
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #90

November 14, 2017


SANS NewsBites               November 14, 2017                Vol. 19, Num. 090



Girl Scouts of the USA Will Introduce 18 Cybersecurity Badges

US States Are Buying Cyber Insurance

Shadow Brokers


Firefox 57 Will Have Better Sandboxing for Linux Users

AV Vulnerability Lets Attackers Restore Quarantined Files

Google Study: Phishing is Biggest Threat to Account Hijacking

DoD Vulnerability Disclosure Program

Brad Smith Renews Call for Digital Geneva Convention

WikiLeaks Claims CIA Used Phony Certs to Impersonate Kaspersky

Man Charged for Allegedly Using DoS-for-Hire Services Against Former Employer

Electronic Frontier Foundation Has Some Ideas for Congressional Response to Equifax Breach


***************************  Sponsored By AlienVault  ***********************

Learn how organizations with limited budget and staff can set up a successful Security Operations Center (SOC) without costly services. Get practical advice in this free eBook. Download now. http://www.sans.org/info/199665



-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | Receive a 12.9" iPad Pro, Surface Pro 4 or take $400 Off your OnDemand or vLive course when you register by November 22nd. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Girl Scouts of the USA Will Introduce 18 Cybersecurity Badges

(November 13, 2017)

The Girl Scouts of the USA (GSUSA) will introduce 18 new cybersecurity badges next year. GSUSA is partnering with Palo Alto Networks to develop the curriculum. The partnership was announced in June 2017.

[Editor Comments]

[Paller]  Wonderful! 2018 may be a watershed year for young women in cyber. The Girl Scouts program will launch soon after the 2018 High School Girls CyberStart program (in February) sponsored by the governors of 9 states, along with top cybersecurity and other tech and financial companies who lead in bringing STEM opportunities to young women.

[Henry] This is outstanding.  Getting young girls interested in cybersecurity, often before they've begun to search career choices, is an opportunity to bring more females into this field.  The existing and ever-growing shortage of cybersecurity specialists necessitates exposure to all youngsters in order to identify those interested in pursuing this career option further.   

[Pescatore] Great stuff. Chasing Cub Scout badges caused me to build a small crystal radio receiver, which got me into ham radio, which led to choosing Electrical Engineering in college and taking a job in security at NSA when I graduated!

Read more in:

CSO: A rocket scientist hacks the cybersecurity labor crisis


GSA June 2017 Press Release: Palo Alto Networks and Girl Scouts of the USA Announce Collaboration for First-Ever National Cybersecurity Badges


Palo Alto Networks June 2017 Press Release: Palo Alto Networks and Girl Scouts of the USA Announce Collaboration for First-Ever National Cybersecurity Badges



US States Are Buying Cyber Insurance

(November 10, 2017)

The number of US states that have purchased cyber insurance has grown from 10 in 2015 to 19 in 2016, according to information gathered from state CIOs. The policies usually cover costs associated with investigations and data restoration, as well as customer notification, legal and public relations services, and credit monitoring.    

[Editor Comments]

[Pescatore] I remain skeptical about the value of cyber insurance and the experience in Utah tends to reinforce my feeling. They are paying $230K/year for $10M coverage with a $1M deductible. They started paying this *after* experiencing a breach of 780,000 citizen records, which likely had a real cost in the range of $75M. Many policies have "existing condition" and other limiting clauses - if Utah had the insurance in place before the 2012 breach, the policy may not have paid off at all. But, even if it did, at most it would have resulted in saving $8.77M out of the $75M in cost. I'll bet that if they had spent $1.23 million in 2011 (the deductible and just one year's premium) they could have avoided the breach.


[Henry]  I've worked with insurance companies over the past two years, and I've seen the market change substantially.  The biggest impact has been the accumulation of better actuarial data, enabling insurers to better assess their risk, and make their products more affordable and better suited for their customers' needs.  This is especially helpful in the case of small and medium businesses with limited budgets; cash-strapped states often fit into this category.

[Northcutt] Well researched article, worth a read. Take note of the differences between premiums and level of coverage. Also, make sure to read the 2016 SANS cyber insurance survey and this related new risk management paper:



Read more in:

Pew Trusts: Worried About Hackers, States Turn to Cyber Insurance




Shadow Brokers

(November 9, 12, & 13, 2017)

Shadow Brokers began releasing batches of US intelligence cyberweapons more than a year ago, in August 2016. Former defense secretary and CIA director Leon Panetta has called the leaks "incredibly damaging." With morale at the agency reportedly plummeting, some NSA employees have left for the private sector. Not only has Shadow Brokers leaked stolen information, but it has also identified at least one former member of the NSA's elite Tailored Access Operations (TAO) hacker team.

[Editor Comments]                                             

[Pescatore] The telling elements in this article: "We have had a train wreck coming," said Mike McConnell, the former N.S.A. director and national intelligence director. "We should have ratcheted up the defense parts significantly."   Offense informs defense, yes. But intelligence agencies in charge of defense too often results in defense being pushed down the priority list.   


Read more in:

NYT: Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core


The Hill: ShadowBrokers probe hurting NSA morale: report


***************************  SPONSORED LINKS  *******************************

1) Don't Miss:  "Breaking Down the Data: How Secure Are You and Your Supply Chain?"  Register:  http://www.sans.org/info/199670

2) Intezer Analyze and SANS' Jake Williams demonstrate how finding code reuse of known malware enables you to improve and accelerate incident response plans. http://www.sans.org/info/199675

3) Attend the SOC Brief in Boston on 11/17 for a chance win a $400 Best Buy gift card.  Learn More:  http://www.sans.org/info/199680





Firefox 57 Will Have Better Sandboxing for Linux Users

(November 13, 2017)

Mozilla plans to release Firefox 57 on Tuesday, November 14. The newest version of the browser will include improved sandbox security for users running Firefox on Linux. Mozilla has already made improvements in Firefox sandbox for Windows; the newest release will bring the Linux version on par with the Windows version.   

[Editor Comments]

[Northcutt] Sandboxing browsers ought to be automatic:


Read more in:

Bleeping Computer: Firefox 57 Brings Better Sandboxing on Linux




AV Vulnerability Lets Attackers Restore Quarantined Files

(November 13, 2017)

A flaw that affects most major antivirus products can be exploited to place malicious files on systems running the vulnerable software by moving "a previously quarantined file to any arbitrary filesystem location." The exploit requires local administrative privileges. Several companies have already taken steps to fix the vulnerability.  

[Editor Comments]

[Williams] The linked article is incorrect that the vulnerability requires local administrator permissions. It most definitely does not. The vulnerability abuses NTFS directory junctions. It would be relatively difficult to abuse in the wild, but doing so would result in full system compromise.  This vulnerability highlights how obscure features like directory junctions can be abused by attackers. The problem is that most developers creating applications don't know about directory junctions and definitely don't have them as part of their threat model.


Read more in:

V3: Major anti-virus packages vulnerable to exploit that can 'spring' suspicious files from quarantine
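The junction abuse Jake Williams describes above comes down to a restore routine trusting a path whose directory components can be redirected. The following is an added example, not code from the linked article or from any antivirus vendor, of the check a developer would put in front of a quarantine-restore step: refuse to write through any reparse point (an NTFS junction or a symlink) and confirm the resolved target still lies inside the expected root. The names safe_restore_target, is_reparse_point and demo, and the temporary directory layout demo builds, are constructed for this example; on Linux and macOS the check exercises symlinks, which play the same role junctions do on NTFS.

```python
import os
import stat
import tempfile

# Bit set in st_file_attributes for every NTFS reparse point (junctions, symlinks,
# mount points). This is the documented FILE_ATTRIBUTE_REPARSE_POINT value, named here
# so the check also works on Python builds whose stat module lacks the constant.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path):
    """True if `path` is a POSIX symlink or any NTFS reparse point.

    lstat examines the entry itself rather than whatever it points at.
    A missing entry is not a reparse point (the restore will create it).
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only present on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def safe_restore_target(restore_root, relative_path):
    """Return the absolute path a quarantined file may be restored to, or None.

    The request is refused if the normalised path escapes `restore_root`, or if
    any component between the root and the target is a reparse point, so a
    junction planted inside the root cannot redirect the write elsewhere.
    """
    root = os.path.realpath(restore_root)
    candidate = os.path.abspath(os.path.join(root, relative_path))
    rel = os.path.relpath(candidate, root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return None  # "../" escape survived normalisation
    current = root
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        if is_reparse_point(current):
            return None  # a junction/symlink sits on the path; do not write through it
    # Belt and braces: the fully resolved path must still live under the root.
    if os.path.commonpath([root, os.path.realpath(candidate)]) != root:
        return None
    return candidate


def demo():
    """Run the check against a constructed layout in a fresh temp directory.

    quarantine_root/sub/      ordinary directory
    quarantine_root/jump  ->  symlink to outside/ (stands in for an NTFS junction)
    """
    base = tempfile.mkdtemp(prefix="restore-demo-")
    root = os.path.join(base, "quarantine_root")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "sub"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "jump"))

    plain = safe_restore_target(root, os.path.join("sub", "a.txt"))
    via_junction = safe_restore_target(root, os.path.join("jump", "a.txt"))
    dotdot = safe_restore_target(root, os.path.join(os.pardir, "outside", "a.txt"))
    expected_plain = os.path.join(os.path.realpath(root), "sub", "a.txt")
    return {
        "plain_ok": plain == expected_plain,        # ordinary restore is allowed
        "junction_blocked": via_junction is None,   # redirected path is refused
        "dotdot_blocked": dotdot is None,           # traversal out of the root is refused
    }


if __name__ == "__main__":
    print(demo())
```

The component-by-component lstat walk is the part most restore routines miss: checking only that the final path string starts with the root, or resolving it once with realpath, still lets a junction created between the check and the write redirect the file, so the restore itself should open the target with flags that refuse to follow reparse points on the platform in use.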




Google Study: Phishing is Biggest Threat to Account Hijacking

(November 10 & 11, 2017)

A study from Google and researchers at the University of California Berkeley says that phishing, not ransomware or data breaches, poses the largest threat to Google account security.  

[Editor Comments]

[Pescatore] And phishing is enabled by reusable passwords. What Google calls "Advanced Protection" for personal accounts (two factor authentication) needs to be "Standard Protection" for business accounts. A recent survey showed something like 28% of online users now use 2FA for at least one online account - consumer adoption is higher than business adoption. Users are routinely using fingerprint authentication on Apple and Android phones, but at work they are entering reusable passwords!


Read more in:

Engadget: Google study shows how your account is most likely to be hijacked


The Register: How did someone hijack your Gmail? Phishing, keylogger or password reuse, we're guessing


Threatpost: Phishing Biggest Threat to Google Account Security


SC Magazine: Google study finds phishing attacks more efficient than data breaches


ZDNet: Google: Our hunt for hackers reveals phishing is far deadlier than data breaches


eWeek: Google Study Finds Phishing Most Likely Cause of Account Takeovers


Google: Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials (PDF)




DoD Vulnerability Disclosure Program


(November 9, 10, & 13, 2017)

The US Department of Defense's (DoD's) vulnerability disclosure policy (VDP) has resulted in the identification and patching of more than 2,800 security issues in public facing DoD websites and applications hosted on those websites. The program has been running for just under a year. Unlike the Hack the Pentagon program, VDP does not offer bounties for vulnerabilities that are submitted.   

[Editor Comments]

[Pescatore] Good to see the DoD mixing a passive vulnerability disclosure program with active bug bounty programs. Key point 1: these vulnerabilities were found mostly in systems that had already successfully gone through the government Certification and Accreditation process. Key point 2: In private industry, managed bug bounty programs are being extended to pre-production code - finding vulnerabilities earlier is always cheaper/better.


Read more in:

HackerOne: Hack The Pentagon Turns One on HackerOne


HackerOne: DoD Vulnerability Disclosure Policy


SCMagazine: Defense Department's vulnerability disclosure program racks up 2,837 security flaws


Wired: The Pentagon Opened Up to Hackers-and Fixed Thousands of Bugs




Brad Smith Renews Call for Digital Geneva Convention

(November 10, 2017)

Speaking at the United Nations in Geneva, Switzerland last week, Microsoft president Brad Smith reiterated his call for a cyber Geneva Convention. Smith stated that "governments should agree not to attack civilian infrastructures, such as the electrical grid or electoral processes" and should also agree not to steal intellectual property.  

[Editor Comments]

[Henry] I have long said that the threat from cyber attacks is similar in many ways to nuclear proliferation, and that it continues unchecked unless there is nation-state-to-nation-state discussion on the acceptable rules.  Brad Smith uses the term "Geneva Convention" to describe "standards of international law," and he's absolutely correct.  There are human beings behind every single cyber attack, and every one of them resides in, works at, or is sponsored by a nation-state.  There is a need for those nations to take responsibility for and/or control their citizens (or their own state actions) if we ever expect to have relative safety in this forum.

[Honan] This has been suggested before; many have called for such a convention, including Marcus J Ranum at the IRISSCERT conference in 2012: https://photopol.blogspot.ie/2012/11/irisscon-2012.html

[Paller] Yes others have made the recommendation. Maybe the problem is recognized at a higher level now so this time a Geneva Convention could be possible.

Read more in:

The Register: Microsoft president says the world needs a digital Geneva Convention


Cyberscoop: Microsoft's Smith adds 'IT Red Cross' to his 'digital Geneva Convention' call




WikiLeaks Claims CIA Used Phony Certs to Impersonate Kaspersky

(November 9 & 10, 2017)

WikiLeaks has released what it says is source code for a US intelligence cyber tool known as Hive that WikiLeaks says the CIA uses to hide its activity while installing malware on targeted systems. Hive uses phony digital certificates to impersonate other organizations, including Kaspersky Lab.

Read more in:

The Register: WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab


SC Magazine: WikiLeaks: CIA impersonated Kaspersky Labs as a cover for its malware operations


Motherboard: WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools




Man Charged for Allegedly Using DoS-for-Hire Services Against Former Employer

(November 10 & 13, 2017)

US federal prosecutors have charged a man for allegedly using the vDOS service, which launches attacks for its customers against specified websites. John Kelsey Gammell allegedly used vDOS and other services to launch attacks against websites belonging to his former employer and several other companies. Gammell has been charged with intentional damage to a protected computer.

Read more in:

KrebsOnSecurity: Hack of Attack-for-Hire Service vDOS Snares New Mexico Man


SCMagazine: Man charged for using vDOS hacker for hire against Minnesota firm


SC Magazine: Criminal Complaint (PDF)




Electronic Frontier Foundation Has Some Ideas for Congressional Response to Equifax Breach

(November 7, 2017)

The Electronic Frontier Foundation offers advice for how US legislators should respond to the Equifax data breach. The suggestions include establishing a federal victims advocate within the executive branch, either as an official or as a department, to offer support to victims of data breaches; granting the Federal Trade Commission (FTC) rule making authority to establish and enforce security standards; and mandating credit freezes rather than credit monitoring for breach victims.

Read more in:

EFF: Here's How Congress Should Respond to the Equifax Breach




Auditing TLS Root Certificates on Windows


How Google Accounts Are Hijacked


Battling E-Mail Phishing


Hacking Airplanes



Various URL Validation and HTTP Request Libraries Allow SSRF (PDF)


Using Heart Rhythm As Biometric ID



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create