Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #41

May 24, 2016

Emerging cybersecurity leaders are being recognized in the "Ones to Watch in Cybersecurity Awards," to be presented at the SANS Security Leadership Summit in Dallas on in September. Details: see the story at the end of the issue.


Federal Government HR and Cybersecurity
New Japanese Government Agency Will Protect Critical Infrastructure from Cyberattacks
US House Legislators Advise Colleagues to Upgrade to Basic Security Hygiene


US Medicare Agency Introduces Data Guardians Program
Thieves Steal Millions Through ATMs in Japan
Active Attacks are Exploiting recently Patched Flash Flaw
Adobe Patches Flaw in Connect for Windows
Cerber Ransomware Variant Uses Windows Script Files
Man Arrested for Reporting Vulnerabilities in Police Communication System
New Botnets Used for "Low and Slow" Credential Testing
SWIFT Will Encourage Threat Information Sharing Among Member Banks
Many Ubiquiti Wireless Devices Still Vulnerable
Recognizing Emerging Cybersecurity Leadership - Nominations Sought

************************ Sponsored By AlienVault *************************

Discover the various open source IDS tools available to you. Download the Beginner's Guide to Open Source Intrusion Detection Tools.



- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!

- --Security Operations Center Summit (Crystal City, VA)

Information Security Training Crystal City, VA from SANS Institute. Cybersecurity training courses in Crystal City

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!

- --SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.

- --SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.

- --SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.

- --SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.

- --Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - and Evening (vLive - courses available!

- -- Multi-week Live SANS training
Mentor -

- --Looking for training in your own community?
Community -

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more:

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:



Federal Government HR and Cybersecurity (May 20, 2016)

The White House plans to issue HR strategy for federal government HR (human resources) departments for recruiting cybersecurity talent. Although the need to change hiring practices to attract cybersecurity professionals has been stated again and again, many agencies are not adequately addressing the issue. In a survey of federal cybersecurity executives, 39 percent said that their HR departments rate cybersecurity "unimportant" or "very unimportant."

[Editor's Note (Henry): The fact that such a large portion of HR departments within the federal government assess cybersecurity as "unimportant" or "very unimportant" is a reflection on leadership. I spent 24 years in the federal government, and as an executive I participated substantially in budget/hiring formulation for the enterprise. The HR department didn't unilaterally determine the hiring requirements of the agency; those priorities and objectives were driven by senior leadership...always. Additionally, this should be a top-down mandate from the administration. There was a government-wide plan for hiring cybersecurity expertise...and it was developed eight years ago. It appears to not have been effectively implemented, unfortunately. ]

New Japanese Government Agency Will Protect Critical Infrastructure from Cyberattacks (May 20, 2016)

Japan plans to establish a new government agency to protect the country's critical infrastructure from cyberattacks. The Industrial Cybersecurity Promotion Agency (ICPA) would become operational in 2017; the government wants the agency to be capable of defending critical systems by the time Tokyo hosts the Olympic Games in 2020. ICPA will comprise two divisions: one for research and one for active response.

US House Legislators Advise Colleagues to Upgrade to Basic Security Hygiene (May 23, 2016)

US Representatives Ted Lieu (D-California) and Will Hurd (R-Texas) have written a "Dear Colleagues" letter to their fellow legislators, warning them about cybersecurity threats and offering concrete advice for protecting information. Cautioning their fellow legislators that their "devices will be subject to continuing cyber attacks," Lieu and Hurd advised using complex passwords, two-factor authentication, and to connect only to trusted networks. They also recommended that lawmakers use messaging apps with end-to-end encryption.


[Editor's Note (Pescatore): Great to see Representatives Lieu and Hurd recommended basic security hygiene to their colleagues and reportedly talking to the House CIO as well. But, I'd also urge them to more formally look into what percentage of government email is encrypted, after over 15 years of spending on the federal PKI Infrastructure and related efforts? ]

*************************** SPONSORED LINKS *****************************
1) SECURITY WEBCAST: Thursday May 26th at 2pm ET. Turning Threat Intelligence Into Action:

2) Why So Many Endpoint Attacks Are Still Going Undetected - And What You Can Do About It. Wednesday, May 25th, 2016 at 1:00 PM EST with John Pescatore, Chris Ahearn, and Mark Stacey.

3) What types of CYBER THREATS are driving the IT community to take action?? Tell us in SANS Survey


US Medicare Agency Introduces Data Guardians Program (May 23, 2016)

Following a spear phishing attack that targeted the US Centers for Medicare and Medicaid Services (CMS), the agency's chief information officer (CIO) David Nelson created the job of data guardian. Each of CMS's components has its own data guardian, which is a volunteer position. The data guardians are "stewards of CMS privacy and security policy." They are briefed on the current threat landscape and they train coworkers and contractors.

[Editor's Note (Pescatore): In private industry, there is often a "security liaison" role in business units for similar purposes. But, I like the idea of motivated volunteers - in every office there is always one person (not in IT) that everyone usually goes to for help in getting their PC or iPhone to do something, good to get those kind of people helping co-workers on avoiding phishing. ]

Thieves Steal Millions Through ATMs in Japan (May 23, 2016)

Thieves used data stolen from a South African bank to steal 1.4 billion yen (US $12.8 million) via ATMs in Japan. The fraudulent withdrawals occurred during a three-hour window on May 15. The scheme was carried out on a day that banks were closed; those behind the operation were also aware of which ATMs accept cards issued outside the country.

