

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.




SANS NewsBites               March 20, 2018                Vol. 20, Num. 022



US-CERT Alert on Russian Infiltration of Critical Infrastructure Systems

Facebook CISO Alex Stamos May Be Leaving the Company Later This Year

More US States Adopting Auditable Paper Trails to Safeguard Election Reliability


Ethereum Falls in Wake of SEC ICO Investigations

Cambridge Analytica Facing Investigations After Revelation of Facebook Data Harvesting

New York State Municipal Power Companies Can Charge Cryptocurrency Miners Higher Rates

Phantom Secure Executives Indicted on RICO Charges

Science Advocacy Group Urges NRC Not to Limit Cyber Security

Election Security ISAC Announced

Legislators Want to Fully Fund Dept. of Homeland Security's CDM Program

ICANN Considering Limiting Access to Domain Name Registration Data

EU Needs Single Vulnerability Disclosure Policy



***************************  Sponsored By Cylance  **************************

Get the free Cylance ebook - "Introduction to Artificial Intelligence for Security Professionals."  Learn about AI and machine learning techniques and methods in practical situations that have proven most successful in predicting and preventing cyberattacks. http://www.sans.org/info/202880



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




US-CERT Alert on Russian Infiltration of Critical Infrastructure Systems

(March 16, 2018)

Last week, the US Department of Homeland Security's (DHS's) US-CERT and the FBI issued a joint technical alert warning that "Russian government cyber actors ... targeted government entities and multiple U.S. critical infrastructure sectors." The alert notes that the targets were deliberately chosen rather than having been targets of opportunity. Federal regulators and the power industry say that the hackers did not compromise operations at US power plants. Experts speaking to the Washington Post said that the redundancy and distributed structure of the country's power grid mean that it is virtually impossible for the entire grid to be taken down in a cyber attack. One expert noted that the fact that the grid exists in an unreliable environment and goes down frequently is the key to its resilience.

Read more in:

US-CERT: Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors


eWeek: US-CERT Finds Russian Hackers Spent Months Inside Targeted Systems


Fifth Domain: US says Russian hack did not compromise power grid, plants


Washington Post: Why Russian hackers aren't poised to plunge the United States into darkness




Facebook CISO Alex Stamos May Be Leaving the Company Later This Year

(March 19, 2018)

The New York Times reported that Alex Stamos is leaving his position as chief information security officer (CISO) at Facebook because of disagreements over how the company handled Russia's use of the social media platform to spread misinformation. The report says Stamos plans to leave the company by August 2018. On Monday evening, Stamos tweeted "Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security."

[Editor Comments]

[Paller] I know of no other conflict that has caused as many CISOs to leave or be terminated as the question of how much to disclose in the aftermath of a breach. The only survival strategy we have seen is to find a way to keep the lawyer (and sometimes the communications director) out of the meetings. If that is possible, the CISO's key job is to encourage senior executives to understand how little chance there is that the company will be able to keep a lid on the information and how much worse late disclosure is than early disclosure.

Read more in:

NYT: Facebook Executive Planning to Leave Company Amid Disinformation Backlash


Ars Technica: Facebook's security chief to depart role over handling of misinformation [Updated]


Cyberscoop: Facebook CSO Alex Stamos to leave the company



More US States Adopting Auditable Paper Trails to Safeguard Election Reliability

(March 12, 2018)

US states are taking steps to make sure that their voting systems provide an auditable paper trail. Currently, five states use only direct recording electronic voting machines (DREs) that produce no paper trail; other states have a mix of systems. While some states are moving quickly to make changes, others are incorporating the changes into the lifecycle of current equipment and may not have their auditable systems in place until 2020 or later. Two states, Colorado and Rhode Island, use entirely paper-based voting systems and both require post-election risk-limiting audits.

Read more in:

Cyberscoop: Spooked by election hacking, states are moving to paper ballots
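A paper trail is only useful if someone checks it against the reported result, which is what a risk-limiting audit does. The following is an added illustration, not code from SANS, Cyberscoop or any state's audit procedure: a ballot-polling audit using the BRAVO sequential test (Lindeman, Stark and Yates, 2012), one common form of risk-limiting audit. Ballots are drawn at random from the paper record and examined one at a time; the audit stops as soon as the evidence that the reported winner really won is strong enough for the chosen risk limit, and otherwise escalates to a full hand count. The contest, vote totals, risk limit and sample draws below are constructed for the example.

```python
"""Ballot-polling risk-limiting audit (BRAVO sequential test).

Added example for the NewsBites item on auditable paper trails; it is not
code from any state's audit procedure.  Two-candidate contest, reported
winner W, reported loser L.  The test statistic starts at 1; each sampled
ballot for W multiplies it by 2*s_w and each ballot for L by 2*(1-s_w),
where s_w is W's reported share of the valid W/L votes.  Ballots showing no
valid vote for either candidate ("O") leave it unchanged.  The audit
confirms the outcome when the statistic reaches 1/risk_limit.
"""
import random


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Run the BRAVO test over an ordered sample of ballots.

    reported_winner_share: W's share of the valid W/L votes, strictly > 0.5.
    sampled_ballots: "W", "L" or "O" for each ballot, in the order drawn.
    risk_limit: maximum probability that a wrong reported outcome is confirmed.

    Returns (confirmed, ballots_examined).  confirmed is False when the
    sample was exhausted before the threshold was reached, meaning the audit
    must escalate (draw more ballots or hand-count everything).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit
    t = 1.0
    for n, ballot in enumerate(sampled_ballots, start=1):
        if ballot == "W":
            t *= 2 * reported_winner_share
        elif ballot == "L":
            t *= 2 * (1 - reported_winner_share)
        # "O" (undervote/overvote/other) leaves the statistic unchanged.
        if t >= threshold:
            return True, n
    return False, len(sampled_ballots)


def draw_ballots(paper_record, sample_size, rng):
    """Draw ballots without replacement from the paper record (ballot manifest)."""
    return rng.sample(paper_record, sample_size)


def audit_contest(reported_tally, paper_record, risk_limit=0.05,
                  sample_size=1000, seed=1):
    """Audit a reported two-candidate tally against the actual paper ballots.

    reported_tally: {"W": votes, "L": votes} as announced by the election system.
    paper_record: list of "W"/"L"/"O" for every physical ballot (constructed here).
    The seed stands in for the public dice roll that seeds a real audit.
    """
    share = reported_tally["W"] / (reported_tally["W"] + reported_tally["L"])
    rng = random.Random(seed)
    sample = draw_ballots(paper_record, min(sample_size, len(paper_record)), rng)
    return bravo_audit(share, sample, risk_limit)


if __name__ == "__main__":
    # Constructed: machines report 6,000 to 4,000; the paper agrees (plus 500 blanks).
    reported = {"W": 6000, "L": 4000}
    honest_record = ["W"] * 6000 + ["L"] * 4000 + ["O"] * 500
    print("paper agrees with tally:", audit_contest(reported, honest_record))
    # Constructed: same reported tally, but the paper shows the loser actually won.
    flipped_record = ["W"] * 4000 + ["L"] * 6000 + ["O"] * 500
    print("paper contradicts tally:", audit_contest(reported, flipped_record))
```

With a reported 60/40 split and a 5% risk limit the threshold is 20, so 17 consecutive ballots for the winner (1.2^17 is about 22) already confirm the result; a sample from a paper record that contradicts the tally drives the statistic down instead, and the audit never confirms, which is the signal to escalate to a full hand count. In a real audit the random seed comes from a public dice roll and the sample is drawn from a signed ballot manifest, which is why the paper record has to exist in the first place.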


**************************  SPONSORED LINKS  ********************************

1) Learn how to stop advanced cyberattacks and remain compliant at your hospital. Register now! http://www.sans.org/info/202885

2) Register today for SANS Ask the Expert Webcast with AGARI. Registrants will receive a chance to win an Apple Watch http://www.sans.org/info/202890

3) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202895




Ethereum Falls in Wake of SEC ICO Investigations

(March 18 & 19, 2018)

The value of Ethereum cryptocurrency fell below $500 USD over the weekend; the cryptocurrency was trading at more than $1,400 USD in January. The drop occurred after the US Securities and Exchange Commission (SEC) made clear that it intends to scrutinize initial coin offerings (ICOs). Other cryptocurrencies have taken a hit over the past several months as well.

Read more in:

Ars Technica: Ether plunges after SEC says "dozens" of ICO investigations underway


Slate: Why Have Ethereum Prices Fallen By Nearly $1,000 This Year?




Cambridge Analytica Facing Investigations After Revelation of Facebook Data Harvesting

(March 18 & 19, 2018)

Cambridge Analytica allegedly gathered data illegally from 50 million Facebook users through an online quiz and used it to serve targeted advertisements aimed at discrediting Hillary Clinton and promoting Trump's presidential campaign. The UK's Information Commissioner and the Massachusetts attorney general have launched investigations. Wikipedia describes Cambridge Analytica as "a privately held company that combines data mining and data analysis with strategic communication for the electoral process."

Read more in:

BBC: Cambridge Analytica: Warrant sought to inspect company


The Register: BOOM! Cambridge Analytica explodes following extraordinary TV expose


SC Magazine: Probes launched after Facebook boots professor, Cambridge Analytica for harvesting info on 50M Americans without permission


ZDNet: How Cambridge Analytica used your Facebook data to help elect Trump


NYT: Cambridge Analytica, Trump-Tied Political Firm, Offered to Entrap Politicians


Washington Post: Cambridge Analytica CEO appears to talk about using bribes and sex workers to sway elections on secretly recorded news video


Wired: Cambridge Analytica Execs Caught Discussing Extortion And Fake News




New York State Municipal Power Companies Can Charge Cryptocurrency Miners Higher Rates

(March 16, 2018)

The New York State Public Service Commission (PSC) has ruled that municipal power companies in that state may charge cryptocurrency mining operations higher rates than other customers. Cryptocurrency miners have been attracted to New York because of the state's abundance of relatively inexpensive hydroelectric power. A group of 36 New York state municipalities petitioned the PSC to raise rates for these customers because the demands they place on local power grids are causing rate increases for local residents. Unlike other industries that consume large amounts of power, cryptocurrency mining brings little economic development to the municipalities in which it operates.

Read more in:

Ars Technica: New York power companies can now charge Bitcoin miners more


UtilityDive: Munis to charge cryptocurrency miners higher power prices in New York


NYPSC: PSC Allows Upstate Municipal Power Authorities to Charge Higher Electricity Rates for Heavy Electricity-Using Cryptocurrency Companies (PDF)




Phantom Secure Executives Indicted on RICO Charges

(March 16, 2018)

A US federal grand jury has indicted executives from the company Phantom Secure on federal racketeering charges. The company allegedly "knowingly and intentionally participated in a criminal enterprise that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications." The company sold modified smartphones with encrypted messaging that could communicate only with other Phantom Secure devices. The FBI worked with authorities around the world on the investigation.

Read more in:

FBI: International Criminal Communication Service Dismantled


DOJ: Chief Executive and Four Associates Indicted for Conspiring with Global Drug Traffickers by Providing Encryption Services to Evade Law Enforcement and Obstruct Justice


Dark Reading: Phantom Secure 'Uncrackable Phone' Execs Indicted for RICO Crimes




Science Advocacy Group Urges NRC Not to Limit Cyber Security

(March 16, 2018)

The Union of Concerned Scientists, a non-profit advocacy organization, is urging the Nuclear Regulatory Commission to reject a petition from the Nuclear Energy Institute (NEI) industry group to ease cybersecurity requirements on systems that do not directly impact safety.

Read more in:

Reuters: U.S. nuclear power regulator urged to reject limits on cyber protections




Election Security ISAC Announced

(March 16, 2018)

The US Department of Homeland Security (DHS) has announced that the Center for Internet Security (CIS) will establish an Information Sharing and Analysis Center (ISAC) for state and local election security. The Elections Infrastructure ISAC will allow state and local election authorities to share threat and vulnerability information.

Read more in:

Cyberscoop: Election infrastructure ISAC created to share threats specific to voting systems




Legislators Want to Fully Fund Dept. of Homeland Security's CDM Program

(March 15 & 16, 2018)

Three US representatives have written to the House Appropriations Committee, asking them to fully fund the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. The letter asks that the committee "include $237 million in the Fiscal Year 2019 Homeland Security Appropriations legislation to help the CDM program and DHS' overarching cybersecurity mission of providing federal departments and agencies with the capabilities and tools they need to secure networks and systems from intrusions."  

Read more in:

The Hill: Lawmakers press for $237 million to fully fund cybersecurity program


FCW: House cyber leaders push CDM funding


Ratcliffe: Letter to House Appropriations Committee Members (PDF)




ICANN Considering Limiting Access to Domain Name Registration Data

(March 15, 2018)

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering limiting the scope of information about domain name registrations that will be publicly available. Currently, the names, addresses and contact information of entities who register domain names are usually publicly available. ICANN is considering limiting the public data to basic information about the domain, such as its location, to comply with European Union rules set to take effect in May 2018. The US government and technology companies are objecting to the proposed changes because they say the changes will make tracking down criminals more difficult.

[Editor Comments]

[Honan] The proposed changes to WHOIS as a result of GDPR are a move to protect the privacy of individuals who register their websites. ICANN's proposals will not make it impossible for researchers and law enforcement to access such data, but will make it less convenient. The balance of privacy vs security will always be a challenge, but we should not simply give up on privacy because it is "too hard."

Read more in:

The Hill: Tech companies push back against internet watchdog's new privacy rules




EU Needs Single Vulnerability Disclosure Policy

(March 13, 2018)

A blue ribbon commission says that the European Union (EU) needs a consistent cybersecurity vulnerability disclosure policy to ensure that vulnerability research can move forward unimpeded by the uncertainty of a patchwork of rules that vary from country to country.

Read more in:

Cyberscoop: EU needs one set of vulnerability disclosure rules, says expert task force




Wireshark and USB


ASMedia Flaws May Affect Intel Motherboards


Firefox Weak Master Password Hashing


Cloudflare Minifier Bug



Pwn2Own Contest


Detecting Static Reverse Engineering (PDF)


Tainted Google Suggestions (PDF)



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create