SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #87
November 2, 2018****************************************************************************
SANS NewsBites November 2, 2018 Vol. 20, Num. 87
****************************************************************************
TOP OF THE NEWS
Apple Releases Updates for Multiple Products
Google Introduces Four New Security Enhancements
Cisco Adaptive Security Appliance Zero-Day
REST OF THE WEEKS NEWS
Texas Voting Machine Software Flaw Flips Votes
Bleedingbit Vulnerabilities Affect Bluetooth Low-Energy Chips from Texas Instruments
Wyden Introduces Draft Consumer Data Protection Act
DOJ Unseals Indictment Accusing 10 Chinese Nationals of Intellectual Property Theft
US-CERT Issues Advisory on Device Disposal
FDIC OIG Releases Information Security Program Performance Audit Report
Dept. of Health and Human Services Inspector General Wants FDA to Increase Integration of Cybersecurity into Premarket Review Process for Medical Devices
US Secretary of Defense Establishes Protecting Critical Technology Task Force; DHS Launches Supply Chain Risk Management Task Force
China Telecom and BGP Hijacking
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Best Offers of the Year: Get the ALL NEW 12.9" iPad Pro, or an HP ProBook 450 G5, or Take $400 Off with OnDemand and vLive Training. Offer Ends November 14.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk ************************************
White Paper: Measuring the ROI of Security Operations Platforms. Security Operations Platforms produce a number of economic benefits in addition to helping your SOC team work more efficiently. This white paper aims to quantify those benefits by outlining a methodology to estimate your Return on Investment (ROI) from investing in SecOps Platforms. http://www.sans.org/info/207905
*************************************************************************************
TOP OF THE NEWS
--
Apple Releases Updates for Multiple Products
(October 30 & November 1, 2018)
Apple has released security updates for multiple products, including Safari, iCloud for Windows, iTunes, iOS, and macOS Mojave. The newest version of Apple's mobile operating system, iOS 12.1 includes fixes for more than 30 vulnerabilities, including nine remote code execution flaws in the WebKit browser engine and several flaws in FaceTime. The macOS update addresses a number of flaws, including one that could be exploited to crash other devices on the same WiFi network.
[Editor Comments]
[Ullrich] Earlier this year, Apple released another security update patching a critical ICMP error. Details about this vulnerability were released just now by the discoverer, Kevin Backhouse. It is nice and unusual for a researcher to give us so much time to patch, in particular given the severity of the problem. The vulnerability, CVE-2018-4407, allows for arbitrary remote code execution in the iOS and MacOS kernel. The vulnerability is triggered by malformed packets that trigger an ICMP error (so the trigger isnt necessarily an ICMP packet). In assembling the ICMP error, the kernel needs to copy part of the packet triggering the error, which in turn leads to a buffer overflow. Just as a reminder: While Apples advisories are often vague as to the impact and severity/exploitability of an issue, they still need to be taken seriously.
[Neely] Apple's crash bug similar to the ping of death of old. A malicious packet from the same network will crash your iOS or OS X devices due to a bug in the icmp_error function. Mac systems running 10.12.6, 10.13.6 and 10.14 need to apply the 2018-001 security updates. iOS devices need to update to 12.1. iOS 12.1 fixed a number of vulnerabilities and leaves a lock screen bypass in the new multi-session Facetime function. Compromise requires two additional iPhones and provides access to the contacts, making it a fairly low risk compromise. This is slated to be fixed in 12.1.1. Concerned users can mitigate the risk by turning off Facetime until 12.1.1. is installed.
Read more in:
Threatpost: Apple Fixes Multiple macOS, iOS Bugs Including a Quirky FaceTime Vulnerability
https://threatpost.com/apple-fixes-multiple-macos-ios-bugs-including-a-quirky-facetime-bug/138699/
The Register: Apple emits its much-anticipated updates to Mac, AppleTV, and iOS
https://www.theregister.co.uk/2018/10/30/apple_security_updates/
Bleeping Computer: Apple Fixes Creepy FaceTime Vulnerability, Crash Bug in macOS, and More
https://www.bleepingcomputer.com/news/security/apple-fixes-creepy-facetime-vulnerability-crash-bug-in-macos-and-more/
Apple: Apple security updates
https://support.apple.com/en-us/HT201222
US-CERT: Apple Releases Multiple Security Updates
https://www.us-cert.gov/ncas/current-activity/2018/10/30/Apple-Releases-Multiple-Security-Updates
--
Google Introduces Four New Security Enhancements
(October 31, 2018)
When users sign in to Google, Google will run a risk assessment on username and password combinations and allow access only if nothing looks suspicious. The feature requires that users have JavaScript enabled in their browsers; if JavaScript is not enabled, they will not be able to sign in. Other new features include an addition to Google Security Checkup that will identify harmful apps and recommend users remove them from their mobile devices. Users will also receive more notifications when account data are shared with apps and websites. And finally, in the event that a users account is hacked, there is now a process that will help verify critical security settings, secure your other accounts, check financial activity, and review content and files for unauthorized access or misuse.
[Editor Comments]
[Pescatore] It appears that most of these features apply to when you login to your Google account or when you *stay* logged in. Staying logged in to any Google account means you are logged in to every Google service and all the cross service tracking and monitoring is enabled across all of them. Everyone should think through the risk/benefit analysis of staying logged in vs. only logging in when necessary.
[Murray] JavaScript enabled as a security measure? What am I missing? Disabled by default on my iPad. Do not miss it. Gonna stay that way.
Read more in:
GoogleBlog: Announcing some security treats to protect you from attackers tricks
https://security.googleblog.com/2018/10/announcing-some-security-treats-to.html
Cyberscoop: Here's why Google is forcing JavaScript use on its sign-on pages
https://www.cyberscoop.com/google-javascript-security-sign-on/
ZDNet: Google won't let you sign in if you disabled JavaScript in your browser
https://www.zdnet.com/article/google-wont-let-you-sign-in-if-you-disabled-javascript-in-your-browser/
--
Cisco Adaptive Security Appliance Zero-Day
(October 31 & November 1, 2018)
Cisco has issued an advisory warning of a flaw in its Adaptive Security Appliance (ASA). The issue, which affects the ASAs Session Initiation Protocol (SIP) inspection engine, could be exploited to cause denial-of-service conditions. Updates are not yet available. Cisco has recommended several mitigation options: disabling SIP inspection; blocking the offending host(s); filtering on sent-by address of 0.0.0.0; and rate-limiting SIP traffic.
[Editor Comments]
[Ullrich] This vulnerability is apparently already used in the wild. It is only a DoS vulnerability, but it will result in any network protected by these devices losing connectivity. Patch quickly!
Read more in:
ZDNet: Cisco zero-day exploited in the wild to crash and reload devices
https://www.zdnet.com/article/cisco-zero-day-exploited-in-the-wild-to-crash-and-reload-devices/
Cyberscoop: Cisco says a flaw in its Adaptive Security Appliance allows remote attacks
https://www.cyberscoop.com/cisco-issues-warning-on-flaw-being-exploited-in-its-adaptive-security-appliance/
Cisco: Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
************************** SPONSORED LINKS ********************************
1) Join SANS Serge Borso and OPSWAT to learn about the top 6 security challenges in a perimeter-less network.
Register here: http://www.sans.org/info/207910
2) Attend SANS Tactical Detection & Data Analytics Summit in Scottsdale, AZ: Dec 4-5. http://www.sans.org/info/207915
3) Calling all security architects, SOC and IR managers: How automated and integrated are your security and IR processes? Take the SANS Survey | http://www.sans.org/info/207920
*****************************************************************************
REST OF THE WEEKS NEWS
--
Texas Voting Machine Software Flaw Flips Votes
(October 31, 2018)
A software bug in some voting machines being used in the Texas midterm elections flips votes when voters choose the straight party ticket option and then continue pressing buttons before the page has fully loaded on the screen. The Texas Director of Elections has issued an advisory explaining the issue and notes that voters should always carefully check their review screen before casting their ballots.
Read more in:
CNET: Software bugs could compromise midterm votes in Texas
https://www.cnet.com/news/software-bugs-could-compromise-midterm-votes-in-texas/
sos.state.tx: Election Advisory No. 2018-35
https://www.sos.state.tx.us/elections/laws/advisory2018-35.shtml
--
Bleedingbit Vulnerabilities Affect Bluetooth Low-Energy Chips from Texas Instruments
(November 1, 2018)
Researchers at Armis found a pair of vulnerabilities they have dubbed BleedingBit. The vulnerabilities affect Bluetooth Low-Energy (BLE) chips manufactured by Texas Instruments (TI). The chips are often used in enterprise WiFi access points as well as in some medical devices and smart locks. The flaws are exploitable from 100-300 feet and could be used to take control of devices without authentication. Armis notified TI of the issue in June and the company has made a patch available.
[Editor Comments]
[Ullrich] The big surprise to me was that these WiFi access points include BLE chipsets. As far as I can tell, there are two reasons for this. First, these access points are often built around commodity components that are shared in enterprise as well as consumer gear. As a result, they include BLE even if it is not required in the enterprise environment. Secondly, even enterprise environments often take advantage of BLE in order to locate and track locations of users, in particular in retail environments where BLE is often used to collect location data from customers browsing stores. Between these two vulnerabilities, I would consider the over-the-air firmware update issue more severe as it appears to be easier to exploit. This is a feature you should just be able to turn off.
[Murray] It is unlikely that many devices using the chip will be patched before they are obsolete or otherwise discarded. However, while this may be a wide spread vulnerability, it will be hard to exploit it for cryptomining or political surveillance.
[Honan] Until now the focus has been primarily on the security of the devices themselves. These vulnerabilities remind us that we need to pay attention to the security of the infrastructure and network protocols those IoT devices use.
[Neely] There are two flaws here. RCE (CVE-2018-16986) and OAD RCE (CVE-2018-7080). The RCE vulnerability allows for a buffer overflow to be used to access pointers malicious code needs to take control of the access point. The OAD vulnerability allows for unauthorized firmware updates as the security features to prevent this are disabled by default. TI has released updates to address CVE-2018-16986. Securing against CVE-2018-7080 requires verification of affected devices to ensure OAD functions are not enabled without implementing added security to verify the firmware updates are legitimate.
Read more in:
Armis: BleedingBit Exposes Enterprise Access Points and Unmanaged Devices to Undetectable Chip Level Attack
http://armis.com/bleedingbit/
Threatpost: Two Zero-Day Bugs Open Millions of Wireless Access Points to Attack
https://threatpost.com/two-zero-day-bugs-open-millions-of-wireless-access-points-to-attack/138713/
Bleeping Computer: New BLEEDINGBIT Vulnerabilities Affect Widely-Used Bluetooth Chips
https://www.bleepingcomputer.com/news/security/new-bleedingbit-vulnerabilities-affect-widely-used-bluetooth-chips/
CNET: Security researchers find flaws in chips used in hospitals, factories and stores
https://www.cnet.com/news/security-researchers-find-flaws-in-chips-used-in-hospitals-factories-and-stores/
--
Wyden Introduces Draft Consumer Data Protection Act
(November 1, 2018)
US Senator Ron Wyden (D-Oregon) has introduced draft legislation aimed at holding large companies accountable for data breaches. The Consumer Data Protection Act would affect companies with US$50 million or more in annual revenue and that hold personal information of one million or more people. Companies would be required to submit an annual data protection report, signed by CEOs; lying on the report could result in a possible 20-year prison sentence. The bill also recommends that the federal Trade Commission (FTC) have the authority to take action on privacy violations. It would grant the FTC the authority to levy fines up to four percent of a companys annual revenue, the same maximum amount as dictated by the European Unions General Data Protection Regulation (GDPR). The bill would amend the Federal Trade Commission Act.
[Editor Comments]
[Pescatore] While I think the US does need to move to a consumer Opt-In based privacy regime, and will eventually, this proposed bill tacks on more annual reports, a new bureau within FTC, a requirement that businesses analyze and report on every automated decision system in use, etc. It is kind of like fighting shoplifting by requiring every candy bar to have a candy-bar sized anti-theft device attached
Read more in:
CNET: Senator's privacy law draft could put CEOs in jail for data breaches
https://www.cnet.com/news/senator-introduces-privacy-law-draft-that-could-put-ceos-in-jail-for-data-breaches/
--
DOJ Unseals Indictment Accusing 10 Chinese Nationals of Intellectual Property Theft
(October 30, 31, & November 1, 2018)
The US Department of Justice has unsealed a 21-count indictment from June 2017 that alleges that two Chinese government intelligence officers and eight other people conspired to steal aerospace technology and other sensitive information from US and European companies over a period of several years. According to the indictment, the campaign ran from January 2010 through May 2015 at a minimum. The indictment alleges that the accused used spear phishing attacks, watering hole attacks, and domain hijacking attacks to conduct their operation.
Read more in:
Ars Technica: Feds: Chinese spies orchestrated massive hack that stole aviation secrets
https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/
Cyberscoop: DOJ unseals charges against 10 Chinese nationals for hacking aerospace companies
https://www.cyberscoop.com/doj-unseals-charges-against-10-chinese-nationals-for-hacking-aerospace-companies/
Dark Reading: Chinese Intel Agents Indicted for 5-Year IP Theft Campaign
https://www.darkreading.com/attacks-breaches/chinese-intel-agents-indicted-for-5-year-ip-theft-campaign-/d/d-id/1333166
Justice: Indictment from June 2017 (PDF)
https://www.justice.gov/opa/press-release/file/1106491/download
--
US-CERT Issues Advisory on Device Disposal
(October 31, 2018)
The US Department of Homeland Securitys (DHSs) US-CERT has issued a security tip that lists effective methods for removing data from electronic devices that are being disposed of; the methods include permanent data deletion, overwriting data, and destroying drives and other devices. The document also suggests responsible methods for disposing of electronic waste.
[Editor Comments]
[Pescatore] Nothing really new here, but good to forward on to the procurement and IT organizations to make sure this in their processes prior to surplussing *any* device, not just PCs/laptops/servers/etc.
[Murray] The hammer remains my preferred disposal tool. While my colleagues continue to remind me that it is not perfect, it raises the cost of attack way above that of the alternative means of getting old data.
[Neely] This tip is a convenient consolidation of best practices. Beyond backing up data and then clearing the media, pay attention to destruction guidance as improper mechanisms can release hazardous elements, cause fires or entanglements with the EPA.
Read more in:
US-CERT: Security Tip (ST18-005) Proper Disposal of Electronic Devices
https://www.us-cert.gov/ncas/tips/ST18-005
ZDNet: US-CERT issues guide on how to properly dispose of your electronic devices
https://www.zdnet.com/article/us-cert-issues-guide-on-how-to-properly-dispose-of-your-electronic-devices/
--
FDIC OIG Releases Information Security Program Performance Audit Report
(October 31, 2018)
The most recent performance audit report on the Federal Deposit Insurance Corporations (FDICs) cybersecurity program from the FDIC Office of Inspector General (OIG) found that while FDIC has established a number of information security program controls and practices that complied or were consistent with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines, the audit, which was conducted by a third party, found security control weaknesses that limited the effectiveness of the FDICs information security program and practices and placed the confidentiality, integrity, and availability of the FDICs information systems and data at risk.
[Editor Comments]
[Murray and Paller] This report could be written about most agencies and enterprises, where a little convenience continues to trump efficient security.
Read more in:
Nextgov: FDIC Still Isnt Protecting Its Sensitive Information, Audit Finds
https://www.nextgov.com/cybersecurity/2018/10/fdic-still-isnt-protecting-its-sensitive-information-audit-finds/152465/
FDIC OIG: The FDICs Information Security Program2018: Executive Summary
https://www.fdicoig.gov/sites/default/files/publications/19-001.pdf
--
Dept. of Health and Human Services Inspector General Wants FDA to Increase Integration of Cybersecurity into Premarket Review Process for Medical Devices
(October 30, 2018)
In an interview conducted by Federal Drive host Tom Temin, deputy regional inspector general (IG) for the US Department of Health and Human Services (HHS) Abby Amoroso discusses a report from HHS Office of Inspector General (OIG) that concludes the Food and Drug Administration needs to pay more attention to cybersecurity in its premarket review of medical devices. While the FDA reviewers look for cybersecurity documentation in the submissions, the agency cannot currently reject medical devices for cybersecurity reasons. Amoroso says that they should have that authority. HHS OIG recommends that the FDA add cybersecurity documentation as an element in its Refuse-to-Accept checklists; that it include cybersecurity in its Smart template; and that the agency use presubmission meetings with manufacturers to address cybersecurity questions. The FDA concurs with all three recommendations.
Read more in:
FNR: HHS IG supports adding cybersecurity to FDA criteria for medical devices (audio interview)
https://federalnewsnetwork.com/federal-drive/2018/10/hhs-ig-supports-adding-cybersecurity-to-fda-criteria-for-medical-devices/
OIG.HHS: FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices
https://oig.hhs.gov/oei/reports/oei-09-16-00220.pdf
--
US Secretary of Defense Establishes Protecting Critical Technology Task Force; DHS Launches Supply Chain Risk Management Task Force
(October 30, 31, & November 1, 2018)
Secretary of Defense James Mattis has established the Protecting Critical Technology Task Force (PCTTF). Two initial sprints30 days and 90 daysto address basic issues. The task force will report to the deputy secretary of Defense and the vice chairman of the Joint Chiefs of Staff. In a separate story, the Department of Homeland Security has launched the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.
Read more in:
Bloomberg: Mattis Moves to Protect Defense Supply Chain From Rivals' Theft
https://www.bloomberg.com/news/articles/2018-11-01/mattis-moves-to-protect-defense-supply-chain-from-rivals-theft
FedScoop: Mattis establishes DOD task force to protect critical tech, information
https://www.fedscoop.com/classified-information-protection-pentagon-task-force/
Inside Cybersecurity: DoD Memo: Establishment of the Protecting Critical Technology Task Force (PDF)
https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2018/nov/cs2018_0459.pdf
FCW: DHS rolls out supply chain task force
https://fcw.com/articles/2018/10/30/dhs-supply-chain-task-force.aspx
Meritalk: DHS Launches ICT Sector Supply Chain Risk Task Force
https://www.meritalk.com/articles/dhs-launches-ict-sector-supply-chain-risk-task-force/
--
China Telecom and BGP Hijacking
(October 26, 2018)
Researchers from the US Naval War College and Tel Aviv University have published a joint paper describing how China Telecom, a major telecommunications and Internet service provider (ISP) in that country, has been gathering information through Border Gateway Protocol (BGP) hijacking.
Read more in:
ZDNet: China has been 'hijacking the vital internet backbone of western countries'
https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/
Scholar Commons: Chinas MaximLeave No Access Point Unexploited: The Hidden Story of China Telecoms BGP Hijacking
https://scholarcommons.usf.edu/mca/vol3/iss1/7/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Change in Strategy for Hancitor Malware
https://isc.sans.edu/forums/diary/Campaign+evolution+Hancitor+malspam+starts+pushing+Ursnif+this+week/24256/
Apple Updates
https://support.apple.com/en-us/HT201222
Telegram Stores Conversations Locally
https://twitter.com/nathanielrsuchy
Encrypted Word Maldocs
https://isc.sans.edu/forums/diary/More+malspam+using+passwordprotected+Word+docs/24262/
iOS / MacOS ICMP Error Remote Code Execution
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407
iOS Lock Screen Bypass
https://www.youtube.com/watch?v=ojigFgwrtKs
Windows Defender Sandboxing Bug
https://isc.sans.edu/forums/diary/Windows+Defenders+Sandbox/24266/
Bleedingbit Bluetooth Low Energy Vulnerability
https://armis.com/bleedingbit/
Cisco ASA/Firepower DoS Vulnerability Actively Exploited
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
