Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #65

August 15, 2014


Tennessee Company Suing Bank Over Funds Stolen by Online Account Hijacking
Most Companies Unsatisfied with Their Security Incident Response
FCC Task Force Investigating Stingray Use


Korea Develops Information Security Readiness Rating Systems
Older Routers May Cause Network Slowing or Instability
Microsoft Delays ActiveX Blocking in IE Until September
NSA's MonsterMind Aims to Detect and Stop Cyber Attacks Instantly
Adobe Updates Flash, Reader, and Acrobat
Microsoft Releases Fixes for 37 Security Issues
Chinese Authorities Arrest Suspect in Android Heart App Malware Case



************************ Sponsored By Dell KACE **************************
In Case You Missed it: Simple, Effective Patch Management: From Dilemma to Done Deed - with Jason Tolu. Join Dell KACE customer, Chino Valley School District and learn how they use the Dell (TM) KACE (TM) appliance to simplify patch management.

- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by August 27 and save $400. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.

- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?

- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.

- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.

- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.

- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.

- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza

- --Can't travel? SANS offers LIVE online instruction. Day ( and Evening courses ( available!

- --Multi-week Live SANS training

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Bangkok, Tallinn, Hong Kong, and Sydney all in the next 90 days.

For a list of all upcoming events, on-line and live:



Tennessee Company Suing Bank Over Funds Stolen by Online Account Hijacking (August 13, 2014)

A Tennessee company is suing its bank to recover nearly US $200,000 lost in an electronic theft from its account there. Tennessee Electric Company, Inc., now known as TEC Industrial, is alleging that TriSummit Bank was negligent and breached its contract with the company. In May 2012, criminals stole $327,800 from TEC Industrial's bank accounts, using dozens of money mules. The bank managed to retrieve about $135,000 of the funds.
[Editors' Note (Paller and Murray): Krebs' report and the comments are perhaps the most thorough, informative and useful analysis of this issue assembled in one place. ]

Most Companies Unsatisfied with Their Security Incident Response (August 14, 2014)

A SANS study found that just nine percent of organizations believe that their response to security incidents is "highly effective." More than a quarter of those responding said they were dissatisfied with their incident response. Among the impediments to effective response programs are lack of review and practice of response procedures, and insufficient budgets.

[Editor's Note (Murray): In a world in which attacks are inevitable, often continuous, and their effectiveness increasing with time to detection and remediation, effective incident response is an essential part of any security program. ]

FCC Task Force Investigating Stingray Use (August 11 & 12, 2014)

The US Federal Communications Commission (FCC) has formed a task force to investigate the use of cell phone tracking and interception technology known as an IMSI catcher, but often referred to by the trade name of a particular device called Stingray. The task force's mission "is to develop concrete solutions to protect the cellular networks systemically from ... unlawful intrusions and interceptions." The task force will examine how criminal gangs and foreign intelligence agencies are using the technology against US citizens.



[Editor's Note (Pescatore): We are just about at the 20th anniversary of CALEA - the Communications Assistance for Law Enforcement Act, which came about when law enforcement was having difficulties legally tapping and monitoring digitized telephone calls. The same challenges hit later for cellphone calls, VoIP streams like Skype, Twitter, SnapChat, etc. Periodically we have to revisit the balance between communications privacy for the honest and law enforcement's ability to monitor the criminal. The process of arriving at the compromise always works best when done transparently - it would be good for the task for to have broad participation.
(Murray): Big job but necessary and timely. Even the use of such "false flag" technology by law enforcement is questionable and the vulnerability to its use by others represents a deficiency in both policy and network architecture. As the availability of such technology increases, it will represent a risk. ]

**************************** SPONSORED LINKS ******************************
1) How to Detect System Compromise & Data Exfiltration Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC)with Tom DAquino.

2) New SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win an iPad. Results Webcast on 10/29.

3) Compromises Happen: Learn about the five-stage system lifecycle defense model in Aug 20 Webcast!


Korea Develops Information Security Readiness Rating Systems (August 15, 2014)

Korea's Ministry of Science, ICT, and Future Planning along with the Korea Internet & Security Agency (KISA) have introduced an information security readiness system. The guidelines can be used to help organizations determine their grade on an index, from B through AAA. The Korean government is considering offering tax breaks to companies with high scores.

Older Routers May Cause Network Slowing or Instability (August 14, 2014)

Some older Internet routers used to support the Internet have reached memory limits of the number of routes they can use to send data. The routers keep track of the possible paths for data to travel. The problem grew out of the increasing number of connections between different networks. When the number of possibilities exceeds the capacity of the machines, then there are problems. The situation poses risks of slowing down, losing data, and becoming unstable, and is already being blamed for intermittent outages and disruptions. Internet Storm Center:


[Editor's note (Northcutt): You can call this a limit of BGP, but at the end of the day it is a limit of IPv4. For Cisco equipment there is a workaround, (for now), but the day is coming when we won't be able to keep the old familiar IPv4 Internet working.]

Microsoft Delays ActiveX Blocking in IE Until September (August 13 & 14, 2014)

Microsoft has delayed implementation of its plan to block outdated versions of Java in Internet Explorer (IE) until next month. Customers complained that the change was happening too soon, so instead of blocking the plug-ins in this month's update, Microsoft released a guide to manage the upcoming change. The actual changes will arrive in September's patch Tuesday, when updated versions of the browser will block outdated ActiveX controls.


NSA's MonsterMind Aims to Detect and Stop Cyber Attacks Instantly (August 13 & 14, 2014)

An NSA program known as MonsterMind, currently under development, is being designed to detect and stop cyber attacks against the US; the system would also be capable of launching retaliatory cyber attacks. Described in broad terms, the program would analyze metadata to detect anomalous network traffic.

[Editor's Note (Murray): Interesting "aim." However, it smacks of the infamous Internet "kill switch," is very dangerous, and its use might probably exceed the authority of the NSA. Operation of the Internet is best left in the hands of those professionals who do it minute by minute and day by day. ]

Adobe Updates Flash, Reader, and Acrobat (August 13, 2014)

Adobe has issued security updates for Flash, Reader, and Acrobat. The fixes address eight vulnerabilities, one of which is being actively exploited in isolated attacks. That flaw can be exploited to circumvent sandbox protection in Reader and Acrobat X and XI to execute code with elevated privileges.


Microsoft Releases Fixes for 37 Security Issues (August 12, 2014)

Microsoft has issued nine security bulletins to address a total of 37 security issues in its products. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for vulnerabilities in Windows, Office, Share Point Server, SQL Server software, and .NET Framework. Internet Storm Center:



Chinese Authorities Arrest Suspect in Android Heart App Malware Case (August 12 & 13, 2014)

Police in China have arrested a 19-year-old man for his alleged role in creating malware that targets Android devices. The malware, known as the Heart App, spreads quickly by pretending to be an invitation to arrange a date. Instead, when users click on the link, the malware sends SMS messages to the first 99 people on the device's contacts list. The malware sent out 20 million SMS messages and infected 100,000 devices. Heart App also steals information from the devices it infects.


Logging AppLocker Events in OSSEC 2.8

Threats to Virtual Environments

Synolocker Crew Sells of Encryption Keys in Bulk

iOS Malware Steals Ad Revenue

Apple Safari Updates

SOHOplessley Project Uncovers 15 new flaws in 4 routers

Details about Finfisher Attack

Google restricts use of foreign characters for domains in GMail

LastPass Outage

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit