
Volume XXI - Issue #23

March 22, 2019

Boeing's Self-Certification of Safety; Texas, Connecticut, and New Jersey High School Girls Lead National Governors March Madness Cyber Talent Tournament





  Boeing Self-Certified Safety of New Flight Software

  Texas, Connecticut and New Jersey High School Girls Lead National Governors March Madness Cyber Talent Tournament


  DHS's CISA Warns of Vulnerabilities in Certain Implantable Medical Devices

  Old Android Flaw Patched

  UK Police Organization Suffers Ransomware Attack

  Norsk Hydro Ransomware Attack Disrupts Operations

  Facebook Patches Fizz TLS Flaw

  Mozilla Releases Firefox 66

  WordPress Easy WP SMTP Plug-in Updated to Fix Flaw

  Facebook Stored Passwords in Plaintext

  NIST Working on New Encryption Protocols

  GAO's Science and Technology Assessment and Analytics Group Will Help Legislators Grasp Technical Issues

  Cisco Patches IP Phone Flaws








--Boeing Self-Certified Safety of New Flight Software

(March 16 & 19, 2019)

Boeing's Maneuvering Characteristics Augmentation System (MCAS) flight software, which increasingly looks like a major factor in the crashes, five months apart, of two Boeing 737 MAX aircraft, was certified by Boeing itself. The US Federal Aviation Administration (FAA) delegated that responsibility to the manufacturer because, in the words of an FAA safety official, "it would be detrimental to our competitiveness if foreign manufacturers are able to move improved products into the marketplace more quickly." Boeing did not train pilots on the new software features, and regulators agreed that the aircraft was a derivative model that did not require additional simulator training.

[Editor Comments]

[Pescatore] I'm not even going to attempt to comment on the complex aircraft safety issues involved here, but a couple of quotes in this story leap out as far as lessons learned that can be applied to making arguments to management about cybersecurity needs: (1) Boeing is quoted as saying "the FAA concluded that it met all certification and regulatory requirements" and "the Boeing System Safety Analysis concluded that the system complied with all applicable FAA regulations." Sounds very similar to the common post-breach statements of "We were PCI compliant," even though 100M customer accounts were compromised. Compliant is not safe or secure. (2) Software automation was assumed to provide benefits without requiring training of the human experts on how to handle the inevitable cases where the software wasn't working right. In cybersecurity, when products/services claim zero false negatives but *never* mention false positives, training is required on how to deal with potential false positives before taking action that will cause business impact.

[Murray] As with most catastrophic accidents, this one is likely to prove to involve a combination of contributing factors. The lesson for IT developers is to identify all possible failure modes for one's system (including others), what evidence of the failure the operator or manager will see, and what corrective action they must be prepared to take. That said, all software developers should aspire to the record for quality of Boeing and Airbus.

[Honan] For too long we have let manufacturers determine the reliability and security of their software and systems through self-certification. The "trust us; it works" approach to software engineering has to end. I am glad to see that Members of the European Parliament adopted the European Cybersecurity Act including "the first EU-wide cybersecurity certification framework to ensure a common cybersecurity certification approach in the European internal market and ultimately improve cybersecurity in a broad range of digital products (e.g. Internet of Things) and services."

Read more in:

Seattle Times: Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system

Ars Technica: Boeing downplayed 737 MAX software risks, self-certified much of plane's safety

NYT: F.A.A. Approval of Boeing Jet Involved in Two Crashes Comes Under Scrutiny

NYT: After 2 Crashes of New Boeing Jet, Pilot Training Now a Focus


--Texas, Connecticut and New Jersey High School Girls Lead National Governors March Madness Cyber Talent Tournament

(March 22, 2019)

On the third day of the National Governors Cyber Talent Tournament, the top ten states are: (1) Texas, (2) Connecticut, (3) New Jersey, (4) Nevada, (5) Virginia, (6) Indiana, (7) Maryland, (8) North Carolina, (9) Iowa, and (10) Georgia. Among smaller states, the top states are Wyoming, Delaware, North Dakota, and Vermont.

The real-time leaderboard is posted at:

Collegiate competitions for $2.5 million in scholarships start in 14 days:





--DHS's CISA Warns of Vulnerabilities in Certain Implantable Medical Devices

(March 21, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of flaws in Medtronic cardiac defibrillators that could be exploited to take control of the implanted devices. The proprietary Conexus telemetry protocol that monitors use to connect to the devices uses no encryption and has no means of authenticating devices to ensure they are authorized to control the implant. Medtronic is developing updates to mitigate these vulnerabilities, according to a company security bulletin.

[Editor Comments]

[Neely] While exploitation is not overly difficult, it requires knowledge of which device is implanted as well as close proximity. Firmware updates from Medtronic are planned for later this year to increase the security. Mitigate the risk by following the CISA advised precautions (See ICS CERT link below) which focus on using monitors in controlled environments and not attaching unapproved devices to them.

Read more in:

Ars Technica: Critical flaw lets hackers control lifesaving devices implanted inside patients

The Register: Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

ICS CERT: Medical Advisory (ICSMA-19-080-01) Medtronic Conexus Radio Frequency Telemetry Protocol

Medtronic: Conexus Telemetry and Monitoring Accessories: Vulnerability Summary


--Old Android Flaw Patched

(March 20, 2019)

A flaw in Android devices running version 4.4 or later can be exploited by apps to steal users' website login tokens. The vulnerability in the Chromium browser engine was introduced in Android 4.4, known as KitKat, which was released in 2013. The flaw has been fixed in Chrome on Android version 72.0.3626.81 or higher and in Android 7.0 or higher.

[Editor Comments]

[Murray] Mobile users should prefer apps to browsers.

[Neely] According to the Android developer site, only 49.7% of Androids are running version 7.0 or higher. The older devices are still functional, which makes the argument to replace them challenging. Android 7 was released in August 2016, so updates may still be available depending on your hardware provider. If you're running an older device, the easiest mitigation is to replace it.


Read more in:

Wired: An Android Vulnerability Went Unfixed for Over Five Years

The Register: Renegade Android apps can siphon off your web logins, browser history. So make sure Chrome or OS is patched, friends


--UK Police Organization Suffers Ransomware Attack

(March 21, 2019)

The Police Federation of England and Wales (PFEW) has been dealing with a ransomware attack that infected some of the organization's databases and other systems and also deleted backup files. The attack occurred on March 9. The organization took immediate steps to contain the incident, which included taking some systems offline to prevent the malware from spreading.

Read more in:

The Register: Brit Police Federation cops to ransomware attack on HQ systems

ZDNet: Police Federation hit by ransomware attack

Dark Reading: Police Federation of England and Wales Suffers Apparent Ransomware Attack


--Norsk Hydro Ransomware Attack Disrupts Operations

(March 19 & 21, 2019)

Norsk Hydro, one of the world's largest aluminum producers, has been hit with a ransomware attack that left one of its units operating at 50 percent of capacity. The Norwegian company, which has sites in 40 countries, says that the attack encrypted data on computers at facilities in the US and Europe. The company shut down its global network to contain the infection, and has reverted to manual operations at some plants and shut down production entirely at others. The attack was first noticed on US computers on Monday, March 18.

[Editor Comments]

[Honan] Norsk Hydro should be a case study in how to run an effective incident response. They were able to continue their business, although at a lower level, in spite of their key systems being offline. Their website contains great examples of how to provide updates to an issue and may serve as a template for how to respond to security breaches:


Read more in:

The Register: Ransomware drops the Lillehammer on Norsk Hydro: Aluminium giant forced into manual mode after systems scrambled

Ars Technica: Severe ransomware attack cripples big aluminum producer

Cyberscoop: Norwegian aluminum producer Norsk Hydro hit with large ransomware attack

Motherboard: Ransomware Forces Aluminum Manufacturing Giant to Shut Down Network Worldwide

Reuters: Hydro products unit running at 50 percent after cyber attack


--Facebook Patches Fizz TLS Flaw

(March 20, 2019)

In February, Facebook patched a critical flaw in Fizz, its open-source implementation of the TLS 1.3 (Transport Layer Security) protocol. The vulnerability could be exploited to trigger an infinite loop, creating a denial-of-service condition in the web service. The researchers who found the flaw notified Facebook on February 20; the fix was released on February 25. The Fizz source code was made public last summer; operators of other web applications that use Fizz are urged to apply updates as soon as possible.

Read more in:

SC Magazine: Facebook patches denial-of-service flaw in its open-source Fizz TLS implementation

Semmle: Semmle Discovers Denial of Service (DoS) Vulnerability in Facebook Fizz

GitHub: facebookincubator/fizz


--Mozilla Releases Firefox 66

(March 19 & 20, 2019)

Mozilla has released Firefox 66 and Firefox Extended Support Release (ESR) 60.6. The newest versions of the browsers include fixes for a total of 22 vulnerabilities. Five of the flaws are rated critical; four of those affect both updated versions of the browser. Firefox 66 also includes a new autoplay-blocking feature that prevents websites from playing sound without user permission.

[Editor Comments]

[Northcutt] I've tried the sound autoplay blocking feature on most of the major news sites. What a blessing! How many times have you searched for the tab that was making the unwanted audio? With the update, I switched Firefox back to default browser.

[Williams] While Firefox updates automatically for home users, enterprise users will have to push the update. One of these vulnerabilities (CVE-2019-9790) looks likely to be weaponized. This class of bug was largely mitigated in IE and Edge by implementing isolated heaps for the DOM, but those mitigations consume more memory and haven't been adopted by most other applications.


Read more in:

Mozilla: See what's new in Firefox! 66.0 Firefox Release

SC Magazine: Mozilla's latest Firefox releases fix 22 vulnerabilities

ZDNet: Firefox 66 is out: Block on auto-playing video with sound, Windows Hello support


--WordPress Easy WP SMTP Plug-in Updated to Fix Flaw

(March 21, 2019)

A flaw in the Easy WP SMTP plug-in for WordPress is being actively exploited. The attacks were detected by two companies that make firewall plug-ins for WordPress. The attackers changed site settings, created new admin accounts, and redirected traffic from websites. The plug-in's creator was alerted to the problem and has released an update, version

Read more in:

ZDNet: Zero-day in WordPress SMTP plugin abused by two hacker groups


--Facebook Stored Passwords in Plaintext

(March 21, 2019)

Hundreds of millions of Facebook account passwords were stored in plaintext on internal company servers. Facebook has launched an investigation. The issue affects between 200 million and 600 million Facebook users; the passwords could have been searched by company employees. The affected passwords date back as far as 2012. Facebook plans to contact users whose passwords are included in the unencrypted batch.

[Editor Comments]

[Pescatore] It sounds like most of the exposure involved passwords of Facebook Lite users, a version used where connectivity is spotty. But, Facebook saying this was found during a routine security review in January raises a number of questions: (1) Facebook made no public disclosure until March 21st, after an insider informed Brian Krebs; and (2) since it appears the exposure has existed since *2012*, why hadn't previous detailed or routine security reviews ever noticed?

[Neely] Reports indicated over 2000 queries by Facebook engineers included plaintext passwords. While the focus of these appears to be in the Facebook Lite application, it's a good idea to change your Facebook password anyway, and enable two-factor authentication for the account.

[Williams] Finding plaintext passwords is unfortunately more common than most of the industry talks about. In security assessments, we often see developers logging plaintext passwords so they can log in as a user to reproduce a fault. This equates to "user impersonation" which we know Facebook supports in at least some contexts (without logging passwords) due to a previous security issue with their impersonation API. The other likely location for these passwords would be logs where HTTP variables for POST requests were logged. Enabling logging of HTTP POST variables makes web server logs extremely sensitive as they frequently now contain credit card numbers, passwords, and other sensitive data. This incident should serve as a catalyst to examine what sensitive data is being logged in your organization.
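As an added illustration of the logging point above (example code, not from the newsletter or its editors), the following Python script scans constructed web-server log lines for POST parameters that carry passwords or Luhn-valid card numbers, and shows how a log pipeline could scrub such values before they are written; the log format, parameter names and sample lines are all assumptions.

```python
"""Flag and scrub sensitive values in logged HTTP POST bodies.

Added example, not code from the newsletter. The log layout assumed here
("<ip> <method> <path> body=<urlencoded form>") and the sample lines are
constructed; adapt LINE_RE to your server's real format.
"""
import re
from urllib.parse import parse_qs

# Parameter names whose values should never reach a log file (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "cvv", "ssn", "card"}

# Assumed log layout: "<client ip> <method> <path> body=<urlencoded POST body>"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")

# Any 13-19 digit run is a card-number candidate; the Luhn check filters most noise.
CARD_RE = re.compile(r"\b\d{13,19}\b")

# Constructed sample lines (not real traffic). The last one fails the Luhn check.
SAMPLE_LOG = [
    "10.0.0.5 POST /login body=user=alice&password=Secr3t%21",
    "10.0.0.6 GET /index.html body=",
    "10.0.0.7 POST /checkout body=item=42&card=4111111111111111&cvv=123",
    "10.0.0.8 POST /search body=q=4111111111111112",
]


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def findings_for_line(line: str) -> list:
    """Return (kind, parameter) tuples for sensitive data found in a POST body."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST":
        return []
    params = parse_qs(m.group("body"), keep_blank_values=True)
    found = []
    for key, values in params.items():
        if key.lower() in SENSITIVE_KEYS and any(values):
            found.append(("sensitive_param", key))
        for value in values:
            if any(luhn_ok(c) for c in CARD_RE.findall(value)):
                found.append(("card_number", key))
    return found


def scan_log(lines) -> list:
    """Return (line_number, kind, parameter) for every hit across the log."""
    return [(n, kind, key)
            for n, line in enumerate(lines, start=1)
            for kind, key in findings_for_line(line)]


def redact_line(line: str) -> str:
    """Mask sensitive values so the line can be stored; this is what a log
    pipeline should do to POST bodies if it must record them at all."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST":
        return line
    params = parse_qs(m.group("body"), keep_blank_values=True)
    scrubbed = []
    for key, values in params.items():
        for value in values:
            if key.lower() in SENSITIVE_KEYS:
                value = "[REDACTED]"
            else:  # mask only digit runs that look like real card numbers
                value = CARD_RE.sub(
                    lambda c: "[CARD]" if luhn_ok(c.group(0)) else c.group(0), value)
            scrubbed.append(f"{key}={value}")
    return f"{m.group('ip')} {m.group('method')} {m.group('path')} body={'&'.join(scrubbed)}"


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s in parameter %r" % hit)
    for line in SAMPLE_LOG:
        print(redact_line(line))
```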

Read more in:

KrebsOnSecurity: Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

CNET: Facebook passwords by the hundreds of millions sat exposed in plain text

eWeek: Facebook Admits It Left Hundreds of Millions of User Passwords Exposed

Motherboard: Facebook Mistakenly Stored Hundreds of Millions of User Passwords as Plaintext


--NIST Working on New Encryption Protocols

(March 20, 2019)

The National Institute of Standards and Technology (NIST) is in the process of evaluating and winnowing down proposals for encryption standards for quantum computers and for lightweight computing devices, like RFID tags and smart cards. The Post-Quantum Cryptography Project evaluated 69 proposals over the past year and selected 26 to examine more closely. Matthew Scholl, Chief of the Computer Security Division at NIST, said that they are not looking for a specific number of algorithms, and noted that "when quantum computing comes about, having more than one algorithm with some different genetic mathematical foundations will ensure that we have a little more resiliency." The Lightweight Cryptography Project received initial submissions in late February; authors have until March 29, 2019 to amend those submissions.

[Editor Comments]

[Murray] One of the algorithms that we know to be vulnerable to quantum computers is RSA, widely used for key exchange. There are proposals for alternatives to this algorithm that can be introduced in a non-disruptive way but which will take time. We do not know how much time we have but it will be adequate if we are prudent.  

[Neely] Encryption algorithms for lightweight devices have been challenging, and selection of an improved solution using modern techniques is needed. Initial submissions need to be revised or edited by March 29th. The candidate algorithms will be discussed in a workshop November 4-6, 2019.

Read more in:

FCW: NIST pushes new encryption protocols for quantum, connected devices

CSRC: Post-Quantum Cryptography

CSRC: Lightweight Cryptography


--GAO's Science and Technology Assessment and Analytics Group Will Help Legislators Grasp Technical Issues

(March 20, 2019)

The US Government Accountability Office (GAO) launched the Science, Technology Assessment and Analytics Team in late January. The group's focus will include providing technology assessments and technical services for Congress. By the end of this calendar year, the team is expected to have roughly 60 engineers, physicists, data analysts, computer scientists, and other specialists on staff. In the last session of Congress, fewer than four percent of members had science, technology, or engineering backgrounds.

Read more in:

Nextgov: Inside GAO's Plan to Make Congress More Tech-Savvy

GAO Blog: Our New Science, Technology Assessment and Analytics Team


--Cisco Patches IP Phone Flaws

(March 21, 2019)

Cisco has released fixes for five high-severity flaws in its IP Phone 7800 and 8800 series. Most of the vulnerabilities could be remotely exploited without authentication. The most serious of the flaws is a cross-site request forgery (CSRF) vulnerability that affects the 8800 series phone. Other flaws include a path traversal vulnerability, a file upload denial of service vulnerability, an authorization bypass vulnerability, and a remote code execution flaw.

[Editor Comments]

[Williams] Normally I'd say the remote code execution is the most serious by far, but this is a special case. Most Cisco IP phones run web servers. A CSRF against one of these phones could potentially give an attacker a foothold in the internal network. I highly recommend disabling the HTTP server on your IP phones; if they're centrally managed, you don't need it anyway. Monitoring for spurious TCP connections outbound from the phones is also recommended.


Read more in:

Threatpost: Cisco Patches High-Severity Flaws in IP Phones

Bleeping Computer: Cisco Fixes High-Severity Vulnerabilities in IP Phone 7800, 8800

US-CERT: Cisco Releases Security Advisories for Multiple Products



Using Active Directory (AD) To Find Hosts That Are Not in AD

Cloudflare Releases Proxy Detection Tools

Fake CDC Emails Spread GandCrab Ransomware

Google Photo Cross-Site-Leak Exposes Picture Meta Data

JavaScript Requests Without Same Origin Policy Limitations

Business Email Compromise Moving to SMS

Discovering IPv6 Hosts With UPNP

Microsoft Anti Malware Crashing Windows

Reduction in DDoS Attacks

Atlassian Sourcetree Vulnerability

Microsoft Defender for macOS


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit