SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #40
May 21, 2019The Story Behind the U.S. Conflict with Huawei
****************************************************************************
SANS NewsBites May 21, 2019 Vol. 21, Num. 040
****************************************************************************
TOP OF THE NEWS
The Story Behind The U.S. Conflict with Huawei
REST OF THE WEEK'S NEWS
Windows 10 Update Causes Some Systems to Freeze
Microsoft Updates Causing Problems for Some Machines Running Sophos AV
Boeing Corrects 737 Max Flight Simulators
Slack Patches Vulnerability in Windows Desktop Version
Baltimore Still Working to Recover from Ransomware
Huawei Gets a Temporary Reprieve from Commerce Department
Google Will Restrict Huawei's Access to Android Updates
Add Phone Number to Google for Security
Former CIA Officer Sentenced for Espionage
Former Australian Government Contractor Allegedly Used Agency System for Cryptomining
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- SANS OnDemand and vLive Training
Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk **************************
A SIEM solution is like a radar system. Without one, IT is flying blind and organizations are vulnerable to cyberthreats. But a cloud-based SIEM solution could add even more benefits to an organization's security defenses. Download Take Your SIEM to the Cloud to learn how to improve your security posture using a cloud-based SIEM. http://www.sans.org/info/212850
*****************************************************************************
TOP OF THE NEWS
--The Story Behind The U.S. Conflict with Huawei
(May 21, 2019)
Today's in-depth Reuters story provides detailed background on the U.S. fight with Huawei.
Read more in:
Reuters: Hobbling Huawei: Inside the U.S. war on China's tech giant
https://uk.reuters.com/investigates/special-report/huawei-usa-campaign/
**************************** SPONSORED LINKS ******************************
1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212855
2) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA - June 3-4 http://www.sans.org/info/212860
3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212865
*****************************************************************************
REST OF THE WEEK'S NEWS
--Windows 10 Update Causes Some Systems to Freeze
(May 17 & 20, 2019)
A problem with a recent update for Windows 10 has caused some systems to freeze after users try to run the System Restore feature. Microsoft has made workarounds for the issue available. The issue lies in the way different versions of Windows .sys drivers are restored during reboot.
[Editor Comments]
[Murray] Automatic updates are good for the population of systems but a small risk for individual systems. Most users and applications can rely upon the defaults. If yours is not one of these, turn off auto updates: https://www.pcworld.com/article/3085136/two-ways-to-control-or-stop-windows-10-updates.html. The ability to work with almost any device is both a feature and a vulnerability of Windows. Most "blue screen(s) of death" are caused by third-party device drivers. Apple achieves a more stable and manageable platform by supporting a very short list of devices. Choose.
Read more in:
Microsoft: You cannot restore the system to a restore point after you install a Windows 10 update
Threatpost: Windows 10 Update Bricks PCs, Microsoft Offers Workarounds
https://threatpost.com/windows-10-update-bricks-pcs/144897/
--Microsoft Updates Causing Problems for Some Machines Running Sophos AV
(May 20, 2019)
Sophos is warning users that a patch Microsoft released last week as part of its monthly update is causing machines running Windows 7 and Windows Server 2008 R2 along with certain Sophos AV products to hang on reboot. Sophos is advising affected customers to uninstall the Microsoft update in Safe Mode.
Read more in:
The Register: Sophos tells users to roll back Microsoft's Patch Tuesday run if they want PC to boot
https://www.theregister.co.uk/2019/05/20/sophos_microsoft_patch_tuesday_boot_hang/
Sophos: Following the Microsoft Windows 14th May update some machines hang on boot
https://community.sophos.com/kb/en-us/134117
--Boeing Corrects 737 Max Flight Simulators
(May 17 & 20, 2019)
Boeing has made changes to the flight simulators for its Boeing 737 Max aircraft after learning that existing simulators did not accurately convey the difficulty of regaining control of aircraft when the anti-stall system malfunctions as it did in the Lion Air and Ethiopian Airlines crashes. Boeing says it "made corrections to the 737 MAX simulator software and has provided additional information to device operators to ensure that the simulator experience is representative across different flight conditions."
[Editor Comments]
[Neely] When the 737 Max 8 with MACS was released, the goal was to create "just another 737" without certification as a new aircraft or significant pilot training. Additionally the MACS software didn't undergo the same assessment as the plane. The identified shortfalls in MACS have reportedly been fixed, and the simulator now matches the software behavior. Now comes the verification and acceptance testing for this critical safety system.
[Pescatore] The analog of this is use cases and playbooks that need to be updated, not just because of new threat information but because of business process changes: new supply chain partners, new applications, changes in access, etc.
Read more in:
The Register: Boeing admits 737 Max sims didn't accurately reproduce what flying without MCAS was like
https://www.theregister.co.uk/2019/05/20/737_max_flight_simulators_not_accurate_report/
NYT: Boeing 737 Max Simulators Are in High Demand. They Are Flawed.
https://www.nytimes.com/2019/05/17/business/boeing-737-max-simulators.html
--Slack Patches Vulnerability in Windows Desktop Version
(May 17 & 20, 2019)
Slack developers have released a security update for Slack Desktop version 3.3.7 for Windows to address a flaw that could be exploited to hijack downloaded documents. The download path for files shared in Slack channel could be altered through a maliciously-crafted hyperlink. The issue is fixed in version 3.4.0.
[Editor Comments]
[Neely] While the vulnerability is somewhat tricky to exploit, the change could be used to setup a network path for not only data exfiltration, but also access to malware that bypasses perimeter protections. Version 3.4.0 was released April 18th, 3.4.1 was released May 3rd.
Read more in:
Tenable: Stealing Downloads from Slack Users
https://medium.com/tenable-techblog/stealing-downloads-from-slack-users-be6829a55f63
SC Magazine: Slack patches flaw that could allow attackers to hijack downloaded documents
Ars Technica: Slack patches vulnerability in Windows client that could be used to hijack files
Threatpost: Slack Bug Allows Remote File Hijacking, Malware Injection
https://threatpost.com/slack-remote-file-hijacking-malware/144871/
InfoSecurity Magazine: Download Hijack Flaw Patched in Slack Patches for Windows
https://www.infosecurity-magazine.com/news/download-hijack-flaw-patched-in/
--Baltimore Still Working to Recover from Ransomware
(May 17 & 20, 2019)
Baltimore, Maryland's city council has established the Committee on Cybersecurity and Emergency Preparedness to examine the city's response to a ransomware attack that started on May 7. The city is still struggling to recover from the attack. Some utility bills cannot be paid, and real estate transactions cannot be completed; manual alternatives are being set up.
[Editor Comments]
[Murray] The vulnerability exploited by all ransomware is default "read/write" access. Given this default, we are lucky that we are not seeing more misleading modification of data, rather than simply denial of access. It is essential to move to a new default, "read-only/execute-only." Forty years ago we expected that this would be the default; convenience trumped security. Now it is long overdue. Since this policy change will not resist all data modification, we must still think strong authentication, process-to-process isolation, reliable access control (enterprise data only on servers where access control is reliable), and back-up with fast recovery. Finally, planning for compromise, early detection, and remediation, must now be a continuous activity with frequent drills. "A plan is not a document that one takes out and reads while sitting in the ashes. Rather it is a capability, the ability to do something in its presence that you cannot do in it absence." "Anything worthy of being called a plan will say who will do what and when they will do it."
Read more in:
Ars Technica: Baltimore ransomware nightmare could last weeks more, with big consequences
SC Magazine: Baltimore city council forms committee to examine ransomware attack response
GovTech: Special Committee to Form Following Baltimore Cyberattack
https://www.govtech.com/security/Special-Committee-to-Form-Following-Baltimore-Cyberattack.html
--Huawei Gets a Temporary Reprieve from Commerce Department
(May 20, 2019)
Less than a week after the US Commerce Department said it plans to add Huawei to its "Entity List," which places restrictions on the use of a company's technology in the US, the Commerce Department has granted a temporary general license to allow Huawei to maintain support for its existing products. The license is effective from Monday, May 20 through Monday, August 19, and covers Huawei handsets that were available to the public on or before May 16, 2019.
Read more in:
ZDNet: US grants temporary license for Huawei to support products
https://www.zdnet.com/article/us-grants-temporary-license-for-huawei-to-support-products/
Commerce: Department of Commerce Announces the Addition of Huawei Technologies Co. Ltd. to the Entity List
CNET: The Huawei controversy: Everything you need to know
https://www.cnet.com/news/the-huawei-controversy-everything-you-need-to-know/
--Google Will Restrict Huawei's Access to Android Updates
(May 20, 2019)
Following last week's White House executive order effectively banning the use of Huawei products, Google has said that it will restrict Huawei's access to future Android operating system updates. Other companies have also begun indicating that they will curtail their dealings with Huawei.
[Editor Comments]
[Neely] Additionally, plans include cutting off access to the Google Play store and technical support from Google. It may be a good time to update your lifecycle plans for Huawei devices rather than getting into a situation where critical security updates are not available for your device.
Read more in:
CNET: Google cuts off Huawei phones from future Android updates
https://www.cnet.com/news/google-reportedly-cuts-off-huawei-phones-from-future-android-updates/
ZDNet: Google services to continue working on existing Huawei Android devices
Washington Post: Google cuts off Huawei after Trump administration crackdown
--Add Phone Number to Google for Security
(May 17 & 20, 2019)
Google teamed up with researchers from New York University and the University of California, San Diego to look at the effect basic security hygiene has on account hijacking. They found "that simply adding a recovery phone number to your Google Account can block" nearly all automated bit and bulk phishing attacks as well as two-thirds of targeted attacks.
[Editor Comments]
[Neely] Beyond setting a recovery phone number, also enable two-factor authentication for your Google accounts. In February, Google posted a list of five things you can do to improve online security: https://www.blog.google/technology/safety-security/five-things-you-can-do-right-now-to-stay-safer-online/
[Murray] We have seen fraudulent attempts change these numbers. This is the reason that the use of tokens for one-time-passwords is marginally safer than SMS. Like other service providers relying on phone numbers for security, Google must be prepared to resist these attacks. Users should periodically check to ensure that the number Google has in records is really theirs.
[Pescatore] The study did point out the major problem: when prompted, 38% did not have access to the phone listed as the recovery number. I'd add Heather Mahalik's advice to the 5 Google recommendations: login to myactivity.google.com and see how much information and history you have exposed across the various Google properties, then go to myaccount.google.com and minimize your exposures where possible.
Read more in:
Googleblog: New research: How effective is basic account hygiene at preventing hijacking
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
ZDNet: Add a recovery phone number to block automated hijack attempts: Google
https://www.zdnet.com/article/add-a-recovery-phone-number-to-block-automated-hijack-attempts-google/
--Former CIA Officer Sentenced for Espionage
(May 20, 2019)
Former CIA intelligence officer Kevin Patrick Mallory has been sentenced to 20 years in prison for espionage. Last June, Mallory was found guilty of conspiracy to deliver, attempted delivery, delivery of national defense information to aid a foreign government, and making material false statements.
Read more in:
InfoSecurity Magazine: Ex-CIA Man Gets 20 Years for Handing China Secrets
https://www.infosecurity-magazine.com/news/ex-cia-man-gets-20-years-for-1/
Justice: Former CIA Officer Sentenced to Prison for Espionage
https://www.justice.gov/usao-edva/pr/former-cia-officer-sentenced-prison-espionage
--Former Australian Government Contractor Allegedly Used Agency System for Cryptomining
(May 21, 2019)
Authorities in Australia have arrested and charged a former government IT contractor for allegedly using federal computing resources to mine for cryptocurrency. The suspect is being charged with "unauthorised modification of data to cause impairment... [and] unauthorised modification of restricted data." He allegedly earned AU $9,000 from the scheme.
Read more in:
ZDNet: IT contractor allegedly abused government systems for cryptocurrency mining
AFP: Government employee charged with using government IT systems to mine for cryptocurrency
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Sharepoint Exploited
https://isc.sans.edu/forums/diary/CVE20190604+Attack/24952/
Vulnerabilities in Apple Air Drop (PDF)
https://www.usenix.org/system/files/sec19fall_stute_prepub.pdf
MSFT RDP Vulnerability (#BlueKeep) Update
https://twitter.com/search?q=%23bluekeep
Risks of JWT
https://snikt.net/blog/2019/05/16/jwt-signature-vs-mac-attacks/
MuddyWater Campaign Evolves
https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html
Google Analyzes Vendor Response to 0-Day Exploits
https://googleprojectzero.blogspot.com/p/0day.html
ASUS WebStorage Abused for Malware Distribution
https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create