
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


SANS NewsBites              November 16, 2018               Vol. 20, Num. 91



Top of The News


- US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission

- Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research


The Rest of the Week's News


- November Patch Tuesday

- Firmware Patch Available for D-Link Router Vulnerability

- Siemens Patches Eight Security Issues

- Security Concerns Prompt DOD to Disable Filesharing Service

- US Plum Island Grid Attack Exercise

- Google's Internet Traffic Took an Inadvertent Detour Earlier This Week

- Guilty Plea in Fatal Swatting Case

- Internet Storm Center Tech Corner




Top of the News


US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission

(November 14, 2018)

On Monday, November 12, the US House of Representatives agreed to a Senate version of the Cybersecurity and Infrastructure Security Agency Act. The bill, which is expected to be signed into law, will give the National Protection and Programs Directorate a new name: the Cybersecurity and Infrastructure Security Agency (CISA). The bill also elevates CISA's mission, making it an operational component alongside the Transportation Security Administration (TSA) and other agencies; CISA director Christopher Krebs will report directly to the DHS Secretary.


[Editor Comments]


[Henry] I've long been an advocate of cybersecurity coordination across US government agencies; while there have been successes in prevention and deterrence, there needs to be much more collaboration to enable those responses to scale and move at the speed of the internet. A new agency means much more responsibility and obligation, but that requires authority. If CISA can bring organizations together in a more synchronized fashion and leverage agency authorities, capabilities, and expertise, there will be value. If it becomes another level of bureaucracy, then it becomes more of the same. I hope for the former, and time will tell.


Read more in:

- DHS cyber re-org clears Congress

- Congress Passes Long-Sought Bill to Rename DHS Cyber Agency


Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research

(November 16, 2018)

The Australian government is getting more pushback to its proposed Assistance and Access encryption legislation. Daniel Weitzner, director of the Massachusetts Institute of Technology's (MIT's) Internet Policy Research Initiative (IPRI), told Australia's Parliamentary Joint Committee on Intelligence and Security (PJCIS) that if enacted, the legislation could have a chilling effect on research. A written submission from IPRI dated October 11, 2018 says, "As we understand the Bill, there would be substantial penalties for disclosing information about required changes to system design and implementation, whether through technical assistance notices or technical capacity notices. Such penalties would thwart the increasingly vital process of subjecting widely-used software to maximum public scrutiny so that third-party security researchers can have the best chance of discovering vulnerabilities." (IPRI's submission is #32 in the APH link below.)


[Editor Comments]


[Williams] Discouraging public disclosure of security research simply drives that disclosure underground.


Read more in:

- MIT to Oz: Crypto-busting laws risk banning security tests

- Submissions received by the Committee



The Rest of the Week's News


November Patch Tuesday

(November 13 & 14, 2018)

On Tuesday, November 13, Microsoft and Adobe released security updates for a variety of products. Microsoft's 16 updates fix more than 60 vulnerabilities in Windows, Edge, Internet Explorer, and other products. Among the vulnerabilities addressed are a zero-day vulnerability affecting Windows 7 and Windows Server 2008 that is being actively exploited, and a flaw in BitLocker that could be exploited to access encrypted information. Adobe released updates for flaws in Flash Player, Acrobat and Reader, and Photoshop CC.


Read more in:

- Patch Tuesday, November 2018 Edition

- It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page

- Microsoft's Patch Tuesday addresses Zero Day vulnerabilities

- Microsoft patches Windows zero-day used by multiple cyber-espionage groups

- Security updates available for Flash Player | APSB18-39


- Security updates available for Adobe Acrobat and Reader | APSB18-40

- Security updates available for Adobe Photoshop CC | APSB18-43


- Security Update Summary


Firmware Patch Available for D-Link Router Vulnerability

(November 15, 2018)

D-Link has made a firmware update available to address an authentication bypass vulnerability in its DIR-850L wireless router. Researchers at Synopsys write that the issue allows clients to communicate with the router without completing the full WPA handshake; attackers could exploit the flaw to gain unauthenticated access to the router's network, from where they could launch further attacks. Synopsys discovered the problem and notified D-Link in early August. D-Link published the firmware patch on November 6, 2018.


[Editor Comments]


[Williams] This is not nearly as concerning as some other recently publicized router vulnerabilities. This vulnerability would allow attackers to communicate on the network only using unencrypted packets. These packets should not be processed by other endpoints that have legitimately connected to the router, so the risk is minimal.


[Murray] This vulnerability is to the wireless side of these access points, where we do not see systematic attacks, but D-Link routers have been shown to be vulnerable to the wire side where we do see systematic attacks. Those responsible for large numbers of these routers should patch them. Those who use one or two should take this as the occasion to upgrade.


Read more in:

- D-Link router vulnerability detailed

- CyRC analysis: CVE-2018-18907 authentication bypass vulnerability in D-Link DIR-850L wireless router

- DIR-850L ::H/W Revision A :: CVE-2018-18907 - WiFi encryption bypass


Siemens Patches Eight Security Issues

(November 13 & 14, 2018)

Siemens has released security updates to address eight vulnerabilities in its IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC; Siemens S7-400 CPUs; Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal); SCALANCE S; SIMATIC S7; SIMATIC STEP 7 (TIA Portal); and SIMATIC IT Production Suite. The vulnerabilities include improper access control flaws, improper input validation, code injection, cross-site scripting, resource exhaustion, unprotected storage of credentials, improper authentication, path traversal, and open redirect vulnerabilities. The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released advisories about the flaws (ICSA-18-317-01 through ICSA-18-317-08).


Read more in:

- Siemens Patches Firewall Flaw That Put Operations at Risk


- ICS-CERT announces updates for several Siemens products


- ICS-CERT Advisories


Security Concerns Prompt DOD to Disable Filesharing Service

(November 12 & 15, 2018)

The US Department of Defense (DOD) has disabled the Army Aviation and Missile Research Development and Engineering Center Safe Access File Exchange (AMRDEC SAFE), a filesharing service used by army aviation and missile research centers, as a preventative measure after government-internal agencies identified potential security risks. In a message on the AMRDEC SAFE portal, DOD says that it is uncertain whether the site will be reinstated.


[Editor Comments]


[Williams] There was obviously a need for this capability. It is almost certain that another solution (one not adequately controlled or monitored) will be found by users if the Army doesn't move quickly to replace this capability. Like many platforms in production today, the SAFE tool was never developed to be used as a long-term or widespread file sharing solution. The platform likely saw early success and experienced deployment scope creep without additional security testing.


Read more in:

- DOD disables file sharing service due to 'security risks'

- DOD file sharing tool disabled due to vulnerability


US Plum Island Grid Attack Exercise

(November 14, 2018)

The seven-day power grid cyberattack simulation that took place on Plum Island at the beginning of the month involved a black start: participants had to restart a grid that had been out for weeks, meaning that substation batteries would be drained. Participants worked to restore power to the grid while coming under attack from a red team. The exercise was organized by the Defense Advanced Research Projects Agency (DARPA) and involved more than 100 people. (We covered this story earlier in the week and wanted to provide links to articles that are not behind a paywall.)


[Editor Comments]


[Murray] Widespread outages in the past have been the result of orderly shut-downs after component failures and/or changes in load. These shut-downs are designed to facilitate an early and orderly restart. This exercise shows the importance of early re-start. While instructive, and difficult, this exercise was very limited in scope. An attack is likely to be much wider in scope.


Read more in:

- The Hail Mary Plan to Restart a Hacked US Electric Grid

- Pentagon Researchers Test 'Worst-Case Scenario' Attack on U.S. Power Grid

Google's Internet Traffic Took an Inadvertent Detour Earlier This Week

(November 13 & 14, 2018)

On Monday, November 12, traffic that should have been routed through Google's Cloud Platform was instead routed through Russia, China, and Nigeria. The incident appears to have been caused by a Border Gateway Protocol (BGP) filter configuration error at an Internet service provider (ISP) in Nigeria. The issue was remedied in just over an hour. The event caused some Google services to become temporarily unavailable.


[Editor Comments]


[Ullrich] You have no control over how your traffic reaches its destination once it leaves your network. This is why you *always* need to insist on robust encryption, integrity checks and authentication.


[Honan] An excellent example as to how fragile and insecure the underlying infrastructure for the Internet is, and a reminder as to the importance of ensuring sensitive data is encrypted so it remains protected in the event of a reoccurrence of this issue, whether that occurrence is malicious or accidental.


Read more in:

- Google Internet Traffic Wasn't Hijacked, But It Was Out Of Control

- Google goes down after major BGP mishap routes traffic through China

- Google hit with IP hijack taking down several services

- Google traffic hijacked via tiny Nigerian ISP

- What Happens When Your Data Gets Redirected to China


Guilty Plea in Fatal Swatting Case

(November 13 & 14, 2018)

Tyler Barriss has pleaded guilty to charges of making a false report resulting in a death, cyberstalking, and conspiracy for his role in swatting attacks, including one that led to the death of a man in Kansas in December 2017. Barriss faces a minimum prison sentence of 20 years.


Read more in:

- Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison

- Man pleads guilty to swatting attack that led to death of Kansas man

- Scumbag who phoned in a Call of Duty 'swatting' that ended in death pleads guilty to dozens of criminal charges

- California Man Pleads Guilty In Deadly Wichita Swatting Case



Internet Storm Center Tech Corner


Microsoft Patch Tuesday


Adobe Security Bulletins


Details about Zero Day Exploit Taking Advantage of Win32k Vuln.


PacSec Pwn2Own Results (day one, day two)


More Spectre/Meltdown Flaws (PDF)


Emotet Spreading IcedID Banking Malware


Crypto Miners Abusing Insecure Docker Installs


GPS Watches Can Be Used To Track Kids


Firefox Will Notify Users of Breached Sites


David Kennel: All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System




The Editorial Board of SANS NewsBites


Alan Paller

Brian Honan

David Hoelzer

David Turley

Dr. Eric Cole

Ed Skoudis

Eric Cornelius

Gal Shpantzer

Jake Williams

Dr. Johannes Ullrich

John Pescatore


Lee Neely

Mark Weatherford

Mason Brown

Michael Assante

Rob Lee

Sean McBride

Shawn Henry

Stephen Northcutt

Suzanne Vautrinot

Tom Liston