
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #16

February 26, 2019

Apps Stop Sharing with Facebook; Holes in Blockchain Security; Payroll Company Pays Data Ransom


LEADERBOARDS ON THE U. S. NATIONAL CYBER TALENT SEARCH

College program: 1. Georgia 2. Virginia, 3. Maryland

www.cyber-fasttrack.org

High School program: 1. Nevada 2 Virginia 3. Michigan

www.girlsgocyberstart.org


****************************************************************************

SANS NewsBites                 Feb. 26, 2018               Vol. 21, Num. 016

****************************************************************************


TOP OF THE NEWS


Some Apps Stop Sharing Data with Facebook After WSJ Report

Holes in Blockchain Security

Payroll Company Pays Data Ransom


REST OF THE WEEK'S NEWS


Senator Warner Wants to Work with Healthcare Sector on Cybersecurity Strategy

DNC Cybersecurity Checklist for Candidates

White House Releases New National Strategy for Aviation Security

International Civil Liberties and Technology Coalition Files Submission Regarding Australia's Encryption Laws

TurboTax Customer Data Exposed in Credential Stuffing Attack

IARPA Virtuous User Environment

Electric Vehicle Charging Station Security Issues


INTERNET STORM CENTER TECH CORNER


****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019


-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019


-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 9.7" iPad, Samsung Galaxy Tab A or Take $250 Off with OnDemand or vLive training. Offer ends March 6.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/



-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



***************************  Sponsored By  Splunk  **************************


Gartner recently published "Selecting the Right SOC Model for Your Organization." In this report, Gartner identifies key considerations for security and risk management leaders when choosing a SOC model. Download your copy to learn how organizations with complex use cases and widespread security operations are integrating traditional security operations with more comprehensive functions.

http://www.sans.org/info/210725


*****************************************************************************

TOP OF THE NEWS


--Some Apps Stop Sharing Data with Facebook After WSJ Report

(February 22 & 24, 2019)

New York Governor Andrew Cuomo has called for an investigation into reports that health apps were sending sensitive data to Facebook. The Wall Street Journal report said that the apps were sending health and financial data to Facebook even when users were not logged into Facebook or did not have Facebook accounts. Facebook's response to the initial WSJ report was to contact app developers and advertisers to tell them that Facebook's terms of service prohibit them from sending Facebook sensitive user data. Facebook maintains that the app developers are the ones who should be under scrutiny. Others say that Facebook should take responsibility for what it has created. Some of the apps have stopped sending the data to Facebook. (Please note that the WSJ stories are behind a paywall.)


[Editor Comments]


[Pescatore] This appears to be more of a Yet Another Privacy Violating Analytics SDK Collection issue than a Facebook issue. The analogy here is like using live customer data to test new applications: in the name of analytics and performance monitoring, sensitive data is collected by apps using various SDKs and sent all over the place. The Apple App Store and its Google Play equivalent for Android should do a better job of detecting this kind of behavior with end-to-end testing before accepting apps into their stores.


Read more in:

WSJ: Popular Apps Cease Sharing Data With Facebook (paywall)

https://www.wsj.com/articles/popular-apps-cease-sharing-data-with-facebook-11551044791

WSJ: You Give Apps Sensitive Personal Information. Then They Tell Facebook. (paywall)

https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636

WSJ: Eleven Popular Apps That Shared Data With Facebook (paywall)

https://www.wsj.com/articles/eleven-popular-apps-that-shared-data-with-facebook-11551055132

Bleeping Computer: NY Governor Cuomo Calls For Investigation on Facebook Health Data Collection

https://www.bleepingcomputer.com/news/technology/ny-governor-cuomo-calls-for-investigation-on-facebook-health-data-collection/

ZDNet: Another Facebook privacy scandal, this time involving its mobile analytics SDK

https://www.zdnet.com/article/another-facebook-privacy-scandal-this-time-involving-its-mobile-analytics-sdk/



--Holes in Blockchain Security

(February 19, 2019)

When blockchain technology first appeared on the scene a decade ago, it was touted as being secure. But the emergence of more blockchains has exposed security problems, such as smart contract flaws and 51% attacks.


[Editor Comments]


[Pescatore] Eek! You mean, blockchains have been overhyped?? Next they will tell me turmeric won't protect me from cancer and meteorites.


[Neely] Both blockchain implementation weaknesses and algorithm shortfalls are being exploited. While implementation flaws are being actively addressed, intrinsic flaws, which were theorized from the beginning, are harder to mitigate. These are showing up due to the plethora of blockchains (over 1500) now operating and under attack. While it can be incredibly expensive to successfully exploit a large blockchain like Bitcoin, smaller blockchains require a smaller number of successful mining nodes, which allows the blockchain to be modified or forked, as you would find in a 51% attack. If you must use cryptocurrency, use large implementations like Bitcoin.

 

[Williams] 51% attacks are particularly problematic in private blockchain implementations since the number of participating nodes is inherently small. Remember that it's not the number of nodes on the network that matters in a 51% attack, it's the amount of processing power. Smart contracts are another issue entirely and need to be audited by security professionals who understand the underlying frameworks on which they are built.
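Worked example of the point made in the two comments above (added here; it is not part of the Technology Review article or the editors' comments): what decides a 51%-style attack is the attacker's share q of total hash power, and this is the attacker-catch-up calculation from section 11 of the Bitcoin whitepaper, used to answer the defender's question of how many confirmations to wait. The share values in the usage block are illustrative, not taken from the article.

```python
"""Nakamoto's attacker-catch-up model: how an attacker's share q of total hash
power maps to the chance of rewriting a transaction buried under z confirmations.
"""
import math


def attacker_success_probability(q, z):
    """Probability that a miner controlling fraction q of the network's hash
    power ever overtakes the honest chain from z blocks behind.

    Formula from section 11 of the Bitcoin whitepaper. With q >= 0.5 (the 51%
    case) the attacker's chain grows faster on average, so catching up is
    certain no matter how many confirmations are waited.
    """
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z must be non-negative")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p              # expected attacker blocks while honest miners mine z
    ratio = q / p                # odds the attacker ever closes a one-block deficit
    poisson_k = math.exp(-lam)   # Poisson(lam) mass at k = 0, updated in the loop
    never_catches_up = 0.0
    for k in range(z + 1):
        # Attacker has made k blocks so far and must still close the gap z - k.
        never_catches_up += poisson_k * (1.0 - ratio ** (z - k))
        poisson_k *= lam / (k + 1)   # mass at k + 1, with no factorials or overflow
    return 1.0 - never_catches_up


def confirmations_for(q, max_risk):
    """Smallest confirmation depth that keeps the attacker's success probability
    below max_risk; None when no depth is enough (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    # Illustrative hash-power shares (constructed), including a majority attacker.
    for q in (0.10, 0.30, 0.45, 0.51):
        depth = confirmations_for(q, 0.001)
        risk_6 = attacker_success_probability(q, 6)
        print(f"q={q:.2f}  P(rewrite after 6 confirmations)={risk_6:.4f}  "
              f"confirmations for <0.1% risk: "
              f"{depth if depth is not None else 'never safe'}")
```

The same calculation also explains the editors' point about small chains: the cost of acquiring a given share q falls with the chain's total hash rate, while the success probability for that share is identical.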


Read more in:

Technology Review: Once hailed as unhackable, blockchains are now getting hacked

https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/



--Payroll Company Pays Data Ransom

(February 23, 2019)

Payroll software company Apex Human Capital Management chose to meet the demands of a ransomware attack that prevented hundreds of its customers from accessing its services for nearly three days. Apex learned of the attack on Tuesday, February 19; it later took all systems offline and began notifying its customers that it was working to address a security threat. The ransomware encrypted the company's systems as well as its offsite disaster recovery system. Apex did not say how much it paid or what strain of ransomware infected its systems. The decryption keys it received in return for paying the demands caused more problems: breaking file directories and making some executable files inoperable.


[Editor Comments]


[Pescatore] Whether a ransom demand occurs after an executive kidnapping or a ransomware attack, the decision to pay is a business decision. But the probability that paying off a ransomware demand will actually result in lower costs to the business over a full year is not very high.


[Neely] This is a good case study to understand how a ransomware attack can impact your business. Many conversations stop at the pay or not pay decision point without considering the entire process. Important take-aways include that recovery is not as simple as just applying the decryption key, and that replication or backups may include things you don't want, such as ransomware. At a minimum, make sure that you can set your recovery site to specific points in time as well as suspend replication to achieve a known good state. Make sure that you can recover a business system according to the DR plan timing and objectives.


[Williams] Firms that handle ransomware attacks regularly have detailed information about standard ransom demands and the reputation of attackers to follow through on promises to decrypt your data.


Read more in:

KrebsOnSecurity: Payroll Provider Gives Extortionists a Payday

https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/


****************************  SPONSORED LINKS  ******************************


1) Visit booth #6464 at RSA to learn how Unisys can help you Prioritize, Protect, Predict, Isolate, and Maintain your Security network. Learn More at http://www.sans.org/info/210730


2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210735


3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/210740


*****************************************************************************

REST OF THE WEEK'S NEWS


--Senator Warner Wants to Work with Healthcare Sector on Cybersecurity Strategy

(February 21 & 22, 2019)

In an effort to strengthen cybersecurity in the healthcare sector, US Senator Mark Warner (D-Virginia) has sent letters to multiple healthcare organizations asking for their input in "develop[ing] a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector." Among the questions Warner asks in the letter are whether the organizations have adopted any strategies to reduce vulnerabilities that they would recommend be adopted across the sector, and whether the organizations are using software or operating systems that are no longer supported.


[Editor Comments]


[Murray] HIPAA security rules have not only been ineffective in security, they have been counter-productive in digital medical records. They have resulted in the proliferation of both paper and electronic data with the consequential leakage and few of the promised advantages. It is time to tear up these rules and replace them with rules that are simple, effective, and measurable.


Read more in:

Nextgov: Senator Seeks Input on Health Care Cyber Strategy

https://www.nextgov.com/cybersecurity/2019/02/senator-seeks-input-health-care-cyber-strategy/155075/

The Hill: Warner questions health care groups on cybersecurity

https://thehill.com/policy/cybersecurity/431038-warner-questions-healthcare-groups-about-cybersecurity-issues

MeriTalk: Warner Seeks to Work With Healthcare Industry on Cybersecurity

https://www.meritalk.com/articles/warner-seeks-to-work-with-healthcare-industry-on-cybersecurity/

Warner: Warner Seeks to Advance Information Security in the Health Care Sector

https://www.warner.senate.gov/public/index.cfm/2019/2/warner-seeks-to-advance-information-security-in-the-health-care-sector

Scribd: AHA Health Cyber Letter

https://www.scribd.com/document/400178257/AHA-Health-Cyber-Letter

 

--DNC Cybersecurity Checklist for Candidates

(February 22 & 25, 2019)

The US Democratic National Committee (DNC) has released an updated cybersecurity checklist for candidates and others involved in the 2020 elections to use to protect their data. The list addresses the importance of not reusing passwords, of using a password manager, and of having separate password managers for personal and work accounts. It also strongly advises against using mail services other than those hosted by Microsoft (Outlook/Office 365) or Google (Gmail/G Suite) and strongly recommends using the HTTPS Everywhere browser extension.


Read more in:

Medium: Device and Account Security Checklist 2.0

https://medium.com/@boblord/device-and-account-security-checklist-2-0-1f3637eec1c

Cyberscoop: DNC updates cybersecurity advice to protect candidates from hackers in 2020

https://www.cyberscoop.com/dnc-updates-cybersecurity-advice-protect-candidates-hackers-2020/

The Hill: DNC unveils new security checklist to protect campaigns from cyberattacks

https://thehill.com/policy/cybersecurity/431198-dnc-unveils-new-security-checklist-to-protect-campaigns-from

Dropbox: Device and Account Security Checklist

https://www.dropbox.com/s/i4vi5h8656fo099/Device%20and%20Account%20Security%20Checklist%202.0.pdf

 

--White House Releases New National Strategy for Aviation Security

(February 20, 2019)

The White House has released an updated/new National Strategy for Aviation Security. The report enumerates the threats the Aviation Ecosystem faces, which include terrorists, hostile nation-states and foreign intelligence activity, the spread of infectious disease, and cyber threats, including connectivity, reliance on radio frequency spectrum, and proliferation of unmanned aircraft. The report also lists the roles and responsibilities of the various government agencies and the private sector with regard to the strategy.


Read more in:

Nextgov: White House Orders Agencies to Defend the Skies From Cyberattacks

https://www.nextgov.com/cybersecurity/2019/02/white-house-orders-agencies-defend-skies-cyberattacks/155018/

White House: National Strategy for Aviation Security of the United States of America December 2018

https://www.whitehouse.gov/wp-content/uploads/2019/02/NSAS-Signed.pdf

 

--International Civil Liberties and Technology Coalition Files Submission Regarding Australia's Encryption Laws

(February 25, 2019)

A coalition of civil liberties advocates and technology companies has filed a submission regarding Australia's encryption laws. The submission argues against Australia's plan to force service providers to allow law enforcement to be secretly added to encrypted communications as "ghost users." The group also voiced its opposition to plans to force companies to reveal source code to the government, to requirements that phone makers take screenshots and send them to law enforcement, and to gag orders imposed on companies that receive technical capabilities requests from the government.


Read more in:

ZDNet: Tech giants and civil liberty groups call out ghost cops and source code demands under Australian encryption laws

https://www.zdnet.com/article/tech-giants-and-civil-liberty-groups-call-out-ghost-cops-and-source-code-demands-under-australian-encryption-laws/

 

--TurboTax Customer Data Exposed in Credential Stuffing Attack

(February 22 & 25, 2019)

Some TurboTax customer data were exposed through a credential stuffing attack. Parent company Intuit temporarily disabled the hacked accounts. Affected customers will have to call Intuit and verify their identity to reactivate their accounts.


[Editor Comments]


[Murray] So-called stuffing attacks exploit a failure to resist brute force attacks by regulating logon attempts. Application providers should slow down the logon prompt after failed attempts. Slowing the prompt by minutes will resist brute force attacks with only minor inconvenience to a fat-fingered user. Users should not use the same password across applications.
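Added example (not from the article or the editor comment above): the per-account logon slowdown the comment recommends, alongside a log heuristic for the pattern that per-account throttling alone does not catch, a single source trying a password against many different accounts. The policy constants, the log format and the sample log lines are constructed assumptions, not Intuit's or anyone else's real data.

```python
"""Two defender-side controls for the credential-stuffing case above: a
progressive logon slowdown per account, and a log heuristic that flags one
source trying a password against many different accounts."""
import re
from collections import defaultdict

# Assumed policy values (not from the article).
FREE_ATTEMPTS = 3       # failures tolerated before the prompt slows down
BASE_DELAY = 60.0       # seconds of delay after the first throttled failure
MAX_DELAY = 15 * 60.0   # cap, so a fat-fingered user is delayed, not locked out

def slowdown_delay(failures):
    """Seconds to hold the prompt after this many consecutive failures (doubling)."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY)

class LoginThrottle:
    """Per-account slowdown: the wait doubles with each failure beyond FREE_ATTEMPTS."""

    def __init__(self):
        self._failures = defaultdict(int)      # username -> consecutive failures
        self._not_before = defaultdict(float)  # username -> earliest allowed attempt

    def attempt(self, user, password_ok, now):
        """Return (accepted, retry_after_seconds) for an attempt at time `now`."""
        if now < self._not_before[user]:
            # Inside the slowdown window: refuse without checking the password,
            # so every extra guess costs wall-clock time whether right or wrong.
            return False, self._not_before[user] - now
        if password_ok:
            self._failures.pop(user, None)
            self._not_before.pop(user, None)
            return True, 0.0
        self._failures[user] += 1
        wait = slowdown_delay(self._failures[user])
        self._not_before[user] = now + wait
        return False, wait

# Assumed auth-log format: "... src=<ip> user=<name> result=OK|FAIL".
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def stuffing_sources(lines, min_users=5, max_success_rate=0.25):
    """Flag sources that hit many distinct accounts with mostly failures.

    Per-account throttling misses stuffing because each account sees only one
    or two tries; the tell is the fan-out across usernames from one source.
    Returns {src: (distinct_users, attempts, successes)} for flagged sources.
    """
    stats = defaultdict(lambda: [set(), 0, 0])  # src -> [users, attempts, successes]
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        rec = stats[m["src"]]
        rec[0].add(m["user"])
        rec[1] += 1
        if m["result"] == "OK":
            rec[2] += 1
    return {src: (len(users), attempts, ok)
            for src, (users, attempts, ok) in stats.items()
            if len(users) >= min_users and ok / attempts <= max_success_rate}

# Constructed sample log lines (not real data): one source sprays six accounts
# and gets a single hit; a legitimate user mistypes once, then succeeds.
SAMPLE_LOG = """\
2019-02-22T03:14:07Z auth src=198.51.100.23 user=alice result=FAIL
2019-02-22T03:14:08Z auth src=198.51.100.23 user=bob result=FAIL
2019-02-22T03:14:08Z auth src=198.51.100.23 user=carol result=OK
2019-02-22T03:14:09Z auth src=198.51.100.23 user=dave result=FAIL
2019-02-22T03:14:09Z auth src=198.51.100.23 user=erin result=FAIL
2019-02-22T03:14:10Z auth src=198.51.100.23 user=frank result=FAIL
2019-02-22T03:20:01Z auth src=203.0.113.9 user=grace result=FAIL
2019-02-22T03:20:40Z auth src=203.0.113.9 user=grace result=OK
""".splitlines()
```

In practice the two controls complement each other: the throttle bounds guesses per account, while the per-source heuristic feeds an alert or a temporary source block.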


Read more in:

Dark Reading: TurboTax Hit with Cyberattack, Tax Returns Compromised

https://www.darkreading.com/threat-intelligence/turbotax-hit-with-cyberattack-tax-returns-compromised/d/d-id/1333954

Bleeping Computer: Tax Returns Exposed in TurboTax Credential Stuffing Attacks

https://www.bleepingcomputer.com/news/security/tax-returns-exposed-in-turbotax-credential-stuffing-attacks/

ago.vermont: Example of TurboTax customer notification letter provided to Vermont Attorney General

https://ago.vermont.gov/wp-content/uploads/2019/02/2019-02-22-Intuit-Notice-of-Data-Breach-to-Consumers.pdf

 

--IARPA Virtuous User Environment

(February 25, 2019)

The US Intelligence Advanced Research Projects Agency (IARPA) is developing the Virtuous User Environment (VirtUE), which uses containers to isolate different user functions. The idea is to limit damage from breaches by preventing intruders from gaining access to other networks.


Read more in:

FNN: IARPA to offer potential cure for employees' linkclickitis disease

https://federalnewsnetwork.com/federal-cloud-report/2019/02/iarpa-to-offer-potential-cure-for-employees-linkclickitis-disease/

IARPA: Virtuous User Environment (VirtUE)

https://www.iarpa.gov/index.php/research-programs/virtue

 

--Electric Vehicle Charging Station Security Issues

(February 25, 2019)

Researchers from the US Department of Energy's (DOE's) Idaho National Laboratory are looking into how hacking electric vehicle (EV) charging stations could affect the flow of power through local grids. The project involved running an attack on an EV station's human machine interface (HMI) to communicate with the control system and increase the harmonic distortion of the energy flowing through the station. The project plans to examine how such increased distortions would affect local power grids. Idaho National Laboratory is working on the project with other DOE labs as well as utilities, charging station vendors, and a charging network operator.


Read more in:

Cyberscoop: Power struggle: Government-funded researchers investigate vulnerabilities in EV charging stations

https://www.cyberscoop.com/ev-charging-stations-hacked-idaho-national-laboratory/

 

****************************************************************************

INTERNET STORM CENTER TECH CORNER


B0ront0k Linux Server Ransomware

https://www.bleepingcomputer.com/news/security/b0r0nt0k-ransomware-wants-75-000-ransom-infects-linux-servers/


Cr1pt0r Ransomware Targets DLink NAS Devices

https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/page-3


ICANN Pushes DNSSEC to Defend Against DNS Zone Manipulation

https://www.icann.org/news/announcement-2019-02-22-en


LinkedIn Messages Used to Push Fake Job Offers

https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers


WinRAR ACE Vulnerability used in Malspam

https://twitter.com/360TIC/status/1099987939818299392


Android FIDO2 Certification

https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create