Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #12

February 12, 2019

Spear Phishing Credit Unions; Switzerland's eVoting Pen Testing; Appeals Court Allows Lawsuits Challenging Georgia (US) Voting Machines


SANS NewsBites                Feb. 12, 2018                Vol. 21, Num. 012



  Credit Unions Targeted in Spear Phishing Campaign

  Switzerland Invites eVoting System Pen Testing

  Federal Appeals Court Allows Lawsuits Challenging Georgia (US) Voting Machines to Proceed


  Smarter GDPR: You Are Invited: February 14th, 2019 at 1:00 PM EST

  Rotational Cyber Workforce Act Would Let Specialists Bring Skills to Other Agencies

  Bill Would Establish Public/Private Cybersecurity Specialist Employee Exchange

  Estonias Volunteer Cyber Force

  Bill Would Establish Election Cyber Threat Information Sharing Program

  Australian Parliament Network User Passwords Reset Following Unspecified Security Incident

  Public-Private Partnership Guidelines for Protecting Patient Data

  Anti-Deepfake Video Tool

  Another Week, Another WordPress Flaw

  Texas State Legislator Introduces Bill to Ban Mobile Service Throttling in Disaster Areas





-- SANS 2019 | Orlando, FL | April 1-8 |

-- SANS Baltimore Spring 2019 | March 2-9 |

-- SANS London March 2019 | March 11-16 |

-- SANS San Francisco Spring 2019 | March 11-16 |

-- SANS Secure Singapore 2019 | March 11-23 |

-- SANS Munich March 2019 | March 18-23 |

-- SANS Secure Canberra 2019 | March 18-23 |

-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 |

-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 |

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends February 20.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap

***************************  Sponsored By Splunk ****************************

Key Considerations When Choosing a Security Operations Center (SOC) Model.  

Gartner recently published "Selecting the Right SOC Model for Your Organization." In this report, Gartner identifies key considerations for security and risk management leaders when choosing a SOC model.

Download your copy to learn how organizations with complex use cases and widespread security operations are integrating traditional security operations with more comprehensive functions.




--Credit Unions Targeted in Spear Phishing Campaign

(February 8, 2019)

A spear phishing attack targeted anti-money laundering officers at the credit unions around the US. The USA Patriot Act requires that all US financial institutions appoint a minimum of two Bank Secrecy Act (BSA) contacts whose responsibility it is to report suspicious financial transactions that could indicate money laundering. On January 30, 2019, credit union BSA officers began receiving email messages spoofed to appear to be coming from BSA officers at other credit unions. The messages asked the recipients to open a PDF attachment that purportedly contained information about a suspicious transaction. A link within the attachment led to a malicious site. BSA officers at other financial institutions, not just credit unions, have reported receiving similar spoofed messages. It is not clear yet where the attackers obtained the list of BSA officers.

[Editor Comments]

[Hoelzer] FINCEN and NCUA, two of the few holders of this composite list, are both claiming that they've checked their systems and they aren't breached. When there are only a handful of places in the world where the composite document exists and it's been exposed the reality is that either an insider is selling information or youre breached and your detection systems aren't telling you the right things. Inadequate detection is extremely common and something I've long worked to help techies communicate up the chain and continue to work to teach techies how to overcome, but it takes real effort and training, not another "magic box".

[Neely] BSA Contact information is held by the NCUA who are now actively investigating how this information was released. The Credit Union community is small enough that many BSA officers already know each other so these messages contain attachments from known contacts. Credit Unions are already training their staff to be on guard for content from unknown contacts through phishing exercises. Mitigation for this sort of attack is reliant on endpoint and perimeter protections.

Read more in:

KrebsOnSecurity: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions


--Switzerland Invites eVoting System Pen Testing

(February 10, 2019)

Starting later this month, Switzerlands government will allow researchers and security companies to pen test its electronic voting system. Participants need to sign up prior to the start of the pen test period, which runs from February 25-March 24.

Read more in:

OnLineVote: Public Intrusion Test (PIT)

ZDNet: Swiss government invites hackers to pen-test its e-voting system


--Federal Appeals Court Allows Lawsuits Challenging Georgia (US) Voting Machines to Proceed

(February 8, 2019)

A federal appeals court in the US state of Georgia is allowing two lawsuits challenging the states use of electronic voting machines to move forward. The lawsuits challenge the use of the machines that do not create a paper trail. The three-judge panel of the 11th U.S. Court of Appeals did not rule on the merits of the case but rejected arguments that state officials have immunity from the suits.

Read more in:

NYT: Court: Suits Challenging Georgia Voting Machines Can Proceed

****************************  SPONSORED LINKS  ******************************

1) Join BTB Security as they share a simple decision matrix that can be used in #security buying scenarios, featuring SANS Dave Shackleford.

2) New Blog Post: Traditional network controls are blind to commonly deployed attacks. It's time to rethink network security. Read more here:

3) What does it take to establish a successful security operations program?  Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card.




--Smarter GDPR - You Are Invited: February 14th, 2019 at 1:00 PM EST

February 11, 2019

The European General Data Protection Regulation (GDPR) has now been in effect for nearly a year, and lawyer-driven blizzards of emails and web site warnings have generated many myths about documentary compliance. A more effective approach is to use GDPR as a lever to help drive needed improvements in data security and user privacy. Join NewsBites editors Brian Honan, John Pescatore, Gal Shpantzer, and Mark Weatherford in a how-to webinar focusing on real-world examples of pitfalls to avoid and the promising practices to follow to make actual improvements in overall security as your organization addresses GDPR compliance.

Register: Dispelling GDPR Myths: Avoid the Compliance Trap, Make Real Security/Privacy Gains


--Rotational Cyber Workforce Act Would Let Specialists Bring Skills to Other Agencies

(February 7, 8, & 11, 2019)

The Federal Rotational Cyber Workforce Act would allow cyber specialists from federal government agencies to bring their expertise to other agencies. Specialists would spend no more than one year at another agency. The program aims to help federal cybersecurity specialists develop multiagency and policy expertise on cyber threats.

[Editor Comments]

[Pescatore] I started my security career at NSA doing 6-month rotating internships in different groupsgreat way to go early in a career. The same concept, applied to more experienced security folks, helping pass on What Works kind of guidance to smaller agencies sounds like a good idea. I dont know why legislation is required to make this happen in government but it is worth a try.

[Neely] This already happens informally today. It works best when there is parity of threat models and cyber capabilities.


Read more in:

FCW: Senators reintroduce rotational cyber workforce bill

Nextgov: Lawmakers Propose a Rotational Program for Federal Cyber Workers

MeriTalk: Cyber Workforce Bill Reintroduced


--Bill Would Establish Public/Private Cybersecurity Specialist Employee Exchange

(February 11, 2019)

The Cyber Security Exchange Act would bring cyber experts from private companies and academia to work at federal agencies for up to two years, and would provide for federal workers to work in the private sector as well.

[Editor Comments]

[Neely] This allows better understanding of issues from a different perspective as well as teaching new skills in problem solving due to both the difference in budget and threat model. When weve loaned DOE employees to private companies the best results have come when the exchange is accompanied with well-defined expectations and deliverables.

Read more in:

The Hill: Bipartisan bill would create public-private cyber workforce exchange


--Estonias Volunteer Cyber Force

(February 11, 2019)

Estonia has a volunteer cyber defense force to help protect the countrys computer systems. The group, which comprises roughly 2,600 individuals, came into being after the 2007 cyberattacks that targeted Estonian government, financial, and other computer systems. The unit was formally established in 2011. The Estonian volunteer force is officially part of the Defence League, Estonias national guard. Latvia has established a similar organization, and Marylands National Guard digital forces have trained with the Estonian volunteer group.

Read more in:

Bloomberg: One of Russias Neighbors Has Security Lessons for the Rest of Us


--Bill Would Establish Election Cyber Threat Information Sharing Program

(February 6, 2019)

Two US Senators have reintroduced legislation that would establish a program at the State Department to share elections cyber threat information with other countries. The Global Electoral Exchange Program would help other countries adopt best practices for elections cybersecurity and also help fight misinformation campaigns and voter suppression.

Read more in:

Nextgov: Lawmakers Push for the State Department to Help Secure Foreign Elections

Nextgov: Global Electoral Exchange Act of 2019


--Australian Parliament Network User Passwords Reset Following Unspecified Security Incident

(February 8, 2019)

Australias Department of Parliamentary Services (DPS) reset all user passwords for accounts with access to Australias Parliamentary network following an unspecified incident that occurred late last week. DPS and other government agencies are investigating the incident.

[Editor Comments]

[Northcutt] The consensus among security experts is that passwords should be longa minimum of 12 characters. And if there is a way to include 2FA by all means, do so.

Read more in:

The Register: Big trouble Down Under as Australian MPs told to reset their passwords amid hack attack fears

ZDNet: Australian government computing network reset following security 'incident'

Parlinfo.aph: Statement by the Presiding Officers - Parliamentary Computing Network;query=Id%3A%22media%2Fpressrel%2F6485245%22


--Public-Private Partnership Guidelines for Protecting Patient Data

(February 8, 2019)

A public-private healthcare group partnership has published a four-volume guide to protecting patients and patients information in the digital age. The first volume discusses the current cybersecurity threats facing the health care industry [and] sets forth a call to action for the health care industry with the goal of raising general awareness of the issue. The second and third technical volumes address cybersecurity practices for small and medium-to-large healthcare organizations. The fourth volume comprises supplemental references and resources.

Read more in:

FNN: Industry, govt groups publish cyber guide to protecting patients information

PHE: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients


--Anti-Deepfake Video Tool

(February 11, 2019)

A new tool aims to help detect when video footage has been compromised by deepfake manipulation. The tool, which runs in the background on recording devices, generates regular, periodic hashes of the data which are then recorded to a public blockchain.  

[Editor Comments]

[Williams] Research on video manipulation, including Deepfake, is needed, but this tool is not worth getting excited about in the short term. While the approach has some possible use cases, they don't meet the most immediate Deepfake detection needs. It's the equivalent of saying you've created software for detecting syslog manipulation when the "detection mechanism" is comparing the current log to hashes of the logs taken previously.


Read more in:

Wired: A New Tool Protects Videos From Deepfakes and Tampering


--Another Week, Another WordPress Flaw

(February 11, 2019)

A flaw in the Simple Social Buttons WordPress plug-in could be exploited to take control of vulnerable sites. Users are urged to update Simple Social Buttons to version 2.0.22, which was released on Friday, February 8. The plug-in has been installed on more than 40,000 WordPress websites.

[Editor Comments]

[Williams] While this is certainly an issue only on WordPress websites, calling this plugin a "WordPress flaw" is like calling a vulnerability in a third party app a "Windows flaw" because of where the software was installed. Wording matters and this particular wording is somewhat ambiguous. That said, update now because this is relatively easy to exploit, and successful exploitation allows attackers access to the underlying server hosting WordPress.


[Neely] This is an application design flaw which exists in both the free and paid versions of the plugin. While youre checking to make sure the plugin is updated, also make sure that your site has been updated to PHP 7.

Read more in:

ZDNet: WordPress plugin flaw lets you take over entire sites


--Texas State Legislator Introduces Bill to Ban Mobile Service Throttling in Disaster Areas

(February 11, 2019)

A legislator in the Texas House of Representatives has introduced a bill that would prohibit wireless carriers from throttling mobile Internet service access in disaster areas. The bill would prohibit throttling in disaster areas for everyone, not just for first responders. The bill appears to be a response to the situation in California last fall when Verizon throttled service to first responders who were fighting wildfires.

Read more in:

Ars Technica: Texas lawmaker wants to ban mobile throttling in disaster areas

Capitol.texas: An Act relating to mobile Internet service access in an area subject to a declared state of disaster.




Phishing Kit with JavaScript Keylogger

Phishing Via Google Translate

iPhone Apps Record Screens

Android Malware Steals Crypto Addresses from Clipboard

Packet Challenge

Not An E-Mail Virus, Just Interesting Malware

Severe Docker runc Vulnerability

MacOS Mojave Privacy Flaw


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit