SANS NewsBites               January 5, 2018                Vol. 20, Num. 001



Spectre and Meltdown Affect Intel, AMD, and ARM Processors

Breach Compromised Personal Data Belonging to 240,000 Current and Former DHS Employees

US Federal Website DMARC Adoption Nears 50 Percent (Sort of)

US Securities and Exchange Commission Will Update Breach Reporting Guidelines


Guilty Plea Expected in NSA Document Theft Case

SWIFT Security Framework Takes Effect

VMware Releases Fixes for vSphere Data Protection

No Fix Yet for Old macOS Flaw

NSA Losing Engineers, Cyber Talent

Suspect Arrested in Fatal SWATting Attack

States May Wait Months for DHS Election Systems Assessments

FERC Proposes Expanded Incident Reporting Rule




-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a 10.5" iPad Pro or an HP ProBook 450 G4, or take $400 Off with OnDemand and vLive Training when you register by January 10. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Spectre and Meltdown Affect Intel, AMD, and ARM Processors

(January 2, 3, & 4, 2018)

Intel says it plans to have software and firmware updates available by January 12 to address the Spectre and Meltdown vulnerabilities in 90 percent of the affected processors sold since 2013. The flaws affect all processors sold for the past 20 years; Intel says that fixes for older processors will be available in the future. Many companies have issued advisories about the flaws.

[Editor Comments]

[Ullrich] There are two reasons to consider not installing this patch: first, some anti-virus products may not work after it is installed, or may even crash the system. Microsoft tried to cover this part and will disable the patch on affected systems. Second, systems may suffer a performance hit, in particular if they use software that heavily relies on syscalls (typically heavy IO workloads). This isn't a remote code execution, so I would test carefully and not fall into panic mode. Prioritize exposed shared systems.

[Honan] All devices that use these chips are affected, so we also need to think about network security devices that may be vulnerable: firewalls, proxy servers, routers, etc. Best to contact the vendors of these devices to get information from them on how they are handling it.

Read more in:

ISC: Meltdown and Spectre - understanding and mitigating the threats


Dark Reading: Critical Microprocessor Flaws Affect Nearly Every Machine


Cyberscoop: Intel rushes to deploy firmware updates for critical CPU bug by end of next week


Reuters: How a researcher hacked his own computer and found 'worst' chip flaw


US-CERT: Meltdown and Spectre Side-Channel Vulnerability Guidance


ISC: Spectre and Meltdown: What You Need to Know Right Now


Microsoft: January 2018 Security Updates


Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs


ZDNet: Major Linux redesign in the works to deal with Intel security flaw




Breach Compromised Personal Data Belonging to 240,000 Current and Former DHS Employees

(January 3 & 4, 2018)

A data security breach at the US Department of Homeland Security (DHS) that was detected in May 2017 compromised personal information belonging to more than 240,000 current and former DHS employees. The breach may also have compromised information belonging to people who were the subject of DHS Office of Inspector General (OIG) investigations between 2002 and 2014. The incident did not involve an external cyber attack; instead, in the course of a criminal investigation, DHS OIG discovered that a former DHS OIG employee was in possession of an unauthorized copy of the organization's investigative case management system.

[Editor Comments]

[Pescatore] Several issues here: (1) detecting when someone has done a bulk download of a database and investigating; and (2) removing server-side access to all apps when an employee leaves. With the increased use of cloud services, security processes need to be updated for both issues.

[Neely] Bravo to DHS for offering three years of credit monitoring, and after the OMB breach, those affected should already have both monitoring in place and their credit frozen. This incident calls attention to insider threat and the need for DLP measures. Do you know what sensitive or proprietary information employees have on their personal systems? Do you have DLP measures to track movement of your data outside your boundary? Finally, does your employee checkout procedure include not only an NDA, but also verification that all company data is indeed returned?

Read more in:

DHS: Privacy Incident Involving DHS Office of Inspector General Case Management System


The Register: US Homeland Security breach compromised personal info of 200,000+ staff


ZDNet: 240,000 Homeland Security employees, case witnesses affected by data breach


CNET: Homeland Security breach exposes data on 240,000 employees


US Federal Website DMARC Adoption Nears 50 Percent (Sort of)

(January 2, 2018)

Nearly half of US federal websites have adopted Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies as required in an October 2017 Department of Homeland Security (DHS) directive. DMARC helps detect and block spoofed email, thus helping to lessen the incidence of phishing.
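As an added example (not from the newsletter), a small Python checker that classifies a domain's DMARC TXT record the way the adoption figures above need to be read: a published record with p=none only requests reports, while quarantine or reject actually acts on spoofed mail, and pct or sp tags can still leave enforcement partial. The domain names and records below are constructed samples.

```python
"""Classify DMARC policy records as monitor-only or enforcing.

Added example; the records below are constructed. In practice you would
fetch the TXT record at _dmarc.<domain> with a DNS resolver and feed it in.
"""
from typing import Dict, Optional

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into a tag dictionary.

    Returns None if the record is not a DMARC record (v=DMARC1 required).
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def classify(txt: Optional[str]) -> str:
    """Return one of: missing, invalid, monitor, partial, enforcing.

    monitor   : p=none, reports only; spoofed mail is still delivered
    partial   : quarantine/reject but pct below 100, or subdomains left
                at sp=none, so some spoofed mail still gets through
    enforcing : quarantine/reject applied to all mail for the domain
    """
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"
    if policy not in ENFORCING:
        return "invalid"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    if tags.get("sp", policy).lower() == "none":
        return "partial"
    return "enforcing"


# Constructed sample records, one per hypothetical agency domain.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:r@c.example",
    "agency-d.example": "v=DMARC1; p=reject; sp=none",
    "agency-e.example": None,  # no _dmarc TXT record published at all
    "agency-f.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(record)}")
```

Only the domains classified as "enforcing" actually block spoofed mail; "monitor" and "partial" domains are the "filters not inserted" case.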

[Editor Comments]

[Pescatore] The good news is the DHS directive did kick start more government agencies to move toward enabling email authentication via DMARC. However, 84% of government agencies are still not actually implementing quarantine or reject policies. This is like installing a water filtration system but not actually inserting the filters - good start, but the water is still polluted.

[Neely] The hard part is building confidence that legitimate email will not be lost. Most agencies should be busy reading their DMARC reports to fix issues with legitimate email being incorrectly tagged. Expect hesitance to turn on blocking, even of externally tagged messages, until that process completes. Additionally, the requirement to implement STARTTLS for SMTP sessions is also delaying DMARC efforts: while it is the lower-risk activity, it is likely consuming the same resources that are working to build confidence in their DMARC reports.

Read more in:

FCW: Email hygiene mandate takes hold at agencies



US Securities and Exchange Commission Will Update Breach Reporting Guidelines

(December 29, 2017)

The US Securities and Exchange Commission will update breach reporting requirements for publicly traded companies. Organizations will likely be required to disclose more information than they have in the past and may be required to provide evidence that they have implemented security measures, according to Matt Rossi, a former assistant chief litigation counsel to the SEC and currently an attorney specializing in securities litigation and enforcement and data privacy.

[Editor Comments]

[Pescatore] I doubt there will be much enforcement oomph here, mostly just law firms trying to drum up FUD. The SEC didn't disclose its own security breach for over a year and does not seem to be actively focusing on enforcing existing regulations. Not much indicating the tiny bit of bark will result in any bites.

Read more in:

GovInfoSec: SEC Plans Cybersecurity Guidance Refresh: What to Expect





Guilty Plea Expected in NSA Document Theft Case

(January 3 & 4, 2018)

Former NSA contractor Harold Martin plans to plead guilty to one count of willful retention of national defense information. Martin allegedly took at least 50 terabytes of data home from his government contractor jobs over the course of at least two decades. Martin is scheduled to appear at a federal court in Baltimore, Maryland on January 22, 2018.

Read more in:

Nextgov: Former NSA Contractor Admits to Stealing Confidential Documents


Reuters: Ex-U.S. NSA contractor to plead guilty to massive theft of secret data


Politico: Ex-NSA contractor accused of hoarding classified info to plead guilty


Politico: Re: United States v. Harold T. Martin, III, MJG-17-0069




SWIFT Security Framework Takes Effect

(January 3, 2018)

The SWIFT Customer Security Controls Framework took effect on January 1, 2018. The framework requires all member banks to adopt a set of cyber security controls. Sixteen of the controls are mandatory; another 11 are optional but could become mandatory in the future. All organizations on the SWIFT network will be able to see whether each bank has adopted the required security measures.

Read more in:

SC Magazine: SWIFT framework took effect Jan. 1




VMware Releases Fixes for vSphere Data Protection

(January 2 & 3, 2018)

VMware has released patches for three flaws in its vSphere Data Protection backup and recovery product. One of the flaws has been rated critical; the other two are rated important. The critical flaw is a remote authentication bypass vulnerability that could allow attackers to gain root access to affected systems. The other flaws are a remote arbitrary file upload scenario and a path traversal vulnerability.

Read more in:

The Register: Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch...


SC Magazine: VMware repairs three critical bugs in vSphere Data Protection


Threatpost: VMware Issues 3 Critical Patches for vSphere Data Protection




No Fix Yet for Old macOS Flaw

(January 2, 2018)

A flaw in macOS can be exploited to gain root access to machines. The local privilege escalation (LPE) flaw dates back to 2002 and can be exploited only if an attacker has local access to a machine or has already infected the machine in another way. There is currently no patch available for the vulnerability.

[Editor Comments]

[Ullrich] This vulnerability (and the exploit) were released over New Year's with no prior notification to Apple. For a privilege escalation vulnerability, I would not expect an emergency patch. Likely, a patch will be released sometime this year.

Read more in:

Threatpost: macOS LPE Exploit Gives Attackers Root Access


Bleeping Computer: macOS Exploit Published on the Last Day of 2017




NSA Losing Engineers, Cyber Talent

(January 2, 2018)

Over the past several years, the US National Security Agency (NSA) has lost hundreds of engineers, hackers, and data scientists to private sector jobs that offer better pay and more overall flexibility. Another factor in the departures is likely reorganization within the NSA that has left some workers feeling that their missions have been marginalized. Some groups within the NSA have lost more than half of their staff. While the NSA is able to fill many vacated positions, most of the new employees lack the experience of those who have left.

[Editor Comments]

[Pescatore] I think I first read this article in 1980, when I left NSA because promotions were slow and the aftermath of the Nixon abuses was still a factor... Getting new blood into government agencies (or companies, for that matter) is rarely a bad thing when turnover occurs gradually. But, a rapid leap in resignations is a good indication that something is wrong.

Read more in:

Washington Post: NSA's top talent is leaving because of low pay, slumping morale and unpopular reorganization




Suspect Arrested in Fatal SWATting Attack

(December 29, 2017 & January 2, 2018)

A Kansas man was fatally shot by police after they were summoned to his home by a phony report of a hostage situation, a practice known as SWATting. The Kansas SWATting was the outcome of an argument between players of the online game Call of Duty; the man who was killed was not involved in the argument. Authorities in California have arrested and charged a suspect who has a history of SWATting and has served a prison sentence for making a bomb threat against an ABC affiliate.

[Editor Comments]

[Northcutt] If the man is found guilty, it would seem logical to restrict his access to computers and phones for as long as possible. There is legal precedent for this and technology to enforce.

Read more in:

KrebsOnSecurity: Kansas Man Killed In 'SWATting' Attack


KrebsOnSecurity: Serial Swatter "SWAuTistic" Bragged He Hit 100 Schools, 10 Homes




States May Wait Months for DHS Election Systems Assessments

(December 29, 2017)

US states wanting a risk and vulnerability assessment of their elections systems from the Department of Homeland Security (DHS) may have to wait as long as nine months, pushing some of the assessments up to the last several weeks before the 2018 mid-term elections. The assessments take two to three weeks and are provided at no cost to the states.

[Editor Comments]

[Pescatore] Hey, commercial security consulting, vulnerability assessment and managed bug bounty companies: how about offering state governments free assessments while they wait for DHS?

Read more in:

Politico: The latest 2018 election-hacking threat: 9-month wait for government help




FERC Proposes Expanded Incident Reporting Rule

(December 28, 2017)

The US Federal Energy Regulatory Commission (FERC) has proposed a change to its cyber incident reporting rule that would require energy companies to report all attempts to breach their networks. Currently, energy companies must report only incidents that disrupt core processes. The change in the definition of what constitutes a reportable cyber incident was proposed in part because "the lack of any reported incidents in 2015 and 2016 suggests a gap in the current mandatory reporting requirements."

[Editor Comments]

[Neely] The proposed change is intended to increase transparency by adding ICS-CERT and an annual anonymized report to the incident reporting process, as well as setting reporting timelines. The change also focuses on increased use of malware protections and better password management processes, and calls attention to the risks of pivoting. The change to the reporting requirement to include any attempted breach is intended to support the Energy Information Sharing and Analysis Center (E-ISAC) mission to bring resources to help address cyber risks, but care must be taken to avoid false positives, causing responders to miss the real breach.

Read more in:

Fifth Domain: FERC proposes rule to expand cyber incident reporting




SANS Special Webcast: Meltdown and Spectre - understanding and mitigating the threats


ISC Diary with Links to Patches


Analyzing TNEF Files


Obfuscated RTF Files


2017 Flood of CVEs


Sonos/Bose Smart Speaker Flaws


Web Trackers Exploit Login Managers


Backdoored Wordpress Plugins


Extracting URLs From PDFs


Privilege Escalation Exploit for macOS


34C3: Chaos Communications Congress


Vulnerabilities in Online Geolocation Services



Intel CPU Vulnerability


Crypto Coin Mining Pool IP List


Phishing to Rural America Leads to Six-figure Wire Fraud Losses



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create