OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #18

March 5, 2019

Federal Cyber Reskilling Academy Draws 1,500+ Applicants ; Rob Joyce On Cyber Deterrence


SANS NewsBites                March 5, 2019                Vol. 21, Num. 018



  Federal Cyber Reskilling Academy Draws 1,500+ Applicants

  Rob Joyce Talks About Cyber Deterrence


  DOE Power Grid Improvement Challenge

  IBM Researchers Discover Flaws in Visitor Management Systems

  Googles Project Zero Discloses macOS Privilege Elevation Flaw

  2018 Cybercrime

  Adobe Releases Patch for ColdFusion Zero-Day Vulnerability

  US Government Unveils New Security Clearance Framework



Cybersecurity Training Update

-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019

-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019

-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019

-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019

-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019

-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019

-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019

-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 9.7" iPad, Samsung Galaxy Tab A or Take $250 Off with OnDemand or vLive training. Offer ends March 6.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



****************  Sponsored By NETSCOUT Systems, Inc. ***********************

"Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense" John Pescatore, SANS Institute, joined by Arabella Hallawell, NETSCOUT, will talk with security managers about how the most commonly cited barriers to improving security operationsincluding lack of budget and lack of staffcan be overcome.  Register:  http://www.sans.org/info/210920




--Federal Cyber Reskilling Academy Draws 1,500+ Applicants

(March 4, 2019)

More than 1,500 current US federal employees applied to be part of the first cohort of the Cyber Reskilling Academy. The program, which is an effort of the CIO Councils Workforce Committee and the Education Department, is choosing just 25 people to participate in the inaugural class. This first round was open to current federal employees who are not in IT jobs. Applicants were given an assessment to determine whether they possess the brain wiring that indicates they would be successful as cyber defense analysts. Selected applicants will be notified at the beginning of April and will take part in training that runs from mid-April through mid-July. The second cohort will be open to all federal employees, including those already in IT positions and is expected to be larger.   

[Editor Comments]

[Paller] The UK ran a parallel reskilling program: HM Governments Cyber Retraining Academy. The results were remarkable: https://www.infosecurity-magazine.com/news-features/all-you-need-cyber-retraining/: All You Need to Know about the Cyber Retraining Academy  

[Neely] 1500 applicants for 25 positions shows a potential pipeline of talent. The next round promises to have an even larger applicant pool. It will be interesting to track whether these are diamonds in the rough or just folks wishing a career change.


Read more in:

Fedscoop: More than 1,500 feds applied for first Cyber Reskilling Academy cohort


Nextgov: Federal CIO: Agencies Already Tracking Future Cyber Reskilling Graduates


MeriTalk: Cyber Reskilling Academy Finding Success, Says Kent


FCW: Cyber reskilling pilot attracts 1,500 feds



--Rob Joyce Talks About Cyber Deterrence

(February 28 & March 4, 2019)

Former National Security Council cybersecurity policy coordinator and acting Homeland Security Advisor Rob Joyce told attendees at an Armed Forces Communications and Electronics Association (AFCEA) chapter meeting in Maryland last week that regarding cyberattacks launched by foreign adversaries, We have to impose costs in a visible way to start deterrence. Joyce, who is now senior adviser to NSA Director Gen. Paul Nakasone, said that work to safeguard the 2020 elections is already underway.

[Editor Comments]

[Paller] Few people in the United States have more knowledge of cyber attacks and what makes them hard. He ran the key teams at NSA. I always listen when Rob talks.

[Williams] Rob Joyce gets it. Deterrence won't work unless others see it. It must be visible. Deterrence operations must also increase the cost to the adversary to achieve an objective. Finally, deterrence requires reliable attribution. Deterrence operations directed at the wrong adversary may be considered an act of war.


Read more in:

Cyberscoop: NSAs Joyce outlines how U.S. can disrupt and deter foreign hacking


Ars Technica: NSAs top policy advisor: Its time to start putting teeth in cyber deterrence


****************************  SPONSORED LINKS  ******************************

1) Don't Miss "Overcoming Obstacles to Secure Multi-cloud Access" with John Pescatore and Rajoo Nagar.  http://www.sans.org/info/210925

2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/210930

3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/210935




--DOE Power Grid Improvement Challenge

(March 4, 2019)

The US Department of Energy (DOE) has announced it is offering monetary awards for ideas for technologies that would improve the US energy grids efficiency, safety, and cybersecurity. Challenge registration is open through April 26, 2019 and submissions will be accepted through April 30, 2019.

[Editor Comments]

[Neely] $1 million is available to be awarded for the top 25 solutions. Participation is limited to US citizens or companies, who are not DOE employees. This is a chance to kickstart the process of making improvements in the power grid. The big challenge will be obtaining Congressional funding to implement the winning proposals.

[Murray] Cybersecurity in the energy grid continues to be seen as an inconvenience rather than, as in banking, an essential business function.  

Read more in:

Fedscoop: Department of Energy challenge seeks tech to improve the power grid


NETL: Electricity Industry Technology and Practices Innovation Challenge


NETL: Electricity Industry Technology and Practices Innovation ChallengeOfficial Rules



--IBM Researchers Discover Flaws in Visitor Management Systems

(March 4, 2019)

Researchers working with IBMs X-Force Red team have found nearly 20 security flaws in widely-used visitor management systems, the kiosks used to let visitors check in to businesses. The researchers were looking at how easy it would be to get someone checked in with no real identifying information; how easy is it to get other peoples data from the system; and can the app be escaped or caused to crash to get arbitrary code to run and access the corporate network. The researchers, who were summer interns, were able to do all three.

Read more in:

Security Intelligence: Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems


Wired: The Overlooked Security Threat of Sign-In Kiosks


ZDNet: Data leaks, default passwords exposed in visitor management systems


Cyberscoop: IBM interns find 19 vulnerabilities in corporate check-in systems


Threatpost: Visitor Kiosk Access Systems Riddled with Bugs



--Googles Project Zero Discloses macOS Privilege Elevation Flaw

(March 4, 2019)

Researchers from Googles Project Zero have disclosed a vulnerability in macOS. Project Zero has nicknamed the flaw BuggyCow, chosen because the issue exists in the copy-on-write process in Apples XNU kernel. Project Zero gives companies a 90-day window to address flaws before disclosing them. Apple was notified of the flaw on November 30, 2018.

[Editor Comments]

[Ullrich] I am not surprised that Apple has not released a bug fix yet. Copy-on-Write (CoW) is tricky to implement correctly. This bug is likely difficult to fix without measurable performance issues. Linux had its own CoW issue a while ago (DirtyCow). While I dont want to distract from the significance of the bug, exploitation is tricky and does essentially amount to privilege escalation. An attacker who has a foothold on a system could use this vulnerability to gain more privileges.

[Williams] Unless you're a memory guru, the write-up on this from Google may leave a lot to be desired. My large fears for exploitation include anything using an SQLite database for critical data. Replacing code libraries is also possible, but we should be careful to note that they must be memory mapped from a filesystem that can be remounted (a fairly uncommon situation).

[Neely] Exploiting the vulnerability is tricky, and likely needs physical access or existing malware on the Mac. While Apple has not announced a fix, the release of the bug and POC code should expedite a fix.

Read more in:

Bugs.chromium: Issue 1726: XNU: copy-on-write behavior bypass via mount of user-owned filesystem image


Wired: Hack Brief: Google Reveals 'BuggyCow,' a Rare macOS Zero-Day Vulnerability


ZDNet: Googles Project Zero reveals zero-day macOS vulnerability to the public


Threatpost: Project Zero Discloses High-Severity Apple macOS Flaw



--2018 Cybercrime

(March 4, 2019)

This is a rundown of major cybersecurity-related indictments, pleas, convictions, and sentencings in 2018.

[Editor Comments]

[Pescatore] The average business is still way more likely to see damage from a cybercrime attack than from a nation-state attack. Enforcement always has some level of deterrence, but just like making sure you lock your car doors or at least dont leave the keys in the ignition with the windows open, the best deterrence is achieving basic security hygiene. Before the Verizon Data Breach Investigation Report was sorta downsized, it used to publish very telling statistics about root causes of incidentsa lot of open windows and keys in the ignition.

Read more in:

SC Magazine: The Criminal Element Gets Its Due



--Adobe Releases Patch for ColdFusion Zero-Day Vulnerability

(March 1 & 4, 2019)

Adobe has released security updates for a critical file upload restriction bypass flaw in its ColdFusion development platform. The flaw is being actively exploited. The flaw affects ColdFusion 2018, 2016, and 11. Users are urged to upgrade to ColdFusion 2018 Update 3, ColdFusion 2016 Update 10, and ColdFusion 11 Update 18.

[Editor Comments]

[Ullrich] Adobes ColdFusion is still a supported product, even though its use is declining. In the past, ColdFusion vulnerabilities have been exploited quickly and led to significant breaches. Please take this issue seriously and patch quickly.

Read more in:

Threatpost: Adobe Patches Critical ColdFusion Vulnerability With Active Exploit


ZDNet: Adobe releases out-of-band update to patch ColdFusion zero-day


SC Magazine: Adobe patches critical vulnerability in ColdFusion


Adobe: Security updates available for ColdFusion | APSB19-14



--US Government Unveils New Security Clearance Framework

(February 28, 2019)

The Office of the Director of National Intelligence (ODNI) and the Office of Personnel Management (OPM) are rolling out a new security clearance framework. The current security clearance process has been widely criticized for its inefficiency. Trusted Workforce 2.0 is focused on reducing the length of time it takes to obtain an initial clearance and on making it simpler for employees to move from one agency to another. 

[Editor Comments]

[Neely] Part of the proposal is to replace point-in-time reinvestigation with a continuous monitoring solution, which sounds good on paper, and has the potential to identify problems sooner. The challenge will be to achieve equivalent review. In parallel, the issue of reciprocity for clearances has been raised. Agencies currently have the right to reject another agencys clearance process. While this proposal seeks to simplify the levels of clearances, until all agencies use the same process and levels, agencies will continue to question the legitimacy of another agency-granted clearance.

Read more in:

FNN: ODNI, OPM planning series of sweeping updates to federal personnel vetting system


FCW: Federal government rolls out new framework for security clearance process






Cisco Router Patch


ColdFusion Patch and Exploit


macOS Unpatched Privilege Escalation Vulnerability Made Public


eBay Site Used for eBay Phish (article in German)


Ransomware Impersonates Protonmail


Docker Vulnerability Used for Crypto Miners


Windows Exploit Suggester Next Generation Released


Russian GPS Jamming Exercises



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create