
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #94

November 30, 2018

The first double Flash issue of NewsBites ever:

1. Around 6 AM ET this morning, Marriott disclosed a massive data breach of the Starwood reservations database affecting up to 500 million guests. The primary information disclosed was birthdays, passport numbers, email, mailing addresses and phone numbers. While stored credit card numbers may have been accessed, Marriott claims these were encrypted and not accessed.



2. At 9 AM (EST) this morning, the US Government (OMB, Department of Education, and the CIO Council) announced the Federal Cyber Reskilling Program to discover and train federal employees who have the aptitude to excel in cyber security. Applications opened at 10 AM.

For details: https://www.cio.gov/reskilling/

The Federal Cyber Reskilling Program may well break the logjam that made it so hard for federal agencies to find highly skilled technical cybersecurity professionals, because the program gives immediate opportunities to people who are already employed in government but not currently working in IT or cybersecurity. Nationally, that number exceeds 2 million. The UK proved that all three elements of this US program (the aptitude test, the essentials bridge course, and the immersion academy courses) work. The UK found and reskilled people ranging from a psychiatrist to a journalist to police and many more, all of whom are now working in important cybersecurity roles. If you know anyone in government who isn't in IT but likes solving puzzles and other hard problems, tell them to just try it. They might surprise themselves.


See https://www.infosecurity-magazine.com/news-features/all-you-need-cyber-retraining/ for the full story on the UK's success with this type of program.





  Russia Probing US Energy Grid

  US Senate to Adopt Disk Encryption  

  DHS Will Use CDM Data to Calculate Agencies' Cyber Hygiene Score

  Another Outage for Azure Multifactor Authentication


  Firm Says It Can Recover Data from Locked Smartphones

  US UK Vulnerability Equities Processes and Transparency

  DOJ Indicts Two for Creating and Using SamSam Ransomware

  FBI, Tech Companies Take Down Botnet Fraud Operation

  Half of Phishing Sites Display Padlocks in Address Bar

  Dell Resets Passwords After Attempted Data Theft

  International Anti-Botnet Guide

  Lawsuit Alleges Former Intel Employee Tried to Steal Secret Project Data




-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019

-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019

-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019

-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019

-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By Pulse Secure  ************************************

See why automated discovery and access to IoT is essential to attain complete network visibility with SANS Dave Shackleford & Pulse Secure. Register: http://www.sans.org/info/208820




--Russia Probing US Energy Grid

(November 28, 2018)

FireEye researchers told an audience at the CyberwarCon forum in Washington, DC, earlier this week that although the US power grid has defenses in place, there is still a concentrated Russian cyber espionage campaign targeting the bulk of the US electrical grid. The Russian group behind the attacks has been using generic tools and techniques developed by other hackers, which both reduces its costs and makes it more difficult to track and identify.

[Editor Comments]

[Murray] Our grid may or may not be more vulnerable than that of the Russians, but we are much more dependent. We should have no higher cybersecurity priority than the security and resilience of the power grid.

Read more in:

Wired: Russian Hackers Haven't Stopped Probing the US Power Grid


--US Senate to Adopt Disk Encryption

(November 29, 2018)

The US Senate Committee on Rules and Administration has instructed the Senate Sergeant at Arms to begin enabling disk encryption on all Senate computers. Senator Ron Wyden (D-Oregon), who earlier this year urged the committee to adopt the practice, said that this new policy will make it much harder for any would-be spy or criminal who steals a Senate computer to access Senate data.

[Editor Comments]

[Pescatore] As a US citizen, glad to see sensitive information will be protected when laptops of representatives and their staff are lost or stolen. A bigger benefit will be those representatives being less likely to draft legislation making encryption weaker.

[Neely] A second step matters when using full disk encryption: Replace sleep mode with hibernate so encryption keys are not resident in memory of a closed or unattended laptop.

[Ullrich] Disk encryption has been a standard recommendation for a few years now, so about time for the Senate to use it, especially for mobile devices and laptops. OTOH disk encryption typically does nothing to disrupt the most common attack vector used in remote exploits like spear phishing.

[Murray] While notable when it happens, the leakage of information from lost, stolen, or abandoned disk drives is relatively rare. However, the use of full disk encryption is both cheap and convenient. Using it should be as routine as changing one's socks.

[Northcutt] It is good to see them thinking proactively. After the laptop theft at the VA, government agencies were in a huge rush to encrypt mobile devices with memory, but that petered off by 2007. Not much has changed since then:

https://thehill.com/policy/technology/97817-va-loses-another-laptop-with-veterans-personal-information: VA loses another laptop with veterans' personal data, prompting inquiry

Read more in:

ZDNet: US Senate computers will use disk encryption



--DHS Will Use CDM Data to Calculate Agencies' Cyber Hygiene Score

(November 28 & 29, 2018)

The US Department of Homeland Security (DHS) will use the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm to generate cyber hygiene scores for government agencies. Using data collected from continuous diagnostic and mitigation (CDM) tools, the AWARE score will reflect agencies' progress toward adoption of CDM measures as well as known and unpatched vulnerabilities within an agency's systems. AWARE is expected to be fully in production in FY 2020.

