Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #50

June 26, 2015


OPM: Systems Lacked Logs
OPM: Security Measures Improperly Managed


Cisco Issues Fix for Hardcoded SSH Key Issue
Samsung Disables Microsoft Update
BlackShades Co-Creator Sentenced to Prison
Call Center Customer Data Breached
Google Removes Eavesdropping Extension from Chromium
Dyre an Emerging Threat
New Zealand Aircraft Grounded for Two Hours Due to Radar System Outage
Emergency Patch for Adobe Flash
Some US Navy Workstations Still Running Windows XP
LOT Airline Grounding Due to DDoS





******************** Sponsored By AlienVault ***************************
Don't Miss: How to Detect SQL Injection & XSS Attacks with AlienVault USM. Wednesday, July 15 at 1:00 PM EDT (17:00:00 UTC) featuring Mark Allen and Bjorn Hovd. Join us for this demo to learn more about how these attacks work and how AlienVault USM gives you the built-in intelligence you need to spot trouble quickly.


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.

- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.

- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.

- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!

- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.

- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.

- -Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - and Evening
(vLive - courses available!

- -Multi-week Live SANS training
Mentor -

- -Looking for training in your own community?
Community -

- -Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials -

Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.

For a list of all upcoming events, on-line and live:



OPM: Systems Lacked Logs (June 25, 2015)

Investigators say it is difficult to assess the breadth and depth of the attack on OPM's systems and those of its contractors because the agency and the contractors lacked adequate computer logs. The breaches also occurred on the systems of KeyPoint Government Solutions and USIS.

[Editor's Note (Murray): No matter how fast or far the cost of storage falls, IT management continues to believe that it is too dear to use for logs. While the value of logs for forensic purposes is undeniable, Agency leadership does not insist upon them because they might provide unwanted transparency and accountability. ]

OPM: Security Measures Improperly Managed (June 24, 2015)

According to the Office of Personnel Management's (OPM's) inspector general, steps the agency was taking to improve the security of its computer systems actually put the systems at greater risk. Someone at OPM decided that the agency's systems needed security management software, but did not choose approved software and did not seek appropriate approval for the acquisition. The software was installed in April, but works on only some of the systems. IG issued a flash audit alert, which was directed to OPM leaders to draw attention to the seriousness of the situation.


[Editor's Note (Pescatore): I don't fault OPM for trying to move quickly after finding out they were compromised, but their after-incident action seems to be as badly misdirected as their pre-incident actions. The most recent OMB FISMA score card had OPM claiming to have 97% of their assets under continuous monitoring. If true, they were obviously monitoring the door to the attic while thieves went in and out the front door. ]

**************************** SPONSORED LINKS ******************************
1) In Case You Missed It: The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era - with Icaro Vazquez and David Hoelzer.

2) New Whitepaper in the SANS Reading Room: Six Steps to Stronger Security for SMBs An Analyst Program whitepaper by Dr. Eric Cole describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.

3) In Case You Missed This Webcast: An updated look at security in our financial institutions:


Cisco Issues Fix for Hardcoded SSH Key Issue (June 25 & 26, 2015)

Cisco has pushed out a fix for several security appliances that shipped with hard-coded SSH keys. Cisco's Web Security Virtual Appliance, Email Security Virtual Appliance, and Security Management Virtual Appliance had default keys for remote support access. Versions of those products downloaded before Thursday, June 25, are vulnerable. The fix deletes preinstalled keys. Storm Center:



[Editor's Note (Pescatore): The bad news is there was a big hole in Cisco's security QA process enabling multiple products to ship with hardcoded SSH keys installed. The good news is Cisco's internal security testing found the problem first and better news will be when Cisco fixes the seriously broken process that allow the products to ship. ]

Samsung Disables Microsoft Update (June 24 & 25, 2015)

Microsoft has issued a statement "condemning" Samsung's decision to download software that keeps Windows Update from updating in the background on Samsung devices. Samsung maintains that it is simply giving its users "the option to choose if and when they want to update the Windows software on their products."



[Editor's Note (Pescatore): What Samsung did is wrong. But instead of dueling press statements, I'd rather see Microsoft work with the big PC hardware vendors to end this problem of Windows update trashing various drivers. Windows Update has progressed to its own form of bloatware - installing system tray icons to drive adoption of Windows 10, for example.
(Honan): This move by Samsung is bad on so many levels. Undermining the security architecture of an operating system to enable remote support for bespoke hardware drivers is not the way to address the problem. It also raises the question if Samsung can disable the Windows Update service how long will it be before criminals are using the same techniques. ]

BlackShades Purveyor Sentenced to Prison (June 23 & 25, 2015)

Alex Yucel has been sentenced to 57 months in US prison for selling the BlackShades remote access Trojan (RAT). Michael Hogue, who was also involved in distributing BlackShades, has pleaded guilty and has not yet been sentenced. Three other people associated with BlackShades have received prison sentences of between one and two years. BlackShades allegedly made its way onto more than half a million computers in 100 countries. People who bought BlackShades used it for a variety of purposes, including spying on people through their webcams, stealing personal data, and locking up computers and demanding ransom.


Call Center Customer Data Breached (June 25, 2015)

A computer tech support call center, Advanced Tech Support, has acknowledged that customer data have been misused. Some customers have reported receiving calls that appear to come from Advanced Tech Support; the callers tell the customers that they are eligible for refunds and must allow remote access to their computers. A notice on the company's website said that it "believes it has found the culprit and terminated the responsible party." Last year, the US Federal Trade Commission (FTC) sued Advanced Tech Support and several other companies for allegedly tricking callers into buying phony, overpriced support services and unnecessary software.

Google Removes Eavesdropping Extension from Chromium (June 24 & 25, 2015)

Google has removed an extension from its Chromium open source browser that allowed it to continuously listen to the computer's microphone. The extension is called Chrome Hotword and provides functionality for "OK, Google," which lets users search Google verbally.

Dyre an Emerging Threat (June 24 & 25, 2015)

According to a report from Symantec, criminals are using Dyre malware to target users of more than 1,000 banks. Calling Dyre an "emerging threat" in the financial fraud landscape, Symantec noted that its use increased significantly following the takedowns of other malware networks, like ZeuS. Dyre has close to 300 command-and-control servers operating largely in Russia and Ukraine; the attacks are focused on computers in other European countries.



[Editor's Note (Northcutt): The Symantec report referenced here is well written, clearly researched, and is not sensational. It answers the awareness program question, "what is in it for me", since it is the individual bank account that is targeted. I just wish that early in the document they would have included a couple of examples of the most successful spam emails. ]

New Zealand Aircraft Grounded for Two Hours Due to Radar System Outage (June 24, 2015)

All aircraft in New Zealand were grounded for two hours on Tuesday, June 23 after a radar system failed. The outage kept 200 flights from taking off, and air traffic controllers had to use radio systems to land the planes that were in the air when the system went out. Airways New Zealand COO Pauline Lamb said the problem was caused by equipment failure that prevented data from being sent to air traffic controllers.


Emergency Patch for Adobe Flash (June 23 & 24, 2015)

Adobe has released an emergency fix for a critical flaw in its Flash Player browser plugin that is being actively exploited in "limited, targeted attacks." The most up-to-date version of Flash is now for Windows and Mac and for Linux.


[Editor's Note (Murray): Our continued tolerance for Flash raises the question of whether or not we are serious about infrastructure security and resilience. ]

Some US Navy Workstations Still Running Windows XP (June 23, 2015)

The US Navy is still running Windows XP on some of its computers, paying Microsoft millions of dollars in fees to support the retired operating system. The Space and Naval Warfare Systems Command signed a US $9.1 million contract for continued support for Windows XP, Office 2003, Exchange 2003, and Windows Server 2003. The Navy began transitioning to newer operating systems two years ago, but as of last month still had 100,000 workstations running XP and other, outdated software.

[Editor's Note (Assante): Don't be so fast to judge as much of our critical infrastructure and industrial-base continues to run on Windows XP. The good news here is the Navy has planned to receive the necessary support to manage their growing risk. The Navy relies upon a host of industrial control systems for their ships and bases and has begun developing dedicated security programs, new architectures, and capabilities.
(Pescatore): From a security perspective, this is a "plane landed safely" story. The Navy did the right thing and paid for custom support. From a taxpayer perspective, it was a bad IT governance decision to stay on XP. From a security perspective, business said "we have to stay," security side said "it will cost $9M to manage residual risks" and the business side ponied up. When it works right, that is how it goes. ]

LOT Airline Grounding Due to DDoS (June 23, 2015)

Polish airline LOT says that the computer problems that grounded its flights over the weekend were due to a distributed denial-of-service (DDoS) attack that prevented flight plans from being delivered on time.

[Editor's Note (Murray): To date, most attacks against infrastructure have been isolated, rather than coordinated, denial of service attacks. While mitigation services are available, they remain expensive and many organizations continue to prefer to just wait them out. It remains to be seen whether or not a well planned and resourceful attack could deny most of the internet service. However, both the Morris Worm and Code Red attacks suggests that it might. We should be taking advantage of the falling cost of hardware to over provision our networks. (To paraphrase Parkinson, traffic will expand to fill the capacity available to carry it.) ]


Exploiting Cookie/Get Parameter Confusion in Web Applications

ESET Nod32 Antirvirus Remote Code Execution

AngularJS Expression Security Internals

Using Powershell to Audit User Accounts

Wind River VXWorks TCP Predictable Initial Sequence Numbers

June 30th DNSSEC Day In Germany

XOR DDOS Trojan Trouble

Spiceworks Social Login Fail

Facebook Extending Free osquery Tool to Detect XARA Exploits


Back in January 2002, then Microsoft CEO Bill Gates sent one of his annual all-hands emails to all Microsoft employees. This was after the Code Red and Nimda worms had brought down thousands of corporate networks by exploiting continuing streams of vulnerabilities in Windows and Gates recognized Microsoft had to change and focus on what he called "Trustworthy Computing." The part of his email I liked the best was this: "So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

That memo really did change the direction of Microsoft, and they made huge progress over the past 13 years - and like all software vendors, much more progress can and should be made to make computing safer for users and businesses.

In February 2014 Satya Nadella became CEO of Microsoft, replacing Steve Ballmer. Nadella has put out two all-hands emails to Microsoft employees that have been made public. The first one in July 2014 mentioned security only 8 times, starting with "And we will strike the right balance between using data to create intelligent, personal experiences, while maintaining security and privacy." The needle seemed to be tilting away from security-first and back towards features-first.

This week Nadella sent out another email across Microsoft. There was no mention of security or privacy or trust, not once.

Microsoft has to change and innovate to compete in an IT world where Google and Amazon and Apple are leading the way, but losing that focus on security first should NOT be part of that strategy. All vendors have to listen to their customers - make sure you are telling Microsoft (and every other vendor) you still want them to Choose Security - focus on safety and security and only ship features that are safer and more secure than the previous generation, since the attackers are not standing still.

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit