
Volume XXI - Issue #1

January 4, 2019

US HHS Cybersecurity Guidance for Health Care; CenturyLink 911 Emergency Service Cyber Outage


SANS NewsBites                 Jan. 4, 2019                Vol. 21, Num. 001



  US Dept. of Health and Human Services Releases Cybersecurity Guidance

  CenturyLink Data Center Outage Affected 911 Emergency Service



  SANS Holiday Hack Challenge

  Adobe Updates for Reader and Acrobat

  Chrome for Android Flaw Partially Patched

  CleanMyMacX Privilege Elevation Flaws

  Ransomware Infects Cloud Hosting Provider's Systems

  Australian Government Worker Data Compromised

  Ransomware Attack Hinders Newspaper Production

  North Korean Defector Data Stolen

  Charges Filed in Petroleum Company Trade Secret Theft









--US Dept. of Health and Human Services Releases Cybersecurity Guidance

(January 2, 2019)

The US Department of Health and Human Services (HHS) has released cybersecurity guidance for healthcare organizations. The documents were developed to meet a requirement in the 2015 Cybersecurity Act to provide healthcare organizations with consistent cybersecurity practices to protect patient data. The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It includes a main document, two volumes of technical information, and a resources and templates section. The guidelines are voluntary.

[Editor Comments]

[Murray] This guidance represents a break with the past. It is good-practice based rather than risk based. Many health care enterprises lack the necessary knowledge, skill, ability, and experience to assess risk but we know what practices are effective and efficient. That said, good practice for 2019 will be very different from 2018, much less 2015. Least privilege access control, strong authentication, end-to-end application layer encryption, improved, not to say novel, backup and recovery strategies, and early attack and breach detection are necessary to address the more organized and hostile threat profile for 2019.

[Neely] This guidance is intended to leverage the CSF to help healthcare organizations adopt a better security posture based on current risks. It provides an excellent primer on current threats, impacts and mitigations as well as suggested controls for small, medium and large organizations. What is missing are the mandatory controls the regulators will be auditing them against.


[Pescatore] Like many of these efforts mandated by legislation, there is a lot of documentation just summarizing long existing guidance. Small health care organizations, however, may find the Technical Volume and Resources/Template sections useful to focus on justifying needed improvements to address the most common threats against health care systems.

Read more in:

FCW: HHS releases cyber guides for healthcare orgs

PHE: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients


--CenturyLink Data Center Outage Affected 911 Emergency Service

(December 28, 2018)

An outage affecting 15 CenturyLink data centers in the US and Europe caused 911 emergency services in several US states and in some areas of Canada to be unavailable. The problem started around noon ET on December 27; the issue was fully resolved as of December 29. The outage also affected Internet, phone and TV service availability. A CenturyLink spokesperson said the outage was caused by a faulty network management card from a third-party equipment vendor that caused invalid traffic replication. The US Federal Communications Commission (FCC) is investigating the outage.

[Editor Comments]

[Northcutt] I attended church with the guy in charge of the national suicide hot line. His nightmare was calling the hotline and getting a busy signal. CenturyLink executives appear to yawn in this case. If they are not subjected to crushing fines that show the FCC cares about human life, then 911 has no value.

[Neely] Critical services, such as 911, should have verified/tested backup service options, and assessed the time to fail-over versus their service availability requirements. For example, in the Boise area, local libraries had both primary internet connections as well as backup cellular hotspots to provide internet access to impacted residents during the service outage.

[Shpantzer] Positive feedback loops are the best loops. Imagine this started at your org. What kind of telemetry are you able to work with to get a root cause analysis in a reasonable amount of time? How would you know if this was a fault or malice?

Read more in:

The Verge: FCC investigating major CenturyLink outage and 911 disruptions

ZDNet: CenturyLink outage takes down several 911 emergency services across the US

MeriTalk: FCC Chairman Pai Investigates CenturyLink Outage





--SANS Holiday Hack Challenge Open Now through January 14, 2019

The FREE annual SANS Holiday Hack Challenge is underway right now! This year, Santa is hosting KringleCon, a virtual conference at the North Pole, where you walk through Santa's virtual castle and watch 22 top-notch recorded 12-18 minute talks with directly applicable technical skills. And, within your browser, you can also walk around Santa's castle solving cyber defense, DFIR, and pen test challenges as an entertaining and surprising holiday plot unfolds. You'll get to match wits with a holiday super villain while listening to a custom album of holiday tunes. It's fun for all ages, and it is SANS' gift to the cyber security community. Over 16,500 people have played so far! Get it all for free at

--Adobe Updates for Reader and Acrobat

(January 3, 2019)

Adobe has released updates for two critical flaws in Reader and Acrobat. A use-after-free vulnerability could allow arbitrary code execution; a security bypass vulnerability could be exploited to obtain elevated privileges.

[Editor Comments]

[Shpantzer] Periodic reminder to patch/isolate/harden-the-configuration-of Reader, and that the only thing worse than a fake Adobe Reader download is a genuine Adobe Reader download.

Read more in:

The Register: Hope you're over that New Year's hangover: there's an Adobe PDF app patch to install

Bleeping Computer: Adobe Acrobat and Reader Security Updates Released for Critical Bugs

Adobe: Security Bulletin for Adobe Acrobat and Reader | APSB19-02


--Chrome for Android Flaw Partially Patched

(January 3, 2019)

Google has patched a flaw in Chrome for Android that was first reported in May 2015. The vulnerability leaks information in User-Agent strings about smartphone models and firmware. Given that information, it is possible to determine the degree to which a device is up to date with security patches. Chrome for Android v. 70, which was shipped in October 2018, removed the build number from the User-Agent string.
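The leak is easy to see in a web server's own logs: the firmware build ID in the pre-70 User-Agent identifies an exact firmware release, while the post-70 string carries only the Android version and model. The parser below is an added example, not code from the article or from Google; the two User-Agent strings are constructed samples in the two formats, and the regular expression is an assumption about the common shape of those strings, not Chrome's specification.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample User-Agent strings (not taken from the article).
# The first is in the pre-Chrome-70 format, which carried the Android
# build ID ("Build/..."); the second is the post-Chrome-70 format without it.
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM1.171019.011) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 9; Pixel 3) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36",
]

# Assumed shape: "(Linux; Android <version>; <model>[ Build/<id>]) ... Chrome/<major>"
_ANDROID_UA = re.compile(
    r"\(Linux; (?:U; )?Android (?P<version>[^;]+); (?P<model>[^)]*?)"
    r"(?: Build/(?P<build>[^)\s]+))?\).*?Chrome/(?P<chrome>\d+)"
)


@dataclass
class AndroidUAInfo:
    android_version: str
    model: str
    build_id: Optional[str]   # None once Chrome stopped sending it
    chrome_major: int

    @property
    def exposes_build_id(self) -> bool:
        # A build ID pins the client to one firmware release, and with it
        # the security patch level that release shipped with.
        return self.build_id is not None


def parse_android_chrome_ua(ua: str) -> Optional[AndroidUAInfo]:
    """Extract the fields a defender cares about, or None for non-Android-Chrome UAs."""
    m = _ANDROID_UA.search(ua)
    if not m:
        return None
    return AndroidUAInfo(
        android_version=m["version"].strip(),
        model=m["model"].strip(),
        build_id=m["build"],
        chrome_major=int(m["chrome"]),
    )


def count_exposed(uas: Iterable[str]) -> int:
    """How many clients in a log sample still leak a firmware build ID."""
    exposed = 0
    for ua in uas:
        info = parse_android_chrome_ua(ua)
        if info is not None and info.exposes_build_id:
            exposed += 1
    return exposed


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(parse_android_chrome_ua(ua))
    print("clients exposing build ID:", count_exposed(SAMPLE_UAS))
```

Running `count_exposed` over a real access log gives a quick measure of how many Android clients are still on a pre-70 Chrome, which is the population that continued to advertise its patch level.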

Read more in:

ZDNet: Google Chrome flaw patched three years after initial report


--CleanMyMacX Privilege Elevation Flaws

(January 3, 2019)

More than a dozen privilege elevation vulnerabilities affect MacPaw's CleanMyMacX software, a product that scans for and deletes unneeded files to free up space on computers. The flaws could be exploited to gain root access to a machine running the application. The flaws were detected by researchers at Cisco Talos. Updates for CleanMyMacX are available from MacPaw.

[Editor Comments]

[Shpantzer] Thou shalt not install random utilities on thine operating systems and expect no downsides.

Read more in:

Threatpost: A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access

SC Magazine: Multiple privilege escalation vulnerabilities in CleanMyMacX

Talos: Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X


--Ransomware Infects Cloud Hosting Provider's Systems

(January 2, 2019)

DataResolution, a cloud hosting provider, was hit with a ransomware attack on December 24. DataResolution provides services for more than 30,000 companies worldwide. The company has not released a public statement about the situation. The ransomware strain is believed to be Ryuk, the same one that was used in the attack that disrupted the production of some editions of certain US newspapers.

Read more in:

KrebsOnSecurity: Cloud Hosting Provider Battling Christmas Eve Ransomware Attack


--Australian Government Worker Data Compromised

(January 2, 2019)

Data about 30,000 employees of the government of Victoria, Australia, were exposed when an unauthorized user accessed and downloaded a local directory. The compromised information includes work email addresses, job titles, and some mobile phone numbers. The data could be used to launch phishing attacks and influence campaigns.

Read more in:

SC Magazine: Australian government worker info hacked

Infosecurity Magazine: Third Party Accessed Victorian Government Directory


--Ransomware Attack Hinders Newspaper Production

(December 29, 30, & 31, 2018 & January 2, 2019)

A ransomware attack that hit the Tribune Company in late December disrupted printing operations and prevented some editions of several newspapers from being delivered on time. Affected publications include the New York Times, the Wall Street Journal, the Los Angeles Times, and the San Diego Union-Tribune. The ransomware used in the attack has been identified as Ryuk. While it bears similarities to other malware that has been associated with a certain hacking group, experts say it is too soon to attribute the attack to a specific group.

[Editor Comments]

[Neely] The interconnected nature of these systems allowed the ransomware to impact the systems at both Tribune Publishing as well as their former affiliates the Los Angeles Times and San Diego Union-Tribune. While the affiliates had been sold in February, the systems had not implemented sufficient controls to prevent the spread of ransomware, underscoring the need to implement controlled interfaces between business partners and minimize the duration of trust relationships when businesses are separated.


[Murray] Recovery is no longer about recovering one file, or even a few. In the face of ransomware and state sponsored sabotage, the requirement may be to recover all mission-critical capabilities within hours to days. Does your strategy meet this requirement?

[Shpantzer] Ryuk also hit the hosting provider, DataResolution.

Read more in:

Cyberscoop: Too soon to attribute cyberattack that disrupted U.S. newspapers, researchers say

CNET: Malware suspected of hobbling several newspapers' production

SC Magazine: Stop the presses: cyberattack disrupts distribution of major newspapers

ZDNet: Ransomware suspected in cyberattack that crippled major US newspapers

Dark Reading: Cyberattack Halts Publication for US Newspapers


--North Korean Defector Data Stolen

(December 28, 2018)

South Korea's Unification Ministry says that hackers accessed a database containing personal information of North Korean defectors. The data include names, birthdates, and addresses of nearly 1,000 people. The information was stolen from one of the 25 support centers that the Unification Ministry operates to help North Korean defectors with jobs, healthcare, and legal support as they resettle in South Korea.

Read more in:

NYT: North Korean Defectors' Personal Data Was Stolen by Hackers, South Says

ZDNet: Hackers steal personal info of 1,000 North Korean defectors


--Charges Filed in Petroleum Company Trade Secret Theft

(December 21, 2018 & January 2, 2019)

US law enforcement agents have arrested a man for allegedly stealing trade secrets from the petroleum company where he worked. Hongjin Tan, who is from China, is a legal permanent US resident. Tan allegedly stole the information to use at a competing company in China where he had been offered a job. Phillips 66 has confirmed that it is cooperating with the FBI in an investigation related to a former employee; the company was not named in court documents.

[Editor Comments]

[Shpantzer] Have you discussed the concept of trade secrets with your legal counsel? Trade secrets are only legally protected if you secure them in a certain manner, above and beyond normal confidential data.

Read more in:

Justice: Chinese National Charged with Committing Theft of Trade Secrets

Security InfoWatch: Former Phillips 66 employee charged with trade secret theft



Malware Leaks Victim Data via FTP

Hijacking Dormant Twitter Accounts

Android Authentication Bypass via Skype

Critical Adobe Updates

FilesLocker Ransomware Master Key Published

WiFi Chipset Exploit (PDF)

Gift Card Scams

Bypassing Vein Scanner Authentication (in German)

Hacking Smart Lightbulbs and Firmware Exploits

European Union Offers Bug Bounty for Open Source Software

Bypassing Google ReCaptcha


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit