Ending Soon! Get an iPad (32G), Galaxy Tab A, or $250 Off with OnDemand or vLive Training!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #96

December 8, 2017


SANS NewsBites               December 8, 2017                Vol. 19, Num. 096



NIST Releases Second Draft of Cybersecurity Framework

NiceHash Bitcoin Wallet Stolen

Stanford University Chief Digital Officer Loses Job Over Silence on Breach


Google Releases Chrome 63        

Critical Flaw in Microsoft Malware Protection Engine

Additional Uber Breach Details

US Army Will Recruit Civilian Cybersecurity Experts

Intel ME Flaw Detailed at Black Hat

Apple Updates macOS High Sierra to Version 10.13.2, Releases Details About iOS 11.2 Security Content

December Android Security Bulletin

Apache Struts Updates

New US Homeland Security Secretary Has Extensive Cybersecurity Experience


***************************  Sponsored By Netsparker  ***********************

Do you have too many web applications but you cannot check the security posture of all of them?  Netsparker developed a scalable vulnerability assessment solution that can can thousands of web applications for vulnerabilities such as XSS and SQL Injection in just days instead of months. It also automatically proves the identified vulnerabilities are real and not false positives, thus making it possible to improve the security posture of all your web applications within a reasonable amount of time. http://www.sans.org/info/200575



-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




NIST Releases Second Draft of Cybersecurity Framework

(December 6, 2017)

The US National Institute of Standards and technology (NIST) has released the second draft of its Framework for Improving Critical Infrastructure Cybersecurity. The new draft document includes changes to existing guidelines concerning cybersecurity risk self-assessment, as well as new guidelines regarding authorization, authentication, identity proofing, and vulnerability disclosure. The document is open for public comment through Friday, January 19, 2018.  

[Editor Comments]

[Paller] Excellent timing and a great start for 2018. The same week that consensus was reached among the U.S., Australian and UK definitions of "minimum acceptable practice (MAP)" in cyber hygiene, NIST's framework points directly to the US version of that consensus: The CIS Critical Security Controls. NIST lists the CIS Controls as a reference along with NIST SP800-53 Rev. 4.  Nothing will be published on the multi-national MAP consensus until early in 2018, but knowing you will have powerful external consensus support for getting business units to implement the top 5 CIS critical security controls (plus number 10) should make 2018 a much more productive year for security officers who have long struggled to make broad, important improvements in cyber hygiene.]

NIST: Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1 Draft 2 (PDF)


Dark Reading: NIST Releases New Cybersecurity Framework Draft


SC Magazine: NIST 1.1 tackles cybersecurity metrics, supply chain



NiceHash Bitcoin Wallet Stolen

(December 6 & 7, 2017)

Cryptocurrency mining marketplace NiceHash says that a breach of its Bitcoin wallet earlier this week led to the theft of 4,700 Bitcoin, or roughly $70-80 million USD worth of the cryptocurrency. The company says it is working to recover the stolen Bitcoin. NiceHash allows users to buy and sell resources to mine cryptocurrency. (Note: The WSJ story is behind a paywall.)

Read more in:

The Register: NiceHash diced up by hackers, thousands of Bitcoin pilfered


Bleeping Computer: Largest Cryptocurrency Mining Market NiceHash Hacked


BBC: Millions 'stolen' in NiceHash Bitcoin heist


WSJ: Hackers Steal $70 Million in Bitcoin



Stanford University Chief Digital Officer Loses Job Over Silence on Breach

(December 6, 2017)

A Stanford University official has stepped down from his job as Chief Digital Officer (CDO) of the University's Graduate School of Business after failing to disclose a breach that affected student financial aid application data and employee data.

Read more in:

Cyberscoop: Stanford U. official ousted after keeping quiet about huge exposure of sensitive data


**************************  SPONSORED LINKS  ********************************

1) Did you miss it? "Using Anti-Evasion to Block Stealth Attacks with Minerva Labs" Register: http://www.sans.org/info/200580

2) ICYMI:  "Breaking Down the Data: How Secure Are You and Your Supply Chain?" View the Archive:  http://www.sans.org/info/200585

3) "Stop All Imposter Threats Coming Into and Going Out of your Organization" with John Pescatore and Ryan Terry.  Register: http://www.sans.org/info/200590




Google Releases Chrome 63        


(December 7, 2017)

Chrome 63 has been moved to the stable channel for Windows, Mac, and Linux. The newest version of Google's browser includes fixes for 37 security issues. One of the flaws, an out-of-bounds write in QUIC (Quick UDP Internet Connections), is considered critical. Other changes to Chrome include new site isolation capability, and a feature that lets admins restrict access to browser extensions based on permissions.      

Read more in:

Bleeping Computer: Google Chrome 63 Released for Android, Linux, Mac, and Windows


eWeek: Enterprise Chrome Users Get New Browser Security Features


SC Magazine: Google patches 37 security issues in Chrome


Chrome: Stable Channel Update for Desktop




Critical Flaw in Microsoft Malware Protection Engine

(December 7, 2017)

Microsoft has fixed a critical remote code execution flaw in its Malware Protection Engine (MPE). The issue arises when affected versions of MPE incorrectly scan a specially-crafted file. The fix requires no action from users.

Read more in:

Cyberscoop: Critical vulnerability found in Microsoft Malware Protection Engine


Microsoft: Microsoft Malware Protection Engine Remote Code Execution Vulnerability




Additional Uber Breach Details

(December 6 & 7, 2017)

The massive data breach at Uber was reportedly the work of 20-year-old Florida man. The company appears to have paid the man $100,000 USD through a bug bounty program to destroy the data he allegedly stole. Two anonymous sources say that Uber had the man sign a non-disclosure agreement and that the company conduced a forensic examination of his computer to ensure that the data had been removed.     

Read more in:

Reuters: Exclusive: Uber paid 20-year-old Florida man to keep data breach secret - sources


Ars Technica: Uber used bug bounty program to launder blackmail payment to hacker


SC Magazine: Uber paid Florida hacker responsible for breach $100K through bug bounty program


CNET: Florida man, 20, reportedly behind massive hack at Uber




US Army Will Recruit Civilian Cybersecurity Experts

(December 5 & 7, 2017)

The US Army has launched a program to directly recruit civilian cybersecurity experts into its cybersecurity workforce. The US Army Cyber Command plans to directly commission five civilians over the next few months, and to continue to commission five additional officers every year for five years.   

Read more in:

Stars and Stripes: Army launches direct commissioning program for civilian cybersecurity experts




Intel ME Flaw Detailed at Black Hat

(December 6, 2017)

In a presentation at Black Hat Europe, researchers described how a stack buffer overflow flaw in Intel Management Engine (ME) firmware can be exploited to take control of a vulnerable machine, even when the machine is turned off. The exploit requires physical access to the machine. Intel has released a fix for the issue.

Read more in:

BlackHat: How to Hack a Turned-Off Computer, Or Running Unsigned Code in Intel Management Engine


Dark Reading: How the Major Intel ME Firmware Flaw Lets Attackers Get 'God Mode' on a Machine


The Register: Intel Management Engine pwned by buffer overflow


eWeek: Newly Revealed Flaw in Intel Processors Allows Undetectable Malware




Apple Updates macOS High Sierra to Version 10.13.2, Releases Details About iOS 11.2 Security Content

(December 6 & 7, 2017)

Apple's newest version of macOS, High Sierra 10.13.2, includes a fix for the root password security issue that allowed anyone with physical access to a computer running an earlier version of macOS to log in as an administrator. Although Apple released 1OS 11.2 on December 2, the company waited until the release of macOS 10.13.2 to make details about the security content of the iOS update public.   

[Editor Comments]

[Northcutt] Haste makes waste. Since this flaw requires physical access to the Mac and because there have been some early problem reports, I recommend that organizations take time to test this update before implementing. If you feel you have to hurry, make sure to have a full backup:


Read more in:

eWeek: Apple Updates iOS and macOS With Patches for Critical Security Flaws


Ars Technica: macOS High Sierra 10.13.2 is here with enterprise and security updates


Softpedia: macOS High Sierra 10.13.2 Out with Permanent Fix for Root Password Security Flaw


Apple: About the macOS High Sierra 10.13.2 Update


Apple: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan




December Android Security Bulletin

(December 4, 5, & 6 2017)

Google has released the

December Android Security Bulletin

, which addresses nearly 50 vulnerabilities affecting Nexus and Pixel devices. Google notified partners about the security issues at least one month ago.  

Read more in:

ZDNet: Android security: Google details Pixel and Nexus vulnerabilities in December bulletin


Threatpost: Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones


The Register: Google prepares 47 Android bug fixes, ten of them rated Critical


Android: Android Security Bulletin-December 2017




Apache Struts Updates

(December 5, 2017)

The Apache Software Foundation has released two updates to fix vulnerabilities in Apache Struts versions 2.5 to 2.5.14. One of the flaws could be exploited to take control of unpatched systems. Users are urged to upgrade to

Read more in:

SC Magazine: Updates address vulnerabilities in Apache Struts versions 2.5 to 2.5.14


US-CERT: Apache Software Foundation Releases Security Updates


Apache: A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin


Apache: Vulnerability in the Jackson JSON library




New US Homeland Security Secretary Has Extensive Cybersecurity Experience

(December 5, 2017)

The US Senate has confirmed Kristjen Nielsen to be the new Secretary of the Department of Homeland Security (DHS). Nielsen is the former chief of staff to former DHS Secretary John Kelly. Nielsen has extensive experience as a private sector cybersecurity consultant.

Read more in:

Nextgov: Cyber Pro Confirmed as Homeland Security Secretary




AI.Type Data Exposed in MongoDB Database


Mailsploit Makes it Easier to Spoof From Headers in E-Mails


StorageCrypt Ransomware Encrypts NAS Devices


Android December Update



Apple Updates Everything


NiceHash Hacked


Do Not Trust Reverse DNS. And here is an example why


Positive Technologies Demonstrates Intel ME Exploit at Blackhat Europe


Tracking Users Without GPS


Process Doppelgaenger Anti-Malware Bypass




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create