SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #93

November 27, 2018



SANS NewsBites               November 27, 2018                Vol. 20, Num. 93



  Microsoft Describes Causes of Last Weeks Multi-Factor Authentication Problems

  German Governments Draft Router Security Guidelines

  FBI Spoofed FedEx Site to Catch Scammers


  UK Government Seizes Facebook Documents Allegedly Containing Internal Communications Related to Cambridge Analytica

  Facebook Appealing 500,000 Fine in Cambridge Analytica

  USPS Shores Up Informed Visibility API Security

  Adobe Issues Patches for Flash Flaw

  Researchers Find a Way to Evade Error-Correcting Code Rowhammer Protection

  Identity Spoofing Flaw in German Government Smart ID Card Authentication SDK is Fixed

  Amazon Short on Details About Customer Data Exposure



-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.

-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 |

-- SANS Security East 2019 | New Orleans, LA | February 2-9 |

-- SANS Amsterdam January 2019 | January 14-19 |

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 |

-- SANS Las Vegas 2019 | January 28-February 2 |

-- SANS London February 2019 | February 11-16 |

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 |

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 |

-- SANS Secure Singapore 2019 | March 11-23 |

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

-- Single Course Training

SANS Mentor |

Community SANS |

-- View the full SANS course catalog and Cyber Security Skills Roadmap


***************************  Sponsored By VMRay   ************************************

Get answers, not alerts. Learn how DFIR practitioners can speed up the investigation of a phishing attack from a matter of hours to as little as 15 minutes.




--Microsoft Describes Causes of Last Weeks Multi-Factor Authentication Problems

(November 26, 2018)

Microsoft has released details about the multi-factor authentication problems that affected users of Azure, Office 365, Dynamics, and other services last week. Microsoft identified three separate causes of the failure. The first two causesa latency in the systems front-end communication to cache services, and a race condition in processing responses from the back-end serverwere introduced in a code update that was rolled out to data centers between November 13 and 16. The third cause was triggered by the second and resulted in the back-end being unable to process requests from the front-end. Microsoft also acknowledged that telemetry and monitoring were not functioning properly, which delayed identification of the problems.

[Editor Comments]

[Honan] Kudos to Microsoft for being so open in their report and as with any incident you should not let it go to waste. Do read the report and see are there lessons from the report, or indeed, the incident that you can apply to your own environment.


Read more in:

Microsoft: Azure status history

ZDNet: Microsoft details the causes of its recent multi-factor authentication meltdown


--German Governments Draft Router Security Guidelines

(November 26, 2018)

The German government has published draft guidelines for home and small business router security. The guidelines were developed with input from vendors, telecoms, and others in the industry. Manufacturers will not be required to abide by the guidelines, but those that do will be permitted to attach a sticker signifying their compliance. The list of requirements was prompted by an incident two years ago when a failed attempt by a hacker to hijack Deutsche Telekom routers crashed hundreds of thousands of routers across the country. 

[Editor Comments]

[Murray] These standards are specific to routers and should not be applied to all appliances. They do not distinguish between the very different requirements of managed enterprise routers and unmanaged SOHO wireless access points.They assume passwords as the preferred and exclusive control, instead of strong authentication or the asymmetric key solution so effectively used by Apple. They are solution oriented rather than requirements oriented. Good first try but more work is indicated.  

Read more in:

ZDNet: Germany proposes router security guidelines BSI TR-03148: Secure Broadband Router (PDF)


--FBI Spoofed FedEx Site to Catch Scammers

(November 26, 2018)

Documents obtained by Motherboard indicate that the FBI spoofed the FedEx website in its efforts to catch scammers. According to the documents, the FBI also sent suspects Word documents that contained an image created to connect to an FBI server and reveal their IP address.

[Editor Comments]

[Henry] The use of tools to enable law enforcement to capture IP addresses of suspected criminals is not new, and their use has only increased with the widespread implementation of anonymizing technology. While the technique has had some success, it is labor intensive and sophisticated adversaries can often thwart it. The FBI would typically obtain a search warrant prior to deployment, adding to the effort and limiting the routine utility of this procedure.


Read more in:

Motherboard: The FBI Created a Fake FedEx Website to Unmask a Cybercriminal

**************************  SPONSORED LINKS  ********************************

1)  Everyday, we find data leaks where others don't. Where's your cybersecurity blindspot? Find out...

2) With the enSilo Endpoint Security Platform, the race against time is over. Download the November 2018 Endpoint Security Report by Cybersecurity Insiders.

3) Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card!




--UK Government Seizes Facebook Documents Allegedly Containing Internal Communications Related to Cambridge Analytica

(November 22, 25, & 26, 2018)

The UK parliament has seized Facebook documents related to the Cambridge Analytica data scandal. Mark Zuckerberg ignored a request to meet with UK parliament in May. The documents include emails exchanged by Facebook executives and Zuckerberg. Facebook has demanded that the documents be returned.

Read more in:

BBC: Facebook documents seized by MPs investigating privacy breach

ZDNet: UK gov't seizes documents Facebook wanted to keep private in Cambridge Analytica battle


--Facebook Appealing 500,000 Fine in Cambridge Analytica

(November 22, 2018)

In a separate but related story, Facebook is appealing a ruling from the UKs Information Commissioners office (ICO) fining the company 500,000 (US $640,600) for allowing application developers access to [user] information without sufficiently clear and informed consent, and fail[ing] to make suitable checks on apps and developers using its platform. Facebook says the penalty is not justified.

Read more in:

ZDNet: Facebook appeals 500,000 penalty over Cambridge Analytica scandal

ICO: ICO issues maximum 500,000 fine to Facebook for failing to protect users personal information (October 25, 2018)


--USPS Shores Up Informed Visibility API Security

(November 21, 22, & 26, 2018)

The US Postal Service (USPS) has fixed an authentication vulnerability in its Informed Visibility API that could have been exploited to access the personal information of 60 million people who have accounts. The Informed Visibility service is designed for bulk mail senders to make better business decisions by providing them with access to near real-time tracking data. Because the API lacked permission validation, anyone logged into could have queried the system for information about and requested changes to other users accounts. In a separate but related issue, the USPSs Informed Delivery service was the subject of an internal memo issued by the US Secret Service, which warned that thieves were exploiting weaknesses in the system to commit fraud. 

[Editor Comments]

[Pescatore] Since APIs dont have very visible front ends, standard web app security test tools and even many pen testing engagements dont effectively test them. Good to include specific requirements for demonstrating API vulnerability testing when looking at application security tools and services.

[Neely] Security evaluation of APIs and services has to be explicitly scheduled and performed as part of the SDLC because web/application scanners will not always discover and assess them.


Read more in:

KrebsOnSecurity: USPS Site Exposed Data on 60 Million Users

Nextgov: USPS Fixed Vulnerability That Exposed The Data of 60 Million People

ZDNet: USPS finally fixes website flaw that exposed 60 million users' data


--Adobe Issues Patches for Flash Flaw

(November 20 & 21, 2018)

Adobe has released fixes for a flaw in its Flash Player that could be exploited to execute code arbitrarily. Adobe has called the issue a type confusion vulnerability, meaning that Flash could potentially execute code without verifying its type. Updates are available for Windows, macOS, Linux, and Chrome OS.

[Editor Comments]

[Murray] It is now eight years since Steve Jobs wrote his criticism of Flash.  This product is historically and persistently broken and the evidence is sufficient to conclude that this product cannot be successfully secured. There is no solution to the problem that it represents other than to stop using it.  (Apple has never used Flash in iOS.  Whatever the penalty for that, Apple has paid it and is still here. While this writer has long since sold his Adobe stock, the stock market continues to love it, warts and all.)  We will never secure our infrastructure as long as dancing pigs trump a secure desktop.  Responsible people will not continue to use this porous product.  


Read more in:

Cyberscoop: Adobe issues fix for Flash bug allowing remote code execution

Adobe: Security updates available for Flash Player | APSB18-44


--Researchers Find a Way to Evade Error-Correcting Code Rowhammer Protection

(November 21 & 22, 2018)

Research published last week shows that the error-correcting code (ECC) enhancement built into memory chips as a precaution against Rowhammer attacks could be bypassed to manipulate a chips memory. ECC memory can repair bitflips. Rowhammer attacks, first documented in 2014, involve performing repeated reads or writes on specific memory locations so that they create an electrical field that flips some adjacent bits, altering the data in the memory chips. The researchers have devised a method they say can precisely flip bits in server RAM chips without triggering the ECC The issue lies in the way ECC checks for errors. One change prompts ECC to repair the flip; two flips causes ECC to crash the program. But three bits flipped would evade detection.

Read more in:

VUSec: ECCploit: ECC Memory Vulnerable to Rowhammer Attacks After All

Wired: An Ingenious Data Hack is More Dangerous Than Anyone Feared

The Register: 3 is the magic number (of bits): Flip 'em at once and your ECC protection can be Rowhammer'd

ZDNet: Rowhammer attacks can now bypass ECC memory protections

Ars Technica: Potentially disastrous Rowhammer bitflips can bypass ECC protections


--Identity Spoofing Flaw in German Government Smart ID Card Authentication SDK is Fixed

(November 21 & 22, 2018)

A vulnerability in the software that supports Germanys electronic ID card system that could have been exploited to spoof others identities has been fixed. The issue lies in the Governikus Autent software development kit (SDK) that websites use if they choose to support or exploit this federal electronic ID authentication. The firm that detected the issue notified Bund-CERT (Germanys Computer Emergency Response Team) in August 2018; the issue was fixed in October.

Read more in:

The Register: German e-government SDK patched against ID spoofing vulnerability

ZDNet: German eID card system vulnerable to online identity spoofing

SecLists: SEC Consult SA-20181121-0 :: Signature Bypass / Authentication Bypass in Governikus Autent SDK


--Amazon Short on Details About Customer Data Exposure

(November 21, 2018)

On Wednesday, November 21, some Amazon customers received email messages notifying them that the company inadvertently disclosed [their] name and email address due to a technical error. Few details have been provided, apart from a vague reassurance that the problem has been mitigated and that customers do not need to reset their passwords.

Read more in:

ZDNet: Amazon leaks users' email addresses due to 'technical error'

Ars Technica: Amazon customers names and email addresses disclosed by website error

Cyberscoop: Amazon keeps tight-lipped about pre-Black Friday security incident



Attacks Against Docker API

Mirai Like Attack Hitting Hadoop

New Rowhammer Variant Effects ECC Memory

ViperMonkey: VBA Maldoc Deobfuscation

Malicious NPM Libraries

Turning Your BMC Into A Revolving Door

Critical Flash Update

Thanksgiving Lure for Emotet



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit