

SANS NewsBites                July 3, 2018                 Vol. 20, Num. 052




White House Unhappy with NDAA Provisions Restricting Presidential Authority Over Military Cyber Units


House Bill Aims to Protect Critical Infrastructure Industrial Control Systems


Pentagon's Defense Digital Service Brings Together Private Sector and Military Cyber Talent



More Facebook API Restrictions


Facebook Blocking Bug


Former Equifax Employee Settles Insider Trading Charges


Gentoo GitHub Breach


Girls Who Code Releases Policy Agenda


Lithuania Leads Formation of European Cyber Rapid Response Force


Senate Committee Advances Bill That Would Reestablish State Dept. Cyber Post

***************************  Sponsored By CyberX    ************************

Don't Miss: "All Your Network Traffic Are Belong to Us: VPNFilter Malware and Implications for ICS" with Tim Conway, Doug Wylie and Phil Neray Register: http://www.sans.org/info/205105


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course, Offer Ends July 18.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






White House Unhappy with NDAA Provisions Restricting Presidential Authority Over Military Cyber Units

(June 28, 2018)

The current version of the National Defense Authorization Act (NDAA) includes provisions that restrict the president's authority to direct generals to launch cyberattacks. The NDAA in its current form also requires the president to develop and abide by a cyberwarfare strategy document that describes which activities merit cyber retaliation, and it could bar retaliatory attacks by the military absent a specified level of confidence in attribution.

[Editor Comments]

[Williams] Placing limits on who can initiate a cyber attack (and under what circumstances) is an undeniably good thing. The potential for collateral damage through cyber attacks targeting integrity and/or availability of systems should deter us from using them in all but the most serious of situations. All too often military cyber operations are seen as an alternative to kinetic action, when in reality they should be seen as a x capability (that have the potential for every bit as much damage). Cyber attribution is notoriously difficult (and often flawed). Requiring only the highest levels of attribution before allowing a cyber attack is paramount to ensuring that we don't create new conflicts by indiscriminately attacking innocent parties.


Read more in:

Cyberscoop: As the military's cyber units change guard, a battle over control rages on



House Bill Aims to Protect Critical Infrastructure Industrial Control Systems

(June 25, 2018)

The US House of Representatives has passed the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, which would formalize work the Department of Homeland Security (DHS) already does to identify and mitigate threats to the industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that run the country's critical infrastructure. There is currently no companion bill in the Senate.

[Editor Comments]

[Murray] Our dependence upon infrastructure, particularly electrical, cannot be exaggerated. It is an existential vulnerability. Most of that infrastructure is owned and operated by the private sector. Local, rate-based, regulation encourages low operating cost over long-term resilience. The Federal Government can and must redress that imbalance.  

Read more in:

The Hill: House passes bill to addressing industrial cybersecurity




Pentagon's Defense Digital Service Brings Together Private Sector and Military Cyber Talent

(July 2, 2018)

A partnership between US Army cyber talent and the Defense Department's Defense Digital Service has produced anti-drone technology useful to soldiers on active duty in the Middle East, at a cost far below what military contractors have been paid to address the same problem. The team field-tested the technology with soldiers in Afghanistan, which resulted in a major redesign of the tool. One member of the testing group said of the project, "This was really the first time I've ever seen a procurement process like this, where they came to us with an initial concept and said, 'Before we start putting this into production, we want your input.'"

[Editor Comments]

[Neely] This was a remarkable process where existing restrictions were overcome. Developers purchased computers in parts, not only because available resources didn't permit the work needed for the project but also because procurement restrictions made acquisition of the needed hardware non-viable. The point is that while standards and policies are necessary, they need examination and revision to ensure they don't prevent achievement of mission objectives, disallow innovation, or drive development of shadow IT and other workarounds.

[Paller] This story is a great example of how the Defense Department's Defense Digital Service has produced remarkable results. I have seen others, as well. The exceptions however are just as dramatic where, for example in a case in Army cyber manpower, the outside digital experts got wrapped up in wanting to show they were stars and disdained obvious solutions for which they could not see a way to take credit.

Read more in:

Wired: The Pentagon is Building a Dream Team of Tech-Savvy Soldiers


**************************  SPONSORED LINKS  ****************************

1)  Learn how Red Canary built and executed a new training model to reinvent personnel training and professional development.  Register:  http://www.sans.org/info/205110

2) "Cloud Security Visibility: Establishing security control of the cloud estate" with David Shackleford.  Register:  http://www.sans.org/info/205115

3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205120 and enter to win a $400 Amazon gift card!




More Facebook API Restrictions

(July 2, 2018)

Facebook has implemented changes to its platform that further limit developer access to user data. Effective immediately, public content discovery APIs will be limited to page content and public posts on certain verified profiles. Anyone using Marketing API will be required to undergo an app review.

Read more in:

Engadget: Facebook puts more limits on developer access to user data


ZDNet: Facebook rolls out API restrictions, discloses blocking bug


Facebook: A Platform Update




Facebook Blocking Bug

(July 2, 2018)

Facebook has disclosed a bug that temporarily unblocked some people whom users had blocked. The bug allowed those people to view some content posted by the users who had blocked them, but not private posts or posts shared with friends only. Facebook has since fixed the problem. The issue affected roughly 800,000 users of Facebook and Messenger.

Read more in:

CNET: Here's the latest Facebook bug that (slightly) compromised your privacy


BBC: Facebook bug unblocked unwanted users


Facebook: Letting People Know About a Blocking Bug




Former Equifax Employee Settles Insider Trading Charges

(June 29, 2018)

A former Equifax employee who was recently charged with insider trading has settled those charges. Sudhakar Reddy Bonthu has agreed to repay $77,333.79 USD (plus interest) he made through a transaction conducted based on information about the massive Equifax breach that was not yet public.

[Editor Comments]

[Murray] And still faces criminal charges.

Read more in:

BankInfoSecurity: Equifax Coder Settles Insider Trading Charges With SEC




Gentoo GitHub Breach

(June 28 & 29, 2018)

Attackers who compromised the Gentoo Linux organization on GitHub on June 28, 2018, planted code designed to delete users' files in the distribution's repositories hosted there. Gentoo developers locked down the organization while they assessed the damage.

[Editor Comments]

[Neely] While the breach only lasted about nine hours, it's not clear what was and wasn't compromised. If you downloaded anything from their GitHub site on or after June 28th and before June 30th, roll back to the older versions to be safe. The Gentoo non-GitHub sites were not impacted. Check their infrastructure status site for status on the remediation: infra-status.gentoo.org/notice/20180629-github: Summary as of 2018-06-30 06:15 UTC


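The editor's advice above (roll back anything pulled from the GitHub organization in the compromise window) raises the practical question of how to audit a clone. The script below is an added example for this item, not Gentoo project code and not the actual payload from the incident: it takes a list of commit records (constructed here; in practice you would build them by parsing `git log -p` output) and flags commits dated inside a time window whose added lines contain an `rm` that recursively deletes a root or home path. The window boundaries, the sample commits and the `DANGEROUS_TARGETS` heuristic are assumptions for illustration; legitimate ebuilds do use `rm -rf` inside their own build directories, which is why the check looks at the target rather than the command alone.

```python
"""Flag file-wiping commands introduced into a git history window.

Added example for this NewsBites item; not Gentoo project code and not the
payload used in the June 2018 incident. Commit records and the time window
are constructed for illustration.
"""
import re
import shlex
from datetime import datetime, timezone

# Paths that no legitimate ebuild should delete recursively (assumed heuristic).
DANGEROUS_TARGETS = {
    "/", "/*", "~", "~/", "~/*",
    "$HOME", "$HOME/*", "${HOME}", "${HOME}/*",
}

# One `rm` invocation up to the next shell operator; the argument text is
# handed to shlex so that quoting such as "$HOME"/* is resolved.
RM_RE = re.compile(r"(?:^|[;&|(]\s*|\s)rm\s+(?P<args>[^;&|)]+)")

# Window taken from the editor comment above: downloads on or after June 28
# and before June 30, 2018 are suspect (assumed boundaries, UTC).
WINDOW_START = datetime(2018, 6, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 6, 30, tzinfo=timezone.utc)


def destructive_rm(line: str) -> bool:
    """True if the line runs `rm` recursively against a root or home path."""
    for match in RM_RE.finditer(line):
        try:
            args = shlex.split(match.group("args"))
        except ValueError:  # unbalanced quotes: fall back to a plain split
            args = match.group("args").split()
        flags = [a for a in args if a.startswith("-")]
        targets = [a for a in args if not a.startswith("-")]
        # -r / -R in a short flag cluster, or the long form; --no-preserve-root
        # alone does not make the call recursive.
        recursive = any(
            f == "--recursive" or (not f.startswith("--") and "r" in f[1:].lower())
            for f in flags
        )
        if recursive and any(t in DANGEROUS_TARGETS for t in targets):
            return True
    return False


def find_destructive_lines(commit: dict) -> list:
    """All added lines in one commit record that match the heuristic."""
    return [line for line in commit["added"] if destructive_rm(line)]


def audit_commits(commits, start, end):
    """Return (sha, line) pairs for destructive lines in commits dated in [start, end)."""
    findings = []
    for commit in commits:
        when = datetime.fromisoformat(commit["date"]).astimezone(timezone.utc)
        if not (start <= when < end):
            continue
        for line in find_destructive_lines(commit):
            findings.append((commit["sha"], line))
    return findings


# Constructed commit records: the shape you would get after parsing
# `git log -p`, keeping only the lines each commit added.
SAMPLE_COMMITS = [
    {"sha": "a1", "date": "2018-06-27T12:00:00+00:00",
     "added": ['rm -rf "${S}/bundled" || die']},                  # normal ebuild cleanup
    {"sha": "b2", "date": "2018-06-28T21:05:00+00:00",
     "added": ["# bump", 'rm -rf "$HOME"/*']},                     # in window, wipes home
    {"sha": "c3", "date": "2018-06-29T03:30:00+00:00",
     "added": ["rm -fr --no-preserve-root /"]},                    # in window, wipes root
    {"sha": "d4", "date": "2018-06-29T02:00:00+00:00",
     "added": ['emake install && rm -rf "${D}/usr/share/doc"']},  # in window, benign
    {"sha": "e5", "date": "2018-07-01T09:00:00+00:00",
     "added": ["rm -rf /"]},                                       # destructive, outside window
]

if __name__ == "__main__":
    for sha, line in audit_commits(SAMPLE_COMMITS, WINDOW_START, WINDOW_END):
        print(f"{sha}: {line}")
```

The heuristic is deliberately narrow: it catches the obvious "wipe the home directory or root" payload and leaves the many legitimate `rm -rf "${S}/..."` and `rm -rf "${D}/..."` lines alone. Commit `e5` shows why the window matters: `find_destructive_lines` still reports it, but the audit only raises the commits that fall inside the dates the editor flagged, so a real review should run both checks.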

Read more in:

Gentoo: Github Gentoo organization hacked - partially resolved


Wiki Gentoo: Github/2018-06-28


Bleeping Computer: File-Wiping Malware Placed Inside Gentoo Linux Code After GitHub Account Hack


eWeek: Gentoo Linux Reports Hack of GitHub Mirror Site


The Register: Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code




Girls Who Code Releases Policy Agenda

(June 25, 28, & 29, 2018)

Of the 64,000 students who graduated with computer science degrees in 2016, just 18 percent were women. Girls Who Code, a non-profit organization committed to closing the gender gap in technology, has released a comprehensive policy agenda with recommendations for attracting girls in grades K-12 to computer science and retaining them in the field. The four policy recommendations are: track and report data on computer science participation; expand computer science courses to all middle schools; increase exposure to women and other underrepresented groups in tech; and fund professional development with a focus on gender inclusion.

[Editor Comments]

[Pescatore] When I think back on some of the worst business decisions I've experienced or participated in, the common denominators are (1) not having, or ignoring, actual relevant data; and (2) group think, where lack of diverse opinions and viewpoints often resulted in ignoring actual relevant data. More diverse coders, with better data about threats and what makes code safer, would be a very good thing for security overall.

[Neely] The most effective development teams I've worked with were both gender and ethnically diverse. How can you do this? One way is introducing students to positive female role models at an early age to show them what is possible. Example - the Expanding Your Horizons program has female role models leading math and science hands-on workshops; this introduces science to young women in a more personal, non-threatening and constructive way.


[Murray] It has been a long time since I managed development and perhaps memory fails. However, my recollection is that my most productive coders were women.

Read more in:

Girls Who Code: Girls Who Code Releases Comprehensive Policy Agenda



Girls Who Code Releases Policy Agenda to Address Gender Gap


The Hill: Girls Who Code unveils new plan for closing tech's gender gap




Lithuania Leads Formation of European Cyber Rapid Response Force

(June 22, 25, 27, & 28, 2018)

Lithuania, along with several other European Union (EU) countries, plans to establish a European Cyber Rapid Response Force. Lithuania made the initial proposal; Estonia, the Netherlands, Croatia, and Romania signed the Declaration of Intent in June. Finland, France, Spain, and Poland plan to join by the end of the year. Four additional countries, Germany, Slovenia, Belgium, and Greece, will participate as observers.

Read more in:

Kam: EU member states to develop European cyber response force proposed by Lithuania


Baltic Course: 9 EU member states agree to create a cyber rapid response force


The Register: EU summons a CYBER FORCE into existence


CBROnline: Lithuanian Leads Seven EU Countries in Forming a Cybersecurity Response Team




Senate Committee Advances Bill That Would Reestablish State Dept. Cyber Post

(June 26, 2018)

The US Senate Foreign Relations Committee has advanced the Cyber Diplomacy Act, legislation that would, among other things, reestablish the State Department's cybersecurity office under a new name. The Office of Cyberspace and the Digital Economy would be headed by a presidential appointee with the rank of ambassador.

Read more in:

FCW: Senate panel votes to revive State cyber office





MacOS Malware Targeting Slack/Discord Crypto Communities


New LTE Attacks Made Public


Rowhammer Attacks Against Android


Odd PHP Exploit Attempt


Diameter Security Report


Attack Against Trezor via DNS or BGP


Symantec Offers VPNFilter Check



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create