[Editor's Note (Murray): While banks are equipping ATMs to read EMV cards, and BoA and others are piloting cardless (mobile) ATMs, the fundamental vulnerability is that all banks continue to issue and accept cards with the credit card number in the clear on magnetic stripes. There is not even a plan or a schedule for discontinuing this high-risk practice. ]

Active Attacks are Exploiting recently Patched Flash Flaw (May 23, 2016)

A recently patched vulnerability in Adobe Flash Player is being actively exploited in targeted attacks. Adobe released the fix for the flaw earlier this month, two days after being notified of its presence.

[Editor's Note (Williams): This fix demonstrates the speed with which vendors can get patches out into the wild. It also demonstrates how quickly attackers can develop exploits for vulnerabilities once they are known. Those without aggressive third party patching programs should take note of this and other recent examples demonstrating that the time between patch release and publicly available exploit is shrinking. ]

Adobe Patches Flaw in Connect for Windows (May 23, 2016)

Adobe has patched an untrusted search path flaw in Adobe Connect for Windows. The vulnerability affects version 9.5.2 and earlier. Users are urged to upgrade to version 9.5.3; users running Adobe Connect versions 8.x and 9.x must update to 9.5.x prior to applying the patch.

Cerber Ransomware Variant Uses Windows Script Files (May 23, 2016)

A new variant of Cerber ransomware markets uses Windows Script files to infect computers. Previous versions of Cerber were distributed through exploit kits or macro-enabled Word documents.

Man Arrested for Reporting Vulnerabilities in Police Communication System (May 23, 2016)

Police in Slovenia have arrested a man who found security flaws in the system the police used to communicate. Dejan Ornig was given a suspended sentence. He found that the Tetra system, which is used not only by Slovenian police, but also by the country's military, intelligence and other agencies, did not always encrypt communications. Ornig notified authorities of the issues a year ago; after nothing was done to mitigate the problem, Ornig publicly disclosed the flaws in March.

[Editor's Note (Williams): Tetra is widely used and just like the P25 vulnerabilities (mostly misconfigurations) revealed at DEFCON a few years back, we can expect that the Slovenians aren't the only ones impacted by this. It's also possible that the Slovenians didn't move on fixing the Tetra vulnerabilities because they were using the same vulnerabilities to eavesdrop on others and valued that intelligence. ]

New Botnets Used for 'Low and Slow' Credential Testing (May 23, 2016)

Botnets are being used to test account access credentials. By checking the validity of the credentials over the course of several days, the fraudulent login attempts evade detection. Once a set of credentials proves to be valid, criminals then use it to try to access financial or ecommerce accounts that may use the same password.

[Editor's Note (Northcutt): The interesting thing is that it has taken the criminals this long to get here. Sophos reports that 55% of users use the same password for everything, or at least most things:
We are security people, we know better than that. Well maybe not; cybersecurity company HBGary was taken down by that very thing, (amongst others):
There are a lot more of us now than there used to be, take ten minutes and forward this story to your mom and dad, next door neighbor, and a couple co-workers who are not in security with a short note about the importance of unique logon credentials. ]

SWIFT Will Encourage Threat Information Sharing Among Member Banks (May 20, 23, and 24 2016)

While SWIFT maintains that its systems were not compromised in recent attacks, the organization plans to launch a five-point security plan to help member banks protect their systems and transactions. SWIFT is also asking member banks that have experienced fraudulent transfers that used SWIFT credentials to be forthcoming with the information; the terms of the banks' contracts with SWIFT require them to report these incidents.




[Editor's Note (Henry): This has been a risk for several years, and the sharing of threat intelligence is a bare-minimum requirement. Adversaries recognize the vulnerabilities of our critical infrastructure, and Financial Services is, without a doubt, one of the most critical areas to be secured. (Honan): The original speech by SWIFT's CEO is posted here:

In the speech, the CEO acknowledges that there have been a number of successful attacks against some of its member banks. He says SWIFT is "aware of at least two, but possibly more.." cases. (Williams): So basically SWIFT is setting up an ISAC. We regularly recommend to clients that they adjust their contracts to require vendors and partners to share data about compromises. Setting up private ISACs consisting of vendors servicing your organization is also a good idea for ensuring threat and compromise data sharing among your partners. ]

Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016)

Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited. The vulnerability affects AirOS firmware. Ubiquiti has made available a tool that removes the malware from infected devices.



Ubiquiti Warning:

[Editor's Nte (Ullrich): While you are checking your Ubiquity devices for the latest firmware, please also verify that the default password was changed. "ubnt", the default password, was the #7 most frequently recorded password in our ssh honeypots last month. ]

Recognizing Emerging Cybersecurity Leaders - Nominations Sought (May 23, 2016)

Are you a CISO or senior security leader who has a promising team member you'd like to recognize? We want to hear about and recognize emerging cybersecurity leaders through our first annual Ones to Watch in Cybersecurity Awards, which will be presented at the SANS Security Leadership Summit in Dallas, TX on September 27 & 28, 2016. To be eligible as an emerging leader in the Someone One to Watch in Cybersecurity, the person must: - -- Show leadership and an ability to drive key elements of the security program. - -- Institute and manage change within the organization. - -- Understand and be able to articulate business drivers for information security. - -- Develop process and technological improvements leading to new security innovations. - -- Display an ability to lead, motivate, and inspire others. For more details:

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit