
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #57

July 20, 2018


SANS NewsBites               July 20, 2018                Vol. 20, Num. 057




Energy Companies Face New FERC Breach Reporting Requirements


House Bill Would Amend Homeland Security Act to Include CDM


Dept. of Interior OIG Completes Second Part of Hydroelectric Dam Cybersecurity Investigation



DOJ Digital Task Force Report Includes Plan to Alert Companies and Individuals to Foreign Malicious Cyber Operations


Cisco Releases 25 Security Updates


Leaky AWS S3 Bucket at Political Robocalling Form


Judge Rebukes FBI Agent Over Improper Stingray Use


Oracle Critical Patch Update


LabCorp Discloses Security Incident in SEC Filing


Microsoft Patches Patches



***************************  Sponsored By A10 Networks **********************

DDoS attackers have evolved by weaponizing IoT devices. However, defenders continue to depend on technologies developed in the 2000s that lack the precision, scalability or automation needed to fight in the current cyber battlefield. Join us on this webinar with John Pescatore and Don Shin, Security Advocate at A10 Networks, to learn the techniques you must incorporate into your security strategy. Register: http://www.sans.org/info/205420


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro, Microsoft Surface Pro, or take $350 Off with Any OnDemand or vLive Course. Offer Ends August 1.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






Energy Companies Face New FERC Breach Reporting Requirements

(July 19, 2018)

The Federal Energy Regulatory Commission (FERC) has issued a ruling that directs the North American Electric Reliability Corporation (NERC) to develop expanded rules for cyber incident reporting, requiring utility companies to report more information about cyberattacks. Utilities will be required to report not only attacks that result in compromise or cause disruption, but also attempted cyberattacks that could pose harm [to the] reliable operation of the nation's bulk electric system.

Read more in:

Cyberscoop: Utilities will have stricter cybersecurity reporting requirements under new ruling


Reuters: U.S. energy regulator wants more disclosure of cyber attacks


FERC: FERC Requires Expanded Cyber Security Incident Reporting




House Bill Would Amend Homeland Security Act to Include CDM

(July 19, 2018)

US Representative John Ratcliffe (R-Texas) has introduced a bill that would make the Department of Homeland Security's (DHS's) Continuous Diagnostics and Mitigation (CDM) program law. The Advancing Cybersecurity Diagnostics and Mitigation Act would amend the Homeland Security Act of 2002 to include CDM. The bill would also require regular improvement of the CDM program to incorporate new modifications and technologies.

[Editor Comments]

[Pescatore] While the stated goals of the proposed bill (improve CDM program management and reduce the insanity around the funding and procurement processes) are badly needed, I can't really think of an example in federal security where a bill ever actually improved the security level of government agencies. There is also a glaring lack in the proposed legislation: there is no mandate for measuring and reporting actual improvements in security, showing reduced damage, lowering of time to detect/respond/restore, etc., key metrics that every security program needs.

[Neely] While the bill will help with those currently electing to opt out of CDM, two big challenges are keeping the list of products that meet CDM requirements current, and providing funding, not only for licenses but also for implementation and ongoing maintenance. Currently, funding has been offered for licenses with first-year maintenance and integration support needed for reporting into federal dashboards, leaving agencies to find the resources for ongoing maintenance and lifecycle.

[Paller] The principal error being made by some CDM observers (apparently by people who have never successfully made major improvements in security but think they are experts) is in demanding that CDM should simultaneously measure large numbers of controls before deploying system by system daily/weekly improvement in security. All the security improvements from CDM will come about when system administrators make the most important security improvements every day. That can happen only if CDM is monitoring a subset of critical security controls that can be automatically measured very frequently. The subset can grow as agencies make major progress.

Read more in:

Nextgov: Government's Cyber Monitoring Program Would Become Law Under House Bill


SC Magazine: Proposed legislation would empower DHS to modernize Continuous Diagnostics Mitigation cyber program


FCW: New CDM bill aims for flexibility, newer tech


Ratcliffe: Advancing Cybersecurity Diagnostics and Mitigation Act



Dept. of Interior OIG Completes Second Part of Hydroelectric Dam Cybersecurity Investigation

(July 17, 2018)

The Inspector General for the US Department of the Interior has completed the second part of [its] series to evaluate the U.S. Bureau of Reclamation's (USBR's) practices for protecting critical hydropower dams from emerging cyber threats. The report evaluates potential cybersecurity concerns at five USBR-managed hydroelectric dams. The first part of the report was released in June 2018.

Read more in:

FCW: Dam cyber: Interior IG closes out audit of hydroelectric control systems


DOIOIG: Evaluation of the U.S. Department of the Interior's Cybersecurity Practices for Protecting Critical Infrastructure


DOIOIG: U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk From Insider Threats



**************************  SPONSORED LINKS  ********************************

1) Don't Miss: "Windows Defender ATP's Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints" with Matt Bromley. Register: http://www.sans.org/info/205425

2) To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? How do you get it? Find Out: http://www.sans.org/info/205430

3) Unisys cybersecurity experts will introduce you to a new software-defined network microsegmentation that enables dynamic perimeters to isolate the critical assets without the cost and complexity of static controls. Register: http://www.sans.org/info/205435




DOJ Digital Task Force Report Includes Plan to Alert Companies and Individuals to Foreign Malicious Cyber Operations

(July 19, 2018)

In a speech earlier this week, US Deputy Attorney General Rod Rosenstein told attendees at the Aspen Security Forum in Colorado that the Justice Department (DOJ) plans to alert US companies, private organizations, and individuals when it detects a hacking threat posed by foreign actors. This policy is part of DOJ's Cyber Digital Task Force Report, which describes categories of cyberthreats and what DOJ is doing to mitigate them.

Read more in:

The Hill: Rosenstein warns of growing cyber threat from Russia, other foreign actors


CNET: US to alert public to foreign operations targeting Americans


DOJ: Report of the Attorney General's Cyber Digital Task Force (download)




Cisco Releases 25 Security Updates

(July 19, 2018)

On July 18, Cisco released 25 security updates to address issues in Cisco Policy Suite, Cisco Nexus 9000 Fabric Switches, and other products. Four of the flaws in Cisco Policy Suite are rated critical; they involve missing or insufficient authentication requirements.

Read more in:

Cisco: Cisco Security Advisories and Alerts


Threatpost: Critical Authentication Flaws in Cisco Policy Suite Patched


ZDNet: Cisco patches critical vulnerabilities in Policy Suite


Bleeping Computer: Cisco Removes Undocumented Root Password From Bandwidth Monitoring Software




Leaky AWS S3 Bucket at Political Robocalling Form

(July 18, 2018)

A misconfigured AWS S3 bucket at a political robocalling company has exposed personal information of hundreds of thousands of US voters. The leaky bucket held voters' names, addresses, political party affiliations, birth years, and demographics including ethnicity, education levels, and languages.

[Editor Comments]

[Neely] While AWS has increased awareness of insecure S3 configuration choices when creating new buckets, this data was in a bucket created prior to those changes. As security in the cloud is continuously evolving, regular review and continuous monitoring of security configurations to keep pace with best practices is needed.

Read more in:

The Register: Who's leaving Amazon S3 buckets open online now? Cybercroooks, US election autodialers


SC Magazine: Open AWS S3 bucket at political robocall firm exposes 2,600 files


ZDNet: Thousands of US voters' data exposed by robocall firm


Cyberscoop: Hundreds of thousands of voter records exposed on misconfigured server, researcher says
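The kind of configuration review Neely's comment calls for, as an added example that is not SANS' or AWS's own code: it evaluates the three documents that decide whether a bucket is public (its ACL grants, its bucket policy, and its Public Access Block settings) and returns one finding per exposure. The sample documents are constructed inline; in a real audit they would come from boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls, and the bucket name is a placeholder.

```python
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # anyone on the internet / any AWS account
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_findings(acl):
    """Permissions the bucket ACL grants to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        who = grant.get("Grantee", {})
        if who.get("Type") == "Group" and who.get("URI") in PUBLIC_GROUPS:
            out.append(f"ACL grants {grant['Permission']} to {who['URI'].rsplit('/', 1)[-1]}")
    return out

def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anonymous or any AWS identity."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_findings(policy_json):
    """Allow statements open to everyone; a Condition only narrows, so still flag."""
    out = []
    for st in json.loads(policy_json or "{}").get("Statement", []):
        if st.get("Effect") == "Allow" and is_wildcard_principal(st.get("Principal")):
            acts = st.get("Action", [])
            acts = acts if isinstance(acts, list) else [acts]
            note = " (narrowed by Condition)" if "Condition" in st else ""
            out.append(f"policy {st.get('Sid', '?')} allows {','.join(acts)} to *{note}")
    return out

def pab_findings(pab):
    """Public Access Block settings that are absent or switched off."""
    if pab is None:
        return ["no Public Access Block configured"]
    return [f"{flag} is off" for flag in PAB_FLAGS if not pab.get(flag)]

def audit_bucket(acl, policy_json, pab):
    """One finding per exposure; an empty list means nothing is public."""
    return acl_findings(acl) + policy_findings(policy_json) + pab_findings(pab)

# Constructed samples: a leaky bucket (world-readable ACL, public-read policy,
# no Public Access Block) and the same bucket after remediation.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
WORLD_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
LEAKY_ACL, SAFE_ACL = {"Grants": [OWNER, WORLD_READ]}, {"Grants": [OWNER]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-robocall-data/*"}]})
SAFE_PAB = {flag: True for flag in PAB_FLAGS}
```

Running audit_bucket over every bucket in an account on a schedule, and alerting on a non-empty result, is the continuous monitoring the comment describes; a bucket created before newer console warnings existed is caught the same way as a new one.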




Judge Rebukes FBI Agent Over Improper Stingray Use

(July 18, 2018)

A federal judge chastised an FBI agent for improper use of a stingray, also known as a cell-site simulator or IMSI catcher, and for an improper search of a cellphone. In April 2016, an FBI agent sought and obtained warrants from a county superior court judge in California to search a suspect's cellphone and to use a stingray to locate a second suspect. California law does not permit state judges to sign off on warrants for federal agents. Court documents also show that the FBI agent misled the judge about what a stingray does.

Read more in:

Ars Technica: Judge slams FBI for improper cellphone search, stingray use


SC Magazine: Federal Judge scolds FBI agent for improper stingray use




Oracle Critical Patch Update

(July 18, 2018)

On Wednesday, July 18, Oracle issued a Critical Patch Update that includes fixes for 334 security issues. Sixty-one of the fixes are rated critical. Overall, 37 percent of the fixes in the July Critical Patch Update are for third-party components.

[Editor Comments]

[Murray] Not to worry: they fixed them all. Testing is complete when the programmer can no longer find any more of his own errors.

Read more in:


Oracle: Oracle Critical Patch Update Advisory - July 2018


eWeek: Oracle Patches 334 Flaws in July Critical Patch Update


Threatpost: Oracle Sets All-Time Record with July Critical Patch Update




LabCorp Discloses Security Incident in SEC Filing

(July 17 & 18, 2018)

Medical testing and diagnostics company LabCorp shut down some of its systems after it detected suspicious activity on its network last weekend. LabCorp disclosed the incident in a July 16, 2018 Securities and Exchange Commission (SEC) filing, noting that the company expected to have systems functioning properly within several days. Reports not confirmed by LabCorp suggest that the incident may have compromised data. 

Read more in:

SC Magazine: Suspicious network activity could be symptom of breach at diagnostics firm LabCorp


The Register: Blood test biz LabCorp pulls plug on systems over hacker fears


PHX: United States Securities and Exchange Commission Form 8-K: Laboratory Corporation of America Holdings




Microsoft Patches Patches

(July 17, 2018)

Nearly a week after Patch Tuesday, Microsoft's scheduled monthly security update release, the company has issued 27 additional patches for Windows. The new fixes address four flaws introduced in the July Patch Tuesday release.

[Editor Comments]

[Neely] In the modern threat landscape, we've moved to a mindset of continuous patching, and operating systems such as Windows 10 which work to keep themselves continuously patched have increased our reliance on the vendor QA process. Where regression testing is still performed, often there is little time for comprehensive testing. Remember it is still key, particularly for server updates.

Read more in:

Computerworld: Stung by a festering pile of bugs on Patch Tuesday, MS releases 27 more patches





Searching for Geographically Improbable Login Attempts


Typo3 CMS Update


GitHub Expands Security Scanner to Python


Money Laundering Scheme Exposed by Open Mongo Database


Increase in Scans for Port 15454


Oracle Quarterly Critical Patch Update


Venmo Public Transaction API


Credential Stuffing Responsible for Majority of Login Attempts


Cisco Patches


Diqee Smart Vacuum Vulnerabilities


Instagram About to Release 2FA Update


Reporting Malicious Websites



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create