Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #22

March 19, 2019

27 Governors Launch U.S. National Cyber Talent Search on Wednesday; Cybercom Recruiting Energy Companies; Massachusetts Public Defender Hit with Ransomware



SANS NewsBites               March 19, 2019                Vol. 21, Num. 022



  27 Governors Launch U.S. National Cyber Talent Search on Wednesday, March 20

  Cybercom Recruiting Energy Companies to Help Develop Infrastructure Protection Strategy

  Massachusetts Public Defender System Hit with Ransomware Attack



  IBM Fixes Watson Flaws

  New Mirai Variant Adds More Device Exploits to its Toolbox

  Exactis Data Exposure Illustrates Large Risk

  Fujitsu Wireless Keyboard Vulnerability

  Former Cryptocurrency Exchange CEO Given Suspended Sentence

  Sandia National Laboratories HADES Program

  Japanese Police Arrest Cryptocurrency Theft Suspect

  DARPA Project is Developing Secure, Open-Source Voting System

  Researchers Find Serious Flaw in Proposed Swiss Internet Voting System Code




-- SANS 2019 | Orlando, FL | April 1-8 |

-- SANS London April 2019 | April 8-13 |

-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 |

-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 |

-- Pen Test Austin 2019 | April 29-May 4 |

-- SANS Security West 2019 | San Diego, CA | May 9-16 |

-- SANS Amsterdam May 2019 | May 20-25 |

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 |

-- SANS Cyber Defence Japan 2019 | July 1-13 |

-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap

********************** Sponsored By AWS Marketplace *************************

AWS Webcast Series: Building a Visibility Strategy in the AWS Cloud, featuring SANS instructor Dave Shackleford. In this webcast, learn how to utilize AWS cloud-native controls and third-party options for full visibility into the security state of your cloud workloads and operations. March 29, 1 PM ET. Register here:




--26 Governors Launch U.S. National Cyber Talent Search; Competition Opens Wednesday, March 20

(March 19, 2019)

Twenty-six U.S. state governors invited every young woman in grades 9-12 in their states to participate in CyberStart, a series of digital challenges that enables them to discover their aptitude for and excitement about entering the cybersecurity industry. The program awards winning schools and participants cash prizes of up to $1,000 and 400 college scholarships. CyberStart registration is open through April 12. This US program builds on the UKs HMG CyberDiscovery program that proved that the CyberStart game identifies large numbers of people with elite talent levels even among those who had no experience in cyber and no idea they had relevant talent.


--Cybercom Recruiting Energy Companies to Help Develop Infrastructure Protection Strategy

(March 14, 2019)

The US Cyber Command (Cybercom) wants US energy companies to work with them to develop the defend forward strategy to protect the countrys energy infrastructure. Gaining access to adversaries networks to see what they are planning and thwart attacks before they are launched. Any offensive cyber activity would be conducted by Cybercom, not the power companies.

Read more in:

E&E News: Pentagon to utilities: Uncle Sam wants you


--Massachusetts Public Defender System Hit with Ransomware Attack

(March 13, 2019)

The Massachusetts Committee for Public Counsel Services (CPCS) is in the process of restoring its systems from backups in the wake of a February ransomware attack. CPCS CIO Daniel Saroff says that the organizations network was hit with both a Trojan and ransomware. The organization did not pay the ransom. The attack has caused attorneys who work through CPCSs bar advocate program to miss a payday. A notice on the website as of Monday evening March 18, says CPCSs computer systems have been attacked and are not working properly. We are still representing clients. In addition, there is no evidence that confidential information from clients has been released as a result of these attacks.

Read more in:

MassLive: Cyberattack shuts down Committee for Public Counsel Services network, leaving bar advocates unpaid

****************************  SPONSORED LINKS  ******************************

1) Download the ebook, "7 SIEM Trends to Watch in 2019," and learn about the exciting features on the horizon.

2) SURVEY: Are you involved with operational technology and ICS? Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card

3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card.




--IBM Fixes Watson Flaws

(March 18, 2019)

IBM has released a security bulletin that addresses five vulnerabilities in the IBM Runtime Environment Java Technology Edition used by Watson Explorer and IBM Watson Content Analytics. The most serious of the bunch is a flaw in Java SE, Java SE Embedded, and JRockit JNDI that could be exploited to take control of vulnerable devices.

Read more in:

The Register: Bad cup of Java leaves nasty taste in IBM Watson's 'AI' mouth: Five security bugs to splat in analytics gear

IBM: Security Bulletin: Multiple vulnerabilities affect Watson Explorer and IBM Watson Content Analytics


--New Mirai Variant Adds More Device Exploits to its Toolbox

(March 18, 2019)

A new variant of Mirai botnet malware has added exploits for several new Internet of Things (IoT) devices including WePresent WiPG-1000 Wireless Presentation systems, and LG Supersign TVs. The new Mirai variant also has new credentials to use in brute force attacks. This Mirai variant includes 27 exploits, 11 of which are completely new to the malware.

[Editor Comments]

[Pescatore] This, and the Exactis breach item in this issue, are strong reasons to make sure supply chain security includes the products and services being consumed outside of the IT department. DDoSing the board session in the big fancy conference room may be a minor annoyance, but those same vulnerabilities used to record board sessions for insider trading could be a disaster.

[Neely] Cyber hygiene has to be foundational for IoT devices. In addition to supply chain security, core protections must include micro-segmentation, rigorous application of updates, and only minimum needed network access. An added challenge: some telepresence systems have to be exposed to the Internet to operate, which means they also need to be isolated from other systems, and possibly disconnected or powered off when not in use.


Read more in:

Unit 42: New Mirai Variant Targets Enterprise Wireless Presentation & Display Systems

ZDNet: New Mirai malware variant targets signage TVs and presentation systems

Ars Technica: Brace yourselves: New variant of Mirai takes aim at a new crop of IoT devices

Cyberscoop: Mirai offshoot offers 'greater firepower' for DDoS attacks, researchers warn


--Exactis Data Exposure Illustrates Large Risk

(March 18, 2019)

The takeaway from this piece about the downfall of data aggregator Exactis is that small companies now have the ability to get their hands-on large troves of data, and many of those small companies may not have the expertise to protect those data. A misconfigured Amazon ElasticSearch server left an Exactis database of hundreds of millions of records exposed on the Internet. The leak was disclosed in June 2018. The company has ceased to operate.

[Editor Comments]

[Neely] Exactis learned that even if data is not actually leaked, reports of exposed data, and corresponding class and business actions against the company can be fatal.


[Northcutt] Well written, well researched, article. Worth taking the time to read. Great reminder that data, always thought of as an asset, can also be a liability. The article says they are not operational, but their website is still up, although Firefox, my default browser, generated a compromised system alert.


Read more in:

Wired: Here's What It's Like to Accidentally Expose the Data of 230M People


--Fujitsu Wireless Keyboard Vulnerability

(March 15, 16, & 18, 2019)

A Fujitsu wireless keyboard was found to be vulnerable to a keystroke injection attack. The issue affects the Fujitsu Wireless Keyboard Set LX901. The keyboard and mouse send information protected by the Advanced Encryption Standard, but the USB receiver dongle will also accept unencrypted input if it is formatted correctly. The researcher who detected the issue notified Fujitsu late last year. There is not yet a patch for the vulnerability.   

[Editor Comments]

[Neely] Not only will the receiver accept unencrypted input when properly encoded, the encrypted stream can be replayed, possibly from an adjacent building with appropriate antennas. Fujitsu has halted sales of the LX901 keyboard while they look into the issue. The best mitigation is to use a wired keyboard and mouse, disconnecting the USB dongle so it cannot receive unauthorized input until a fix can be applied.


