

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #25

March 29, 2019

Law Firm Sues Insurance Company Over Refusal to Pay NotPetya Claim; UConn Health Center Hit With $5m Lawsuit Over Breach; 25 Governors Launch Cyber FastTrack; Microsoft Uses Court Order to Sinkhole Iranian Hacker Websites



SANS NewsBites               March 29, 2019                Vol. 21, Num. 025




  Law Firm Sues Insurance Company Over Refusal to Pay NotPetya Claim

  UConn Health Center Hit With $5m Lawsuit Over Breach

  Governors Announce Cyber FastTrack in 25 States for College Students Who Might Like Careers in Cyber Security

  Microsoft Uses Court Order to Sinkhole Iranian Hacker Websites



  FTC Orders Broadband Providers to Tell Them About Their Customer Data Collection, Retention, and Use Practices

  Asus Issues Fix for Live Update Tool

  Mozilla Fixes Thunderbird Flaws

  NYC Tenants Suing Landlord Over Keyless Entry

  GAO Reports Find Security Issues on IT Systems Related to the Schedules of Federal Debt

  Senate Armed Services Committee Hearing on Cybersecurity Responsibilities of the Defense Industrial Base

  Hosting Provider Takes Down Exposed Spyware Database

  Melissa Virus is 20 Years Old

  UK Report Critical of Huawei Commitment to Security

  Former NSA Contractor to Plead Guilty to Data Theft

  Bill Would Give Senators Help Protecting Personal Digital Devices and Accounts

  MEPs Say No Cookies




-- SANS Security West 2019 | San Diego, CA | May 9-16 |

-- SANSFIRE 2019 | Washington, DC | June 15-22 |

-- SANS London April 2019 | April 8-13 |

-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 |

-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 |

-- Pen Test Austin 2019 | April 29-May 4 |

-- SANS Amsterdam May 2019 | May 20-25 |

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 |

-- SANS Cyber Defence Japan 2019 | July 1-13 |

-- SANS OnDemand and vLive Training

Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap


*************************** Sponsored By InfoBlox ***************************

Virtual Event, April 18 at 10am PDT: Integrating the NOC & SOC.




--Law Firm Sues Insurance Company Over Refusal to Pay NotPetya Claim

(March 26, 2019)

Multi-national law firm DLA Piper has been denied payment of a claim over the NotPetya malware infection. Its insurance company, Hiscox, maintains that it does not need to pay under the "acts of war" exclusion clause based on a statement from the UK government that the Russian military was "almost certainly" responsible for the attack.

[Editor Comments]

[Pescatore] There are more stories like this about experience with cybersecurity insurance than there are success stories, as "acts of war" or "pre-existing conditions" and other clauses are used to deny insurance claims. That said, not every action by a government is an act of war. It will be good to get some case law on the books defining this in this context. Lots of other side currents to this story, given that NotPetya used the Eternal Blue tools that were created by the US government and were leaked into the wild!

[Murray] This would be a novel application of the exclusion. However, the dispute demonstrates that small to medium size enterprises may not have the expertise to negotiate "cyber" insurance policies or claims. They should consider the use of brokers and adjusters specializing in these policies.

Read more in:

SC Magazine: Insurer refuses payout to DLA Piper over NotPetya cyberattack

InfoSecurity Magazine: DLA Piper Set to Sue Insurer Over NotPetya Claim: Report


--UConn Health Center Hit with $5M Lawsuit Over Breach

(March 27, 2019)

The University of Connecticut Health Center is being hit with a $5 million class action lawsuit over a data breach that exposed the records of 326,000 current and former patients.

Read more in:

SC Magazine: UConn Health Center hit with $5M suit over breach


--Governors Announce Cyber FastTrack in 25 States for College Students Who Might Like Careers in Cyber Security

(March 29, 2019)

Governors from twenty-five states announced a three-part program to educate college students on foundations and advanced topics (intrusion detection, web app pen testing, ICS security) that prepare them for jobs in the field. It's free. 100 of the best players get scholarships for three SANS classes and certifications. 200 players who do well will earn scholarships they can use at their colleges. Read a Facebook post below from Champlain College's Jonathan Castro challenging college students to try to beat his score.

Registration starts on Wednesday April 5 and runs through May 10.

Information and registration:


The College Challenge from Champlain College's Jonathan Castro:

In case you haven't heard, Governor Scott of Vermont announced the creation of a program called Cyber FastTrack. Cyber FastTrack is an awesome three-stage program created to help educate college students on common cybersecurity topics such as intrusion detection, security operations, system and network penetration testing, and application penetration testing.

Also, have we mentioned that this program is FREE! That's not even the best part.

Those who do extremely well in this program will be awarded three of SANS' most popular courses and their associated certifications including SANS Security Essentials, Hacker Exploits and Incident Handling, and one of five focused electives: Cyber Defense in Depth, Digital Forensics, Industrial Control Systems Security, Intrusion Detection, or Web Application Penetration Testing. Those who do well but don't win a SANS scholarship will have the chance to win one of 200 $500 scholarships that can be used at Champlain College.

The deadline to enroll is April 5, 2019, and can be completed at If you're curious about how the challenges would look, SANS has dedicated an interactive page with challenges (much like a CTF) at

P.S. let me know if you beat my score (100% completion in 30 minutes).

--Microsoft Uses Court Order to Sinkhole Iranian Hacker Websites

(March 27, 2019)

Microsoft's Digital Crimes Unit obtained a court order to take over and sinkhole nearly 100 websites that were being used by Iranian hackers to launch attacks. The hackers used spear phishing attacks and spoofed websites to steal credentials and gain access to targeted computers. The hacking group focuses on businesses and government agencies as well as journalists and human rights activists.

[Editor Comments]

[Murray] Note that Microsoft routinely seeks court approval for what might otherwise look like vigilante enforcement. One assumes that there have been cases where a court has withheld approval.

Read more in:

Cyberscoop: Microsoft uses court order to shut down APT35 websites

The Hill: Microsoft takes down sites tied to suspected Iranian hackers

Bleeping Computer: Microsoft Retaliates Against APT35 Hacker Group by Seizing 99 Domains

Microsoft: New steps to protect customers from hacking

****************************  SPONSORED LINKS  ******************************

1) ICYMI SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're

2) "Simplifying Application Security with VMware AppDefense" with Dave Shackleford. Learn More:

3) Don't Miss "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" Register:





--FTC Orders Broadband Providers to Tell Them About Their Customer Data Collection, Retention, and Use Practices

(March 27, 2019)

The US Federal Trade Commission (FTC) wants to know what major broadband providers do with customer data. Specifically, the FTC has ordered the companies, which include AT&T, Verizon, T-Mobile, Comcast, and Google Fiber, to tell them what data they collect, what they do with it, and how transparent these practices are to their customers.

[Editor Comments]

[Pescatore] Always good to see the FTC take action vs. hear about how new laws are required before a government agency can do anything. There will be three questions to be answered: (1) Does what they are doing match what their privacy policies say they are doing? (2) Is everything they are doing actually allowed by US law, or should regulations be modified? and (3) Will FTC do any testing to make sure that the ISPs' practices actually match what they reported?

Read more in:

Ars Technica: FTC investigates whether ISPs sell your browsing history and location data

ZDNet: FTC asks broadband providers to disclose how they collect user data

The Register: Yeah, you better, you... you better tell us how you're misusing people's data, privacy, watchdog suggests to US telcos

Threatpost: FTC Demands Broadband Providers Reveal Data Handling Practices

FTC: FTC Seeks to Examine the Privacy Practices of Broadband Providers

FTC: Order to File a Special Report


--Asus Issues Fix for Live Update Tool

(March 26, 2019)

Asus has released a fix for its Live Update tool for notebooks after the tool's update channel was hijacked to place backdoors on computers. While the backdoored updater reached hundreds of thousands of computers, the attackers appeared to be intent on targeting just several hundred machines: the backdoor dropped additional malware only on computers whose network adapter MAC addresses matched a list carried in the malware. Nonetheless, all users are urged to download and install the update to remove the backdoor. Users whose computers were targeted by MAC address also need to back up their files and restore their computer's operating system to factory settings, since the update removes the backdoor but not the second-stage malware.

[Editor Comments]

[Neely] Targeted systems need to perform a factory reset to remove the added malware beyond the back door. Tools are available to determine whether your MAC address was targeted. If unsure, the safest bet is the factory reset.

Read more in:

The Register: Asus: Yo dawg, we hear a million of you got pwned by a software update. So we got you an update for the update

SC Magazine: Asus issues patch, but questions still remain about ShadowHammer

CNET: Asus pushes patch after hackers used updates to send malware

Threatpost: ASUS Patches Live Update Bug That Allowed APT to Infect Thousands of PCs

Asus: ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups
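The selective targeting described above (the backdoor matching victims by MAC address, and the checker tools Neely mentions) can be illustrated from the defender's side. The script below is an added example; it is not code from ASUS, Kaspersky or any vendor checker. It assumes the published target list consists of MD5 digests of the MAC address as text, and it tries the common textual forms (bare hex, colon- and dash-separated, upper- and lowercase) because the exact normalisation of a real list must be taken from whoever published it. The target list embedded here is constructed for the example, and `local_macs()` is a best-effort helper that reads only the primary adapter via `uuid.getnode()`.

```python
"""Check a host's MAC addresses against a hashed list of targeted adapters.

Added example. Demonstrates the matching logic behind "was my MAC
targeted?" checkers: a defender takes a published list of hashed MACs and
tests every local adapter against it. Assumptions (not from the ASUS
advisory): the list holds MD5 digests of the address as text, in one of
several plausible textual forms.
"""
import hashlib
import re
import uuid

# Constructed target list for this example: the MD5 of one MAC written in
# lowercase colon form and of another written as bare uppercase hex.
SAMPLE_TARGET_HASHES = {
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),
    hashlib.md5(b"A1B2C3D4E5F6").hexdigest(),
}

# Six hex pairs, all joined by the same separator (":" or "-") or none at all.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC in lowercase; raise ValueError otherwise."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:-]", "", mac).lower()


def candidate_forms(mac: str) -> list:
    """Distinct textual forms of `mac` that a target list might have hashed."""
    bare = normalize_mac(mac)
    pairs = [bare[i:i + 2] for i in range(0, 12, 2)]
    forms = []
    for sep in ("", ":", "-"):
        joined = sep.join(pairs)
        for form in (joined, joined.upper()):
            if form not in forms:          # digits-only MACs repeat across cases
                forms.append(form)
    return forms


def matching_forms(mac: str, target_hashes) -> list:
    """Forms of `mac` whose MD5 digest appears in `target_hashes`."""
    return [
        form for form in candidate_forms(mac)
        if hashlib.md5(form.encode("ascii")).hexdigest() in target_hashes
    ]


def check_host(macs, target_hashes) -> dict:
    """Map each targeted MAC (normalised) to the forms that matched.

    An empty dict means no adapter in `macs` is on the list; it does not
    prove the host is clean if the list is incomplete.
    """
    hits = {}
    for mac in macs:
        found = matching_forms(mac, target_hashes)
        if found:
            hits[normalize_mac(mac)] = found
    return hits


def local_macs() -> list:
    """Best-effort list of local MACs: the primary adapter via uuid.getnode().

    getnode() returns a random number with the multicast bit set when it
    cannot find a hardware address; such a value is not a real MAC.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return ["%012x" % node]


if __name__ == "__main__":
    hits = check_host(local_macs(), SAMPLE_TARGET_HASHES)
    if hits:
        print("TARGETED adapters:", hits)
    else:
        print("no local adapter matched the sample list")
```

On a real incident, replace `SAMPLE_TARGET_HASHES` with the vendor-published digests and feed `check_host()` every adapter on the machine (including disabled and virtual ones), not just the primary. A match means the factory reset path described above; a non-match still calls for installing the fixed updater, because the backdoor was present regardless of whether the second stage was delivered.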


--Mozilla Fixes Thunderbird Flaws

(March 26 & 27, 2019)

Mozilla has released Thunderbird 60.6.1 to address two critical vulnerabilities. The issues affect the email client's IonMonkey JavaScript JIT compiler. These fixes were also included in Mozilla's Firefox 66.0.1 release last week.

[Editor Comments]

[Neely] While these flaws are not present in the standard mail viewer, rich content, which uses browser or browser-like contexts, can be exploited. This is worth an immediate update cycle.

Read more in:

SC Magazine: Mozilla plugs two critical security holes in Thunderbird

Softpedia: Mozilla Thunderbird 60.6.1 Released with Critical Security Fixes

Mozilla: Security vulnerabilities fixed in Thunderbird 60.6.1


--NYC Tenants Suing Landlord Over Keyless Entry

(March 23, 2019)

Several tenants of a New York City apartment building are suing their landlord, demanding that they be provided with physical keys for the keyless locks that have been installed on the building's main entrance. The keyless locks use a smartphone app for operation; the tenants have been given card keys to carry so they do not have to use an app to enter their building. The lawsuit demands that the tenants have access to all entryways without the need for a smartphone app. A New York state assemblyperson who represents the neighborhood has introduced legislation that would require landlords to offer traditional alternatives to smartphone app entry systems, and to limit what can be done with the information the keyless entry systems collect.

[Editor Comments]

[Neely] The appeal of keyless locks is the perceived removal of the lost or copied key challenges. This implementation appears to be a mixture of digital locks for common spaces paired with conventional locks for private spaces to provide defense in depth. While this case focuses on tenant versus landlord rights, consideration also has to be given to user acceptance as it impacts the risks of compromise, damage or digital key replication by disgruntled tenants.

Read more in:

NYT: When a Phone App Opens Your Apartment Door, but You Just Want a Key


--GAO Reports Find Security Issues on IT Systems Related to the Schedules of Federal Debt

(March 27, 2019)

A Government Accountability Office (GAO) audit of the Schedules of Federal Debt, the system that keeps track of how much the government owes to its creditors, found security flaws in related IT systems at the Treasury's Bureau of the Fiscal Service (BFS) and the Federal Reserve Banks. The GAO's November 2018 report on the BFS found access control and configuration management issues that "represent a significant deficiency in internal control over financial reporting." The GAO's recently released report on the Federal Reserve Banks "found new weaknesses in the security of the information systems that the Treasury Department uses to keep track of and otherwise manage the debt--including one in a Federal Reserve Bank system that Treasury relies on. This new weakness, along with some unresolved earlier ones, could lead to an increased risk of unauthorized access to Federal Reserve Bank systems."

[Editor Comments]

[Neely] Due to the sensitive nature of the weaknesses, the GAO report is for Official Use Only and not publicly available. The audit appeared to focus on configuration management - ensuring the systems were robust enough to protect transactions from malfeasance. As the FRB is still working 15 findings from the previous audit, they will be challenged to add these to the workload. This will be a bit like changing a flat tire while driving. Risk-based prioritization will be key.

Read more in:

Dark Reading: GAO Finds Deficiencies in Systems for Handling National Debt

Fedscoop: System that tracks federal debt needs security fixes, GAO says

GAO: MANAGEMENT REPORT: Areas for Improvement in the Federal Reserve Banks' Information System Controls

GAO: FINANCIAL AUDIT: Bureau of the Fiscal Service's Fiscal Years 2018 and 2017 Schedules of Federal Debt (November 2018)


--Senate Armed Services Committee Hearing on Cybersecurity Responsibilities of the Defense Industrial Base

(March 27, 2019)

At a Senate Armed Services Committee Subcommittee on Cybersecurity hearing on Tuesday, March 26, Senator Joe Manchin (D-West Virginia) wondered "why we don't hold the larger contractors who are responsible for the contract to make sure the subcontractors they are hiring have protections." Industry representatives told committee members that the increasing complexity of supply chains makes this difficult. Contracts between prime contractors and subcontractors are not always available to the government, and some prime contractors are reluctant to identify their subcontractors to the government because they are concerned that if the government knew who was working for them, it might go straight to the subcontractor instead.

[Editor Comments]

[Pescatore] Hard to believe that someone on the Board of Directors of a prime contractor would agree with the strategy of "Well, since the government does not require us to make sure our subcontractors will protect information, we won't worry about it because it is hard for us to even know what is in our supply chain." I can't imagine a COO ever once saying that about the quality of the subcontractors in the product chain for a commercial product.

[Neely] Flowing cyber security requirements to subcontractors, including providers of outsourced or cloud-based services, is critical to ensuring organizations' data is properly protected and responsibilities are accepted and understood.

[Murray] The so-called "Defense Industrial Base" is a decades old "poster boy" for government/business cooperation and intelligence sharing; it dates from WWII. We might well use it as a model in "cyber space" where both government and industry continue to complain.

Read more in:

Nextgov: Holding Government Contractors Responsible for Cybersecurity Is Trickier Than It Sounds

Inside Privacy: Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base

Armed-Services.senate: Cybersecurity Responsibilities of the Defense Industrial Base


--Hosting Provider Takes Down Exposed Spyware Database

(March 26, 2019)

Several weeks after being alerted to the fact, a cellphone spyware company's hosting provider has taken down a publicly accessible database that contains tens of thousands of images and audio recordings. Motherboard initially attempted to communicate with the owner of the company, Mobiispy, but received no response. Motherboard then contacted the site's registrar and hosting company; the hosting company, Codero, eventually took down the content.

Read more in:

Motherboard: Hosting Provider Finally Takes Down Spyware Leak of Thousands of Photos and Phone Calls


--Melissa Virus is 20 Years Old

(March 25, 2019)

Twenty years ago this month, the Melissa virus, a Word macro virus delivered as an email attachment, infected the computers of recipients who opened the attached document and then used Microsoft Outlook to mail itself to the first 50 entries in each victim's address book. Email servers became overwhelmed and the estimated cost of cleanup and repair was US $80 million. The malware's author was sentenced to 20 months in prison and fined US $5,000. Several months after the author was sentenced, the FBI established its Cyber Division.

Read more in:

FBI: The Melissa Virus


--UK Report Critical of Huawei Commitment to Security

(March 28, 2019)

A report from the UK's National Cyber Security Centre says that Huawei has repeatedly failed to address security issues in its products and that the company's software engineering practices "significantly increased risk to UK operators." The report says that in 2012, Huawei pledged to adopt company-wide security practices, but that this has not yet happened. The UK report is the annual update from the oversight board of the Huawei Cyber Security Evaluation Centre (HCSEC), a Huawei-funded lab in the UK. The report does not suggest that Huawei poses a security threat because of possible backdoors, but does say the company's failure to follow through on promises to adopt strong security practices presents the possibility of vulnerabilities that could be exploited by anyone. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Pescatore] The UK has been inspecting and testing Huawei's software since late 2010, when the testing center was set up as part of the requirements when British Telecom selected Huawei for a big UK telecoms infrastructure upgrade. I went to a talk by the director of that center back in 2013 or so and he mentioned that the inspections showed that in reality the biggest risk to the UK in using Huawei wasn't the Chinese government inducing Huawei to sneak in sophisticated backdoors. Rather it was the huge number of well known (OWASP Top 10) software vulnerabilities and sloppy coding practices that were in the Huawei code. Focusing supply chain security on eliminating vendors from particular countries while not even requiring software from other suppliers to be tested is pretty much right up there with screened windows on submarines...

[Williams] When assessing the cybersecurity of a vendor, you have to infer what you can't see from what you can see. In this case, we can see that Huawei's products fail to follow even rudimentary standards for cybersecurity. This starts at the very code base, where insecure functions that have been deprecated for more than a decade are still in widespread use (rather than their more secure counterparts). Their existence in Huawei's code base indicates that Huawei doesn't implement a secure development lifecycle (SDLC). Methods for evaluating these sorts of supply chain risks will be discussed at the SANS Supply Chain Security Summit. (CFP open through April 1st:

Read more in:

WSJ: Huawei Equipment Has Major Security Flaws, U.K. Says (paywall)

CNET: The Huawei controversy: Everything you need to know

CNET: Huawei products bring 'significantly increased risk,' British watchdog warns

The Register: Huawei savaged by Brit code review board over pisspoor dev practices

Publishing: Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board


--Former NSA Contractor to Plead Guilty to Data Theft

(March 27 & 28, 2019)

A former National Security Agency contractor, Harold Thomas Martin III, will plead guilty to willful retention of national defense information. Martin was employed as a contractor between 1993 and 2016 through multiple consulting firms and worked at government agencies that include the NSA and the Office of the Director of National Intelligence (ODNI). If the court accepts his plea agreement, Martin will be sentenced to nine years in prison. (Please note that the WSJ story is behind a paywall.)

Read more in:

Dark Reading: Former Government Contractor Pleads Guilty To Federal Charge Of Willful Retention Of National Defense Information

Ars Technica: Former NSA contractor pleads guilty to stealing classified material

WSJ: Former NSA Contractor Expected to Plead Guilty This Week for Theft of Top Secret Documents (paywall)

Cyberscoop: Ex-NSA contractor set to plead guilty for theft of top secret information


--Bill Would Give Senators Help Protecting Personal Digital Devices and Accounts

(March 28, 2019)

US Senators Ron Wyden (D-Oregon) and Tom Cotton (R-Arkansas) have introduced the Senate Cybersecurity Protection Act, a bill that would "permit the Senate Sergeant at Arms (SAA) to provide voluntary cybersecurity assistance to protect the personal accounts and devices of Senators and certain Senate staff." The bill was introduced in response to the SAA's statement that it could not use federal funds to protect devices and accounts that are not issued by the government. Several weeks ago, Wyden and Cotton wrote to the SAA to ask that all senators receive annual reports about cyber incidents involving Senate computers and data, and that Senate leadership be notified within five days of the discovery of a breach.

[Editor Comments]

[Neely] Business, in the public or private sector, should be conducted from corporate accounts on devices that are running an approved, secure configuration, not only to reduce the susceptibility to compromise but also loss of data no longer contained in corporate repositories or in enterprise accounts that can be recovered.

Read more in:

Bleeping Computer: New Bill to Protect U.S. Senate Personal Devices, Accounts from Hackers

Wyden: The Senate Cybersecurity Protection Act of 2019

Wyden: March 13, 2019 Letter to SAA


--MEPs Say No Cookies

(March 28, 2019)

Members of European Parliament (MEPs) want the Council of the European Union and the European Data Protection Board to take action against the use of cookies on websites. The MEPs are concerned about EU members being tracked online. The push to remove cookies from EU websites comes in response to a report that found most EU member country main government websites were rife with commercial trackers.

Read more in:

The Register: Tough cookies: MEPs call for EU websites to be scrubbed of trackers



Creating Your Own Passive DNS Logs

NVidia Privilege Escalation

Firefox Importing Windows Root Certificates

Incomplete Patch for Cisco RV320 Routers

TPLink Debug Port Vulnerability

Apple Updates

ASUS Response to Kaspersky Report

UC Webbrowser MITM Vulnerability

New Set of LTE Vulnerabilities (PDF)

Microsoft Releases Application Guard for Firefox and Chrome


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit