SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #54
July 10, 2020
Critical Vulnerabilities in Zoom, Citrix, WordPress and Palo Alto -- Already Being Exploited
****************************************************************************
SANS NewsBites July 10, 2020 Vol. 22, Num. 054
****************************************************************************
TOP OF THE NEWS
Zoom Zero-day Affects Clients Running on Older Versions of Windows
Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability
Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations
Critical Flaw in WordPress Plugin
REST OF THE NEWS
Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams
Criminals are Taking Control of Abandoned Subdomains
ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data
DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit
Turchin Indictment Unsealed
German Authorities Seize BlueLeaks Server
Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users
CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By Cyolo Security Ltd ************************
Webcast | Join Almog Apirion, CEO and Co-founder of Cyolo and SANS Instructor, Chris Dale as they discuss "Everything you need to know before trusting a zero-trust provider" | Tuesday, July 14, 2020 at 2:00 PM EDT
| http://www.sans.org/info/216960
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year with OnDemand Cybersecurity Training
Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Zoom Zero-day Affects Clients Running on Older Versions of Windows
(July 9, 2020)
Zoom is working on a fix for a zero-day vulnerability that was disclosed on Thursday, July 9. The arbitrary code execution flaw affects the Zoom client running on Windows 7, Windows Server 2008 R2, and older versions of the operating system. Zoom clients running on Windows 8 and Windows 10 are not affected.
[Editor Comments]
[Ullrich] This bug only appears to be usable on Windows 7. If you still use Windows 7: Don't use it for tasks like Zoom, web browsing or anything. Only use it for the specific task that requires Windows 7 to run on the particular system.
[Neely] A more complete fix is to upgrade to supported Windows versions. Windows 7 and Server 2008 support ended January 14th this year. If you must run older operating systems, don't use them for internet-based activities such as email, browsing, or video conferencing, and restrict access to make exploitation more difficult.
Read more in:
Threatpost: Zoom Zero-Day Allows RCE, Patch on the Way
https://threatpost.com/unpatched-zoom-bug-rce/157317/
ZDNet: Zoom working on patching zero-day disclosed in Windows client
https://www.zdnet.com/article/zoom-working-on-patching-zero-day-disclosed-in-its-windows-client/
Cyberscoop: Zero-day flaw found in Zoom for Windows 7
https://www.cyberscoop.com/zoom-zero-day-windows-7-acros/
--Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability
(July 8 & 9, 2020)
Palo Alto Networks has released updates to fix a critical command injection vulnerability in its PAN-OS GlobalProtect portal. The flaw affects PAN-OS 9.1 versions prior to 9.1.3; PAN-OS 8.1 versions prior to 8.1.15; PAN-OS 9.0 versions prior to 9.0.9; and all versions of PAN-OS 8.0 and PAN-OS 7.1. Fixes will not be released for PAN-OS 8.0 and 7.1 as those versions are no longer supported.
[Editor Comments]
[Neely] This patch addresses CVE-2020-2034, which allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges on unpatched devices. If you're on the older unsupported PAN-OS versions, it's time to move forward, which may necessitate new hardware.
[Ullrich] Another reason to make sure the administrative interfaces for these devices are not visible to the outside.
Read more in:
Bleeping Computer: Palo Alto Networks fixes another severe flaw in PAN-OS devices
https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-another-severe-flaw-in-pan-os-devices/
The Register: If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks
https://www.theregister.com/2020/07/09/palo_alto_fix/
Palo Alto Networks: CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal
https://security.paloaltonetworks.com/CVE-2020-2034
--Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations
(July 7, 8, & 9, 2020)
Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting, authorization bypass, and denial of service. Rob Joyce, the former head of the NSA's Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.
[Editor Comments]
[Ullrich] The XSS vulnerability is particularly interesting here. The impact of XSS vulnerabilities is often underestimated. In this case, the XSS vulnerability can be used to execute code on the device. Exploitation has been demonstrated in a YouTube video, but code for the full exploit has not been made public yet. The victim, an administrator currently logged into the system, will have to visit a malicious website to trigger the exploit chain. The result is full access to the device for the attacker.
[Neely] The debate over urgency occurs because the attacks require access to vulnerable devices to exploit. Targeting the management interface using XSS can lead to compromise. Virtual IPs could also be used to initiate a DoS attack or internal network scan. In addition to applying the patches, restrict access to the management interface.
[Honan] Given the large number of people now working remotely during the Coronavirus pandemic, attacks against remote access points, such as Citrix gateways, are on the rise. These vulnerabilities are already being actively exploited and should be patched as quickly as possible.
Read more in:
ISC: Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688
https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/
The Register: FYI: Someone's scanning for gateways with those security holes Citrix told you not to worry too much about
https://www.theregister.com/2020/07/09/citrix_bugs_exploit/
DUO: Citrix Patches 11 Vulnerabilities in Several Products
https://duo.com/decipher/citrix-patches-11-vulnerabilities-in-several-products
Threatpost: Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/
The Register: Citrix tells everyone not to worry too much about its latest security patches. NSA's former top hacker disagrees
https://www.theregister.com/2020/07/08/citrix_eleven_patches/
Bleeping Computer: Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances
https://www.bleepingcomputer.com/news/security/citrix-fixes-11-flaws-in-adc-gateway-and-sd-wan-wanop-appliances/
Twitter: Rob Joyce
https://twitter.com/RGB_Lights/status/1280616246015340546
Citrix: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update
https://support.citrix.com/article/CTX276688
--Critical Flaw in WordPress Plugin
(July 8, 2020)
A critical remote code execution flaw in the Adning Advertising plugin for WordPress could be exploited to completely take control of vulnerable sites. The flaw has been exploited in the wild. Users are urged to update to Adning version 1.5.6, which also fixes a high-severity unauthenticated arbitrary file deletion via path traversal vulnerability.
Read more in:
Threatpost: Advertising Plugin for WordPress Threatens Full Site Takeovers
https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/
Wordfence: Critical Vulnerabilities Patched in Adning Advertising Plugin
https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/
**************************** SPONSORED LINKS ******************************
1) Webcast | You don't want to miss SANS Senior Instructor, Chris Crowley as he presents "Preventing Runtime Exploits: The SANS Implementation Guide for RunSafe Security's Alkemist" | Wednesday, July 15, 2020 at 2:00 PM EDT
| http://www.sans.org/info/216965
2) Webcast | Join SANS Senior Instructor, Dave Shackleford and Guillaume Ross for this informative webcast as they discuss "Securing the Remote Workforce without VPNs: Uptycs and JA3" | Thursday, July 16, 2020 at 1:00 PM EDT
| http://www.sans.org/info/216970
3) Webcast | Join SANS Senior Instructor, Dave Shackleford joined by Portshift's Co-Founder, Zohar Kaufman for our upcoming webcast as they present "Containers Vulnerability Management: Time to Step Things Up!" | Tuesday, July 14, 2020 at 12:00 PM EDT
| http://www.sans.org/info/216975
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams
(July 7, 2020)
A group of Russian hackers dubbed Cosmic Lynx has been launching sophisticated business email compromise schemes since last July. According to researchers at Agari, the group has launched more than 200 attacks against organizations in 46 countries. Cosmic Lynx targets organizations that have not implemented DMARC; the group has focused on scams involving mergers and acquisitions.
[Editor Comments]
[Honan] While DMARC is not a panacea against phishing attacks, it helps reduce the risk. The Global Cyber Alliance has a simple step-by-step guide that is available for free on how to ensure your mail service has DMARC configured correctly: https://dmarc.globalcyberalliance.org/
Read more in:
Wired: Looks Like Russian Hackers Are on an Email Scam Spree
https://www.wired.com/story/russian-hackers-email-scams/
SC Magazine: BEC scams grow in complexity as Russian actors launch Cosmic Lynx operation
https://www.scmagazine.com/home/security-news/cybercrime/bec-scams-grow-in-complexity-as-russian-actors-launch-cosmic-lynx-operation/
Threatpost: First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered
https://threatpost.com/russian-bec-gang-cosmic-lynx-uncovered/157166/
Bleeping Computer: First reported Russian BEC scam gang targets Fortune 500 firms
https://www.bleepingcomputer.com/news/security/first-reported-russian-bec-scam-gang-targets-fortune-500-firms/
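The item above notes that Cosmic Lynx targets organizations without DMARC, and the editor comment points to a configuration guide. The following is an added example (not code from the newsletter, Agari, or the Global Cyber Alliance) showing the defensive check a mail administrator would run: parse the DMARC TXT record published at _dmarc.<domain> and decide whether it actually enforces a policy. The domain names and records are constructed samples; in production the record would be fetched with a DNS resolver rather than read from the dictionary below.

```python
"""Classify DMARC TXT records by enforcement strength.

Added example, not part of the original newsletter. The tag of interest for
BEC risk is p= (policy for the organisational domain): none (monitor only),
quarantine, or reject. pct= can weaken quarantine/reject, and sp= covers
subdomains (defaulting to p=). The SAMPLES table is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    present: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reporting: bool
    enforcing: bool
    findings: List[str]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-case tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return an assessment of one DMARC record (None means no record was published)."""
    findings: List[str] = []
    if not record:
        findings.append("no DMARC record published")
        return DmarcAssessment(False, None, None, 0, False, False, findings)

    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers will ignore it")
        return DmarcAssessment(False, None, None, 0, False, False, findings)

    policy = tags.get("p", "").lower() or None
    sub_policy = tags.get("sp", "").lower() or policy  # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))  # spec default is 100
    except ValueError:
        pct = 100
        findings.append("pct= is not numeric; treated as 100")
    reporting = "rua" in tags

    if policy is None:
        findings.append("p= tag missing; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if sub_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    if not reporting:
        findings.append("no rua= address; aggregate abuse reports will not be received")

    enforcing = (
        policy in ("quarantine", "reject")
        and sub_policy in ("quarantine", "reject")
        and pct == 100
    )
    return DmarcAssessment(True, policy, sub_policy, pct, reporting, enforcing, findings)


# Constructed sample records (placeholder domains, not real lookups).
SAMPLES: Dict[str, Optional[str]] = {
    "example-good.test": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-good.test",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=20",
    "example-none.test": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        result = assess_dmarc(record)
        status = "ENFORCING" if result.enforcing else "WEAK"
        print(f"{domain}: {status} (p={result.policy}, pct={result.pct})")
        for finding in result.findings:
            print(f"  - {finding}")
```

Only a record that reaches p=quarantine or p=reject at pct=100, with subdomains covered, counts as enforcing here; p=none is valuable for collecting reports but does nothing to stop a spoofed message from being delivered.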
--Criminals are Taking Control of Abandoned Subdomains
(June 23 & July 7, 2020)
Criminals have been taking control of abandoned subdomains associated with well-known organizations and using them for nefarious purposes, including hosting pornographic content and spreading malware. In late June, Microsoft published an article describing how to prevent subdomain takeovers.
[Editor Comments]
[Pescatore] The use of cloud services caused "dangling DNS" records to be a bigger issue. Warnings were coming out at least as far back as 2015 when use of IaaS started to ramp up. Infoblox, Nominet and other DNS security-focused vendors have put out detailed "DNS basic security hygiene" advice.
Read more in:
The Register: Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers
https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/
Microsoft: Prevent dangling DNS entries and avoid subdomain takeover
https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
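The takeover described above starts with a "dangling" record: a CNAME in the organization's zone that still points at a cloud hostname the organization has released. The following is an added example (not Microsoft's, Infoblox's, or the newsletter's code) of the first defensive check: walk the zone's CNAME records and flag any whose target no longer resolves. The zone file and the answer table are constructed, and the resolver is injected as a function so the example runs offline; in production you would pass a function that queries real DNS (for instance via dnspython) and then review each flagged record for removal.

```python
"""Find dangling CNAME records in a zone export.

Added example, not part of the original newsletter. A subdomain takeover
becomes possible when a CNAME points at a hostname you no longer control,
so the check is: for every CNAME, does the target still resolve? A target
that returns NXDOMAIN is dangling. SAMPLE_ZONE and FAKE_ANSWERS are
constructed data standing in for a real zone and real DNS.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Resolver contract: return the target's addresses, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def parse_zone_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from BIND-style zone lines.

    Accepts "owner [ttl] [class] CNAME target"; comments after ';' and
    non-CNAME records are skipped. Names are normalised to lower case
    without the trailing dot.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed line: no owner or no target
        owner, target = fields[0], fields[idx + 1]
        pairs.append((owner.rstrip(".").lower(), target.rstrip(".").lower()))
    return pairs


def find_dangling(zone_text: str, resolve: Resolver) -> List[Tuple[str, str]]:
    """Return the (owner, target) pairs whose CNAME target does not resolve."""
    return [
        (owner, target)
        for owner, target in parse_zone_cnames(zone_text)
        if resolve(target) is None
    ]


# Constructed sample zone: placeholder names under .test / .invalid, not real hosts.
SAMPLE_ZONE = """
; example.test zone export (constructed)
www.example.test.       3600 IN A     192.0.2.10
shop.example.test.      3600 IN CNAME shop-prod.cloud-host.invalid.
promo2015.example.test.  300 IN CNAME promo-site.cloud-host.invalid.   ; campaign retired
blog.example.test.      3600 IN CNAME blog-platform.invalid.
"""

# Constructed answer table standing in for live DNS: the promo target was released.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "shop-prod.cloud-host.invalid": ["203.0.113.5"],
    "blog-platform.invalid": ["203.0.113.9"],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS lookup; None mimics NXDOMAIN."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE, fake_resolver):
        print(f"DANGLING {owner} -> {target}: remove the record or reclaim the target")
```

A non-resolving target is the clearest signal, but it is not the only one: a target that resolves to a provider's generic "resource not found" page is also unclaimed, so a fuller check would probe the returned host for that provider's fingerprint before declaring it safe.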
--ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data
(July 7 & 8, 2020)
Researchers now think the ThiefQuest malware that targets macOS is largely focused on exfiltrating data from infected networks. Initial assessment of ThiefQuest categorized the malware as ransomware. While it does have an encryption component, researchers think it may be included as a distraction rather than the main purpose of the malware.
Read more in:
Malwarebytes: Mac ThiefQuest malware may not be ransomware after all
https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/
SC Magazine: Hidden purpose of Mac 'ransomware' EvilQuest is data exfiltration, say researchers
https://www.scmagazine.com/home/security-news/hidden-purpose-of-mac-ransomware-evilquest-is-data-exfiltration-say-researchers/
--DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit
(July 10, 2020)
DigiCert plans to revoke 50,000 Extended Validation (EV) certificates on Saturday, July 11 after learning that they were not properly audited. While the situation does not pose a security threat, EV guidelines require that the certificates be revoked.
[Editor Comments]
[Ullrich] Yet more proof that the problem with TLS is not so much technical flaws but flaws in the CA ecosystem. The CA/Browser forum has done good work in tightening up some of the requirements around certificate authorities, and browser makers are abandoning the idea of "Extended Validation" (EV) certificates, as they caused more issues than they solved.
[Neely] If you're managing your intermediate certificate store, you'll want to make sure you have updated intermediate certificate authority (ICA) certificates for DigiCert EV RSA CA G2, GeoTrust EV RSA CA G2 and Thawte EV RSA CA G2.
Read more in:
The Register: Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
https://www.theregister.com/2020/07/10/digicert_pulls_certs/
Knowledge.digicert: DigiCert ICA Replacement
https://knowledge.digicert.com/alerts/DigiCert-ICA-Replacement
--Turchin Indictment Unsealed
(July 8, 2020)
The US Department of Justice recently unsealed an indictment charging Andrey Turchin with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. Turchin allegedly hacked into networks at hundreds of organizations, established backdoors, and then sold access to those systems. Turchin is a citizen of Kazakhstan and is believed to be residing there currently.
Read more in:
Justice: Citizen of Kazakhstan, known as "fxmsp," charged with computer fraud, wire fraud, and conspiracy for hacking hundreds of corporate networks in more than 40 countries worldwide
https://www.justice.gov/usao-wdwa/pr/citizen-kazakhstan-known-fxmsp-charged-computer-fraud-wire-fraud-and-conspiracy-hacking
Dark Reading: US Charges Kazakhstani Citizen With Hacking Into More Than 300 Orgs
https://www.darkreading.com/attacks-breaches/us-charges-kazakhstani-citizen-with-hacking-into-more-than-300-orgs/d/d-id/1338305
ZDNet: Fxmsp hacker indicted by feds for selling backdoor access to hundreds of companies
https://www.zdnet.com/article/fxmsp-hacker-indicted-by-feds-for-selling-network-access-impacting-hundreds-of-companies/
Threatpost: Notorious Hacker 'Fxmsp' Outed After Widespread Access-Dealing
https://threatpost.com/notorious-hacker-fxmsp-outed/157275/
Justice: Andrey Turchin Indictment (PDF)
https://www.justice.gov/usao-wdwa/press-release/file/1292541/download
--German Authorities Seize BlueLeaks Server
(July 7, 8, & 9, 2020)
Authorities in Germany have seized a server hosting BlueLeaks data, 269 GB of US police documents. The department of public prosecution in Zwickau said the server was seized on July 3 at the request of the US government.
Read more in:
PC Mag: Germany Seizes Server Hosting 'BlueLeaks' Data Dump on US Police Practices
https://www.pcmag.com/news/germany-seizes-server-hosting-blueleaks-data-dump-on-us-police-practices
Vice: Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says
https://www.vice.com/en_us/article/qj43xq/cops-seize-blueleaks-ddosecrets-server
Threatpost: BlueLeaks Server Seized By German Police: Report
https://threatpost.com/blueleaks-server-seized-by-german-police-report/157288/
ZDNet: German authorities seize 'BlueLeaks' server that hosted data on US cops
https://www.zdnet.com/article/german-authorities-seize-blueleaks-server-that-hosted-data-on-us-cops/
Cyberscoop: German police seize DDoSecrets server distributing 'BlueLeaks' files
https://www.cyberscoop.com/blueleaks-german-police-seize-server/
The Hill: Germany seizes server hosting leaked US police files
https://thehill.com/policy/technology/506557-germany-seizes-server-hosting-leaked-us-police-files
--Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users
(July 7 & 8, 2020)
Recently unsealed documents detail Microsoft's efforts to thwart phishing attacks that preyed on people's concerns about COVID-19. The attacks targeted Office 365 users in 62 countries around the world and were crafted to appear to be from employers or other trusted entities. Microsoft's Digital Crime Unit became aware of the fraudulent activity in December 2019. On July 1, Microsoft obtained a court order allowing it to seize the malicious domains.
[Editor Comments]
[Neely] The federal court's motion was sealed so as not to tip their hand, which allows Microsoft to fight cyber-attacks without enlisting federal prosecutors. Unlike traditional phishing email schemes, when the user clicked the link, they were prompted to grant access to their Office 365 account, which then allowed access to email, contacts, OneDrive, SharePoint and notes without explicitly collecting login credentials. Enabling 2FA is a key mitigation to this sort of attack.
Read more in:
Microsoft: Microsoft takes legal action against COVID-19-related cybercrime
https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/
Dark Reading: Microsoft Seizes Domains Used in COVID-19-Themed Attacks
https://www.darkreading.com/operations/microsoft-seizes-domains-used-in-covid-19-themed-attacks/d/d-id/1338293
Ars Technica: Microsoft neuters Office 365 account attacks that used clever ruse
https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/
ZDNet: Microsoft seizes six domains used in COVID-19 phishing operations
https://www.zdnet.com/article/microsoft-seizes-six-domains-used-in-covid-19-phishing-operations/
The Register: Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5
https://www.theregister.com/2020/07/08/microsoft_sues_office_365_phishers/
Threatpost: Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks
https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/
--CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System
(July 8, 2020)
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published two advisories regarding security issues in ultrasound systems from Philips and in the OpenClinic GA open source hospital information management system. Philips has released updates to address the authentication bypass issue in some of the affected products and expects to have fixes for the rest of the affected products by the end of the calendar year.
Read more in:
GovInfosecurity: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems
https://www.govinfosecurity.com/alerts-flaws-in-ultrasound-open-source-hospital-systems-a-14585
US-CERT/CISA: ICS Medical Advisory (ICSMA-20-177-01) Philips Ultrasound Systems
https://us-cert.cisa.gov/ics/advisories/icsma-20-177-01
Philips: Security Advisories: Philips Ultrasound (24-June-2020)
https://www.usa.philips.com/healthcare/about/customer-support/product-security
US-CERT/CISA: ICS Medical Advisory (ICSMA-20-184-01) OpenClinic GA
https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
F5 Big IP Wrap-up
https://twitter.com/NCCGroupInfosec/status/1280593966879125504
https://www.sans.org/webcasts/116065
Citrix ADC / Citrix Gateway Patches
https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
Citrix Scanning
https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/
https://www.youtube.com/watch?time_continue=6&v=1_D4_9BKHSc&feature=emb_logo
Citrix Vulnerability Details (CVE-2020-8194)
https://dmaasland.github.io/posts/citrix.html
SANS.edu Student Billy Wilson: Securing Supercomputers with BPF Probes
https://www.sans.org/reading-room/whitepapers/detection/securing-soft-underbelly-supercomputer-bpf-probes-39635
Obfuscated Malware
https://isc.sans.edu/forums/diary/If+You+Want+Something+Done+Right+You+Have+To+Do+It+Yourself+Malware+Too/26320/
Palo Alto Networks PAN-OS CVE-2020-2034
https://security.paloaltonetworks.com/CVE-2020-2034
Microsoft Releases Free Memory Analysis Service
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
Mozilla Suspending Send Service
https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
Juniper Patches
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
Google Releases Tsunami Security Scanner
https://github.com/google/tsunami-security-scanner
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create