Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #23

March 21, 2017


FBI and NSA Warn That Russia Will Likely Target US Elections in 2018, 2020
US-CERT Warns of Dangers of httpS Inspection Tools
Cisco Discloses Flaw Leaked in Vault 7


James Lyne on ICS Security and Ransomware
Atlassian Makes Struts Patches Available
Git Moving in Direction of Replacing SHA-1
Mozilla Fixes Critical Flaw in Firefox in Less Than a Day
Man Arrested for Allegedly Sending Seizure-Inducing Tweet
Minnesota Police Obtain Warrant Asking Google to Identify People Who Searched for Man's Name
Bill Would Designate Election Systems as Critical Infrastructure
Reasons for Microsoft's Patch Delay Still Vague
UK Inter-ACE Cybersecurity Challenge



*************************** Sponsored By Sophos Inc. ********************
Botnet attacks can cause severe disruption. Organizations are being targeted with bespoke malware to compromise networks and add their servers and devices to malicious botnets. Visit our Botnets hub page and learn how to stay protected so your organization doesn't become part of the net Botnet. Learn More:


-- SANS 2017 | Orlando, FL | April 7-14 |

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 |

-- SANS Baltimore Spring 2017 | April 24-29 |

-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 |

-- SANS Security West 2017 | San Diego, CA | May 9-18 |

-- SANS San Francisco Summer 2017 | June 5-10 |

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand -
vLive -

-- Single Course Training
SANS Mentor
Community SANS
View the full SANS course catalog



FBI and NSA Warn That Russia Will Likely Target US Elections in 2018, 2020 (March 20, 2017)

Testifying before the US House Intelligence Committee Committee, FBI Director James Comey and NSA Director Michael Rogers cautioned that Russia is likely to interfere in US elections in 2018 and 2020 because of its success interfering in the 2016 presidential election. The FBI and the NSA are working with European counterparts to help prevent Russian interference in elections there.

Read more in:

Computerworld: Russia will strike U.S. elections again, FBI warns
CyberScoop: FBI Director: U.S. should expect Russian interference in 2018, 2020 elections

US-CERT Warns of Dangers of httpS Inspection Tools (March 16 & 17, 2017)

The US Department of Homeland Security's (DHS's) US-CERT has issued an alert warning that httpS interception can weaken TLS security. Some httpS inspection tools fail to properly validate certificates, potentially exposing users to man-in-the-middle attacks.

[Editor Comments]

[Neely] Implementation of httpS inspection must include validation of the certificates prior to re-encryption as well as distribution of the intermediate CA public key to users so you are neither training them to accept certificates inappropriately nor raising the trust level for sites inappropriately. With httpS becoming the norm for web sites, httpS inspection can provide the visibility necessary to continue to protect users online. The alternative is to depend on endpoint controls.

Read more in:

Computerworld: US-Cert: Some
httpS inspection tools could weaken security
Dark Reading: US-CERT Warns That httpS Inspection Tools Weaken TLS
US-CERT: Alert: httpS Interception Weakens TLS Security

Cisco Discloses Flaw Leaked in Vault 7 (March 19 & 20, 2017)

Cisco has disclosed a vulnerability that affects more than 300 of its switches. The flaw could be exploited to remotely take control of vulnerable devices. No fix is currently available; Cisco plans to develop patches. The issue lies in Cisco Cluster Management Protocol processing code in its IOS and IOS XE software. Cisco uncovered the issue during its own "analysis of documents related to the Vault 7 disclosure."

[Editor Comments]

[Murray] I fail to see the good in talking about a vulnerability for which one does not have a fix or a work-around. What am I missing?

[Williams] The leaked documents offer insight into the mindset and tradecraft of nation state hackers, but this Cisco vulnerability specifically offers never before seen insight into the Vulnerabilities Equities Process (VEP0. If a vulnerability this serious and widespread wasn't disclosed through the VEP, one must wonder exactly how high the bar is for disclosure.

Read more in:

The Register: Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump
Ars Technica: A simple command allows the CIA to commandeer 318 models of Cisco switches
V3: Cisco issues warning over telnet zero-day flaw in 300 switch products
ThreatPost: Cisco Warns of Critical Vulnerability Revealed in 'Vault 7' Data Dump
Cisco Advisory: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
*************************** SPONSORED LINKS *****************************
1) Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now:
2) Why is the US NIST Cybersecurity Framework being quickly adopted around the globe? Learn More:
3) Don't Miss: Forensic State Analysis: A New Approach to Threat Hunting - with Alyssa Torres. Register:


James Lyne on ICS Security and Ransomware (March 15, 2017)

James Lyne talks with NBC's Tom Costello about the preponderance of unprotected industrial control systems in the US and the growing threat of ransomware.

Read more in:

Today: US infrastructure is at 'red alert' for hacking, expert says
Sophos: US infrastructure is at 'red alert' for hacking, James Lyne warns on the Today Show

Atlassian Makes Struts Patches Available (March 20, 2017)

Atlassian has made available patches for the Apache Struts 2 vulnerability. Fixes are available for Atlassian's Bamboo, Crowd, and HipChat Server products. Atlassian has already patched its cloud services.

Read more in:

The Register: Atlassian admins, your Struts 2 patch has landed
Atlassian: Bamboo, Crowd, and HipChat Server - Critical Security Advisory

Git Moving in Direction of Replacing SHA-1 (March 20, 2017)

Git is starting to move away from SHA-1 hash function after Google announced that it hade developed a SHA-1 collision attack. Although Linus Torvalds has observed that in the Git community, SHA-1 is used for version control rather than security, he did raise the question of the best way to replace SHA-1.

[Editor Comments]

[Murray] The "best way to replace SHA-1" is efficiently rather than urgently. What the Google demonstration proved is that, while perhaps easier than previously thought, finding collisions is still too expensive to constitute an efficient attack against most applications and will be so for a while.

[Northcutt] Everybody is right. We have known this day was coming since 2005 and at this point it is still really computationally expensive to force a collision. But now they will start working on improving the techniques till you can do this with an iPhone App.

Read more in:

The Register: Git sprints carefully towards SHA-1 deprecation

Mozilla Fixes Critical Flaw in Firefox in Less Than a Day (March 20, 2017)

Mozilla has fixed a critical flaw in its Firefox browser 22 hours after the issue was discovered at the Pwn2Own competition last week. The vulnerability is fixed in Firefox 52.0.1, released on Friday, March 17. Those who found the bug received a USD 30,000 bounty. Firefox was the first vendor to fix a bug discovered at last week's Pwn2Own.

[Editor Comments]

[Williams] Kudos to the folks are Firefox for fixing this bug so quickly. 22 hours is a great turn around time for patching the vulnerability and testing the release.

Read more in:

Softpedia: Mozilla Fixes Critical Vulnerability in Firefox 22 Hours After Discovery
Computerworld: Mozilla beats rivals, patches Firefox's Pwn2Own bug

Man Arrested for Allegedly Sending Seizure-Inducing Tweet (March 17 & 18, 2017)

US federal authorities have arrested a man for allegedly knowingly sending a tweet containing a strobing image to Newsweek writer Kurt Eichenwald, who has epilepsy. The tweet triggered a seizure. John Rayne Rivello has been charged with cyberstalking.

Read more in:

BBC: US man held for sending flashing tweet to epileptic writer
Ars Technica: Man accused of sending a seizure-inducing tweet charged with cyberstalking [Updated]

Minnesota Police Obtain Warrant Asking Google to Identify People Who Searched for Man's Name (March 17, 2017)

Police in Minnesota are asking Google to identify people who searched for certain terms associated with a crime they are investigating. Edina police are working in a bank fraud case in which USD 28,500 was wired out of an individual's account earlier this year. The perpetrator used a passport photo possibly obtained online. The warrant applies only to residents of Edina and only to searches conducted between December, 2016 and January 7, 2017.

[Editor Comments]

[Williams] Granting this warrant demonstrates a fundamental lack of understanding, by the judge, about the underlying technology.

Read more in:

Computerworld: Minn. Police seek data on who Googled a victim's name
Tony Webster: Minnesota judge signs a search warrant for personal information on anyone who Googled someone's name
Softpedia: Judge Wants Google to Tell Cops Everyone Who Googled One Man's Name

Bill Would Designate Election Systems as Critical Infrastructure (March 17, 2017)

Legislation introduced in the US House of Representatives would designate election systems as critical infrastructure. Its would also fund upgrades for the systems and look to the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) for security standards. The bill would cover storage facilities, polling places, voter databases, voting machines, and other systems involved in the election process.

Read more in:

FCW: House bill would keep election systems 'critical'
The Hill: Dem bill would codify elections as critical infrastructure
GCN: Election systems security under increasing scrutiny

Reasons for Microsoft's Patch Delay Still Vague (March 16, 2017)

Dan Goodin writes that Microsoft has not adequately explained the recent month-long delay of its security patches. Patch Tuesday has been a regular event for more than 13 years and has never, until last month, been cancelled. The reason given for February's delay was an unspecified "last-minute issue." Goodin writes that "even if the cancellation was for the most banal of reasons, Microsoft's silence is just wrong. If protecting customers is truly Microsoft's top priority, company officials should explain exactly why they delayed critical bug fixes for four weeks."

Read more in:

Ars Technica: Microsoft's silence over unprecedented patch delay doesn't smell right

UK Inter-ACE Cybersecurity Challenge (March 20, 2017)

A team of students from Imperial College London, UK, has won the Inter-ACE cybersecurity competition, besting teams from 11 other universities. All universities that sent teams to the competition have been named Academic Centres of Excellence in cybersecurity. The competition was hosted by the University of Cambridge. Members of the winning team are guaranteed spots in the Cambridge2Cambridge (C2C) competition later this year, an event held jointly by the University of Cambridge and the Massachusetts Institute of Technology (MIT).

Read more in:

SC Magazine UK: Students crowned UK's most talented in cyber-security


An Example of a Multiple States Dropper

Real-World Wiretapping Attacks Against ZRTP

Authenticating Against MySQL Server Using a Hashed Password

CISCO Releases Advisory with Details Regarding CMP Vulnerability

Pwn2Own Contest Leads to Exploits Against All Browsers (and VM!)

Git Moving Away from SHA1 (likely to SHA3)

Proxy Security

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit