
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #31

April 20, 2018

Cloud InSecurity headlined the RSA conference (see the first story in Top of The News). Apparently users are making major (bet your business) mistakes and don't know they are mistakes. Three of the U.S.'s top cloud security experts, led by Facebook's Ben Hagan, spent the last month compiling a list of ten of the most dangerous mistakes and solutions. They will share the mistakes, and refine them and their mitigation strategies, in workshops with cloud architects from large organizations all over the country: in Washington in 7 weeks and in Austin. If you are moving any important applications to the web (AWS in this round), it would be prudent to join the conversation.

Washington, June 8:

Austin TX, June 11:


SANS NewsBites               April 20, 2018                Vol. 20, Num. 031



RSA Keynote: The Five Most Dangerous New Attack Techniques at RSA - Cloud InSecurity and Data

FDA Publishes Medical Device Safety Action Plan

Facebook Makes End Run Around GDPR for Non-EU Customers


Oracle's Critical Patch Update

Security Flaws in Treasury Dept. Bureau's Information System Controls

Cisco Releases WebEx Patches

Google Releases Chrome 66 to Stable Channel

UK and US: Russia Targeting Network Infrastructure

US Taxpayers Get Extra Day to File Returns Due to IRS Website Outages

NIST Updates Cybersecurity Framework



***************************  Sponsored By Risk Lens  *************************

Cyber Risk Quantification was the talk of RSA 18. Translating cyber risk into financial terms wakes the business to the threats that matter most and blows open the door for the funding you need. Boards, the C-suite and regulators such as the SEC demand this level of visibility. FAIR and RiskLens make this possible. Download this e-book for more!



-- SANS Security West 2018 | San Diego, CA | May 11-18

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8

-- SANS Melbourne 2018 | May 14-26

-- SANS Northern VA Reston Spring 2018 | May 20-25

-- SANS Amsterdam May 2018 | May 28-June 2

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9

-- SANS London June 2018 | June 4-12

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14

-- SANS Cyber Defence Canberra 2018 | June 25-July 7

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Pro with Smart Keyboard, a Microsoft Surface Pro or Take $350 Off with OnDemand or vLive Training until May 2.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS

-- View the full SANS course catalog and Cyber Security Skills Roadmap



RSA Keynote: The Five Most Dangerous New Attack Techniques at RSA - Cloud InSecurity and Data

(April 18, 2018)

At the Keynote Panel at the RSA Conference in San Francisco on Wednesday, SANS's Ed Skoudis, Johannes Ullrich, and James Lyne spoke about the most dangerous new attack techniques. Skoudis spoke about the security risks posed by the cloud, noting, "There is leakage when you have data stored in the wrong repositories or not stored correctly, for example, misconfigured Amazon S3 buckets." There have been many such incidents: Verizon (twice), Time Warner, and Uber, and the U.S. Army leaked over 100 gigabytes of data because of a bug in an Amazon S3 storage bucket. Skoudis suggested that organizations step up to track and manage data assets, not just systems. Ullrich spoke about the shift from stealing or locking up data to stealing processing power through cryptocurrency mining. Ullrich also showed why assuming that hardware is inherently trustworthy is increasingly dangerous.
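The "misconfigured S3 bucket" leak Skoudis describes usually comes down to a bucket ACL granting a public group or a bucket policy allowing a wildcard principal. The audit below is an added example, not code from the newsletter or the RSA panel; it works on constructed inputs shaped like the GetBucketAcl and GetBucketPolicy API results (bucket names, owner IDs and the VPC endpoint ID are placeholders), so it runs offline and can be wired to a real listing by the reader.

```python
import json

# S3 group URIs whose ACL grants expose a bucket to everyone on the internet
# or to any AWS account holder (standard S3 predefined groups).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def principal_is_wildcard(principal):
    """True if a policy statement's Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_acl_grants(acl):
    """(group URI, permission) pairs in a GetBucketAcl-style dict granted to a public group."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_sids(policy_json):
    """Sids of unconditional Allow statements with a wildcard Principal.
    Statements that gate "*" behind a Condition are not flagged here; the
    condition itself still deserves manual review."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and principal_is_wildcard(s.get("Principal"))]

def audit_bucket(name, acl, policy_json=None):
    """Combine both checks; 'public' is True if either one exposes the bucket."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_sids(policy_json) if policy_json else []
    return {"bucket": name, "acl": acl_hits, "policy": policy_hits,
            "public": bool(acl_hits or policy_hits)}

# Constructed sample inputs (placeholder bucket names and IDs, not real accounts).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky/*"}]})
SAFE_ACL = {"Grants": [OWNER]}
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-safe/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]})

if __name__ == "__main__":
    for args in (("example-leaky", LEAKY_ACL, LEAKY_POLICY),
                 ("example-safe", SAFE_ACL, SAFE_POLICY)):
        print(audit_bucket(*args))
```

Running it over every bucket in an account is the "track and manage data assets" step in practice: the inventory of buckets is the asset list, and the audit result is the exposure state of each.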

Read more in:

RSA Session and summary of their remarks:

eWeek: Security Experts Warn of New Cyber-Threats to Data Stored in Cloud

Fifth Domain: Future cyber threats will come from inside the architecture

Infosecurity Magazine: #RSAC: The Five Most Dangerous New Attacks According to SANS


FDA Publishes Medical Device Safety Action Plan

(April 19, 2018)

The US Food and Drug Administration's (FDA's) Medical Device Safety Action Plan says that the agency wants to mandate that medical devices include built-in update mechanisms and to require device manufacturers to provide a Software Bill of Materials for each of their products. The FDA also plans to explore the development of the CyberMed Safety (Expert) Analysis Board (CYMSAB), a public-private partnership that would complement existing device vulnerability coordination and response mechanisms.

[Editor Comments]

[Pescatore] I like the cybersecurity aspects of the FDA's plan; most of the elements are directly applicable to other Internet of Things vertical areas. My one hope is that the medical device industry has Facebook's security problems top of mind and reacts to FDA's plan by saying "Let's support this and hold back the political lobbying antibodies"; better to prevent our CEOs from having to do the Congressional perp walk after a billion dollar catastrophe.

[Murray] Update mechanisms dramatically increase the attack surface. For many devices, it may be better to simply replace it. The bill of materials is a great idea and could be extended to many other products.

Read more in:

Document Cloud: FDA Medical Device Safety Action Plan

Bleeping Computer: FDA Wants Medical Devices to Have Mandatory Built-in Update Mechanisms


Facebook Makes End Run Around GDPR for Non-EU Customers

(April 18 & 19, 2018)

Facebook has changed its terms of service, which will exempt 1.5 billion Facebook users from protection under the European Union's General Data Protection Regulation (GDPR). While Facebook users in Canada and the US have never been subject to EU rules, the 1.5 billion Facebook users in Latin America, South America, Africa, Asia, and Oceania have until now been governed by Facebook's Irish terms of service, but now they will be governed by Facebook's US terms of service. The move reduces Facebook's GDPR liability; under GDPR rules, EU regulators can fine companies that collect or use personal data without users' consent. Facebook maintains that it applies the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc. or Facebook Ireland.

[Editor Comments]

[Honan] During Mark Zuckerberg's recent congressional hearing testimony he made a commitment to better protect the privacy of Facebook's users. This move seems to fly counter to that statement and really underlines the saying that "if you are not paying for the product, you are the product."

Read more in:

Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law

Facebook: Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live

ZDNet: Facebook moving 1.5 billion users away from GDPR protection

BBC: Facebook to exclude billions from European privacy laws

SC Magazine: Looking to reduce GDPR liability, Facebook ports 1.5B non-U.S. users to domestic HQ

The Register: Facebook puts 1.5bn users on a boat from Ireland to California

**************************  SPONSORED LINKS  ********************************

1) Don't Miss: "Fighting Account Takeover - Change The Battle and Win" Register:

2) SANS Analyst and pen-testing professional Serge Borso discusses the insights he gained during his hands-on testing of the BreakingPoint appliance. Register:

3) How do complex systems affect the cost of your endpoint management? Take our survey:




Oracle's Critical Patch Update

(April 19, 2018)

Oracle's April security update includes fixes for more than 250 flaws in a range of products. The update includes patches for Spectre-related issues in Solaris systems. Thirty-nine of the patched flaws affect Fusion Middleware, and 14 affect Java.

Read more in:

Oracle: Oracle Critical Patch Update Advisory - April 2018

The Register: Oracle whips out the swatter, squishes 254 security bugs in its gear



Security Flaws in Treasury Dept. Bureau's Information System Controls

(April 17 & 19, 2018)

A report from the US Government Accountability Office (GAO) says that the Treasury Department's financial reporting system contains vulnerabilities that could allow government spending data to be altered. Eight flaws in the department's Bureau of the Fiscal Service's information system controls could increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs, and disruption of critical operations. The system publishes annual financial reports for every federal agency.

Read more in:

GAO: Improvements Needed in the Bureau of the Fiscal Service's Information System Controls

GAO: Management Report: Improvements Needed in the Bureau of the Fiscal Service's Information System Controls

Nextgov: Security Gaps Could Let Hackers Edit Government Spending Data, Watchdog Says


Cisco Releases WebEx Patches

(April 18 & 19, 2018)

Cisco has released updates to address an insufficient input validation flaw in its WebEx software. The vulnerability could be exploited to remotely execute arbitrary code through maliciously crafted Flash files. The flaw affects Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2; Cisco WebEx Business Suite (WBS32) client builds prior to T32.10; Cisco WebEx Meetings with client builds prior to T32.10; and Cisco WebEx Meetings Server builds prior to 2.8 MR2.

Read more in:

Cisco: Cisco WebEx Clients Remote Code Execution Vulnerability

The Register: Flash! Ah-ahhh! WebEx pwned for all of us!


Google Releases Chrome 66 to Stable Channel

(April 18, 2018)

Google has released Chrome 66. The newest stable version of the browser includes a number of security-related changes. Chrome 66 will display SSL certificate errors for Symantec certificates issued prior to June 1, 2016. Chrome 70, slated for October 2018 release, will distrust all Symantec certificates. Chrome 66 also has the Strict Site Isolation feature switched on by default, and will warn users when third-party software is injecting code into Chrome processes.

[Editor Comments]

[Stephen Northcutt] Site Isolation is a wonderful thing, but there is no such thing as a free lunch, it takes memory. Most people that I know have plenty to spare, but poorly equipped older machines with users that keep 15 windows open may experience issues as they upgrade to 66.

Read more in:

Bleeping Computer: Google Chrome 66 Released Today Focuses on Security


UK and US: Russia Targeting Network Infrastructure

(April 16, 18, & 19, 2018)

The US and the UK have issued a joint technical alert, warning that Russia has been targeting network infrastructure devices such as switches and routers to help them launch other attacks. The attacks have been going on for more than a year; they have targeted Internet service providers (ISPs), government networks, private companies, and organizations that provide critical infrastructure. The US-CERT alert notes that affected systems include Generic Routing Encapsulation (GRE) enabled devices, Cisco Smart Install (CSI) enabled devices, and Simple Network Management Protocol (SNMP) enabled network devices.
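The three device classes the alert names share one trait: a management or tunnelling service reachable from outside the network. The flow-log check below is an added example, not from the newsletter or the US-CERT alert; it flags flows from external addresses to Smart Install (TCP 4786), SNMP (UDP 161) or GRE (IP protocol 47) on internal devices. The port numbers are standard assignments, the internal ranges and the flow-record format are assumptions, and the sample records are constructed (203.0.113.0/24 stands in for the internet).

```python
import ipaddress

# Services named in the alert, keyed by (IP protocol, destination port).
# Port and protocol numbers are the standard assignments, not from the newsletter.
WATCHED = {
    ("tcp", 4786): "Cisco Smart Install",
    ("udp", 161): "SNMP",
    ("gre", None): "GRE",   # GRE is IP protocol 47 and has no port
}
# Assumed enterprise address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def parse_flow(line):
    """Parse one constructed flow record: 'src dst proto dport' ('-' for no port)."""
    src, dst, proto, dport = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": None if dport == "-" else int(dport)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def exposed_management_flows(lines):
    """Return (src, dst, service) for flows from outside the enterprise that reach
    a watched service on an internal device; internal-to-internal flows are ignored."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        key = (f["proto"], None if f["proto"] == "gre" else f["dport"])
        service = WATCHED.get(key)
        if service and not is_internal(f["src"]) and is_internal(f["dst"]):
            hits.append((str(f["src"]), str(f["dst"]), service))
    return hits

# Constructed flow records: 203.0.113.0/24 is a documentation range standing in
# for the internet; 10.0.0.0/8 and 192.168.0.0/16 are the enterprise.
SAMPLE_FLOWS = """
# src dst proto dport
203.0.113.7 10.1.1.1 tcp 4786
203.0.113.9 10.1.1.1 udp 161
203.0.113.9 10.1.1.1 gre -
10.2.2.2 10.1.1.1 udp 161
203.0.113.7 10.1.1.2 tcp 443
192.168.5.5 10.1.1.1 tcp 4786
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, service in exposed_management_flows(SAMPLE_FLOWS):
        print("external access to %s on %s from %s" % (service, dst, src))
```

A single hit is enough to justify an ACL on the device: none of these services should be reachable from untrusted networks, and a device that accepts them from the internet is exposed regardless of who is scanning.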

[Editor Comments]

[Williams] While I don't doubt that Russia is targeting routers, including SOHO devices, this report from DHS appears oddly timed. SOHO router exploits have been occurring regularly for years. Our SOC has not observed an uptick in the number of exploit attempts against SOHO and corporate routers. There is little doubt that Russia is targeting routers, but they are far from the only ones doing so. If the timing of the message is not politically driven, then perhaps there is another intelligence driver for releasing the warning now. One possibility is that US/UK intelligence has indications that Russia intends to use these accesses to perform some type of DDoS attack.

[Honan] This is not the first time a nation state has been caught hacking the infrastructure of another country: "Britain's GCHQ Hacked Belgian Telecoms Firm"

Read more in:

US-CERT: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

SC Magazine: Critical infrastructure needs shoring up after U.S., U.K. blame Russia for attacks

FCW: U.S. and U.K. say Russia targeted network infrastructure worldwide

eWeek: U.S. UK Government Say Russia Increasing Infrastructure Attacks


US Taxpayers Get Extra Day to File Returns Due to IRS Website Outages

(April 17, 2018)

The US Internal Revenue Service (IRS) gave taxpayers an extra day, until midnight Wednesday, April 18, to file their returns, due to outages that rendered certain IRS web pages unavailable for several hours on April 17. The outages were caused by hardware issues, according to an IRS spokesperson. Some of the IRS's IT systems are nearly 60 years old.

Read more in:

Ars Technica: IRS E-File system crashes on Tax Day [Updated]

Nextgov: Taxpayers Get Extra Day To File After IRS Online Tools Go Down


NIST Updates Cybersecurity Framework

(April 17, 2018)

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0 was released more than four years ago, in February 2014. The newest version of the framework includes updated guidelines for authentication and identity, cybersecurity risk self-assessment, supply chain security management, and vulnerability disclosure.

[Editor Comments]

[Murray] We have no greater opportunity to improve our overall security than by improving authentication and identity. 

Read more in:

NIST: NIST Releases Version 1.1 of its Popular Cybersecurity Framework

NVL: Framework for Improving Critical Infrastructure Cybersecurity

Cyberscoop: NIST releases updated cybersecurity framework



Guildwars Monitors Processes

IRS Extends Tax Filing Deadline Due to Outages

F5 BigIP Patches


New Webshell


WebEx Flash Vulnerability

XiaoBa Ransomware Turns to (broken) Cryptocoin Miner

XSS Issue in CKFinder image2 Plugin Affects Drupal

Oracle Quarterly Critical Patch Update

LinkedIn Autofill Clickjacking Vulnerability

Third Party Access to "Login With Facebook" Data


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit