelisting" with the native Microsoft tools such as a Software Restriction Policy GPO or the newer AppLocker features?

___ GPO

___ AppLocker

___ Other (name: ___________________________)

Your organization industry ___________________________

Number of Windows computers: _______________________

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/