Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #34

May 01, 2015


US Legislators: Encryption Backdoors Undermine Security
Ryanair Investigating EURO 4.6 Million Electronic Bank Theft
SANS ICS Defense Use Case (DUC) 3: Analysis of recent claims suggesting a large number of Iranian ICS Cyber Attacks


Mumblehard Malware Affects Computers Running Linux and FreeBSD
Flaw Affects Trendnet and D-Link Routers
Rutgers University DDoS Under Investigation
Charges Dropped After Woman Changes Plea to Not Guilty in Case Involving Stingray
Pilots' iPad Glitch Delays American Airlines Flights
Chrome Password Alert Extension
Proof-of-Concept Exploit Skirts Password Alert
Romanian Authorities Make Arrests in ATM Fraud Case

************************* Sponsored By RSA ******************************
See Everything. Fear Nothing. Detect threats with complete visibility from the endpoint to the cloud with RSA Security Analytics 10.5. See it in action at the virtual launch event on May 6th. Learn more & register:


-Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials

-SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.

-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.

-SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.

-SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.

-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - and Evening (vLive - courses available!

-Multi-week Live SANS training
Mentor -

-Looking for training in your own community?
Community -

-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - Plus Melbourne, Bangkok, and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live:



US Legislators: Encryption Backdoors Undermine Security (28, 29, & 30 April, 2015)

A hearing at the House Government Oversight and Reform Committee's Information technology subcommittee saw heated discussion regarding encryption. Law enforcement officials argued that stronger encryption is aiding criminals and impeding their ability to gather evidence; they are concerned about encryption available on new smartphones. Legislators said that the FBI's request for mandatory encryption backdoors in smartphones would put all users of those devices at risk because they create vulnerabilities that could be exploited by criminals. Legislators pointed out that there is no way to create a backdoor that is accessible only to "good guys." Representative Ted Lieu (D-California) noted that the companies that are providing the stronger encryption are doing so in answer to demand from citizens who are fed up with having their fourth amendment rights violated.





[Editor's Note (Ullrich): I think the real sad part is that even 20 years after the death of the clipper chip, the US national security leadership is still sufficiently technologically challenged to believe a crypto backdoor is feasible.
(Murray): The government argued at the RSA Conference that they are not asking for "backdoors" but for "front doors" that can be opened only with a warrant. However, they still want to be able to open the door surreptitiously, without the knowledge of the citizen whose "persons, houses, papers, and effects" they intend to "search and seize."
(Weatherford): It astonishes me that we continue to have this conversation but at least there are a couple of Legislators asking the right questions. Dumbing down security by weakening encryption or providing backdoors to law enforcement will only make our security problems more difficult by providing bad guys new avenues to exploit. ]

Ryanair Investigating EURO 4.6 Million Electronic Bank Theft (April 29 & 30, 2015)

Ireland-based, low fare airline Ryanair was the target of an attack last week in which thieves stole EURO 4.6 million (US $5.15 million) from a company bank account. The money was sent to a bank account in China, and the funds have reportedly been frozen.


[Editor's Note (Murray): If the funds are "frozen" the theft is not yet successful. Forward wire transfers, like those on the S.W.I.F.T. network, and unlike those on the ACH network, are not normally reversible except in cases of "fraud." Mere assertion of fraud may be sufficient to freeze funds but not necessarily to get them back.
(Honan): Some newspaper reports claim that the theft was the result of a hack but Ryanair have issued no details on how the attack happened and indeed it was the result of a hack. If it was the result of a hack I would not be surprised if it was due to a spear phishing attack enabling criminals to gain access to key corporate PCs. ]

SANS ICS Defense Use Case (DUC) 3: Analysis of recent claims suggesting a large number of Iranian ICS Cyber Attacks (April 23, 2015)

The third Defense Use Case from the SANS ICS team is an analysis of the recent report from Norse and the American Enterprise Institute that makes claims of an increase in attacks against Industrial Control Systems. The DUC evaluates what can be learned from the Norse report while also taking the opportunity to illustrate what the cyber security community would typically deem to be a cyber attack on ICS. The DUC, available for .pdf download via the link below, is our best understanding of information that is publicly available.
[Editor's Note (Assante): Some of the activity noted in the analyzed report may actually be the initial stage of future intrusion attempts. In this DUC we review the data and offer more specificity in our definitions and explanation of an ICS attack. It is important to consider all the steps an attacker will take when conducting an intrusion or attacking an ICS for a desired effect. Better understanding of what actually constitutes an attack of an ICS provides opportunities to best position defenses and prepare an effective response. ]

**************************** SPONSORED LINKS ******************************
1) Threat Intelligence: Going from Theory to Practice: Friday, May 15 at 1:00 PM EDT (17:00:00 UTC) with Dave Shackleford and Andy Manoske.

2) Protecting the Things, Including the Ones You Already Have (and don't know about). Monday, May 18 at 1:00 PM EDT (17:00:00 UTC) with Tom Byrnes and Johannes Ullrich.

3) What IS and ISN'T working in Incident Response? Take 2015 Survey & Enter to Win a $400 Amazon Gift Card!


Mumblehard Malware Affects Computers Running Linux and FreeBSD (April 30, 2015)

Malware known as Mumblehard has infected machines running Linux and FreeBSD operating systems, making them participate in a botnet responsible for sending spam. Mumblehard is believed to have been around for five years, and the majority of infected machines are used to run websites.

Flaw Affects Trendnet and D-Link Routers (April 28, 29 & 30, 2015)

A vulnerability in Trendnet and D-Link routers could be exploited to execute code remotely with root privileges. The flaw lies in a firmware component in the Realtek software development kit (SDK) for RTL81xx chipsets.



[Editor's Note (Ullrich): These type of home routers have done a lot to improve home user network security. But the total disregard of manufacturers for security testing and software security in general turns them more and more against the user. In addition, a short support life-span results in many deployed vulnerable devices without a chance for a patch. ]

Rutgers University DDoS Under Investigation (April 30, 2015)

The FBI is investigating distributed denial-of-service (DDoS) attacks that have targeting systems/the network at Rutgers University in New Jersey. The attacks affected the school's Wi-Fi and email and contingency plans are being made for online exams.


[Editor's Note (Honan): Given the prevalence of DDoS attacks it is time for organisations to include these type of attacks, and indeed other cyber-attacks, as part of their Business Continuity Planning and implement controls to mitigate and to provide resilience in the event of an attack. ]

Charges Dropped After Woman Changes Plea to Not Guilty in Case Involving Stingray (April 29, 2015)

A Missouri woman who initially pleaded guilty to charges stemming from her alleged role in a robbery changed her plea to not guilty after learning that the charges against her co-defendants were dropped after it became known that cell site simulation technology known as Stingray was used in the case. While a spokesperson for the St. Louis Circuit Attorney's Office has denied that the charges were dropped because of the use of Stingray, federal authorities have urged state and local law enforcement to drop charges in cases rather than be put on the spot of having to provide testimony about their use of the technology.

Pilots' iPad Glitch Delays American Airlines Flights (April 29, 2015)

An app on iPads used by American Airlines pilots caused the devices to crash, delaying several dozen flights on April 28. The trouble is being blamed on "a faulty iPad navigation app." American Airlines was the first commercial carrier airline to adopt digital flight bags, discontinuing the use of paper navigation charts in 2013.


[Editor's Note (Assante): Applications necessary for flight should be near the top of the list for American Airlines business impact assessments. It appears that wireless access to the Internet is necessary to recover the app and to obtain the proper navigation charts. Airline planners should include scenarios of mass application corruption, tablet attacks, and data poisoning in their next round of cyber defense exercises. (Weatherford): Fortunately in this case it was only an "Availability" problem. An "Integrity" problem would be an entirely different story. ]

Chrome Password Alert Extension (April 29, 2015)

Google has added an extension to Chrome that warns people when they use their Google password on other sites. Password Alert aims to help thwart phishing attacks and forces users into having different passwords for other sites. Password Alert does not check to see whether the site is malicious - only whether the same password is being used.





Proof-of-Concept Exploit Skirts Password Alert (April 30, 2015)

Less than 24 hours after Google announced the Password Alert extension, a proof-of-concept exploit to circumvent it has been released.

[Editor's Note (Murray): "Ars fully trusts the researcher,..." not to do what? Not to publish the exploit code that they just published. I expected better of Ars Technica. ]

Romanian Authorities Make Arrests in ATM Fraud Case (April 28, 2015)

Authorities in Romania have arrested 25 people in connection with a cyber crime organization allegedly responsible for US $15 million in fraudulent withdrawals. The scheme involved more than 34,000 transactions in 24 countries. The thieves stole payment card information, raised the withdrawal limits on those accounts, and made withdrawals from ATMs around the world.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit