SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #49

June 23, 2015


Polish Airline LOT Flights Cancelled Due to Cyber Attack
Vulnerable Flight Plan Protocol Widely Used
NSA and GCHQ Sought to Reverse Engineer Security Software


OPM: Attackers Had Access to OPM Database for a Year
OPM: Fraud Protection Service Security Concerns
OPM: Breach Affected Two Different Systems
Competition Aims to Identify Cyber Security Talent with $30,000 Scholarships
Pentagon May Hold IT Users More Accountable for Cyber Security
eBay Patches Vulnerabilities in Magento
Flaw in Google Analyticator WordPress Plugin Fixed
The Dark Side of Proxy Servers
HP Releases Proof-of-Concept Code for Unpatched IE Flaw
European Police Aim to Take Down Social Media Accounts Linked to IS
************************** Sponsored By RSA *****************************
The RSA Incident Response Team made a recent malware discovery known as PNGRAT that retrieves its download instructions from Microsoft's Technet website. This technique of leveraging a trusted site to evade blocking has been referenced in recent reports about the "APT17" group. This blog describes how PNGRAT can be tracked with RSA Security Analytics.


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.

- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.

- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.

- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!

- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole, the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.

- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.

- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast) and Evening (vLive) courses available!

- -Multi-week Live SANS training (Mentor)

- -Looking for training in your own community? (Community)

- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - Plus Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:
Polish Airline LOT Flights Cancelled Due to Cyber Attack (June 22, 2015)

Polish airline LOT cancelled 10 flights from Chopin Airport in Warsaw on Sunday, June 21, after a cyber attack made it impossible to file flight plans. Another dozen flights were delayed. In all, the attack on the ground computer system affected 1,400 passengers. The issue was fixed after five hours.
[Editor's Note (Henry): There have been multiple reports on this. A spokesperson for the airline said it was a Denial of Service attack, which is in contrast to "vulnerable flight plan protocols" identified by other media outlets. The DoS is easier to address than an actual breach within their system, though it is still a vulnerability impacting their operations. ]

Vulnerable Flight Plan Protocol Widely Used (June 22, 2015)

The flight plan delivery protocol is used by virtually every airline. It does not require authentication. Earlier this month, United Airlines flights in the US were grounded for an hour; the airline did not offer many details, but the issue was reportedly with incorrect flight plans being sent to pilots.
[Editor's Note (Skoudis): I'm sure at the time of initial deployment, an unauthenticated protocol seemed fine. Today, that's certainly not the case. Security engineers and architects should look through their environments to find unauthenticated protocols in systems under their care. Decide whether each is acceptable, and whether you need better accountability and auditability. You probably do. For this specific instance, I hope engineers are scrambling, looking at how to retrofit it in. As a last ditch effort, perhaps IPSec can help.
(Murray): The network environment is often more hostile than the (paper) environment in which the application was formerly done. It is a rare network application that does not require (strong) authentication. ]

NSA and GCHQ Sought to Reverse Engineer Security Software (June 22, 2015)

According to a recent report in The Intercept, intelligence agencies in the US and UK made efforts to reverse engineer antivirus and security software, as it hindered their secret investigations. The report is based on documents leaked from the NSA. It appears that the agency and GCHQ focused their efforts on companies including Kaspersky Lab, F-Secure, Avast, Eset, BitDefender, and Check Point.


[Editor's Note (Skoudis): Analyzing how to bypass or evade an adversary's defenses is commonplace. Heck, if they didn't do this, it would have been malpractice on their part!
(Pescatore): Penetration of good guy systems, and reverse engineering of good guy security software can be a very good thing - if it leads to *improving* the security of those systems by having the offense *inform* the defense. However, having the offense *undermine* the defense is always a bad thing and is why national policy that combines the responsibility for cyber offense and defense has proven a failure.
(Paller): John Pescatore may be correct that the stresses created by having a single agency oversee both offense and defense have led to many failures. However, for the next decade at least, the shortage of very-highly-skilled vulnerability analysts (for mobile and IoT as well as for traditional IT systems) in the United States could well lead to both offense and defense being underskilled if one tried to separate the offense and defense. Even when the pipeline is producing sufficient skills, a careful analysis of the Israeli approach to combining offense and defense may illuminate a path forward that works better than separating the two. ]

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know:

2) On-demand Webinar: Improve Data protection with User Activity Monitoring.

3) June 25 at 1:00 PM EST: Hear results of the 3rd annual State of Security in Control Systems Survey.


OPM: Attackers Had Access to OPM Database for a Year (June 18 & 20, 2015)

According to a report in The Washington Post, the attackers who breached the security of a database at the US Office of Personnel Management (OPM) had access to the data for at least a year. The database holds information gathered for national security clearances.


[Editor's Note (Pescatore): The most recent OMB FISMA report card claimed that OPM achieved a 97% score in continuous monitoring in FY13 and FY14, well above the average for the federal government as a whole. I guess the missing 3% were the mission critical, high value targets. Dark humor: the folks at Target are probably happy that all future security presentations will find/replace Target with OPM.
(Paller): OMB is not measuring continuous monitoring and mitigation. They are measuring a precursor. They are asking, "have you purchased sensor systems that you may one day use" rather than what is needed: "have you deployed a monitoring system that uses the sensors to find problems and a continuous mitigation system that systematically eliminates those problems as they are discovered." In other words, OMB never asked OPM to set up a CDM system - only to prepare to do so. OMB couldn't ask for rapid improvement because of financial shortages. OMB continues to force agencies to spend $500 million each year writing reports that admire the problems rather than fix the problems. If you are still with me and want to know how OMB "forces report writing," it is through a specific sentence in OMB A130 through which auditors (and consultants) force agencies to try to comply with NIST guidance. There are more than 12,000 pages of that guidance, and no agency, not even NIST or OMB, complies with it. Instead agencies write long reports about their problems - reports that are never read, but are demanded by auditors in a futile attempt to comply with OMB A130's flawed language. ]

OPM: Fraud Protection Service Security Concerns (June 19, 2015)

People whose personal information was compromised have complained that they have been required to provide sensitive personal information to the company that will provide fraud protection services to verify their identities. And there appears to be some question about whether or not this information is being or will be shared.

OPM: Breach Affected Two Different Systems (June 22, 2015)

Two different systems were breached at OPM: the Electronic Official Personnel Folder system and the central database for EPIC, the software suite that OPM's Federal Investigative Service uses to gather information for employee background investigations.

Competition Aims to Identify Cyber Security Talent with $30,000 Scholarships (June 19, 2015)

The SANS Institute's Cyber Aptitude Assessment competition offers top performers scholarships to the SANS Cyber Academy, an eight-week cyber security training boot camp. The assessment consists of roughly 40 questions that competitors will have 45 minutes to answer.
Pentagon May Hold IT Users More Accountable for Cyber Security (June 18, 2015)

DOD CIO Terry Halvorsen said that there are few if any consequences for users whose online behavior creates security problems for DOD systems. Halvorsen said that the Pentagon plans to start holding IT users and their commanders more responsible for violating cyber security rules.

[Editor's Note (Henry): Leadership and Accountability. Yes, two necessary requirements for changing behavior. Thank you.
(Pescatore): Halvorsen mentioned some needed improvements in how the DoD attempts to increase user awareness of potential security problems, but most of what he focused on (rightly so) were IT governance/admin issues, not user actions. Example: he noted that DoD has spent a lot of money on CAC smart cards that industry doesn't use, and most DoD systems still use reusable passwords. Yelling at users who fail to close balsa wood doors rarely accomplishes much.
(Northcutt): The article has the key words training and testing. I think this is a good idea. People that violate security policy are a danger to themselves and others. This video is an oldie, but goody, Dr. Eric Cole talks about the triad of policy, training and awareness:

eBay Patches Vulnerabilities in Magento (June 22, 2015)

eBay has fixed a trio of vulnerabilities in its e-commerce system, Magento. The flaws could be exploited to hijack sessions and launch man-in-the-middle attacks.

[Editor's Note (Murray): eBay is an "Internet" enterprise. It must be held to a higher standard than "bricks and mortar" merchants. ]

Flaw in Google Analyticator WordPress Plugin Fixed (June 22, 2015)

A flaw in the Google Analyticator WordPress plugin that could be exploited to allow cross-site request forgery (CSRF) has been fixed. The plugin allows users to view Google Analytics in the WordPress dashboard and has been downloaded more than 3.5 million times. The security issue lies in the plugin's cache settings.

The Dark Side of Proxy Servers (June 22, 2015)

One researcher tested nearly 450 open web proxies and found that 79 percent forced users to load pages in HTTP, or unencrypted, mode, which means that the proxy owners could view the traffic in plain text. In addition, 16 percent of the proxy servers were found to be injecting ads into the content.

HP Releases Proof-of-Concept Code for Unpatched IE Flaw (June 22, 2015)

HP has released proof-of-concept code for an unpatched vulnerability in Internet Explorer (IE) that can be exploited to bypass Address Space Layout Randomization (ASLR) on 32-bit systems. HP said the decision to publish the code was made in accordance with its disclosure policy. HP notified Microsoft of the vulnerability but Microsoft decided not to issue a patch for it.


European Police Aim to Take Down Social Media Accounts Linked to IS (June 22, 2015)

Police across Europe will soon be working together to find and block social media accounts with ties to the Islamic State. Europol will also be working with the social media sites themselves, with the goal of shutting down identified accounts within two hours of when they are set up.
[Editor's Note (Murray): Which is, of course, why real hackers use compromised systems for proxies. ]


Large SMTP Brute Force Login Attempts

TOR Exit Nodes "Listening In"

MOVfuscator Obfuscation Tool

Ubuntu Privilege Escalation Vulnerability Patched Last Week

Side Channel Attacks Against Crypto Keys


Stephen Northcutt just received a copy of The Florentine Deception by Carey Nachenberg (Chief engineer at Symantec, one of the inventors of Norton Antivirus). It is a great read, a real thriller. I finished it and my wife has run off with it. The foreword is by Dr. Gene Spafford, one of my role models in the field. It is technically accurate and it serves as an awareness guide to the world we deal with daily. The icing on the cake is that Carey donates a portion of the proceeds to charity and he is willing to add five dollars to the donations for SANS-generated purchases to help veterans. Buy the book, read it, and tweet with hashtag #FlorentineDeception4SANS.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit