
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #74

September 20, 2019

SIM Swapping: Leaders in Protecting Customers; Shareholders Sue FedEx for NotPetya; Smart TVs are Watching the Watchers


SANS NewsBites                Sept. 20, 2019               Vol. 21, Num. 074




SIM Swapping: Some Providers Do More Than Others to Protect Customers

FedEx Shareholders File Complaint Alleging Company Was Not Transparent About Effect of NotPetya

Smart TVs are Watching the Watchers



More Details Released About Iowa Court System Penetration Test Confusion

Revived Emotet Botnet

Stolen Computers in Georgia Contain Voter Information

Scotiabank's Unprotected GitHub Repositories Exposed Sensitive Information

Hacking Group Targeting IT Providers in Saudi Arabia

Data Analytics CEO Arrested After Ecuador Citizens Data Exposed

Prison Sentence for Man Who Arranged Kansas Swatting Attack








--SIM Swapping: Some Providers Do More Than Others to Protect Customers

(September 19, 2019)

According to a report from Vice, Verizon monitors IMEI (International Mobile Equipment Identity) changes; if a customer's phone number is activated on a new device with a different SIM card, Verizon cuts off service to both devices until the customer verifies the change. Sprint, AT&T, and T-Mobile do not appear to have similar monitoring programs. T-Mobile has a feature called NOPORT that is available for some devices, but the company does not advertise or promote the feature.   

[Editor Comments]

[Pescatore] Good reason to look at switching to Verizon the next time your mobile phone contract is up. Market forces can help drive the carriers to compete on security/privacy features. Since they all offer the same phones and the same services, they can only compete on pricing - I'll pay a bit more for "clean mobile pipes," harder to compromise device management, etc.

[Ullrich] Be careful what you ask for. You will likely have to pay a "sim swap fee" if you need to call your carrier whenever you insert a SIM into a different phone, like the current $30 "upgrade fee" being charged (that is usually easily avoided by just swapping SIMs).

[Murray] Anyone who has ever lost or broken a phone knows that the service providers do not make the remedies easy. That said, the training of provisioning personnel to "where possible, accommodate the customer," makes them vulnerable to "social engineering." The most powerful mechanism that we have for resisting fraudulent changes to "names and addresses" is to confirm the changes in and out of band to both the old and new addresses.

Read more in:

Vice: Verizon Makes SIM Swapping Hard. Why Doesn't AT&T, Sprint, and T-Mobile?


--FedEx Shareholders File Complaint Alleging Company Was Not Transparent About Effect of NotPetya

(September 19, 2019)

FedEx shareholders have filed a complaint against the company, alleging that executives withheld information about the extent of losses incurred as a result of the June 2017 NotPetya attack on the company's European subsidiary, TNT Express. The complaint also alleges that executives sold off shares in the company before disclosing details of the incident. The complaint alleges that FedEx and its executives made "materially false and misleading statements" about the attack's impact.

Read more in:

The Register: FedEx execs: We had no idea cyberattack would be so bad. Investors: Is that why you sold $40m+ of your own shares?

Reg Media: Verified Stockholder Derivative Complaint (PDF)


--Smart TVs are Watching the Watchers

(September 18 & 19, 2019)

In two separate studies, university researchers have found that smart TVs are collecting data about users' viewing habits and sending the information back to companies like Google and Facebook. Researchers from Princeton University and the University of Chicago examined the tracking conducted by Roku and Amazon devices. Researchers from Northeastern University and Imperial College London looked at a broader range of devices.  

[Editor Comments]

[Murray] According to the reports, not only is there no attempt to anonymize the data, unique identifiers like serial numbers and MAC addresses are "hoarded." Not only is the data not used only in the aggregate, it is explicitly used to target the users.  

[Neely] Until required disclosure, privacy, and opt-out requirements are mandated, there are a limited number of options to mitigate this behavior. While not always practical, consider not connecting the Smart TV to the network if you're not streaming content or using those capabilities. Enabling options in the Smart TV, or streaming devices, to limit ad tracking reduces this behavior by up to 50%. In-line solutions that blackhole or otherwise block advertising domains are required to obtain added success. Some home routers now include this capability.

Read more in:

Princeton: Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices

Moniotrlab: Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach

Wired: On Roku and Amazon Fire TV, Channels Are Watching You

ZDNet: Smart TVs send user data to tech heavyweights including Facebook, Google, Netflix

Threatpost: Smart TVs, Subscription Services Leak Data to Facebook, Google

Ars Technica: Facebook and Google have ad trackers on your streaming TV, studies find





--More Details Released About Iowa Court System Penetration Test Confusion

(September 18 & 19, 2019)

The two people arrested for breaking into the Dallas County courthouse in Adel, Iowa, are out of jail, but the confusion about the penetration test they were hired to conduct has not yet been resolved. The state of Iowa hired a company called Coalfire to conduct IT penetration tests against its court systems. The people who were arrested decided to try to break into a courthouse and see if they could gain physical access to court systems. The Iowa Judicial Branch has released redacted documents pertaining to the agreement that led to the September 11 arrests.

[Editor Comments]

[Ullrich] This looks more and more like confusion between different agencies and not so much like anything the penetration testers did wrong. If there is a lesson at this point: Make sure to contact different subsidiaries before you conduct a test to make sure they are aware and that the agency or the individual that signed the contract had the authority to give you permission.

[Murray] One is reminded of the 1992 movie "Sneakers" that suggested that "break-ins" are what security people do. In fact, penetration testing, "social engineering," and physical intrusion are separate activities and should not be combined. (Personally and professionally, I practice "defensive" consulting, designed to protect me from even the appearance of malpractice. As part of my defense, I do not engage in covert activities.)  

Read more in:

Iowa Courts: State Court Administration Statement

The Register: Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up

Ars Technica: Iowa officials claim confusion over scope led to arrest of pen-testers


--Revived Emotet Botnet

(September 16, 18, & 19, 2019)

The Emotet Botnet is once again sending out malware-laden spam after several months of inactivity. Emotet is sending spam, as it did before, but instead of spreading just a banking Trojan, it also spreads ransomware, information stealers, and other types of malware. The revived Emotet is ramping up the use of its stolen email trick, which involves accessing older messages and replying to them, even quoting content from the real message.

Read more in:

Threatpost: Emotet Returns from Summer Vacation, Ramps Up Stolen Email Tactic

Bleeping Computer: Emotet Trojan Evolves Since Being Reawakend, Here is What We Know

ZDNet: Emotet, today's most dangerous botnet, comes back to life


--Stolen Computers in Georgia Contain Voter Information

(September 18, 2019)

Two computers taken from a recreation center in Atlanta, Georgia contain personally identifiable information for every voter in the state. The computers, which were to be used to check voters in for a local special election, were in a locked case. The Fulton County election director says that the stolen computers do not connect to the Internet.

Read more in:

Govtech: Stolen Computers in Atlanta Hold Statewide Voter Data


--Scotiabank's Unprotected GitHub Repositories Exposed Sensitive Information

(September 18 & 19, 2019)

Toronto-based Scotiabank is scrambling to take down or hide unprotected public GitHub repositories containing sensitive information, including "software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances."

[Editor Comments]

[Neely] A perennial advantage of source code repositories is they capture all the information associated with your project including credentials embedded within the file tree or configuration files, which facilitate deployment actions. Excluding credential information, private keys, and passwords has been a challenge in the past to prevent production deployments from connecting to development; with those code repositories being internet facing and accessible, ensuring this information is not included in the commit is critical. Additionally, make sure that you follow the security practices for your code repository, including access controls, logging, code signing, and permission management.

Read more in:

The Register: Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet

IT World Canada: Scotiabank source code, credentials found open on GitHub: news report


--Hacking Group Targeting IT Providers in Saudi Arabia

(September 18, 2019)

Researchers from Symantec say that a group of hackers have been targeting IT providers in Saudi Arabia with supply chain attacks with the ultimate goal of infecting certain customers' networks. Symantec has named the hacking group Tortoiseshell; it has been active for more than 14 months.  

Read more in:

Symantec: Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks

Dark Reading: Saudi IT Providers Hit in Cyber Espionage Operation

Ars Technica: Advanced hackers are infecting IT providers in hopes of hitting their customers

Cyberscoop: A persistent group of hackers has been hitting Saudi IT providers, Symantec says

Bleeping Computer: New TortoiseShell Group Hacks 11 IT Providers to Reach Their Customers

Infosecurity Magazine: New Attack Group Targets Saudi IT Providers


--Data Analytics CEO Arrested After Ecuador Citizens Data Exposed

(September 17, 2019)

Authorities in Ecuador have arrested the head of a data analytics firm after the company, Novaestrat, inadvertently left personal details about the majority of Ecuador's population accessible on the Internet. The data were on an Elasticsearch server that was not protected with a password. Officials said that Novaestrat was not authorized to have all the information it had. The company and its executives are being investigated "on charges of violation of privacy and dissemination of personal information without authorization."

[Editor Comments]

[Neely] Ecuador is enacting new privacy laws to prevent recurrence. While the authorization for the data may have come from a prior administration, verification of the continued right to that data was missed. In addition, verification of access controls around external data sources needs to be part of your continuous monitoring program. The time to enact privacy laws, including requirements on security and access revocation, is before the entire populace's data is exposed.

Read more in:

ZDNet: Arrest made in Ecuador's massive data breach


--Prison Sentence for Man Who Arranged Kansas Swatting Attack

(September 17, 2019)

Casey Viner has been sentenced to 15 months in prison for arranging the December 2017 swatting attack that resulted in the death of an innocent person. Viner had been arguing with another individual regarding an online game, and contacted Tyler Barriss, asking him to conduct the attack. The address Viner provided was incorrect. Barriss was sentenced to 20 years in prison earlier this year.

Read more in:

KrebsOnSecurity: Man Who Hired Deadly Swatting Gets 15 Months

Ars Technica: Instigator of fatal Kansas swatting receives prison sentence



Investigating Gaps in Windows Event Logs

Analyzing a Current Emotet Sample

Agent Tesla

SOHOpelessly Broken 2

HP Printer Privacy

Windows Defender "Scan Now" Failed Bug Fix

New CWE Top 25 Released

QEMU Vulnerability

VMWare Vulnerability

SAMBA 4.11 Released

GitHub Security Updates

Apple Updates


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit