Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #69

August 29, 2014


FBI, Secret Service Investigating Attacks on JPMorgan Chase and Other Financial Institutions
Commerce OIG Warns NOAA of Vulnerabilities in Satellite Ground Systems


Payment Card Industry Council Urges Businesses to Take Precautions Against Backoff
UK Information Commissioner Fines Ministry of Justice Over Unencrypted Prison Records
"Google Dorking" Exposes Sensitive Information
Malware Advertising Attack Hits Popular Websites
Netis Routers Have Backdoors with Hardcoded Passwords
Microsoft Reissues Dodgy Patch
Possible Dairy Queen Data Breach



******************* Sponsored By Magnet Forensics **********************
Webcast: Speeding up the Investigation of Employee Policy Violations - Monday, September 15 at 1:00 PM EDT (17:00:00 UTC) with Jad Saliba (CTO), Jamie McQuaid (Forensics Consultant) and Rob Lee. Designed for forensics professionals who work in a corporate environment, this webinar will arm you with the tools and techniques needed to speed up employee policy violation investigations to get them off your desk.

- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.

- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.

- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.

- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.

- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza

- --SANS London 2014 | London, UK | November 15-24, 2014 16 courses.

- --Can't travel? SANS offers LIVE online instruction. Day ( and Evening courses ( available!

- --Multi-week Live SANS training

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Tallinn, Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live:



FBI, Secret Service Investigating Attacks on JPMorgan Chase and Other Financial Institutions (August 27 & 28, 2014)

The FBI and the US Secret Service are working together on an investigation into the scope of attacks that affected several financial institutions, including JPMorgan Chase. The New York Times reported that the thieves stole "gigabytes" of data from JPMorgan Chase and four other financial institutions. A spokesperson for JPMorgan Chase noted that it "experience
[s ]
cyberattacks nearly every day," and did not confirm this recent report. Bloomberg's report suggests that Russia could be behind the attacks. Others are less eager to attribute the attacks to Russia, saying that data theft differs from the usual disruptive attacks launched in such cases. According to the most recent report, the attackers may have altered and deleted records at JPMorgan Chase.






[Editor's Note (Murray): You will not be surprised to learn that this attack, like many such attacks these days, began with a carefully and artfully crafted bait message sent via e-mail. The bait appeared to be an important encrypted announcement message from bank management. (It has been on cable TV since about noon Thursday, so it may be possible to find it on Google/YouTube by now.) Among other things, taking the bait generated a "security error message" saying that the system was unable to decrypt the message and prompting for, yes, you guessed it, UID and password. The layered security architectures of money center banks are the targets of daily and resourceful attacks. Almost by definition, some of these attacks enjoy at least limited success. If there were no success at all, the attackers would tire, retire, or seek softer targets. That said, such success should not, as in this case, include "gigabytes of sensitive data." That it did so suggests insufficient layers and monitoring. Strong Authentication should be the first layer. ]

Commerce OIG Warns NOAA of Vulnerabilities in Satellite Ground Systems (August 27, 2014)

According to an audit from the Office of Inspector General (OIG) of the US Department of Commerce, there are vulnerabilities in the Joint Polar Satellite System (JPSS) ground system that could be exploited to disrupt its mission. The JPSS ground system collects data from weather satellites and shares them with users worldwide. It operates under the purview of the National Oceanic and Atmospheric Administration (NOAA)

[Editor's Note (Paller): The satellite ground and uplink systems were not designed to withstand cyber attack. Sadly, the situation is not improving as fast as the attack landscaping is advancing. ]

*************************** SPONSORED LINKS *****************************
1) Kill Shot: Stopping Unknown Malware with Trust Based Application Control. Thursday, September 04 at 2:00 PM EDT (18:00:00 UTC) with Harry Sverdlove and Dave Shackleford.

2) Learn to Detect, Control and Manage the Insider Threat Risks in Law Enforcement Orgs in Sep. 5 Webcast.

3) SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win iPad. Results Webcast on 10/29.


Payment Card Industry Council Urges Businesses to Take Precautions Against "Backoff" (August 27, 2014)

Adding its voice to those of the US Department of Homeland Security (DHS) and the Secret Service, the Payment Card Industry Security Standards Council has issued a bulletin urging its retailers to examine their security controls to protect their systems from point-of-sale (POS) malware known as "Backoff" that has already infected more than 1,000 company networks. Backoff, which can scrape memory from the systems used in payment card transactions, was used in the attack on Target's systems. The advisory encourages retailers to update their antivirus products and to change default passwords, as well as to examine logs for anomalous or suspicious activity. It also recommends that retailers use encryption.

[Editor's Note (Murray): The issue is not the brand of malware. There is general agreement that these attacks are exploiting remote access facilities that are not protected by strong authentication. It is a stretch to think that hundreds of thousands of merchants are going to fix this, particularly if we do not tell them what to do. Many of these remote access facilities are installed for the benefit of those who sold the point of sale system to the merchants. The merchants may not even know that they are there, much less that they are a vulnerability. ]

UK Information Commissioner Fines Ministry of Justice Over Unencrypted Prison Records (August 26 & 27, 2014)

The UK Information Commissioner's Office (ICO) has fined Ministry of Justice GBP 180,000 (US $298,500) for losing a device that contains unencrypted prison records. In May 2012, the Prison Service issued new hard drives with encryption capabilities to all 75 prisons in England and Wales. The ministry, for which this is a repeat offense, was reportedly unaware that disk encryption needed to be switched on. The missing device contained personal data about nearly 3,000 inmates. The data include health information, visitor information, and prisoners' links to organized crime.

"Google Dorking" Exposes Sensitive Information (August 27, 2014)

In July, the US Department of Homeland Security (DGS) issued a warning to police, security, and public safety officers of an activity it calls "Google Dorking," which leverages advanced search techniques in Google to uncover sensitive business data and vulnerabilities in their IT systems. By searching for certain file types and keywords, potential attackers can uncover login credentials, bank account information, and website vulnerabilities. While the searches can be seen as malicious, the DHS warning was aimed largely at urging the recipients to examine their own websites.

[Editor's Comment (Northcutt): That is 15 years behind the times. Moreover, this is better thought of as power searching using Google. However, here is the main site and I certainly concur with DHS, all organizations should run the dorks against their own sites.

Malware Advertising Attack Hits Popular Websites (August 27 & 28, 2014)

Several popular websites have been targeted by maliciously-crafted advertisements to infect site visitors' computers with malware. At least eight sites have been affected, including,, and The attacks took place between August 19 and August 22. Dutch security company Fox-IT detected the attacks, and noted that the sites themselves were not compromised; instead, the malicious redirection activity came from advertisements.



Netis Routers Have Backdoors with Hardcoded Passwords (August 27, 2014)

Researchers at Trend Micro say that hardcoded passwords in Netis routers sold by Netcore, a Chinese company, could be exploited to change router settings and run arbitrary code in the devices. The issue lies in an open UDP port listening at port 53413. The hardcoded password in the router firmware is the same in every device; there is not a way for users to disable or modify the configuration. The issue could be used in man-in-the-middle attacks. Researchers used ZMap to locate the vulnerable routers; most are in China.


Microsoft Reissues Dodgy Patch (August 27, 2014)

Microsoft has reissued a patch (MS14-045) that it pulled 10 days ago after reports that it was causing the blue screen of death in some cases. The patch addresses kernel vulnerabilities in 47 Microsoft systems; they could be exploited to expose information and allow privilege elevation. At the same time it pulled this bulletin, Microsoft also pulled three non-security updates, which have not yet been reissued.


Possible Dairy Queen Data Breach (August 26, 2014)

There are reports that ice cream and fast food chain Dairy Queen may be a recent target of thieves targeting payment card data. Financial institutions have said that they are seeing patterns of fraud on cards recently used at Dairy Queen stores. While the company initially denied that its systems were compromised, it also acknowledges that most locations are franchises and there are no company policies requiring the franchises to report braches to headquarters. Dairy Queen has now confirmed that it was contacted by the US Secret Service regarding the breach and is investigating along with authorities.
[Editor's Note (Murray): One can say "possible" about almost any restaurant or fast food chain. DQ is simply this week's most visible victim. Neither these chains or the consumers that frequent them should have to bear the risk of this broken system. Where are the regulators and legislators? How long does this have to continue before we conclude that the credit card brands and issuers are waiting for their competitors to move first? How long before consumers lose faith? ]


Obfuscated Javascript: Good or Evil

Firefox 32 To Introduce SSL Cert Pinning

Honeynet Project introduces "Beeswarm"

More Memory Scraping in PoS Devices

Google Chrome 37 Released

Synology Software Update

Point of Sales Devices and PCI


Netflix Releases Security Tools

New Free Windows Firewall / Network Monitoring Systems

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He s also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit