
Volume XX - Issue #19

March 9, 2018

A smile: If you have daughters or nieces and think they might enjoy exploring a career in cybersecurity, here are two short TV news pieces on what a good idea that is:

Washington DC: http://wjla.com/features/inspire/inspire-local-maryland-all-girls-team-wins-national-cybersecurity-challenge

Las Vegas NV:




SANS NewsBites               March 9, 2018                Vol. 20, Num. 019



Government Agencies Should Look to Retrain Their Own Employees for Cybersecurity Positions

OIG Audit: DHS Needs to Improve Network Protection

UK Government IoT Security Guidelines


Windows Defender Blocks Cryptocurrency Miner Installation Attempt

Cisco Releases Fixes for Two Critical Flaws and Other Security Issues

Google Releases Chrome 65

FOIA Request Reveals Geek Squad Informs FBI About Child Pornography Found on Computers

Fix Available for Exim Flaw

Legislators Press Voting Machine Companies on Security

FinTech Cybersecurity Consortium

Commissioning Rules Hinder US Military Efforts to Hire Cyber Experts from the Private Sector

ComboJack Malware Redirects Cryptocurrency Transactions

City Considering Cryptomining Moratorium



***************************  Sponsored By Cylance  **************************

Get the free Cylance ebook, Introduction to Artificial Intelligence for Security Professionals. Learn about AI and machine learning techniques and methods in practical situations that have proven most successful in predicting and preventing cyberattacks.





-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS Northern VA Spring-Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Government Agencies Should Look to Retrain Their Own Employees for Cybersecurity Positions

(March 8, 2018)

Speaking at the Association for Federal Information Resources Management's Cybersecurity Summit, National Security Council director of cybersecurity policy Tyson Meadors said that the national cybersecurity labor shortage could be addressed in part by agencies retraining some of their own employees. Meadors also noted that a broader education than just computer science benefits those looking to build a career in cybersecurity. "That 285,000 number of open jobs in the United States is not going to be filled by computer science undergraduates," he said. "It's going to have to be filled by a combination of things: apprenticeships, community college graduates, people who can be hired simply because they have some kind of individual aptitude/talent so that we can identify through nontraditional sources."

Read more in:

Fedscoop: Retrained agency employees can be a key source of cybersecurity talent, NSC official says


Nextgov: It Takes More Than Tech Skills To Be a Strong Cyber Leader



OIG Audit: DHS Needs to Improve Network Protection

(March 8, 2018)

A report from the Department of Homeland Security (DHS) Office of Inspector General (OIG) found that the agency is not adequately protecting its networks. Among the issues the audit found were the use of unsupported operating systems (Windows Server 2003); workstations missing patches, including fixes for WannaCry, Flash, Shockwave, and Acrobat; anonymous access to shared network drives not consistently disabled; and registry auditing not consistently enabled. The report notes that the chief reason DHS had not met its security goals was a lack of security talent.

[Editor Comments]

[Pescatore] The good news is that overall DHS's security posture improved. The bad news is that most of that improvement came from one component, the US Secret Service (my alma mater!). Overall, 5 of the 10 DHS components improved while 5 got worse or stayed the same. One common thread was that DHS does not seem to have made much progress in implementing Continuous Diagnosis and Mitigation (CDM) controls, which of course is a DHS-managed program.

Read more in:

The Register: Audit finds Department of Homeland Security's security is insecure


OIG DHS: Evaluation of DHS' Information Security Program for FY 2017




UK Government IoT Security Guidelines

(March 7, 2018)

The UK government's Secure by Design review includes a proposed code of practice for Internet of Things (IoT) manufacturers, IoT service providers, mobile application developers, and retailers that includes not allowing universal default passwords, securely storing sensitive data, making it easy for consumers to configure the devices, updating software, and implementing a vulnerability disclosure policy.

[Editor Comments]

[Ullrich] Good guidelines, and not just for the IoT. See how Cisco just patched a "default credential" vulnerability this week.

Read more in:

Gov.uk: Secure by Design: Improving the cyber security of consumer Internet of Things Report


Gov.uk: New measures to boost cyber security in millions of internet-connected devices


ZDNet: New IoT security rules: Stop using default passwords and allow software updates


V3: Government to demand 'security by design' in new measures to tackle IoT security


**************************  SPONSORED LINKS  ********************************

1) "VMRay Analyzer, agentless malware analysis and rapid incident response: A SANS Product Review" with Matt Bromiley and Chad Loeven. Register: http://www.sans.org/info/202555

2) Don't Miss: "Dramatically Reduce Incident Response Time with Splunk and Bro" Register: http://www.sans.org/info/202560

3) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202565




Windows Defender Blocks Cryptocurrency Miner Installation Attempt

(March 8, 2018)

Earlier this week, Microsoft's Windows Defender detected and stopped an attempt to infect 400,000 computers with a cryptocurrency miner. Windows Defender detected a malware downloader known as Smoke Loader or Dofoil, which was attempting to drop an Electroneum cryptocurrency miner.

[Editor Comments]

[Ullrich] Crypto currency miners are by far the most popular payloads deployed by attackers these days. Many even skip data exfiltration and deploy only crypto currency miners. It is great that Microsoft starts to look for them. These miners usually do not try to hide and are not hard to find, but you have to look for them. For your non-Windows systems make sure that you have rules in place to detect them.

Read more in:

ZDNet: Windows security: Microsoft fights massive cryptocoin miner malware outbreak


Bleeping Computer: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours




Cisco Releases Fixes for Two Critical Flaws and Other Security Issues

(March 8, 2018)

Cisco has released 22 security advisories to address issues in a variety of products. Two of the flaws are rated critical. The first is a hardcoded password in Cisco Prime Collaboration Provisioning (PCP) that a local attacker could use to attain root privileges. The issue affects only PCP 11.6, which was released in November 2016. The second is a Java deserialization issue in Cisco Secure Access Control System (ACS) that could be exploited remotely to execute arbitrary commands.

[Editor Comments]

[Murray] Infrastructure providers should have controls in place to effectively resist "hardcoded passwords." Relying on good intentions is not working.

Read more in:

Bleeping Computer: Hardcoded Password Found in Cisco Software


ZDNet: Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw


The Register: Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU


Cisco: Cisco Secure Access Control System Java Deserialization Vulnerability


Cisco: Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability




Google Releases Chrome 65

(March 7, 2018)

Google has released Chrome 65 to the stable channel. In addition to fixes for 45 security issues, Chrome 65 takes additional steps to prevent users from being redirected to pages they do not want to visit. Chrome 65 also enables Transport Layer Security (TLS) version 1.3 by default.

Read more in:

ZDNet: Chrome 65 rolls out: You're getting a stronger redirect blocker, 45 security fixes


Bleeping Computer: Google Chrome 65 Released with Tab-Under Blocking, New APIs, 45 Security Fixes


Chrome: Chrome Releases: Stable Channel Update for Desktop




FOIA Request Reveals Geek Squad Informs FBI About Child Pornography Found on Computers

(March 7, 2018)

According to documents obtained by the Electronic Frontier Foundation (EFF) through the Freedom of Information Act (FOIA), electronics chain store Best Buy's Geek Squad has been alerting the FBI when it finds child pornography on devices brought in for repairs. Best Buy maintains that it has a "moral, and, in more than 20 states, a legal obligation to report these findings to law enforcement. We share this policy with our customers in writing before we begin any repair."

[Editor Comments]

[Honan] This issue affects many security professionals and DFIR specialists. In some jurisdictions you are legally obliged to report Child Abuse Material to the authorities. In others, while there may not be a mandatory requirement to report this material, you may feel you have an ethical and moral obligation to do so. Before engaging with a new investigation or project you should clearly state to your client, including your own internal clients if you work within an organisation, what your policy is should you discover this type of material.

Read more in:

EFF: Geek Squad's Relationship with FBI Is Cozier Than We Thought


ZDNet: New documents reveal FBI paid Geek Squad repair staff as informants


Ars Technica: Best Buy defends practice of informing FBI about child porn it finds


SC Magazine: FBI used Best Buy's Geek Squad as confidential informants, FOIA docs show




Fix Available for Exim Flaw

(March 6 & 7, 2018)

A security flaw in the Exim mail transfer agent (MTA) could be exploited to remotely execute code. The vulnerability exists in all versions of Exim except 4.90.1, which was released in early February. Hundreds of thousands of email servers are affected. A fix has been released, but patching is likely to take weeks.

Read more in:

ZDNet: Open-source Exim remote attack bug: 400,000 servers still vulnerable, patch now


Ars Technica: 400k servers may be at risk of serious code-execution attacks. Patch now


Bleeping Computer: Vulnerability Affects Half of the Internet's Email Servers




Legislators Press Voting Machine Companies on Security

(March 6 & 7, 2018)

US legislators are questioning voting machine manufacturers about the security of their products. Senator Ron Wyden (D-Oregon) sent a letter to Elections Systems & Software (ESS) asking if the company has sold machines with pre-installed remote access software, and if ESS officials or technical support staff have ever recommended that their customers install such software. ESS has issued a statement saying that it "does not sell or distribute products with remote access software installed." In a separate story, Senators Amy Klobuchar (D-Minnesota) and Jeanne Shaheen (D-New Hampshire) have sent a letter to ESS, Dominion Voting Systems, and Hart Intercivic asking if they have shared their source code or other sensitive information with any Russian entity.

[Editor Comments]

[Pescatore] This is another area where DHS has moved very slooowly. In January 2017, DHS declared election systems were part of the Critical Infrastructure, but it wasn't until October 2017 that they convened the first meeting of the Sector Coordinating Council. Since then there has been near zero externally visible signs of any actual progress towards increasing the security of election processes and systems before the November 2018 elections.

Read more in:

Ars Technica: US senator grills CEO over the myth of the hacker-proof voting machine


The Hill: Wyden presses leading US voting machine manufacturer on potential hacking vulnerabilities


The Hill: Dem senators ask voting machine vendors if they shared code with Russian entities


Reuters: Senators ask vote machine vendors about Russian access to source code




FinTech Cybersecurity Consortium

(March 6, 2018)

The World Economic Forum will lead a consortium of financial institutions that will develop cybersecurity standards for financial technology (FinTech) firms. Banks and other financial institutions have been increasing relationships with FinTech companies to help keep their financial services in step with digital developments. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Honan] Oh great, just what we need: yet another cybersecurity standard!! We should concentrate on the standards we already have and where necessary improve them rather than develop more standards.

Read more in:

Reuters: World Economic Forum leads creation of fintech cyber security consortium


WSJ: Citigroup, Kabbage Form Consortium on Fintech Cybersecurity




Commissioning Rules Hinder US Military Efforts to Hire Cyber Experts from the Private Sector

(March 6, 2018)

Lt. General Paul Nakasone, commander of Army Cyber Command, told legislators that military programs established to hire cyber experts from the private sector are finding their efforts stymied by the military's inability to commission the new hires at ranks that reflect their experience. Because the people with these skills are in such high demand, private sector salaries are many times greater than the initial pay they would be offered in the military.

Read more in:

FNR: Military seeks seasoned industry professionals as next cyber warriors, but they'll have to start at the bottom




ComboJack Malware Redirects Cryptocurrency Transactions

(March 6, 2018)

ComboJack malware steals several different cryptocurrencies by replacing a transaction's destination wallet address with one controlled by the attackers. ComboJack changes the address when users have copied it to the infected device's clipboard. The malware initially spreads through a phishing email that tries to get recipients to allow an embedded file to run; it also exploits a known Windows vulnerability that was patched in September 2017.

Read more in:

SC Magazine: ComboJack malware steals digital payments, cryptocurrency, by modifying info saved to clipboards


ZDNet: ComboJack malware tries to steal your cryptocurrency by changing the data in your clipboard




City Considering Cryptomining Moratorium

(March 5 & 6, 2018)

The city of Plattsburgh, New York is considering a moratorium on new cryptomining operations because of concerns about excessive power consumption. Plattsburgh is home to two legitimate cryptomining operations. While power consumption has not yet been excessive, nearby Massena, NY, is home to a much larger cryptomining operation and there are concerns that even more companies could open shop there. Plattsburgh plans to hold a public hearing on March 15.

[Editor Comments]

[Murray] Like Iceland, northern New York is attractive to crypto miners because of an abundance of low-cost electric energy. Plattsburgh would prefer enterprises that employ people.

Read more in:

WCAX: Plattsburgh considers ban on bitcoin mining


CoinDesk: US City Mulls 18-Month Moratorium on Bitcoin Mining


SC Magazine: Legal cryptocurrency mining operation's power draw creates concern




Exploit for CVE-2018-6789


Hundreds of Bitcoin Mining Servers Stolen in Iceland


Several Android Mail Apps Send Password To Developer (article in German)



Apache Solr Vulnerability used to Install Cryptocoin Miner


Microsoft Fixes USB Issues Introduced By February Patches


123 Reg Loses Backups


Android March Security Bulletin



Ransomware News: GlobeImposter Gets A Facelift, GandCrab is Still Out there


How to Break Encryption


Bypassing Adobe Flash Security Protections




Cisco Patches


Any.Run Malware Analysis Tool



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create