Read more in:

Ars Technica: How a wireless keyboard lets hackers take full control of connected computers

Threatpost: Unpatched Fujitsu Wireless Keyboard Bug Allows Keystroke Injection

The Register: This headline is proudly brought to you by wired keyboards: Wireless Fujitsu model hacked

SecLists: [SYSS-2018-033]: Fujitsu Wireless Keyboard Set LX901 - Keystroke Injection Vulnerability


--Former Cryptocurrency Exchange CEO Given Suspended Sentence

(March 15, 2019)

A court in Tokyo, Japan, has found former Mt. Gox CEO Mark Karpels guilty of tampering with the organizations financial records. The court found that Karpels doctored the cryptocurrency exchanges books to disguise the losses from cyberthieves, but did not embezzle funds, as he was accused of doing. Karpels, who is a French citizen, is unlikely to face time in prison for his actions. The court gave him a thirty-month sentence suspended for four years, which means that as long as he behaves during that time, he will serve no more confinement. Mt. Gox ceased trading and filed for bankruptcy protection in 2014.

Read more in:

ZDNet: Former Mt. Gox CEO found guilty of record tampering, but likely to avoid prison

NYT: Bitcoin Tycoon Who Oversaw Mt. Gox Implosion Gets Suspended Sentence


--Sandia National Laboratories HADES Program

(March 15, 2019)

The Sandia National Laboratories High-Fidelity Adaptive Deception and Emulation System (HADES) program could be described as a dynamic honeypot, a synthetic network that looks and feels real to intruders, and that allows defenders to observe attackers in realtime.


[Editor Comments]

[Neely] This is exciting stuff. Vince and his SNL team worked to create a honeypot that looks really real to an attacker, utilizing software defined networks; tailored applications and virtual machine state; browser and document history, as well as a platform that can be setup and configured quickly as well as scale massively if needed. Sandia is investigating the best way to share this technology with the cyber security community.


Read more in:

FNN: Sandias synthetic network offers new insight into how cyber attackers work


--Japanese Police Arrest Cryptocurrency Theft Suspect

(March 15, 2019)

Police in Japan have arrested an 18-year-old in connection with the theft of 15 million (US$130,000) worth of Monacoin cryptocurrency. The suspect allegedly exploited a flaw in the Monappy online wallet service gift card feature to steal the Monacoins in August 2018. The suspect faces computer fraud and concealment of criminal proceeds charges for allegedly moving the stolen Monacoins to another network and converting them into a different cryptocurrency. The thefts affected roughly 7,700 people.  

Read more in:

Bleeping Computer: 18-Year Old Arrested in Japan for Stealing $130k in Cryptocurrency

Japan Today: 18-year-old hacker referred to prosecutors over cryptocurrency theft


--DARPA Project is Developing Secure, Open-Source Voting System

(March 14, 2019)

The US Defense Advanced Research Projects Agency (DARPA) has launched a US$10 million contract to design and build a secure voting system. The system will use open source software and secure, open source hardware. The system will also provide verifiable and transparent results. The prototype will not be sold, but can be used by voting machine companies to adopt and customize with no licensing fees.

Read more in:

Motherboard: DARPA Is Building a $10 Million, Open Source, Secure Voting System


--Researchers Find Serious Flaw in Proposed Swiss Internet Voting System Code

(March 12, 2019)

Researchers have found a serious vulnerability in Internet voting software that Switzerland plans to use in an upcoming election. The cryptographic backdoor that the researchers found could be exploited to alter votes without being detected. The researchers submitted their findings to Swiss Post, the countrys postal service, which developed the system along with a Spanish company, Scytl. Swiss Post publicly said the researchers were correct and that they had asked Scytl to fix the problem. The researchers noted that while Swiss Post said that an attacker would need to have control over its secure IT infrastructure to exploit the vulnerability, it failed to address the fact that the vulnerability could be exploited by a Swiss Post insider.

Read more in:

Motherboard: Researchers Find Critical Backdoor in Swiss Online Voting System



Binary Analysis With Jupyter and Radare2

IMAP Brute Forcing Against Cloud Accounts

Sniffing BitLocker Keys from TPM

PuTTY Updates

Fujitsu Wireless Keyboard Vulnerabilities

Free Support for Ubuntu 14.04 LTS Ends in April

Latest Mirai Version with Even More Exploits

Signed Malware Goes Undetected

Google Allows G Suite Users to Disable SMS/Voice Authentication


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit