

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #13

February 14, 2020

Census Bureau Security Concerns; Microsoft's Fix for Zero-day Flaw in Internet Explorer; Adobe's 42 New Flaws


SANS NewsBites              February 14, 2020              Vol. 22, Num. 013




  GAO Report Enumerates Census Bureau Security Concerns

  Microsoft's February Updates Include Fix for Zero-day Flaw in Internet Explorer

  Adobe February Updates


  US and German Intel Agencies Owned Controlling Stake in Swiss Encryption Device Maker

  US Justice Department Charges Huawei with Racketeering and Conspiracy

  Mozilla Updates

  Fix Available for Critical Flaw in GDPR Cookie Consent WordPress Plugin

  Malicious Extensions Pulled from Google Chrome Store

  MIT Researchers Detail Mobile Voting App's Flaws

  xHelper Android Malware is Vexingly Persistent

  Car Mobile Apps Not Always Reset After Vehicles Are Rented or Resold

  Mobile World Congress Tech Show Cancelled Over Coronavirus Worries

  Ransomware Targets Texas City and School District

  Florida County Election System Infected with Ransomware in 2016

  North Miami Beach Police Systems Hit with Ransomware


**********************  Sponsored By Cisco Systems  *************************

The Security Bottom. When organizations have dozens of security products and still get breached, it begs the question: How much security is enough? How many products does an organization need? How much should be spent on security? We aim to answer these questions through a double-blind survey of security professionals, along with expert commentary.







--GAO Report Enumerates Census Bureau Security Concerns

(February 12 & 13, 2020)

A Government Accountability Office (GAO) report on the Census Bureau's preparedness found that the bureau is lagging on some of its goals, including IT system implementation and cybersecurity issues. The report says that the bureau has not met its goal of ensuring that its self-response site can support up to 600,000 users at a time. GAO also notes that the bureau needs to fix cybersecurity issues "in a timely manner," implement DHS recommendations, and ensure that the privacy of those responding is protected.

Read more in:

FNN: House members fear Census IT 'debacle' similar to Iowa caucus fiasco

The Hill: Lawmakers grill Census Bureau officials after report on cybersecurity issues

GAO: 2020 Census: Initial Enumeration Underway but Readiness for Upcoming Operations Is Mixed


--Microsoft's February Updates Include Fix for Zero-day Flaw in Internet Explorer

(February 11 & 13, 2020)

Microsoft's monthly security updates include fixes for 99 vulnerabilities in multiple products. Twelve of the flaws are rated critical; one of those, a remote code execution vulnerability in the Internet Explorer scripting engine (CVE-2020-0674), is being actively exploited. Microsoft disclosed the IE vulnerability in a January advisory that offered only a workaround (restricting access to jscript.dll); a patch was not available until this week's release.

Read more in:

KrebsOnSecurity: Microsoft Patch Tuesday, February 2020 Edition

ZDNet: Microsoft's February 2020 Patch Tuesday fixes 99 security bugs

Threatpost: Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches

MSRC: CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability

MSRC: Security Update Summary
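A release of this size (99 CVEs, 12 critical, one exploited) is easier to triage from Microsoft's machine-readable CVRF feed than from the summary page. The script below is an added example, not code from SANS or Microsoft: it reads a CVRF document, reports the worst severity and CVSS score per CVE, and sorts exploited and publicly disclosed entries to the top. The three-entry sample document is constructed; only CVE-2020-0674's status (critical, exploited, publicly disclosed) is taken from the advisory above, and the other two entries' fields are illustrative. The Threat "Type" codes (0 impact, 1 exploit status, 3 severity) and the Accept header are assumptions about the public feed and should be checked against a live document.

```python
"""Triage a Microsoft CVRF (Patch Tuesday) document: which CVEs are Critical,
which are already exploited, which are publicly disclosed.

Added example, not SANS or Microsoft code. SAMPLE_CVRF is constructed; the
Threat 'Type' codes and Accept header are assumed from the public feed.
"""
import json
import urllib.request

MSRC_CVRF = "https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/"
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def _entry(cve, title, impact, exploit_status, severity, score):
    """Build one Vulnerability record in the CVRF JSON layout (assumed layout)."""
    return {
        "CVE": cve,
        "Title": {"Value": title},
        "Threats": [
            {"Type": 0, "Description": {"Value": impact}},          # impact
            {"Type": 1, "Description": {"Value": exploit_status}},  # exploit status
            {"Type": 3, "Description": {"Value": severity}},        # severity
        ],
        "CVSSScoreSets": [{"BaseScore": score}],
    }


# Constructed miniature; the real February 2020 document has 99 entries.
SAMPLE_CVRF = {
    "DocumentTitle": {"Value": "February 2020 Security Updates"},
    "Vulnerability": [
        _entry("CVE-2020-0674", "Scripting Engine Memory Corruption Vulnerability",
               "Remote Code Execution",
               "Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected",
               "Critical", 7.5),
        _entry("CVE-2020-0681", "Remote Desktop Client Remote Code Execution Vulnerability",
               "Remote Code Execution",
               "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely",
               "Critical", 7.5),
        _entry("CVE-2020-0688", "Microsoft Exchange Memory Corruption Vulnerability",
               "Remote Code Execution",
               "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely",
               "Important", 8.8),
    ],
}


def parse_exploit_status(text):
    """'Publicly Disclosed:Yes;Exploited:Yes;...' -> {'Publicly Disclosed': 'Yes', ...}"""
    pairs = (part.split(":", 1) for part in text.split(";") if ":" in part)
    return {key.strip(): value.strip() for key, value in pairs}


def triage_vulnerability(vuln):
    """Collapse a Vulnerability record into one row; worst severity across products wins."""
    impact, severity, exploited, disclosed = None, None, False, False
    for threat in vuln.get("Threats", []):
        text = threat.get("Description", {}).get("Value", "")
        kind = threat.get("Type")
        if kind == 0:
            impact = text
        elif kind == 1:
            flags = parse_exploit_status(text)
            exploited = exploited or flags.get("Exploited") == "Yes"
            disclosed = disclosed or flags.get("Publicly Disclosed") == "Yes"
        elif kind == 3 and SEVERITY_RANK.get(text, -1) > SEVERITY_RANK.get(severity, -1):
            severity = text
    score = max((s.get("BaseScore", 0.0) for s in vuln.get("CVSSScoreSets", [])), default=0.0)
    return {"cve": vuln.get("CVE"), "title": vuln.get("Title", {}).get("Value", ""),
            "impact": impact, "severity": severity, "exploited": exploited,
            "disclosed": disclosed, "cvss": score}


def triage(doc):
    """All rows, exploited first, then publicly disclosed, then severity, then CVSS."""
    rows = [triage_vulnerability(v) for v in doc.get("Vulnerability", [])]
    rows.sort(key=lambda r: (r["exploited"], r["disclosed"],
                             SEVERITY_RANK.get(r["severity"], -1), r["cvss"]), reverse=True)
    return rows


def summarize(doc):
    """Counts a patch manager wants at a glance."""
    rows = triage(doc)
    return {"total": len(rows),
            "critical": sum(r["severity"] == "Critical" for r in rows),
            "exploited": [r["cve"] for r in rows if r["exploited"]],
            "disclosed": [r["cve"] for r in rows if r["disclosed"]]}


def fetch_cvrf(release):
    """Download a live release such as '2020-Feb'; without the Accept header the API returns XML."""
    req = urllib.request.Request(MSRC_CVRF + release, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for r in triage(SAMPLE_CVRF):
        print(f"{r['cve']:<14} {str(r['severity']):<9} {r['cvss']:<4} "
              f"exploited={str(r['exploited']):<5} {r['title']}")
    print(summarize(SAMPLE_CVRF))
```

Replace `SAMPLE_CVRF` with `fetch_cvrf("2020-Feb")` to run it against the real release; the same ordering puts CVE-2020-0674 at the top of the 99.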


--Adobe February Updates

(February 11 & 12, 2020)

Adobe's security updates for February include fixes for 42 vulnerabilities in multiple products. The updates address 21 critical issues in Framemaker and 12 critical flaws in Reader and Acrobat. The updates also fix critical flaws in Flash Player and Experience Manager.   

[Editor Comments]

[Pescatore] Hey, Adobe and McAfee - it has been at least 8 years since Adobe patches started trying to trick users into installing McAfee software. That practice continues to make both companies look cheap and sleazy - imagine if Ford said, "Every time a Ford car has a defect that requires a recall, we will try to trick you into turning on a satellite radio service." Is whatever revenue flows on this deal really worth it???

[Neely] Remember the Flash Player EOL date is 12/31/20, so we're not yet done patching it. The Adobe Creative Cloud application keeps that suite of applications updated, augmenting the enterprise capabilities. Even so, scanning to make sure they are applied is prudent.

[Murray] Tens last month, tens this month, likely tens next month.  How deep must the reservoirs be?

Read more in:

SC Magazine: Adobe Patch Tuesday: Critical vulnerabilities in Flash Player, Framemaker patched

ZDNet: Adobe squashes 35 critical vulnerabilities in security patch update

Threatpost: Adobe Addresses Critical Flash, Framemaker Flaws

Bleeping Computer: Adobe Releases the February 2020 Security Updates

Adobe: Security Updates Available for Adobe Framemaker | APSB20-04

Adobe: Security update available for Adobe Acrobat and Reader | APSB20-05



--US and German Intel Agencies Owned Controlling Stake in Swiss Encryption Device Maker

(February 11 & 13, 2020)

According to reports in the US, German, and Swiss press, between 1970 and 1993, the US and West German intelligence agencies were secret majority owners of Crypto AG, a Swiss company that made encryption devices. The reports say that the agencies were able to control aspects of Crypto AG's business, including manipulating algorithms used in the company's devices so that the agencies could easily decrypt foreign adversaries' communications. Crypto AG customers included more than 130 national governments. Germany withdrew from the arrangement in 1993; US intelligence bought its stake and remained in control until it sold off Crypto AG's assets in 2018. The controlling partnership was shielded behind a trust company in Liechtenstein. Bruce Schneier points out that while the story itself is not news, "what is new is the formerly classified documents describing the details" of how the agencies were able to exploit their access to supposedly encrypted information.

[Editor Comments]

[Pescatore] As the article points out, this was no longer a secret by the early 1990s, but Crypto AG products were still used by many who weren't paying attention to relatively low visibility reports. Today, every piece of software used by businesses (especially mobile applications) is a potential "Crypto AG" scenario. Supply chain security has to focus on risk assessment and testing of products and services in use, not just country of origin.

Read more in:

Washington Post: 'The intelligence coup of the century'

ZDF: "Operation 'Rubicon'" #Cryptoleaks: How BND and CIA Deceived Everyone (in German)

SRF: worldwide espionage operation with Swiss company uncovered (in German)

Schneier: Crypto AG Was Owned by the CIA

The Register: Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

GovInfosecurity: CIA Secretly Owned Swiss Encryption Firm for Years: Reports


--US Justice Department Charges Huawei with Racketeering and Conspiracy

(February 13, 2020)

The US Department of Justice (DoJ) has returned a superseding indictment, charging China's Huawei Technologies with racketeering and conspiracy to steal trade secrets. The defendants named in the indictment include Huawei and four subsidiaries. The indictment includes examples of Huawei's alleged theft of intellectual property from US companies.   

[Editor Comments]

[Pescatore] Like the Crypto AG item, this is also another "old news" item. Back in 2003 Cisco went public with intellectual property theft claims against Huawei and later settled a lawsuit. Trade wars between countries raise the press visibility of these issues, but the supply chain risk doesn't change - accurate assessments and monitoring are needed.

[Murray] In his recent book, Hamilton, the author Ron Chernow noted that the US became an industrial power, in part, by stealing intellectual property and suborning talent from England. While free trade is the preferred way to redress inequities among nations, theft of IP is to be preferred to armed conflict.  

Read more in:

Cyberscoop: U.S. charges Huawei with conspiracy to steal trade secrets, racketeering

ZDNet: US charges Huawei with racketeering and conspiracy to steal trade secrets

Washington Post: U.S. charges China's Huawei with racketeering and conspiracy to steal U.S. trade secrets in new indictment

Justice: Chinese Telecommunications Conglomerate Huawei and Subsidiaries Charged in Racketeering Conspiracy and Conspiracy to Steal Trade Secrets


--Mozilla Updates

(February 11 & 12, 2020)

Mozilla has released updated versions of Firefox, Firefox ESR, and Thunderbird. Firefox 73 includes fixes for six vulnerabilities; Firefox ESR 68.5 includes fixes for five vulnerabilities; and Thunderbird 68.5 includes fixes for four vulnerabilities.


[Editor Comments]

[Neely] Your enterprise may already be pushing out these updates. If not, leverage slipstreaming them in with the February Microsoft and Adobe updates you're already deploying.

Read more in:

Mozilla: Mozilla Foundation Security Advisory 2020-05: Security Vulnerabilities fixed in Firefox 73

SC Magazine: Mozilla issues patches for Firefox 73, Firefox ESR 68.5 and Thunderbird 68.5

Threatpost: Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs


--Fix Available for Critical Flaw in GDPR Cookie Consent WordPress Plugin

(February 12 & 13, 2020)

The developers of the GDPR Cookie Consent plugin for WordPress have released an updated version to address a critical flaw. The vulnerability, an improper access control issue in one of the plugin's AJAX handlers, could be exploited by any logged-in user, even one with subscriber-level privileges, to alter website content or to inject malicious JavaScript. As its name suggests, the plugin is designed to help websites comply with the EU's General Data Protection Regulation (GDPR); it is estimated to be in use on more than 700,000 websites.

[Editor Comments]

[Neely] While your WordPress site will detect out-of-date plugins, updating them automatically requires additional software or a plugin. If you're manually checking and updating, put a reminder on your calendar; don't wait to find out you have a problem the hard way.

Read more in:

ZDNet: Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent

Bleeping Computer: WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users

Portswigger: Oh crumbs - Security flaw in WordPress GDPR cookie plugin left 700,000 sites open to abuse

Threatpost: Critical WordPress Plugin Bug Afflicts 700K Sites


--Malicious Extensions Pulled from Google Chrome Store

(February 13, 2020)

Google has pulled more than 500 malicious extensions from the Chrome Web Store after researcher Jamila Kaya and Duo Security identified them as part of a single fraud network. The extensions redirected users to potentially malicious sites and harvested users' personal information.

[Editor Comments]

[Neely] If you have one of these extensions installed, it will automatically be disabled and marked as malicious. Extensions so marked should be uninstalled.

Read more in:

Duo: Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

ZDNet: Google removes 500+ malicious Chrome extensions from the Web Store

Duo: Extensive Fraud Network Found Using Malicious Chrome Extensions


--MIT Researchers Detail Mobile Voting App's Flaws

(February 13, 2020)

In a paper released earlier this week, researchers from the Massachusetts Institute of Technology (MIT) say that the Voatz mobile voting app, which has been used in several US states to allow voters overseas to cast their ballots, contains worrisome security shortcomings. The flaws could be exploited to see data being transmitted from the app, to alter users' votes, and to impersonate a user's mobile phone. In addition, Voatz does not use blockchain to secure votes in the way its makers say it does. Voatz responded to the paper's findings, noting in a blog post that the researchers based their conclusions on an outdated version of the app and that the researchers did not connect to the Voatz servers.

Read more in:

Internet Policy (MIT): The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections (PDF)

Voatz: Voatz Response to Researchers' Flawed Report

Vice: 'Sloppy' Mobile Voting App Used in Four States Has 'Elementary' Security Flaws

ZDNet: MIT researchers disclose vulnerabilities in Voatz mobile voting election app

The Verge: Blockchain voting app is dangerously vulnerable, researchers say

Statescoop: MIT researchers find vulnerabilities in Voatz mobile voting app

Wired: Voting App Flaws Could Have Let Hackers Manipulate Results


--xHelper Android Malware is Vexingly Persistent

(February 12 & 13, 2020)

Android malware known as xHelper reinfects devices even after factory resets. The malware dropper Trojan was first noticed last spring. Theories that the reinfections came from pre-installed malware or from the Google Play store were disproven. Researchers at Malwarebytes, along with a savvy Android user, discovered that the reinfection came from folders that were not removed even after a factory reset. Malwarebytes has instructions for removing the folders.   

[Editor Comments]

[Neely] In short, the malware dropper hangs out in hidden directories that are not removed during a factory wipe and leverages Google Play to reinstall itself. The Malwarebytes article has steps for finding and removing the files. As the dropper uninstalls itself after setting up the processes for installing the malware, your MDM is unlikely to detect it.

[Murray] It seems unlikely that most, or even many, Android users will even know about xHelper, much less do anything about it. One accepts that geeks can manage the security of Android devices. One should not give them to children, the elderly, or the otherwise naive.  

Read more in:

Ars Technica: Nasty Android malware reinfects its targets, and no one knows how

Malwarebytes: Android Trojan xHelper uses persistent re-infection tactics: here's how to remove


--Car Mobile Apps Not Always Reset After Vehicles Are Rented or Resold

(February 5 & 12, 2020)

A man who leased a car from Ford between 2013 and 2016 discovered that he still had access to the vehicle's controls through the mobile app more than three years later. Another man has twice rented cars and found that he could still access the controls for the vehicles months after he had returned them.

[Editor Comments]

[Pescatore] The same is true for many of those smart TVs in hotels, but especially in Airbnbs and other consumer grade lodging that employees and executives might be using on travel. Good to use this item as an updated warning in awareness campaigns.

[Neely] When selling or turning in your personal vehicle, it is prudent to factory reset the mobile apps, including any phonebook information which has been downloaded. When purchasing a vehicle, make sure you are the only one with access to the online management features, which may require dealer support to verify. Current rental car agreements also advise consumers to reset the information prior to turning in the vehicle. In any case, it's prudent to make sure the vehicle doesn't contain prior data before connecting your devices.

Read more in:

KrebsOnSecurity: When Your Used Car is a Little Too 'Mobile'

Ars Technica: Rental cars can be remotely started, tracked, and more after customers return them


--Mobile World Congress Tech Show Cancelled Over Coronavirus Worries

(February 12 & 13, 2020)

The Mobile World Congress tech show, which was scheduled to be held February 24-27 in Barcelona, Spain, has been cancelled due to concerns about the coronavirus. The decision to cancel the conference was made after a number of high-profile vendors announced they would not attend.

Read more in:

Ars Technica: Mobile World Congress canceled due to coronavirus [Updated]

BBC: MWC 2020: Smartphone showcase cancelled over coronavirus fears

BBC: MWC phone show cancellation a 'nightmare' for firms


--Ransomware Targets Texas City and School District

(February 13, 2020)

A city and school district in Texas have been hit with ransomware. Computers belonging to the city of Garrison became infected on February 10; Garrison's mayor says the city has recovered from the attack and is operating as usual as of February 13. Computers at the Nacogdoches Independent School District became infected on February 11; the district is still working to recover access to its data. The city and the school district are about 20 miles apart and do not share a computer system. Officials are investigating whether the two attacks are related.

Read more in:

SC Magazine: Texas attack: Garrison, Nacogdoches schools hit with ransomware


--Florida County Election System Infected with Ransomware in 2016

(February 12, 2020)

Palm Beach County (Florida) election supervisor Wendy Sartory Link said that computers at the county's election office became infected with ransomware shortly before the 2016 US general election. Link, who became election supervisor in January 2019, learned of the incident during a conversation with the office's acting IT director.

Read more in:

Palm Beach Post: EXCLUSIVE: PBC elections office hit by ransomware before 2016 election

NPR: Key Florida Elections Office Endured Cyberattack Ahead of 2016 Election

ZDNet: Florida county election office hit by ransomware before 2016 presidential election


--North Miami Beach Police Systems Hit with Ransomware

(February 8 & 11, 2020)

Hackers have targeted computers belonging to the North Miami Beach (Florida) Police Department with ransomware. The police department's IT staff shut down affected machines to curtail the malware's spread and have alerted the FBI and the Secret Service.   

[Editor Comments]

[Murray] Remember that, while the decision as to how to deal with a "ransomware" attack is a business decision, ensuring that the decision is made prior to the attack is a responsibility of security staff.

Read more in:

Miami Herald: Another city hit by ransomware attack. This time the police department is the target.

Cyware: Ransomware Actors Targets Police Department in Miami, Demand Millions in Ransom




Microsoft Patch Tuesday

Adobe Patches

Malspam Pushes Ursnif

Changes to Microsoft LDAP/AD and How to Cope with Them

Ransomware Abuses Out of Date Driver

SweynTooth BLE Vulnerabilities

Safe Documents in Office 365 Advanced Threat Protection

Wordpress GDPR Cookie Consent Plugin Vulnerability

Apple Joins Fido Alliance

Symantec Endpoint Protection Multiple Issues

DNSSEC Root Key Signing Ceremony Delayed


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit