OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #70

September 02, 2014

Three key courses for cybersecurity career preparation now available free for colleges and high schools and their students.

With a $1.3 million grant from the SANS Institute, CyberAces is releasing the three foundation courses required for cybersecurity (Networking, Operating Systems, and Secure System Administration) for open, no-cost on-line use by high schools, colleges, and their students. You cannot be good at technical (highly paid) roles in cybersecurity without mastering the skills covered in these courses. SANS top instructors (led by Ed Skoudis) built them. The on-line courses are accompanied by periodic on-line national quizzes that enable each student to see where s/he stands relative to all others who are taking (and have taken) these courses. More than 10,500 people used earlier versions of the courses; top scorers in past years were recognized by their state governors and two dozen earned $25,000 scholarships funded by SANS and NSF. By providing funds to make these courses more widely available at no cost, we at SANS hope to accelerate the flow of talented people into the field. See cyberaces.org for details and access.



Apple Patches Flaw in Find My iPhone
Watering Hole Attack Targets Industrial Software Company Website Visitors
Phishing Attack Targets Norwegian Oil and Gas Industry


Mozilla Stepping Up Security in Wake of Two Data Exposure Incidents
College Professor Clarifies Medical Center Data Exposure Story
Syrian Malware Team Using BlackWorm Remote Access Trojan
CryptoWall More Prolific Than CryptoLocker
Man Pleads Guilty to DoS Attack on Metropolitan Police Website
US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

************************* Sponsored By SANS *****************************
Secure your Database Data without touching the code, featuring Dave Shackleford Tuesday, September 16, Special Time of 3 PM EDT.


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.

--Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.

--SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.

--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.

--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza

--SANS London 2014 | London, UK | November 15-24, 2014 16 courses.

--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!

--Multi-week Live SANS training
Contact mentor@sans.org

--Looking for training in your own community?

--Save on On-Demand training (30 full courses) - See samples at

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org



Apple Patches Flaw in Find My iPhone (September 1 & 2, 2014)

Apple has fixed a vulnerability in its Find My iPhone service that was reportedly exploited to steal personal photos of celebrities from iCloud accounts. A proof-of-concept brute force password exploit for AppleID was posted to the Internet shortly before the photo thefts.

[Editor's Note (Murray): Apple continues to have fewer reported problems and more timely response than the industry as a whole. This vulnerability requires physical possession to fully exploit and demonstrates the difficulty of designing and testing mechanisms for exceptional conditions.
(Honan): If, as many reports suggest, this breach was due to poor passwords on behalf of those affected then we as an industry need to focus on ourselves and not the users. If we cannot built security solutions into our services and systems so that it is transparent and easy for people to understand and use then we will continue to hear these type of tales. ]

Watering Hole Attack Targets Industrial Software Company Website Visitors (September 1, 2014)

A watering hole attack on the website of an unnamed industrial software company used reconnaissance malware to gather information about site visitors, possibly for use in future attacks. Most watering hole attacks attempt to infect site visitors' computers with malware. The tool used in this attack gathers information about site visitors' browsers, IP address, operating system, as well as what security programs are being used. The reconnaissance tool has been named Scanbox and was detected by AlienVault Labs.


Phishing Attack Targets Norwegian Oil and Gas Industry (August 27 & 31, 2014)

Norway's oil and gas industry has been targeted in a coordinated attack that has targeted computers at as many as 300 companies in that industry there. Fifty of those companies are known to have suffered attacks; the National Security Authority Norway (NSM) is warning the other 250. Phishing emails targeted "key functions and key personal" at the companies; if the recipients opened the attachment, their computer became infected with malware that checks for vulnerabilities in the systems.

**************************** SPONSORED LINKS ******************************
1) Are insiders and electronic health records still top concerns among health care orgs? Take 2nd SANS Health Care Security Survey and enter to win an iPad. http://www.sans.org/info/166755

2) How to Detect System Compromise & Data Exfiltration Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC) with Tom DAquino. http://www.sans.org/info/166760

3) Get Smart: Consuming Threat Intelligence to Advance your Cyber Security Program Thursday, September 04 at 2:00 PM EDT (18:00:00 UTC) with Harry Sverdlove and Dave Shackleford. http://www.sans.org/info/166765


Mozilla Stepping Up Security in Wake of Two Data Exposure Incidents (August 30, 2014)

Following a pair of incidents earlier this year that exposed the personal data of people who use the Mozilla Developer Network and the Bugzilla testing system data, Mozilla is taking steps to ensure that the data are more secure. One of the incidents is believed to have occurred when the Bugzilla bug tracking platform exposed user data, including encrypted passwords, exposed for about three months. This happened during a migration of a testing server with a database dump. Mozilla's testing process will no longer include database dumps.

College Professor Clarifies Medical Center Data Exposure Story (August 29, 2014)

A City College San Francisco professor who was described in reports as having demonstrated to a class how to break into a medical center's server has clarified his actions. Sam Bowne says he found sensitive information exposed on the Internet when he conducted a Google search, which turned up an open FTP server containing medical data. Bowne also said that he was not teaching a class when this occurred and that he did not demonstrate the activity. After discovering that the information was accessible through a search, Bowne sent emails to people responsible for the server, telling them what he found, which included evidence that the server had been compromised, that data had been added, and that data had been copied by FTP search engines.

[Editor's Note (Murray): "Ethical" describes behavior, not motive. The lessons here for those who intend to be seen as "ethical" hackers include do not work alone and have a letter of agreement with the owners of target systems. This leak, like many documented in the Verizon Data Breach Incident Report (DBIR), was from an "orphan" server. The lesson for security people is maintain control over your data. ]

Syrian Malware Team Using BlackWorm Remote Access Trojan (August 29, 2014)

The Syrian Malware team, a group with alleged ties to the Syrian Electric Army, is believed to be using the BlackWorm remote access Trojan in attacks on communications websites. The newest variant of BlackWorm, known as the Dark Edition, includes new features such as the ability to bypass user account control, disable firewalls, and spread through network shares. Researchers at FireEye detected the attacks.


CryptoWall More Prolific Than CryptoLocker (August 29, 2014)

Analysis from Dell SecureWorks Counter Threat Unit shows that CryptoWall ransomware has passed infection rates of its relative, CryptoLocker. In just five months, CryptoWall infected an estimated 625,000 computers around the world, collecting more than US $1.1 million in ransom.

Man Pleads Guilty to DoS Attack on Metropolitan Police Website (August 29, 2014)

A 19-year-old UK man has pleaded guilty to charges of impairing a computer for launching a denial-of-service (DoS) attack against the Metropolitan Police's website in August 2013, which caused the site to crash. Jordan Jones launched the attack from a computer in his home.


US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network (September 1, 2014)

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target's location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work.

[Editor's Note (Murray): The issue here is not so much the technology as the secrecy and deception surrounding its funding, acquisition, and use, not to say misuse and abuse. In her book, Licensed to Lie, author Sydney Powell documents a pattern of Federal prosecutors lying to courts about illegal investigations and hiding of exculpatory evidence. ]

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/