[Editor Comments]

[Pescatore] Five years into the CDM program, it is a step forward to finally see measurement of basic security hygiene finally being used as part of the report card for government agencies. BUT, right now there is no commitment to make those scores public or to provide any transparency on the scoring algorithm and DHS has now been talking about AWARE for 2 years and saying use-in-scoring is at least another year away.

[Neely] The CDM dashboard is attempting to use a common set of criteria and controls to measure cyber hygiene across multiple agencies. As participation increases, it will provide an overall perspective on the federal government cyber status. At this point operational technology and cloud services are out of scope for CDM, though cloud is on the roadmap for future inclusion.

Read more in:

FNR: Are agencies making the grade on cyber hygiene? DHS looks to find out with AWARE algorithm


GCN: DHS tweaking cyber 'credit score' program


Nextgov: Agencies Will Soon Have a Cyber Hygiene Score, and Will Know Where They Rank



--Another Outage for Azure Multifactor Authentication

(November 28, 2018)

On Tuesday, November 27, Microsoft Azure experienced a multifactor authentication outage for the second time in nine days. The first outage began on Monday, November 19 and was resolved later that same day. The second outage occurred on November 27 just after 09:00 ET (14:00 UTC). According to the Azure status history, the issue was resolved shortly after 12:00 ET (17:00 UTC). Microsoft Azure notes that a preliminary investigation "[revealed] that an earlier DNS issue triggered a large number of sign-in requests to fail, which resulted in backend infrastructure becoming unhealthy," and says that a full Root Cause Analysis should be available some time on Friday, November 30.

[Editor Comments]

[Pescatore] Cloud Service Providers should be held to very high standards for availability and integrity of services, and Microsoft admits they had several failures here. The Azure SLA is 99.9%, which is about 45 minutes of clock time per month, BUT the calculation is based on User Minutes, not clock time; the 8+ hour period of the outages may or may not have triggered any SLA-based compensation for you. In any event, the compensation is only 25% or 50% service credits, nothing to do with actual business impact.

Read more in:

Computerworld: Microsoft's multi-factor authentication service flakes out, again


SC Magazine: Microsoft's Azure MFA down for second time in two weeks


Azure: Azure status history


**************************  SPONSORED LINKS  ********************************

1) Why choose between EPP or EDR when you can have both? Discover Next Generation Endpoint Security with Cisco Systems. Register: http://www.sans.org/info/208825

2) Join SANS Alissa Torres and DomainTools as they reveal the technical realities of ICS attack protocols such as Modbus and DNP3. Register: http://www.sans.org/info/208830    

3) SANS is bringing the best hands-on, immersion-style information and software security training to SANS Reno Tahoe 2019 (Feb 25-March 2)! Choose from one of six skills-based courses. Learn more, http://www.sans.org/info/208835.




--Firm Says It Can Recover Data from Locked Smartphones

(November 27 & 28, 2018)

DriveSavers claims they can retrieve data from any locked iPhone as well as Android devices from Samsung, Blackberry and others regardless of passcode length or complexity. For US $3,900 and authoritative proof of device and data ownership, the company will return your device to you unlocked. The service is designed for family members of deceased loved ones, rather than law enforcement.

[Editor Comments]

[Williams] With all the continued talk from Rosenstein (and other governments) about the need for encryption backdoors, I suspect this claim is more marketing than reality. If consumers have this capability, it stands to reason law enforcement does as well. If the capability exists at all, it's only a matter of time before Apple and Blackberry close the flaws allowing access.

Read more in:

Softpedia: Company Says Its Software Allows Anyone to Hack into an iPhone


The Verge: DriveSavers claims it has a way to break into locked iPhones with 100 percent success



--US UK Vulnerability Equities Processes and Transparency

(November 28 & 29, 2018)

The UK's GCHQ and its National Cyber Security Centre (NCSC) have published a description of the Equities Process that it uses to determine whether it will disclose a vulnerability to vendors or retain it. According to the GCHQ blog post, the starting position is always that disclosing a vulnerability will be in the national interest. The entities involved in the UK's Equities Process are the Equities Technical Panel, which is made up of intelligence agents who are experts in the field; the GCHQ Equities Board, which has members from other government agencies and departments; and the Equities Oversight Committee, which is chaired by the CEO of NCSC. The US's Vulnerabilities Equities Process (VEP) was developed nearly a decade ago, but was only publicly disclosed in November 2017. (A redacted version of the VEP was released in 2016 in response to a Freedom of Information Act (FOIA) request filed by the Electronic Frontier Foundation.)

Read more in:

ZDNet: GCHQ: We don't tell tech companies about every software flaw


NBC News: U.K. cybersecurity agency mounts transparency push


The Register: GCHQ opens kimono for infosec world to ogle its vuln disclosure process


GCHQ: The Equities Process


EFF: Time Will Tell if the New Vulnerabilities Equities Process Is a Step Forward for Transparency (November 16, 2017)


Whitehouse: Vulnerabilities Equities Policy and Process for the United States Government, from November 2017



--DOJ Indicts Two for Creating and Using SamSam Ransomware

(November 28, 2018)

The US Department of Justice (DOJ) has indicted two Iranian men in connection with numerous ransomware attacks between December 2015 and September 2018. The indictment alleges that the men wrote and used ransomware known as SamSam. The victims included hospitals, cities, and public institutions. The men face charges of conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, as well as substantive charges of intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

Read more in:

Wired: DOJ Indicts Hackers For Ransomware That Crippled Atlanta


DOJ: Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses



--FBI, Tech Companies Take Down Botnet Fraud Operation

(November 27 & 28, 2018)

The US Department of Justice (DOJ) has unsealed an indictment charging eight individuals with multiple criminal offenses for their roles in a digital advertising fraud scheme. DOJ also unsealed seizure warrants and search warrants authorizing the FBI, along with private sector organizations, to take control of more than 30 Internet domains and obtain information from nearly 90 servers that were used in the operation of botnets that are part of the scheme.

Read more in:

SC Magazine: FBI swats down massive, botnet-fueled ad fraud operation


Bleeping Computer: 3ve Ad Fraud Botnet with Billions of Daily Ad Requests Shut Down


DOJ: Two International Cybercriminal Rings Dismantled and Eight Defendants Indicted for Causing Tens of Millions of Dollars in Losses in Digital Advertising Fraud



--Half of Phishing Sites Display Padlocks in Address Bar

(November 28, 2018)

Once upon a time, users were urged to look for the padlock in browser address bars to check that the website they were visiting was legitimate. This is no longer the case. According to research from PhishLabs, half of phishing scams now have associated websites that display the padlock. PhishLabs chief technology officer John LaCour says, "The lock doesn't tell you anything about the legitimacy of the site. It only tells you that your data is encrypted as it's sent over the internet."

[Editor Comments]

[Ullrich] The authentication component of TLS is often misunderstood. No matter if you are using a free certificate (for example Let's Encrypt) or a paid certificate, the certificate only verifies that you are connecting to the correct host name. It does not ensure that the site is legitimate or associated with a specific organization. Improvements like Extended Validation (EV) certificates tried to solve this problem but have not made much of a difference, and browsers have recently started to move away from recognizing them.

Read more in:

KrebsOnSecurity: Half of all Phishing Sites Now Have the Padlock


Nextgov: Phishing Sites Are Duping Users With That Little Green Padlock



--Dell Resets Passwords After Attempted Data Theft

(November 28, 2018)

A breach of Dell's internal network has prompted the company to reset passwords for all customers of the Dell website. On November 9, 2018, Dell admins detected an unauthorized user trying to access a database that holds customer information, including hashed passwords.

[Editor Comments]

[Murray] One may fairly infer from this that Dell is not using strong authentication with one time passwords. Shame! Simply changing reusable passwords is locking the barn after the horse is stolen.

Read more in:

The Register: What the Dell? Customer passwords reset after miscreants break into Big Mike's IT emporium


Dell: Dell Announces Potential Cybersecurity Incident



--International Anti-Botnet Guide

(November 29, 2018)

The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide 2018 offers voluntary best practices for stakeholders throughout the global Internet and communications ecosystem. The guide is built on three core principles: "Security demands dynamic, flexible solutions, is a shared responsibility among all stakeholders, [and] relies on mutually beneficial teamwork and partnership among governments, suppliers, providers, researchers, enterprises, and consumers." CSDE plans to update the guide annually.

Read more in:

Securing Digital Economy: International Anti-Botnet Guide 2018


Cyberscoop: Here's how the private sector wants to fight botnets



--Lawsuit Alleges Former Intel Employee Tried to Steal Secret Project Data

(November 27, 28, & 29, 2018)

A lawsuit filed in federal court in Sacramento, California alleges that a former Intel employee attempted to download information about 3D XPoint, a top secret memory technology project, shortly before he left the company to work at a rival company. Intel's security system blocked the file from being copied. Intel has reportedly spent US $1 billion on the project.

[Editor Comments]

[Williams] The number of organizations who still have no DLP in place is absolutely astounding. The most frequent objection we hear to deploying DLP is that it can be easily bypassed by a determined attacker. While that's true, insiders almost always make noise while trying to bypass it. Here, it saved Intel from losing details on a $1 billion dollar intellectual property investment.

Read more in:

SacBee: Billion-dollar project nearly compromised by rogue employee in Folsom, Intel alleges


The Register: Ex-Intel engineer tried to make off with 3D XPoint secret sauce on his way to Micron, says Chipzilla


RegMedia: Complaint




Obfuscated QNAP bash Malware


Obfuscated Shell Scripts: Fake MacOS Flash Updates


Sennheiser HeadSetup Certificate Authority Install


Microsoft Fixes Shared Folder Permission Deletion Problem


Russian Language Malspam Pushing Shade (Troldesh) Ransomware


Half of All Phishing Sites Use HTTPS


Chrome and Firefox to Remove FTP Support


California Wildfire Used in BEC Scams


3ve Botnet Dismantled


Scamclub Malvertising Against iOS Users


Andre Shori: To Block Or Not To Block? Impact and Analysis of Actively Blocking Shodan Scans




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create