
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #41

May 24, 2019

Equifax Credit Downgrade; 2,400 US College Students Eligible To Win Cyber Scholarships; Patch Now! BlueKeep Windows Remote Desktop Protocol Vulnerability; Finland Fighting Fake News





  Moody's Downgrades Equifax Rating Outlook Over Cyberattack

  Two Thousand Four Hundred U.S. College Students Reach the Scholarship Round in the Governors' Cyber FastTrack

  BlueKeep Windows Remote Desktop Protocol Vulnerability

  Finland Fighting Fake News Through Education


  Google Stored Some G Suite Passwords Unhashed for 14 Years

  ARM Cuts Ties with Huawei

  Firefox 67 Includes Security Fixes and New Privacy Features

  More Windows Update/AV Product Problems

  TrickBot Infection Prompts School Closure in Ohio

  Senate Bill Would Require Warrants to Search US Citizens' Devices at Border

  US Federal Election Commission Says Non-Profit Can Offer Cybersecurity Services to Campaigns





-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

-- SANS OnDemand and vLive Training

Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



*********** Sponsored By RedCanary ***********

You can't detect what you can't see. Join Red Canary, Carbon Black, and MITRE ATT&CK(TM) on May 28 as we shine a light on defense evasion. This webinar will examine specific instances of defense evasion across Windows, macOS, and Linux environments. Gain real-world insights and learn how to build detection strategies. http://www.sans.org/info/212950




--Moody's Downgrades Equifax Rating Outlook Over Cyberattack

(May 23, 2019)

Moody's has downgraded its rating outlook for Equifax from stable to negative due to losses the company sustained as a result of the massive data security breach in 2017. The revised outlook came in response to Equifax's SEC filing earlier this month. This is the first time a credit-rating agency has downgraded an organization's outlook because of the financial repercussions of a cyberattack.

[Editor Comments]

[Pescatore, Neely, Honan] Another useful press item to show to board members, but Moody's action is like downgrading the barn door long after all the horses got out and ran into the highway. The financial ratings companies are very good at downgrading stocks *after* everyone loses all their money.

Read more in:

SC Magazine: In a first, Moody's downgrades Equifax's rating outlook due to cyberattack



--Two Thousand Four Hundred U.S. College Students Reach the Scholarship Round in the Governors' Cyber FastTrack

(May 22, 2019)

On Wednesday, 2,400 students were notified they had reached the Cyber FastTrack scholarship round where they compete for $2.5 million in scholarships for studies at their colleges and for advanced SANS courses. Twenty-five state governors launched Cyber FastTrack on April 5 as the first step in a national initiative to close the US cybersecurity skills gap. Cyber FastTrack gives every college student in each of the governors' states a way to "play a game" to discover their aptitude to excel in the field. More than 13,000 students played and employers across the country have committed to interview the high scorers for internships and jobs.

Rankings of colleges, by state, which had students participate in Cyber FastTrack with quarterfinalists:


The Cyber FastTrack Program: www.cyber-fasttrack.org

North Dakota's announcement celebrating their finalists: https://ndus.edu/2019/05/22/ndus-institutions-do-well-in-national-cyber-challenge/


--BlueKeep Windows Remote Desktop Protocol Vulnerability

(May 23, 2019)

Last week, Microsoft issued a patch for a critical, pre-authentication remote code execution flaw in Remote Desktop Services (CVE-2019-0708), the component that implements the Remote Desktop Protocol (RDP). The flaw, known as BlueKeep, is generating warnings to patch vulnerable systems because it can be exploited over the network with no end-user interaction and no credentials. Microsoft deemed the flaw serious enough to issue fixes for older, unsupported versions of Windows, including XP, Server 2003, and Vista, alongside the regular updates for Windows 7 and Server 2008/2008 R2. The issue does not affect Windows 8 or Windows 10.

[Editor Comments]

[Williams] This is a true "patch now" vulnerability. Multiple firms now have reliable proof-of-concept exploits. It will be a matter of days to weeks, not months, before this is turned into a worm. Either patch now, disable RDP, or enable Network Level Authentication (NLA). NLA doesn't prevent exploitation, but it does limit exploitation to accounts that can already authenticate to the vulnerable machine.

[Neely] This flaw can be exploited anonymously, so modifying credentials is not a mitigation. Review systems with RDP exposed to the Internet, eliminate access for those that don't need it. Apply the patch to all systems. The best fix is to update older systems (Windows 7 and below) to Windows 10 or 8.
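The two comments above turn on one question: does an Internet-facing RDP listener let an unauthenticated client into the connection sequence, or does NLA stop it first? The following is an added example, not code from the newsletter, Microsoft or the ISC. It builds the X.224 Connection Request / Connection Confirm exchange defined in MS-RDPBCGR (sections 2.2.1.1 and 2.2.1.2) and classifies the server's answer. The client deliberately offers TLS plus the implicit standard RDP security layer but not CredSSP, so a server configured to require NLA has to refuse with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; any other outcome means an anonymous client can proceed to the pre-authentication stages where the bug lives. The sample packets used to exercise the parser are constructed by hand; the probe() helper is the only part that touches the network and is meant for hosts you own.

```python
"""Check whether an RDP listener enforces Network Level Authentication (NLA).

Added example (not the newsletter's, Microsoft's or the ISC's code). It does
not test for CVE-2019-0708 itself; it reports whether NLA gates the
unauthenticated part of the RDP connection sequence, per MS-RDPBCGR.
"""
import socket
import struct

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # HYBRID = CredSSP / NLA
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols=PROTOCOL_SSL):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ (negotiation fields are little-endian).

    Offering PROTOCOL_SSL but not PROTOCOL_HYBRID forces an NLA-only server to refuse.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: length indicator, code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode TPKT + X.224 CC and the optional RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet length")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]        # everything after the 6-byte fixed CC fields
    if not body:
        return {"type": None}     # old servers answer with a bare CC and no negotiation data
    rtype, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if rtype == TYPE_RDP_NEG_RSP:
        return {"type": "RDP_NEG_RSP", "selected_protocol": value}
    if rtype == TYPE_RDP_NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE", "failure_code": value,
                "failure_name": FAILURE_NAMES.get(value, "UNKNOWN")}
    raise ValueError("unexpected negotiation structure type 0x%02x" % rtype)


def classify(parsed):
    """Only a HYBRID_REQUIRED refusal shows that NLA gates the connection.

    A server that accepts TLS without CredSSP, or that still speaks plain RDP
    security, lets an unauthenticated client continue into the MCS connection
    stages, so those cases are reported as reachable.
    """
    if parsed["type"] == "RDP_NEG_FAILURE":
        if parsed["failure_code"] == HYBRID_REQUIRED_BY_SERVER:
            return "nla_enforced"
        return "negotiation_failed:" + parsed["failure_name"]
    return "pre_auth_reachable"   # RDP_NEG_RSP (TLS or plain RDP) or legacy bare CC


def probe(host, port=3389, timeout=5.0):
    """Live check against one host; not exercised by the offline tests."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return classify(parse_connection_confirm(s.recv(64)))
```

A result of "nla_enforced" means exploitation requires an account that can already authenticate, as the comment above states; it is not a substitute for the patch. "pre_auth_reachable" on a Windows 7 / Server 2008 host that has not been patched is the case to fix first, and a host that should not be reachable from the Internet at all is a firewall finding regardless of the result.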

Read more in:

ISC: An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps]


Ars Technica: Why a Windows flaw patched nine days ago is still spooking the Internet



--Finland Fighting Fake News Through Education

(May 21, 2019)

In 2014, the Finnish government introduced an initiative to fight fake news. The initiative includes awareness and education; schools teach digital literacy and critical thinking about misinformation. Finland's President has called on all citizens to take responsibility to fight false information.

[Editor Comments]

[Pescatore] In the US, the News Integrity Initiative at Craig Newmark Graduate School of Journalism at the City University of New York is a project funded by several foundations and technology companies like Facebook and Mozilla to fight media manipulation and encourage strong investigative reporting.

CUNY: News Integrity Initiative: https://www.journalism.cuny.edu/centers/tow-knight-center-entrepreneurial-journalism/news-integrity-initiative/

[Murray, Neely] In a world in which all knowledge is as close as the palm of one's hand, critical thinking, the ability to separate truth from fiction, useful from useless, becomes the essential skill. Our schools spend too much time transferring knowledge and training memory, not nearly enough on thinking.

Read more in:

WEForum: How Finland is fighting fake news - in the classroom


CNN: Finland is winning the war on fake news. What it's learned may be crucial to Western democracy


****************************  SPONSORED LINKS  ******************************

1) ICYMI: "Increasing Visibility with Ixia's Vision ONE" with Serge Borso and Taran Singh. Register: http://www.sans.org/info/212955

2) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212960

3) SURVEY: How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card:





--Google Stored Some G Suite Passwords Unhashed for 14 Years

(May 21 & 22, 2019)

Google has admitted that it stored some G Suite passwords in plaintext; the issue affects some enterprise accounts, but not individual consumer accounts. Due to a bug in the admin password recovery feature, unhashed passwords were stored in the admin console. Google has disabled the problematic feature, which has existed since 2005.    
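The failure described here is a feature (administrator-driven password recovery) that only works if the service keeps the password itself. The following is an added example, not Google's code, showing the risky pattern beside the hardened one: keep only a salted, memory-hard hash, and replace "recovery" with a single-use, time-limited reset token that is itself stored hashed. The record layout, the scrypt parameters and the token design are assumptions made for illustration.

```python
"""Password storage: the recoverable (risky) pattern beside the hashed pattern.

Added example, not Google's code. The record dict, the scrypt parameters and
the reset-token flow are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32   # 16 MiB per hash


def set_password_recoverable(record, password):
    """Risky: the plaintext is retained so an admin can later 'recover' it."""
    record["password"] = password          # the bug class in the story; never do this
    return record


def set_password_hashed(record, password):
    """Hardened: keep only the parameters, a per-user random salt and the scrypt output."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    record["password_hash"] = {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R,
                               "p": SCRYPT_P, "salt": salt.hex(), "digest": digest.hex()}
    record.pop("password", None)           # make sure no plaintext copy survives
    return record


def verify_password(record, candidate):
    """Recompute with the stored parameters and compare in constant time."""
    ph = record["password_hash"]
    expected = bytes.fromhex(ph["digest"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(ph["salt"]),
                            n=ph["n"], r=ph["r"], p=ph["p"], dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def issue_reset_token(record, ttl_seconds=900, now=None):
    """'Recovery' without knowing the password: a one-time token, stored only as a hash."""
    token = secrets.token_urlsafe(32)
    record["reset"] = {"token_sha256": hashlib.sha256(token.encode()).hexdigest(),
                       "expires": (now if now is not None else time.time()) + ttl_seconds}
    return token                           # delivered out of band to the admin, never stored


def redeem_reset_token(record, token, new_password, now=None):
    """Accept the token once, inside its lifetime, then set a fresh hashed password."""
    reset = record.get("reset")
    current = now if now is not None else time.time()
    if not reset or current > reset["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, reset["token_sha256"]):
        return False
    del record["reset"]                    # single use
    set_password_hashed(record, new_password)
    return True


def contains_plaintext(record, password):
    """Audit helper: does any string field in the stored record equal the password?"""
    return any(v == password for v in record.values() if isinstance(v, str))
```

The audit helper is the check to run over an exported credential store when a recovery or migration feature is suspected of retaining passwords: it is a cheap way to confirm or rule out the G Suite failure mode in your own systems, and it is exactly the condition that hashing makes impossible to satisfy.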

Read more in:

Google: Notifying administrators about unhashed password storage


Wired: Google Has Stored Some Passwords in Plaintext Since 2005


The Register: G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, years


SC Magazine: Google G Suite glitch left some passwords stored in plain text for 14 years


ZDNet: Google says it stored some G Suite passwords in unhashed form for 14 years


CNET: Google had some passwords stored in plaintext for more than a decade



--ARM Cuts Ties with Huawei

(May 22, 2019)

Chip designer ARM has said it will no longer work with Huawei, although it will continue to support Huawei products. While ARM does not manufacture chips, its intellectual property is used in many widely-used mobile processors. ARM's decision to cut ties with Huawei was made to comply with a recent White House executive order; while ARM is a UK company, much of its research and development is conducted in the US.

Read more in:

Wired: If Huawei Loses Arm's Chip Designs, It's Toast


Ars Technica: ARM is the latest partner to shun Huawei, so how will it design chips?


BBC: Huawei: ARM memo tells staff to stop working with China's tech giant


CNET: Chip designer Arm ditches Huawei because of Trump ban



--Firefox 67 Includes Security Fixes and New Privacy Features

(May 21 & 22, 2019)

Mozilla has released Firefox 67. The newest version of the browser fixes two dozen security issues, including two rated critical. Other changes to Firefox include a feature that will prevent extensions from running in private windows by default. Extensions installed prior to updating the browser to version 67 will retain their default status of being enabled in private windows. There is also a new option in the Content Blocking settings that lets users block "known fingerprinters and cryptominers." Mozilla has released updates for Firefox ESR and Thunderbird as well, bringing both to version 60.7.

[Editor Comments]

[Murray] One merely has to look at the version numbers on browsers to know that adding new features and functions to a porous base will not get us to security. Prefer purpose-built apps to browsers for sensitive applications and hostile environments.  

[Neely] New settings no longer enable extensions in private mode browser windows by default. This can be enabled in the extension settings. Note that the update enables existing extensions for private mode windows to avoid breaking things. After updating, review extension settings to determine which extensions should be active in private mode windows.

Read more in:

SC Magazine: Mozilla fires up another Firefox update, patching 24 vulnerabilities


Duo: Firefox Now Blocks Cryptominers and Fingerprinters


Threatpost: Mozilla Tackles Two Critical Flaws with Firefox 67 Release


Mozilla: Security vulnerabilities fixed in Firefox 67


Mozilla: Security vulnerabilities fixed in Firefox ESR 60.7


Mozilla: Security vulnerabilities fixed in Thunderbird 60.7



--More Windows Update/AV Product Problems

(May 22, 2019)

Microsoft is seeing a repeat of the anti-virus interaction problems that occurred with April's Patch Tuesday. The May updates for Windows 7 and Windows Server 2008 R2 are causing problems for users running certain Sophos and McAfee anti-virus products. Sophos alerted users about the "hang on boot" issue last week. Microsoft has confirmed that the May updates are causing "the system to have slow startup or become unresponsive at restart after installing this update."

Read more in:

ZDNet: Windows 7 patch warning: Antivirus clash causing PCs to freeze


Microsoft: May 14, 2019--KB4499164 (Monthly Rollup)



--TrickBot Infection Prompts School Closure in Ohio

(May 21, 2019)

Officials at Coventry Local School District in Ohio cancelled school on Monday, May 20 following a malware infection on the district's network. The district detected the TrickBot malware the previous week, but IT staff were unable to remediate the infection in time for school to resume on Monday. The FBI is helping with recovery efforts.

Read more in:

ZDNet: Ohio school sends students home because of Trickbot malware infection



--Senate Bill Would Require Warrants to Search US Citizens' Devices at Border

(May 22, 2019)

Two US Senators have introduced legislation that would require border agents to obtain a warrant to search US citizens' devices. Currently, border agents are free to look through travelers' devices without warrants; in 2018, they conducted more than 33,000 searches, seven times as many as in 2015. According to information uncovered in a lawsuit brought by the American Civil Liberties Union (ACLU), border agents can "search devices for general law enforcement purposes, such as investigating and enforcing bankruptcy, environmental, and consumer protection laws...; search and seize devices for the purpose of compiling 'risk assessments' or to advance pre-existing investigations...; and consider requests from other government agencies to search specific travelers' devices."

[Editor Comments]

[Neely] Currently CBP agents not only may search devices, but also may share that information with DHS without a warrant. Until the legislation passes, it remains best practice to allow your device to be searched rather than be refused entry or worse.

Read more in:

CNET: Senators propose bill requiring warrants to search devices at the border


ACLU: We Got U.S. Border Officials to Testify Under Oath. Here's What We Found Out.



--US Federal Election Commission Says Non-Profit Can Offer Cybersecurity Services to Campaigns

(May 21 & 23, 2019)

The US Federal Election Commission (FEC) has approved a request from Defending Digital Campaigns (DDC), a non-profit organization, to offer free and discounted election cybersecurity services to political campaigns. The FEC's advisory opinion notes the "highly unusual and serious threat" that foreign adversaries pose to US elections.  The FEC decided to allow the request due to "the unusual and exigent circumstances... and because of the demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees."

Read more in:



Dark Reading: FEC Gives Green Light for Free Cybersecurity Help in Federal Elections


Cyberscoop: FEC allows Harvard nonprofit to provide free cybersecurity services to campaigns





Setting Up Shodan Monitoring


Fingerprinting Smartphones with Gyroscope Data


RDP #bluekeep Signature For Snort/Suricata


Dangers of Custom URI Schemes


New Zero Day Exploits by SandboxEscaper


Signed Exploit Code


An Update on the Microsoft Windows RDP BlueKeep Vulnerability


Update on Physical Skimmer Market


Apple Supplemental Update For macOS 10.14.5


20% of Linux Docker Containers Without Password


Microsoft Releases Advanced Threat Protection for MacOS



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create