SANS Network Security offers 40+ cyber security courses in Las Vegas or Live Online. Save $300 thru tomorrow.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #54

July 10, 2020

Critical Vulnerabilities in Zoom, Citrix, WordPress and Palo Alto -- Already Being Exploited


****************************************************************************

SANS NewsBites                July 10, 2020                Vol. 22, Num. 054

****************************************************************************

TOP OF THE NEWS


  Zoom Zero-day Affects Clients Running on Older Versions of Windows

  Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability

  Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations

  Critical Flaw in WordPress Plugin



REST OF THE NEWS


  Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams

  Criminals are Taking Control of Abandoned Subdomains

  ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data

  DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit

  Turchin Indictment Unsealed

  German Authorities Seize BlueLeaks Server

  Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users

  CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System


INTERNET STORM CENTER TECH CORNER


******************  Sponsored By Cyolo Security Ltd  ************************


Webcast | Join Almog Apirion, CEO and Co-founder of Cyolo and SANS Instructor, Chris Dale as they discuss "Everything you need to know before trusting a zero-trust provider" | Tuesday, July 14, 2020 at 2:00 PM EDT

| http://www.sans.org/info/216960


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


Best Special Offers of the Year with OnDemand Cybersecurity Training


Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.


- https://www.sans.org/ondemand/specials




SANS now offers THREE ways to complete a course:




OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/


- https://www.sans.org/live-online


- https://www.sans.org/cyber-security-training-events/in-person/north-america




Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses


.        Taught by real world practitioners


.        Ideal preparation for more than 30 GIAC Certifications




Top OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking


- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________




Upcoming In-Person and Live Online Events:


   

DFIR Summit & Training (Free Summit) | July 16-25 | Live Online


- https://www.sans.org/event/digital-forensics-summit-2020




SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online


- https://www.sans.org/event/rocky-mountain-summer-2020




SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online


- https://www.sans.org/event/reboot-nova-2020




SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online


- https://www.sans.org/event/network-security-2020


______________________




Test drive a course: https://www.sans.org/course-preview




View the full SANS course catalog and skills roadmap.


- https://www.sans.org/cyber-security-courses


- https://www.sans.org/cyber-security-skills-roadmap



*****************************************************************************

TOP OF THE NEWS  

 

--Zoom Zero-day Affects Clients Running on Older Versions of Windows

(July 9, 2020)

Zoom is working on a fix for a zero-day vulnerability that was disclosed on Thursday, July 9. The arbitrary code execution flaw affects the Zoom client running on Windows 7, Windows Server 2008 R2, and older versions of the operating system. Zoom clients running on Windows 8 and Windows 10 are not affected.


[Editor Comments]


[Ullrich] This bug only appears to be useable on Windows 7. If you still use Windows 7: Don't use it for tasks like Zoom, web browsing or anything. Only use it for the specific task that requires Windows 7 to run on the particular system.


[Neely] A more complete fix is to upgrade to supported Windows versions. Windows 7 and Server 2008 support ended January 14th this year. If you must run older operating systems, don't use them for internet-based activities such as email, browsing, or video conferencing, and restrict access to make exploitation more difficult.


Read more in:

Threatpost: Zoom Zero-Day Allows RCE, Patch on the Way

https://threatpost.com/unpatched-zoom-bug-rce/157317/

ZDNet: Zoom working on patching zero-day disclosed in Windows client

https://www.zdnet.com/article/zoom-working-on-patching-zero-day-disclosed-in-its-windows-client/

Cyberscoop: Zero-day flaw found in Zoom for Windows 7

https://www.cyberscoop.com/zoom-zero-day-windows-7-acros/

 
 

--Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability

(July 8 & 9, 2020)

Palo Alto Networks has released updates to fix a critical command injection vulnerability in its PAN-OS GlobalProtect portal. The flaw affects PAN-OS 9.1 versions prior to 9.1.3; PAN-OS 8.1 versions prior to 8.1.15; PAN-OS 9.0 versions prior to 9.0.9; and all versions of PAN-OS 8.0 and PAN-OS 7.1. Fixes will not be released for PAN-OS 8.0 and 7.1 as those versions are no longer supported.


[Editor Comments]


[Neely] This patch addresses CVE-2020-2034, which allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges on unpatched devices. If you're on the older unsupported PAN-OS versions, it's time to move forward, which may necessitate new hardware.


[Ullrich] Another reason to make sure the administrative interfaces for these devices are not visible to the outside.


Read more in:

Bleeping Computer: Palo Alto Networks fixes another severe flaw in PAN-OS devices

https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-another-severe-flaw-in-pan-os-devices/

The Register: If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks

https://www.theregister.com/2020/07/09/palo_alto_fix/

Palo Alto Networks: CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal

https://security.paloaltonetworks.com/CVE-2020-2034

 
 

--Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations

(July 7, 8, & 9, 2020)

Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting, authorization bypass, denial of service. Rob Joyce, the former head of the NSA's Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.


[Editor Comments]


[Ullrich] The XSS vulnerability is particularly interesting here. The impact of XSS vulnerabilities is often underestimated. In this case, the XSS vulnerability can be used to execute code on the device. Exploitation has been demonstrated in a YouTube video, but code for the full exploit has not been made public yet. The victim, an administrator currently logged into the system, will have to visit a malicious website to trigger the exploit chain. The result is full access to the device for the attacker.


[Neely] The debate over urgency occurs because the attacks require access to vulnerable devices to exploit. Targeting the management interface using XSS can lead to compromise. Virtual IPs could also be used to initiate a DOS attack or internal network scan. In addition to applying the patches, restrict access to the management interface.


[Honan] Given the large number of people now working remotely during the Coronavirus pandemic, attacks against remote access points, such as Citrix gateways, are on the rise. These vulnerabilities are already being actively exploited and should be patched as quickly as possible.


Read more in:

ISC: Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688

https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/

The Register: FYI: Someone's scanning for gateways with those security holes Citrix told you not to worry too much about

https://www.theregister.com/2020/07/09/citrix_bugs_exploit/

DUO: Citrix Patches 11 Vulnerabilities in Several Products

https://duo.com/decipher/citrix-patches-11-vulnerabilities-in-several-products

Threatpost: Citrix Bugs Allow Unauthenticated Code Injection, Data Theft

https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/

The Register: Citrix tells everyone not to worry too much about its latest security patches. NSA's former top hacker disagrees

https://www.theregister.com/2020/07/08/citrix_eleven_patches/

Bleeping Computer: Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances

https://www.bleepingcomputer.com/news/security/citrix-fixes-11-flaws-in-adc-gateway-and-sd-wan-wanop-appliances/

Twitter: Rob Joyce

https://twitter.com/RGB_Lights/status/1280616246015340546

Citrix: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

https://support.citrix.com/article/CTX276688


 

--Critical Flaw in WordPress Plugin

(July 8, 2020)

A critical remote code execution flaw in the Adning Advertising plugin for WordPress could be exploited to completely take control of vulnerable sites. The flaw has been exploited in the wild. Users are urged to update to Adning version 1.5.6, which also fixes a high-severity unauthenticated arbitrary file deletion via path traversal vulnerability.


Read more in:

Threatpost: Advertising Plugin for WordPress Threatens Full Site Takeovers

https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/

Wordfence: Critical Vulnerabilities Patched in Adning Advertising Plugin

https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/


****************************  SPONSORED LINKS  ******************************


1) Webcast | You don't want to miss SANS Senior Instructor, Chris Crowley as he presents "Preventing Runtime Exploits: The SANS Implementation Guide for RunSafe Security's Alkemist" | Wednesday, July 15, 2020 at 2:00 PM EDT

| http://www.sans.org/info/216965


2) Webcast | Join SANS Senior Instructor, Dave Shackleford and Guillaume Ross for this informative webcast as they discuss "Securing the Remote Workforce without VPNs: Uptycs and JA3" | Thursday, July 16, 2020 at 1:00 PM EDT

| http://www.sans.org/info/216970


3) Webcast | Join SANS Senior Instructor, Dave Shackleford joined by Portshift's Co-Founder, Zohar Kaufman for our upcoming webcast as they present "Containers Vulnerability Management: Time to Step Things Up!" | Tuesday, July 14, 2020 at 12:00 PM EDT

| http://www.sans.org/info/216975


*****************************************************************************

THE REST OF THE WEEK'S NEWS 

 

--Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams

(July 7, 2020)

A group of Russian hackers dubbed Cosmic Lynx has been launching sophisticated business email compromise schemes since last July. According to researchers at Agari, the group has launched more than 200 attacks against organizations in 46 countries. Cosmic Lynx targets organizations that have not implemented DMARC; the group has focused on scams involving mergers and acquisitions.


[Editor Comments]


[Honan] While DMARC is not a panacea against phishing attacks, it helps reduce the risk. The Global Cyber Alliance has a simple step-by-step guide that is available for free on how to ensure your mail service has DMARC configured correctly: https://dmarc.globalcyberalliance.org/


Read more in:

Wired: Looks Like Russian Hackers Are on an Email Scam Spree

https://www.wired.com/story/russian-hackers-email-scams/

SC Magazine: BEC scams grow in complexity as Russian actors launch Cosmic Lynx operation

https://www.scmagazine.com/home/security-news/cybercrime/bec-scams-grow-in-complexity-as-russian-actors-launch-cosmic-lynx-operation/

Threatpost: First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered

https://threatpost.com/russian-bec-gang-cosmic-lynx-uncovered/157166/

Bleeping Computer: First reported Russian BEC scam gang targets Fortune 500 firms

https://www.bleepingcomputer.com/news/security/first-reported-russian-bec-scam-gang-targets-fortune-500-firms/

 
 

--Criminals are Taking Control of Abandoned Subdomains

(June 23 & July 7, 2020)

Criminals have been taking control of abandoned subdomains associated with well-known organizations and using them for nefarious purposes, including malware, pornographic content, or spreading malware. In late June, Microsoft published an article describing how to prevent subdomain takeovers.


[Editor Comments]


[Pescatore] The use of cloud services caused "dangling DNS" records to be a bigger issue. Warnings were coming out at least as far back as 2015 when use of IaaS started to ramp up. Infoblox, Nominet and other DNS security-focused vendors have put out detailed "DNS basic security hygiene" advice.


Read more in:

The Register: Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

Microsoft: Prevent dangling DNS entries and avoid subdomain takeover

https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

 
 

--ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data

(July 7 & 8, 2020)

Researchers now think the ThiefQuest malware that targets macOS is largely focused on exfiltrating data from infected networks. Initial assessment of ThiefQuest categorized the malware as ransomware. While it does have an encryption component, researchers think it may be included as a distraction rather than the main purpose of the malware.


Read more in:

Malwarebytes: Mac ThiefQuest malware may not be ransomware after all

https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/

SC Magazine: Hidden purpose of Mac 'ransomware' EvilQuest is data exfiltration, say researchers

https://www.scmagazine.com/home/security-news/hidden-purpose-of-mac-ransomware-evilquest-is-data-exfiltration-say-researchers/

 
 

--DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit

(July 10, 2020)

DigiCert plans to revoke 50,000 Extended Validation (EV) certificates on Saturday, July 11 after learning that they were not properly audited. While the situation does not pose a security threat, EV guidelines require that the certificates be revoked. 


[Editor Comments]


[Ullrich] Yet more proof that the problem with TLS is not so much technical flaws but flaws in the CA ecosystem. The CA/Browser forum has done good work in tightening up some of the requirements around certificate authorities, and browser makers are abandoning the idea of "Extended Validation" (EV) certificates, as they caused more issues than they solved.


[Neely] If you're managing your intermediate certificate store, you'll want to make sure you have updated intermediate certificate authority (ICA) certificates for DigiCert EV RSA CA G2, GeoTrust EV RSA CA G2 and Thawte EV RSA CA G2.


Read more in:

The Register: Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

https://www.theregister.com/2020/07/10/digicert_pulls_certs/

Knowledge.digicert: DigiCert ICA Replacement

https://knowledge.digicert.com/alerts/DigiCert-ICA-Replacement

 
 

--Turchin Indictment Unsealed

(July 8, 2020)

The US Department of Justice recently unsealed an indictment charging Andrey Turchin

with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. Turchin allegedly hacked into networks at hundreds of organizations, established backdoors, and then sold access to those systems. Turchin is a citizen of Kazakhstan and is believed to be residing there currently.


Read more in:

Justice: Citizen of Kazakhstan, known as "fxmsp," charged with computer fraud, wire fraud, and conspiracy for hacking hundreds of corporate networks in more than 40 countries worldwide

https://www.justice.gov/usao-wdwa/pr/citizen-kazakhstan-known-fxmsp-charged-computer-fraud-wire-fraud-and-conspiracy-hacking

Dark Reading: US Charges Kazakhstani Citizen With Hacking Into More Than 300 Orgs

https://www.darkreading.com/attacks-breaches/us-charges-kazakhstani-citizen-with-hacking-into-more-than-300-orgs/d/d-id/1338305

ZDNet: Fxmsp hacker indicted by feds for selling backdoor access to hundreds of companies

https://www.zdnet.com/article/fxmsp-hacker-indicted-by-feds-for-selling-network-access-impacting-hundreds-of-companies/

Threatpost: Notorious Hacker 'Fxmsp' Outed After Widespread Access-Dealing

https://threatpost.com/notorious-hacker-fxmsp-outed/157275/

Justice: Andrey Turchin Indictment (PDF)

https://www.justice.gov/usao-wdwa/press-release/file/1292541/download

 
 

--German Authorities Seize BlueLeaks Server

(July 7, 8, & 9, 2020)

Authorities in Germany have seized a server hosting BlueLeaks data, 269 GB of US police documents. The department of public prosecution in Zwickau said the server was seized on July 3 at the request of the US government.


Read more in:

PC Mag: Germany Seizes Server Hosting 'BlueLeaks' Data Dump on US Police Practices

https://www.pcmag.com/news/germany-seizes-server-hosting-blueleaks-data-dump-on-us-police-practices

Vice: Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says

https://www.vice.com/en_us/article/qj43xq/cops-seize-blueleaks-ddosecrets-server

Threatpost: BlueLeaks Server Seized By German Police: Report

https://threatpost.com/blueleaks-server-seized-by-german-police-report/157288/

ZDNet: German authorities seize 'BlueLeaks' server that hosted data on US cops

https://www.zdnet.com/article/german-authorities-seize-blueleaks-server-that-hosted-data-on-us-cops/

Cyberscoop: German police seize DDoSecrets server distributing 'BlueLeaks' files

https://www.cyberscoop.com/blueleaks-german-police-seize-server/

The Hill: Germany seizes server hosting leaked US police files

https://thehill.com/policy/technology/506557-germany-seizes-server-hosting-leaked-us-police-files

 
 

--Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users

(July 7 & 8, 2020)

Recently unsealed documents detail Microsoft's efforts to thwart phishing attacks that preyed on people's concerns about COVID-19. The attacks targeted Office 365 users in 62 countries around the world and were crafted to appear to be from employers or other trusted entities. Microsoft's Digital Crime Unit became aware of the fraudulent activity in December 2019. On July 1, Microsoft obtained a court order allowing it to seize the malicious domains.


[Editor Comments]


[Neely] The federal court's motion was sealed so as not to tip their hand, which allows Microsoft to fight cyber-attacks without enlisting federal prosecutors. Unlike traditional phishing email schemes, when the user clicked the link, they were prompted to grant access to their Office 365 account, which then allowed access to email, contacts, OneDrive, SharePoint and notes without explicitly collecting login credentials. Enabling 2FA is a key mitigation to this sort of attack.


Read more in:

Microsoft: Microsoft takes legal action against COVID-19-related cybercrime

https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/

Dark Reading: Microsoft Seizes Domains Used in COVID-19-Themed Attacks

https://www.darkreading.com/operations/microsoft-seizes-domains-used-in-covid-19-themed-attacks/d/d-id/1338293

Ars Technica: Microsoft neuters Office 365 account attacks that used clever ruse

https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/

ZDNet: Microsoft seizes six domains used in COVID-19 phishing operations

https://www.zdnet.com/article/microsoft-seizes-six-domains-used-in-covid-19-phishing-operations/

The Register: Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5

https://www.theregister.com/2020/07/08/microsoft_sues_office_365_phishers/

Threatpost: Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks

https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/

 
 

--CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System

(July 8, 2020)

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published two advisories regarding security issues in ultrasound systems from Philips and in the OpenClinic GA open source hospital information management system. Philips has released updates to address the authentication bypass issue in some of the affected products and expects to have fixes for the rest of the affected products by the end of the calendar year. 


Read more in:

GovInfosecurity: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems

https://www.govinfosecurity.com/alerts-flaws-in-ultrasound-open-source-hospital-systems-a-14585

US-CERT/CISA: ICS Medical Advisory (ICSMA-20-177-01) Philips Ultrasound Systems

https://us-cert.cisa.gov/ics/advisories/icsma-20-177-01

Philips: Security Advisories: Philips Ultrasound (24-June-2020)

https://www.usa.philips.com/healthcare/about/customer-support/product-security

US-CERT/CISA: ICS Medical Advisory (ICSMA-20-184-01) OpenClinic GA

https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


F5 Big IP Wrap-up

https://twitter.com/NCCGroupInfosec/status/1280593966879125504

https://www.sans.org/webcasts/116065

 

Citrix ADC / Citrix Gateway Patches

https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/

 

Citrix Scanning

https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/

https://www.youtube.com/watch?time_continue=6&v=1_D4_9BKHSc&feature=emb_logo

 

Citrix Vulnerability Details (CVE-2020-8194)

https://dmaasland.github.io/posts/citrix.html

 

SANS.edu Student Billy Wilson: Security Supercomputers with BPF Probes

https://www.sans.org/reading-room/whitepapers/detection/securing-soft-underbelly-supercomputer-bpf-probes-39635

 

Obfuscated Malware

https://isc.sans.edu/forums/diary/If+You+Want+Something+Done+Right+You+Have+To+Do+It+Yourself+Malware+Too/26320/

 

PaloAlto Networks PAN-OS CVE-2020-2034

https://security.paloaltonetworks.com/CVE-2020-2034

 

Microsoft Releases Free Memory Analysis Service

https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/

 

Mozilla Suspending Send Service

https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/

 

Juniper Patches

https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

 

Google Releases Tsunami Security Scanner

https://github.com/google/tsunami-security-scanner


 

*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create