SANS NewsBites: Volume XXI – Issue #32

Source: https://www.sans.org/newsletters/newsbites/xxi/32

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI – Issue #32

April 23, 2019
150 Best US Colleges for Cyber Talent; Russian Hackers Infiltrated Florida Computers Before 2016 Election; DOE Developing Technology “Blacklist” for Utilities; Industry Choosing IT Cybersecurity Experts for OT Security

The 150 “Top Tier” US colleges for discovering and developing cybersecurity talent are listed at the end of this issue, sorted by state. If your organization recruits from any of these colleges, you now have the option to ask candidates for their “CyberStart scores.”  Performance on CyberStart was proven to be a reliable indicator of “elite” cyber talent in a national program in the UK.  See www.cyber-fasttrack.org for details on the program.  Twenty-five state governors announced the program and encouraged students in their states to “just try it” to discover their natural talent. More than 400 new students are engaging every day, so the Top Tier colleges will change over the remaining three weeks of student eligibility for 2019. George Mason demonstrated they could boost their college’s rank more than 50 positions in just 2 days by sending a single email to their students to tell them about the program (and the $2.5 million in available scholarships).  With over 7,400 college students already participating, the program shows preliminary promise of scaling to fill the nation’s need for elite cyber talent within the next 3 years.

Alan

****************************************************************************

SANS NewsBites               April 23, 2019                Vol. 21, Num. 032

****************************************************************************

TOP OF THE NEWS

Mueller Report Says Russian Hackers Infiltrated Florida Computers Prior to 2016 Election

DOE Developing Unclassified Technology “Blacklist” for Electric Utilities

Industry Increasingly Letting Cybersecurity Experts Manage Operational Technology

REST OF THE WEEK’S NEWS

Facebook Stored Instagram Passwords in Plaintext

Hutchins Pleads Guilty to Charges Related to Malware Creation

US Cities Dealing with Ransomware

jQuery JavaScript Patch for “Prototype Pollution” Vulnerability

Microsoft Patch Causing Problems for Users of Certain A-V Products

CIA Reportedly Told Foreign Intelligence Officials That Huawei Receives Funding from China’s Military

NIST Updates Mobile App Security Vetting Guide

GPS Rollover Issue Crashes New York City Wireless Network

768k Day Coming Soon

The Top Tier of US Colleges for Discovering and Developing Cybersecurity Talent

INTERNET STORM CENTER TECH CORNER

*****************************************************************************

CYBERSECURITY TRAINING UPDATE

— SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019

— SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

— SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019

— SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019

— SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019

— Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019

— Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

— SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

— SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

— SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off your OnDemand or vLive course. Offer ends May 1.

https://www.sans.org/online-security-training/specials/

— Can’t travel? SANS offers online instruction for maximum flexibility

— Live Daytime training with Simulcast – https://www.sans.org/simulcast

— Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

— Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

— Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

— View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

***********************  Sponsored By Splunk   ******************************

One Phish, Two Phish, Three Phish, Fraud Phish.  In this Seuss-inspired children’s book, readers are taken on a colorful journey, discovering the many surprising ways fraud touches our everyday lives, including credit card scams, payroll fraud, financial aid swindles, healthcare deception, and wire transfer fraud, as well as phishing attacks, account takeovers, and more. http://www.sans.org/info/211883

*****************************************************************************

TOP OF THE NEWS

–Mueller Report Says Russian Hackers Infiltrated Florida Computers Prior to 2016 Election

(April 18 & 19, 2019)

Mueller’s report on the investigation into Russian interference in the 2016 US presidential election says that “the Russian government interfered in the 2016 presidential election in sweeping and systematic fashion.” According to the report, Russian hackers infiltrated the computer systems of at least one Florida county government and planted malware on systems at a voting machine manufacturer. The report did not offer evidence that either incident affected election results.

[Editor Comments] [Pescatore] The US Election Assistance Commission has a list that shows 9 different organizations have active efforts focused on improving election system security that have started since January 2017, when election systems were finally defined as critical infrastructure. Most of those efforts are essentially defining best practices or identifying gaps against well-known best practices. This is kind of like studying best practices for avoiding potholes in roads (critical infrastructure) and identifying known potholes – without any emergency activity to at least fill those potholes!

[Murray] The strength of our election system rests more upon its diversity than on any technology. That said, we should prefer technology that is transparent, vetted before use, and audited after. It is salutary that more than half of us vote on paper ballots. Note that alternative means of recording votes were motivated by the desire for easy tabulation and early reporting, and that fraud has more often been in the counting and reporting processes than in the recording processes.

Read more in:

Politico: Collusion aside, Mueller found abundant evidence of Russian election plot

https://www.politico.com/story/2019/04/18/mueller-report-russian-election-plot-1365568

NYT: Russians Breached Florida County Computers Before 2016 Election, Mueller Report Says

https://www.nytimes.com/2019/04/18/us/florida-russia-2016-election-hacking.html

Dark Reading: Russia Hacked Clinton’s Computers Five Hours After Trump’s Call

https://www.darkreading.com/risk/russia-hacked-clintons-computers-five-hours-after-trumps-call/d/d-id/1334484

–DOE Developing Unclassified Technology “Blacklist” for Electric Utilities

(April 18, 2019)

The US Department of Energy (DOE) and the National Counterintelligence and Security Center are looking at ways to be more transparent about technology that poses security risks. DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is developing an unclassified “don’t buy” list of foreign-supplied equipment and technology for the country’s electric utilities.

[Editor Comments] [Pescatore] More transparency is definitely needed, as all too often the products that are put on the government’s “Don’t Buy” list get there solely because of the country of origin, vs. any evidence or testing that showed malicious capabilities. Meanwhile, many products that governments routinely buy for Critical Infrastructure and deploy from domestic suppliers (see election machines) are riddled with vulnerabilities that are easily exploited by foreign powers. If all products for Critical Infrastructure were routinely tested before procurement, transparency in the results would not require any “redacting” or declassification.

[Neely] These lists are driven from counterintelligence, not cyber security, which means they are based on an assessment of the company and those that control their production of products more than actual deficiencies. They are answering the question “Should we do business with this company?” This also means that full disclosure of the research/evidence behind the negative decision may not be possible due to classification and need-to-know restrictions. Ideally there should also be supporting identified product deficiencies to enable a more rounded choice to support the blacklist decision.

Read more in:

E&E News: How hacking threats spurred secret U.S. blacklist

https://www.eenews.net/stories/1060176111

–Industry Increasingly Letting Cybersecurity Experts Manage Operational Technology

(April 18, 2019)

According to a 2018 Gartner report, just 35 percent of large industrial companies have put the CISO or their equivalent in charge of the networks that manage physical processes, also known as Operational Technology (OT). One reason the figure is low is that manufacturers were concerned that cybersecurity experts would interfere with production processes. The figure is expected to double by 2021; a central driver of the trend is believed to be the NotPetya and WannaCry attacks of 2017, which caused serious problems at major manufacturers.

[Editor Comments] [Pescatore] The 35% estimate from early 2018 seems high to me, and probably a better question is “What percentage of security programs have the staff, skills and architecture to successfully secure OT systems?” Changing the Visio organization chart to show new functions under boxes is easy, but even security organizations that are mature in monitoring and securing PCs, servers and routers aren’t necessarily able to effectively secure OT systems, let alone integrate them into existing processes.

[Neely] Understanding how to secure components that can’t be patched and have multi-decade lifecycles is going to be a challenge for many cyber security professionals. While OT is not general purpose IT, bringing cyber expertise to bear can ensure adequate and verified perimeter protections are in place for those devices and their presence and purpose incorporated into the overall cyber strategy, resulting in more secure integration and access to and with IT systems. Even so, cooperation between the system owners and cyber teams will be critical to minimize operational impacts.

Read more in:

Axios: Industry puts cybersecurity pros in charge

https://www.axios.com/cybersecurity-officers-hacking-db38f870-b02a-4ee8-a52a-94171f52b9f8.html

****************************  SPONSORED LINKS  ******************************

1) Webinar: SANS Incident Response instructor explains: Prevent long-dwell attacks with SecBI’s automated detection & response. http://www.sans.org/info/211888

2) ICYMI: “The Continuation of Web-based Supply Chain Attacks” http://www.sans.org/info/211893

3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211898

*****************************************************************************

REST OF THE WEEK’S NEWS

–Facebook Stored Instagram Passwords in Plaintext

(April 18, 2019)

Facebook has acknowledged that it stored millions of Instagram passwords in internal server logs in plaintext. The news follows the revelation last month that Facebook employees had access to hundreds of millions of Facebook user passwords stored in plaintext, and less than a day after Facebook acknowledged that it had inadvertently saved contact lists of 1.5 million new Facebook users.

[Editor Comments] [Williams] While I’ve seen many downplay this report, saying “there’s no evidence of anyone inappropriately accessing the passwords,” logging them breaks the fundamental principle of non-repudiation. While Instagram timelines don’t regularly appear as critical evidence in my cases, this should serve as a warning for some smaller shops that do have non-repudiation issues – if it can happen to Facebook, it can happen to you. Logging HTTP POST variables is particularly dangerous for e-commerce where credit card data can be logged and put in the SIEM.

[Neely] This would be an excellent time to update your password as well as enable two-factor authentication on Facebook and Instagram accounts. Select the authenticator app rather than SMS code option. You can elect to have the service remember known devices so you only get prompted for the second factor when a new device authenticates.

[Northcutt] FB has also acknowledged lifting as many as 1.5M email addresses w/o customer consent.

CNN: Facebook collected 1.5 million users’ email contacts without their knowledge

https://www.cnn.com/2019/04/18/business/facebook-email-contacts/index.html
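The control Williams’s comment points at, as an added example (not Facebook’s or Instagram’s code, and not part of the original newsletter): sanitize a request body before it reaches any logger or SIEM forwarder, instead of trusting that nobody will read the logs. The key pattern, the field names and the sample bodies are constructed for illustration; the Luhn filter keeps long order numbers from being masked along with real card numbers.

```javascript
// Added example; not Facebook's or Instagram's code. Sanitizes a request body
// before it is logged: named sensitive fields are dropped, and string values
// that look like card numbers (13-19 digits passing Luhn) are masked.

// Keys whose values are never logged. Deliberately a loose substring match so
// that it errs toward over-redaction: "newPassword" and "x-api-key" match too.
const SENSITIVE_KEY = /pass(word|wd|phrase)?|pwd|secret|token|authorization|api[_-]?key|cvv|cvc|ssn/i;

// Luhn checksum, so only plausible card numbers get masked rather than every
// long digit string (order numbers, tracking IDs).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Primary account numbers are 13 to 19 digits, often typed with spaces or
// dashes. Only string values are checked; a card number sent as a JSON number
// would already have lost precision and is not worth handling here.
function looksLikeCardNumber(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Keep the last four digits, which is what support and fraud teams need.
function maskPan(value) {
  const digits = value.replace(/[\s-]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Returns a redacted deep copy. The original body is never mutated, so the
// application still sees the real values; only the log copy is sanitized.
function redactForLog(value, keyName = '') {
  if (SENSITIVE_KEY.test(keyName)) return '[REDACTED]';
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, keyName));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactForLog(v, k);
    return out;
  }
  if (looksLikeCardNumber(value)) return maskPan(value);
  return value;
}

// The line a request logger should emit: method, path and the sanitized body.
function logLineFor(method, path, body) {
  return `${method} ${path} body=${JSON.stringify(redactForLog(body))}`;
}

// Constructed sample bodies (not real traffic).
const LOGIN_BODY = { username: 'alice', password: 'hunter2' };
const CHECKOUT_BODY = {
  order_ref: '1234567890123456', // 16 digits but fails Luhn: left alone
  card: { number: '4111 1111 1111 1111', cvv: '123', exp: '12/29' },
  amount: 42,
};

console.log(logLineFor('POST', '/login', LOGIN_BODY));
console.log(logLineFor('POST', '/checkout', CHECKOUT_BODY));
```

The key-name list is the part to tune per application; the Luhn check is what keeps the value-based rule from masking every long numeric identifier in the logs.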

Read more in:

Cyberscoop: Facebook security notice announces millions of Instagram users had their passwords stored in plaintext

https://www.cyberscoop.com/instagram-password-plain-text-facebook-update/

Engadget: Facebook stored millions of Instagram passwords in plain text

https://www.engadget.com/2019/04/18/facebook-stored-instagram-passwords-plain-text/

ZDNet: Facebook admits to storing plaintext passwords for millions of Instagram users

https://www.zdnet.com/article/facebook-admits-to-storing-plaintext-passwords-for-millions-of-instagram-users/

–Hutchins Pleads Guilty to Charges Related to Malware Creation

(April 19 & 22, 2019)

Marcus Hutchins, the UK man who discovered a way to stop WannaCry from spreading, has pleaded guilty to conspiracy and to distributing malware. In 2014, Hutchins created the Kronos Trojan, which has been used to steal online bank account access credentials. Hutchins was arrested as he was preparing to fly home after attending a conference in Las Vegas, Nevada in 2017.

Read more in:

Regmedia: Plea Agreement

https://regmedia.co.uk/2019/04/19/plea.pdf

Ars Technica: Marcus Hutchins, slayer of WannaCry worm, pleads guilty to malware charges

https://arstechnica.com/information-technology/2019/04/marcus-hutchins-slayer-of-wannacry-worm-pleads-guilty-to-malware-charges/

SC Magazine: WannaCry hero Marcus Hutchins pleads guilty, faces five years

https://www.scmagazine.com/home/security-news/ransomware/wannacry-hero-marcus-hutchins-pleads-guilty-faces-five-years/

KrebsOnSecurity: Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

https://krebsonsecurity.com/2019/04/marcus-malwaretech-hutchins-pleads-guilty-to-writing-selling-banking-malware/

Cyberscoop: Marcus Hutchins pleads guilty to two counts related to Kronos banking malware

https://www.cyberscoop.com/marcus-hutchins-malwaretech-guilty-plea-kronos/

The Register: Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

https://www.theregister.co.uk/2019/04/19/marcus_hutchins_pleads_guilty/

Motherboard: ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware

https://motherboard.vice.com/en_us/article/qv7pad/marcus-hutchins-pleads-guilty-banking-malware-wannacry-hero

–US Cities Dealing with Ransomware

(April 10, 18, & 19, 2019)

Computer systems in four municipalities across the US have been affected by ransomware in the past week and a half. Systems in Greenville, North Carolina, became infected on April 10. Systems in Imperial County, California and in Stuart, Florida became infected on April 13, and systems in Augusta, Maine were infected on April 18.

[Editor Comments] [Shpantzer] Let’s see here… If ransomware/nukeware shuts down hospital systems, municipal networks with transportation and other OT, manufacturing plants, and other critical infrastructure (and all of those have happened), what are the international norms at play? If I walked into a hospital and took a hammer to a rack in the datacenter and shut the place down for a while, what would I be charged with? Why is ransomware not treated as an entirely different category than say stealing credit card numbers and creating banking Trojans to steal money from financial services or even stealing IP? Some counties in the US have populations bigger than some countries. I can help people mitigate the impact of ransomware but I can’t deter bad actors from doing this because I don’t arrest people. This seems like a job for better financial intelligence and manhunts for organized crime and those who enable this kind of disruption, at the international level.

Read more in:

SC Magazine: Ransomware ravages municipalities nationwide this week

https://www.scmagazine.com/home/security-news/ransomware/ransomware-ravages-municipalities-nationwide-this-week/

APNews: North Carolina city’s computers shut down due to virus

https://www.apnews.com/c82331e417804299b1f6a7eef8e7b58b

SC Magazine: Ransomware knocks Greenville, N.C. offline

https://www.scmagazine.com/home/security-news/ransomware/ransomware-knocks-greenville-n-c-offline/

LA Times: Ryuk malware hacked a county government website. It’s been down for 6 days

https://www.latimes.com/local/lanow/la-me-imperial-county-website-down-20190418-story.html

TC Palm: Rebuilding Stuart computer servers after cyberattack could take longer than expected

https://www.tcpalm.com/story/news/local/martin-county/2019/04/18/ransomware-attack-stuart-computers-could-take-longer-than-expected/3508420002/

Sun Journal: Cyberattack hits Augusta municipal operations; City Center closed

https://www.sunjournal.com/2019/04/18/city-of-augusta-hit-by-computer-virus-city-center-closed/

–jQuery JavaScript Patch for “Prototype Pollution” Vulnerability

(April 21, 2019)

An update to the jQuery JavaScript library (version 3.4.0) addresses a “prototype pollution” vulnerability (CVE-2019-11358) in jQuery.extend(). Almost every JavaScript object inherits properties from a shared prototype object; a deep-merge routine that copies a user-supplied key named __proto__ walks into that shared prototype, so attacker-controlled input (a JSON body, a parsed query string) can add or overwrite properties on every object in the application and change how code that checks those properties behaves. The jQuery library is used on nearly 75 percent of Internet sites.
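The merge pattern behind the bug, as an added example that is not jQuery’s own source: a miniature of the jQuery.extend(true, target, source) recursion in its pre-3.4.0 form, beside a hardened version. The attacker payload is constructed here and would normally arrive as a JSON request body or parsed query string.

```javascript
// Added example; not jQuery's code. Models deep merge in miniature: first the
// vulnerable recursion, then the fix (refuse to walk into "__proto__").

// jQuery-style plainness test: a plain object is one whose prototype is
// Object.prototype or null. Object.prototype itself passes this test, which is
// exactly what lets the vulnerable merge reach the shared prototype.
function isPlainObject(v) {
  if (Object.prototype.toString.call(v) !== '[object Object]') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// VULNERABLE deep merge (keeps the flaw on purpose).
// When key === "__proto__", target[key] reads the target's prototype, i.e. the
// global Object.prototype, and the recursion then writes the attacker's fields
// onto it. Every object in the process inherits those fields from then on.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = unsafeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED deep merge: skip prototype-chain keys outright, only recurse into
// the target's own properties, and never merge an object into itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value === target) continue;
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeDeepMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the same constructed payload through both merges and reports what an
// unrelated, freshly created object "sees" afterwards.
function demo() {
  // JSON.parse creates an OWN property literally named "__proto__", so
  // Object.keys() returns it; an object literal in source code would not.
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');

  const before = ({}).isAdmin;        // undefined
  unsafeDeepMerge({}, payload);
  const afterUnsafe = ({}).isAdmin;   // true: Object.prototype is now polluted
  delete Object.prototype.isAdmin;    // undo the pollution before the next run

  safeDeepMerge({}, payload);
  const afterSafe = ({}).isAdmin;     // undefined: the key was ignored

  return { before, afterUnsafe, afterSafe };
}

console.log(demo());
console.log(safeDeepMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 }));
```

The check that matters is the one on an object the merge never touched: once `({}).isAdmin` is true, every `if (user.isAdmin)` in the application passes. Skipping `constructor` and `prototype` alongside `__proto__` costs nothing and closes the other well-known route to the shared prototype.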

Read more in:

ZDNet: Popular jQuery JavaScript library impacted by prototype pollution flaw

https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

–Microsoft Patch Causing Problems for Users of Certain A-V Products

(April 19, 2019)

A component of the April 9 Windows security update is causing problems for users of several different anti-virus products. Users running anti-virus software from Avast, Avira, ArcaBit, McAfee and Sophos have been reporting that the update has caused their computers to become slow and even unresponsive. Avast and ArcaBit have released updates to fix the problem, and McAfee is in the process of developing a fix. Microsoft is blocking users running Avira and Sophos products from downloading the updates until fixes are developed. The problems affect users running Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2.

[Editor Comments] [Williams] Antivirus companies aren’t using undocumented interfaces because they want to or because “it looks cool.” They’re doing it because Microsoft isn’t providing the interfaces the AV companies need to protect users. If Microsoft isn’t careful, they’ll find themselves under the gun of another antitrust lawsuit from AV companies.

Read more in:

Ars Technica: McAfee joins Sophos, Avira, Avast–the latest Windows update breaks them all

https://arstechnica.com/gadgets/2019/04/latest-windows-patch-having-problems-with-a-growing-number-of-anti-virus-software/

Threatpost: Microsoft’s Latest Patch Hoses Some Antivirus Software

https://threatpost.com/microsofts-latest-patch-hoses-some-antivirus-software/143978/

SC Magazine: Machines running popular AV software go unresponsive after Microsoft Windows update

https://www.scmagazine.com/home/security-news/machines-running-popular-av-software-go-unresponsive-after-microsoft-windows-update/

–CIA Reportedly Told Foreign Intelligence Officials That Huawei Receives Funding from China’s Military

(April 21, 2019)

According to a report in The Times, the CIA told intelligence officials in Canada, the UK, New Zealand, and Australia that Huawei receives funding from Chinese government organizations. The Times article is quoted as saying that Huawei has received funding from “the People’s Liberation Army, China’s National Security Commission and a third branch of the Chinese state intelligence network.”

[Editor Comments] [Williams] There are lots of reasons not to use Huawei networking equipment, the biggest of which is the total lack of an SDLC (secure development lifecycle). Using a weak argument like Huawei taking money from the PLA hurts the argument itself.

Read more in:

CNET: CIA reportedly says Huawei funded by Chinese state security

https://www.cnet.com/news/cia-reportedly-says-huawei-funded-by-chinese-state-security/

Forbes: CIA Claims It Has Proof Huawei Has Been Funded By China’s Military And Intelligence

https://www.forbes.com/sites/zakdoffman/2019/04/20/cia-offers-proof-huawei-has-been-funded-by-chinas-military-and-intelligence/#7ca48b2e7208

–NIST Updates Mobile App Security Vetting Guide

(April 19, 2019)

The US National Institute of Standards and Technology (NIST) has released NIST Special Publication (SP) 800-163 Revision 1, Vetting the Security of Mobile Applications. The original version of the document was released in January 2015. The updated version “expands on the original document by exploring resources that can be used to inform an organization’s requirements for mobile app security;” provides greater detail about the steps of the vetting process; and offers a deeper “exploration of the current threat landscape facing mobile apps.”

[Editor Comments] [Neely] Keeping guidance on assessing mobile applications updated is key for success. Use this guide to develop processes for vetting key applications, and use your EMM to enforce decisions. Some of the risks associated with non-vetted applications can be mitigated by requiring installation from the official Apple and Google Play stores. Additionally, require Play Protect on Android devices which can uninstall apps that have been identified as malicious. This is built in to the iTunes store.

Read more in:

MeriTalk: NIST Updates Guidance on Mobile App Security Vetting

https://www.meritalk.com/articles/nist-updates-guidance-on-mobile-app-security-vetting/

CSRC: Vetting the Security of Mobile Applications: NIST Publishes SP 800-163 Revision 1

https://csrc.nist.gov/news/2019/nist-publishes-sp-800-163-rev-1

–GPS Rollover Issue Crashes New York City Wireless Network

(April 10, 12, & 22, 2019)

The GPS week-number rollover caused New York City’s private wireless network, NYCWiN, to crash; it remained down for 10 days. The rollover happens roughly every 19.7 years: the legacy GPS navigation message carries the week count in a 10-bit field, so the counter wraps to zero after 1,024 weeks, and receiver firmware that does not account for the wrap computes a date 1,024 weeks in the past. The most recent rollover occurred on April 6, 2019. The NYCWiN outage affected “some of the New York Police Department’s license-plate readers, the Department of Transportation traffic-light programming, and communications at remote work sites for the sanitation and parks departments.” An investigation is expected to be completed next week.

[Editor Comments] [Murray] Y2K should have taught us the folly of allocating storage, or even address space, as though it is a scarce resource. This is an example of false economy resulting from trying to drive by looking in the rear view mirror.
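The arithmetic behind the outage, as an added example (not NYCWiN or vendor code, and not from the original newsletter): the satellites broadcast only the low 10 bits of the week count, so a receiver that trusts that value alone lands 1,024 weeks in the past, while one that carries a “cannot be earlier than” date (firmware build date, last trusted fix) resolves the ambiguity. Dates are the UTC calendar day on which each GPS week starts.

```javascript
// Added example; not receiver or NYCWiN code. Reproduces the 10-bit GPS week
// rollover and the standard mitigation of anchoring to a reference date.

const GPS_EPOCH_MS = Date.UTC(1980, 0, 6);   // GPS week 0 began on 6 Jan 1980
const MS_PER_WEEK = 7 * 24 * 60 * 60 * 1000;
const WEEK_MODULUS = 1024;                   // 2^10: the legacy week-number field

// Calendar date (YYYY-MM-DD, UTC) on which a full, unwrapped GPS week starts.
function fullWeekToDate(week) {
  return new Date(GPS_EPOCH_MS + week * MS_PER_WEEK).toISOString().slice(0, 10);
}

// Full GPS week containing the given UTC calendar date.
function dateToFullWeek(isoDate) {
  return Math.floor((Date.parse(isoDate + 'T00:00:00Z') - GPS_EPOCH_MS) / MS_PER_WEEK);
}

// What the satellites actually broadcast: the low 10 bits of the week count.
function truncatedWeek(week) {
  return week % WEEK_MODULUS;
}

// Naive receiver: treats the 10-bit value as the full count. This is the
// failure mode: after a rollover it reports a date 1,024 weeks in the past.
function naiveDecode(truncated) {
  return fullWeekToDate(truncated);
}

// Hardened receiver: picks the 1,024-week block that places the result at or
// after a reference date the device knows is already in the past. The
// reference only needs to be within ~19.7 years of the true date.
function decodeWithReference(truncated, notBeforeIso) {
  const minWeek = dateToFullWeek(notBeforeIso);
  let week = truncated + Math.floor(minWeek / WEEK_MODULUS) * WEEK_MODULUS;
  if (week < minWeek) week += WEEK_MODULUS;
  return fullWeekToDate(week);
}

// Start dates of the first n rollover weeks (weeks 1024, 2048, 3072, ...).
function rolloverDates(n) {
  const out = [];
  for (let k = 1; k <= n; k++) out.push(fullWeekToDate(k * WEEK_MODULUS));
  return out;
}

// Week 2048 is the one that began on 6/7 April 2019; over the air it is week 0.
console.log('broadcast value:', truncatedWeek(2048));
console.log('naive:', naiveDecode(truncatedWeek(2048)));
console.log('anchored:', decodeWithReference(truncatedWeek(2048), '2018-01-01'));
console.log('rollovers:', rolloverDates(3));
```

The reference date is the whole fix: a receiver that ships with its firmware build date baked in cannot be fooled into the previous 1,024-week block, which is why the same rollover hit some devices and not others.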

Read more in:

Statescoop: NYC works to reboot wireless network after GPS update crashed it

https://statescoop.com/nyc-works-to-reboot-wireless-network-after-gps-update-crashed-it/

NYT: New York City Has a Y2K-Like Problem, and It Doesn’t Want You to Know About It

https://www.nytimes.com/2019/04/10/nyregion/nyc-gps-wireless.html

GovTech: Avoidable Outage Continues to Plague NYC Wireless Network

https://www.govtech.com/network/Avoidable-Outage-Continues-to-Plague-NYC-Wireless-Network.html

NY Daily News: NYC wrapping up investigation into Y2K-like bug that knocked down system

https://www.nydailynews.com/news/politics/ny-y2k-bug-gps-wifi-system-glitch-investigation-northrop-grumman-20190422-dkyoundmwfbizhyb6c3gvgsogy-story.html

–768k Day Coming Soon

(April 18, 2019)

In August 2014, many older routers ran out of memory for the full IPv4 BGP routing table, which holds the prefixes (CIDR blocks) of every publicly routable IPv4 network on the Internet. The event, referred to as 512k Day after the default limit of 512,000 entries, caused ISP outages around the world. At the time, admins of the affected legacy routers applied emergency fixes and configuration changes that allocated more of the router’s forwarding memory to IPv4 routes; the new upper limit was, in general, set at 768k entries. The global table is now approaching that size, and entities tracking it say that 768k Day could occur within the next month.

[Editor Comments] [Ullrich] A similar “512k Day” caused some limited outages a few years ago. Sadly, the solution for older routers is to allocate memory for IPv4 that could be used for IPv6 instead. One reason IPv4 space is becoming more fragmented is the lack of IPv4 addresses and the need to use them more and more efficiently.

[Neely] The two primary mitigations to this risk are replacing older equipment such as Cisco 6500/7600 series products and not accepting /24 routes, instead let upstream transit providers handle that routing.

Read more in:

ZDNet: Some internet outages predicted for the coming month as ‘768k Day’ approaches

https://www.zdnet.com/article/some-internet-outages-predicted-for-the-coming-month-as-768k-day-approaches/

*******************************************************************************

The Top Tier of US Colleges for Discovering and Developing Cybersecurity Talent

*******************************************************************************

#1 in Alabama: Gadsden State Community College (#74 in the US)

#2 in Alabama: Athens State University (#89 in the US)

#3 in Alabama: The University of Alabama (#113 in the US)

#4 in Alabama: University of North Alabama (#131 in the US)

#6 in Arizona: Arizona State University-Tempe (#84 in the US)

#1 in Arkansas: Southern Arkansas University Main Campus (#2 in the US)

#2 in Arkansas: Harding University (#126 in the US)

#1 in California: California State University-Sacramento (#31 in the US)

#2 in California: Merritt College (#33 in the US)

#3 in California: California State University-San Bernardino (#35 in the US)

#4 in California: University of Southern California (#39 in the US)

#5 in California: California Polytechnic State University-San Luis Obispo (#46 in the US)

#6 in California: California State University-Northridge (#53 in the US)

#7 in California: University of California-Berkeley (#67 in the US)

#8 in California: Cypress College (#81 in the US)

#9 in California: University of La Verne (#83 in the US)

#10 in California: City College of San Francisco (#85 in the US)

#11 in California: San Francisco State University (#86 in the US)

#12 in California: California State Polytechnic University-Pomona (#91 in the US)

#13 in California: San Joaquin Delta College (#111 in the US)

#14 in California: San Bernardino Valley College (#126 in the US)

#15 in California: California State University-East Bay (#131 in the US)

#1 in Colorado: University of Colorado Boulder (#11 in the US)

#2 in Colorado: Colorado State University-Fort Collins (#44 in the US)

#3 in Colorado: Colorado State University-Pueblo (#97 in the US)

#4 in Colorado: University of Colorado Colorado Springs (#105 in the US)

#1 in Connecticut: University of New Haven (#12 in the US)

#2 in Connecticut: Central Connecticut State University (#25 in the US)

#3 in Connecticut: Sacred Heart University (#86 in the US)

#4 in Connecticut: Western Connecticut State University (#148 in the US)

#5 in Connecticut: University of Connecticut (#148 in the US)

#1 in Delaware: Wilmington University (#18 in the US)

#2 in Delaware: Delaware Technical Community College-Terry (#89 in the US)

#1 in District of Columbia: George Washington University (#50 in the US)

#2 in District of Columbia: American University (#75 in the US)

#1 in Florida: University of South Florida-Main Campus (#40 in the US)

#2 in Florida: Keiser University-Ft Lauderdale (#105 in the US)

#1 in Georgia: University of North Georgia (#15 in the US)

#2 in Georgia: Middle Georgia State University (#44 in the US)

#3 in Georgia: Georgia Southern University (#50 in the US)

#4 in Georgia: Columbus State University (#57 in the US)

#5 in Georgia: Georgia State University (#66 in the US)

#6 in Georgia: Kennesaw State University (#80 in the US)

#7 in Georgia: University of Georgia (#97 in the US)

#8 in Georgia: Georgia State University-Perimeter College (#119 in the US)

#9 in Georgia: Georgia Institute of Technology-Main Campus (#131 in the US)

#10 in Georgia: Gwinnett Technical College (#148 in the US)

#1 in Hawaii: University of Hawaii-West Oahu (#27 in the US)

#2 in Hawaii: University of Hawaii at Manoa (#61 in the US)

#1 in Idaho: Lewis-Clark State College (#22 in the US)

#2 in Idaho: University of Idaho (#33 in the US)

#3 in Idaho: Boise State University (#57 in the US)

#1 in Indiana: Ivy Tech Community College (#10 in the US)

#2 in Indiana: Purdue University Northwest (#38 in the US)

#3 in Indiana: Ball State University (#41 in the US)

#4 in Indiana: Valparaiso University (#49 in the US)

#5 in Indiana: Indiana University-Bloomington (#113 in the US)

#6 in Indiana: Purdue University-Main Campus (#135 in the US)

#7 in Indiana: University of Southern Indiana (#148 in the US)

#1 in Iowa: Iowa State University (#30 in the US)

#2 in Iowa: Drake University (#41 in the US)

#3 in Iowa: University of Iowa (#97 in the US)

#1 in Maryland: Montgomery College (#7 in the US)

#2 in Maryland: University of Maryland-Baltimore County (#14 in the US)

#3 in Maryland: University of Maryland-University College (#35 in the US)

#4 in Maryland: Prince George’s Community College (#41 in the US)

#5 in Maryland: Bowie State University (#71 in the US)

#6 in Maryland: University of Baltimore (#76 in the US)

#7 in Maryland: University of Maryland-College Park (#79 in the US)

#8 in Maryland: College of Southern Maryland (#123 in the US)

#1 in Michigan: Michigan State University (#4 in the US)

#2 in Michigan: Jackson College (#32 in the US)

#3 in Michigan: Ferris State University (#50 in the US)

#4 in Michigan: Eastern Michigan University (#60 in the US)

#5 in Michigan: Muskegon Community College (#86 in the US)

#6 in Michigan: Central Michigan University (#94 in the US)

#7 in Michigan: Northern Michigan University (#104 in the US)

#8 in Michigan: Grand Rapids Community College (#105 in the US)

#9 in Michigan: Macomb Community College (#108 in the US)

#10 in Michigan: Northwestern Michigan College (#113 in the US)

#11 in Michigan: Washtenaw Community College (#135 in the US)

#1 in Missouri: Washington University in St Louis (#119 in the US)

#1 in Nevada: University of Nevada-Reno (#13 in the US)

#2 in Nevada: College of Southern Nevada (#63 in the US)

#3 in Nevada: University of Nevada-Las Vegas (#69 in the US)

#4 in Nevada: Western Nevada College (#135 in the US)

#1 in New Jersey: Fairleigh Dickinson University-Florham Campus (#16 in the US)

#2 in New Jersey: Stevens Institute of Technology (#48 in the US)

#3 in New Jersey: New Jersey Institute of Technology (#64 in the US)

#4 in New Jersey: Rider University (#76 in the US)

#5 in New Jersey: William Paterson University of New Jersey (#101 in the US)

#6 in New Jersey: Brookdale Community College (#123 in the US)

#7 in New Jersey: Stockton University (#135 in the US)

#8 in New Jersey: Rutgers University-New Brunswick (#135 in the US)

#1 in New York: Utica College (#144 in the US)

#1 in North Carolina: University of North Carolina at Charlotte (#19 in the US)

#2 in North Carolina: University of North Carolina at Pembroke (#72 in the US)

#3 in North Carolina: University of North Carolina at Asheville (#91 in the US)

#4 in North Carolina: High Point University (#113 in the US)

#5 in North Carolina: Montreat College (#144 in the US)

#1 in Pennsylvania: Pennsylvania State University-Main Campus (#8 in the US)

#2 in Pennsylvania: Lincoln University (#37 in the US)

#3 in Pennsylvania: Montgomery County Community College (#56 in the US)

#4 in Pennsylvania: Villanova University (#95 in the US)

#5 in Pennsylvania: Carnegie Mellon University (#123 in the US)

#6 in Pennsylvania: Delaware County Community College (#126 in the US)

#7 in Pennsylvania: Community College of Allegheny County (#135 in the US)

#8 in Pennsylvania: Lehigh Carbon Community College (#144 in the US)

#1 in Rhode Island: Community College of Rhode Island (#76 in the US)

#2 in Rhode Island: Brown University (#101 in the US)

#1 in Tennessee: Austin Peay State University (#3 in the US)

#2 in Tennessee: The University of Tennessee-Chattanooga (#20 in the US)

#3 in Tennessee: University of Memphis (#108 in the US)

#4 in Tennessee: Tennessee Technological University (#113 in the US)

#1 in Texas: Texas A & M University-College Station (#6 in the US)

#2 in Texas: Texas State Technical College (#8 in the US)

#3 in Texas: The University of Texas at San Antonio (#24 in the US)

#4 in Texas: The University of Texas at Dallas (#25 in the US)

#5 in Texas: Houston Community College (#29 in the US)

#6 in Texas: University of North Texas (#46 in the US)

#7 in Texas: Amarillo College (#57 in the US)

#8 in Texas: Midwestern State University (#61 in the US)

#9 in Texas: The University of Texas at Arlington (#68 in the US)

#10 in Texas: Lamar University (#70 in the US)

#11 in Texas: The University of Texas Rio Grande Valley (#81 in the US)

#12 in Texas: Texas Tech University (#95 in the US)

#13 in Texas: University of Dallas (#100 in the US)

#14 in Texas: The University of Texas at Austin (#101 in the US)

#15 in Texas: The University of Texas at El Paso (#126 in the US)

#16 in Texas: Texas Woman’s University (#135 in the US)

#17 in Texas: Lone Star College System (#135 in the US)

#18 in Texas: Laredo Community College (#135 in the US)

#19 in Texas: Richland College (#148 in the US)

#1 in Utah: Western Governors University (#28 in the US)

#1 in Vermont: Norwich University (#53 in the US)

#2 in Vermont: Champlain College (#65 in the US)

#1 in Virginia: George Mason University (#1 in the US)

#2 in Virginia: Old Dominion University (#5 in the US)

#3 in Virginia: Liberty University (#17 in the US)

#4 in Virginia: Virginia Polytechnic Institute and State University (#21 in the US)

#5 in Virginia: Marymount University (#23 in the US)

#6 in Virginia: Christopher Newport University (#73 in the US)

#7 in Virginia: Northern Virginia Community College (#108 in the US)

#8 in Virginia: Radford University (#111 in the US)

#9 in Virginia: James Madison University (#113 in the US)

#10 in Virginia: J Sargeant Reynolds Community College (#119 in the US)

#11 in Virginia: Shenandoah University (#126 in the US)

#12 in Virginia: Thomas Nelson Community College (#131 in the US)

#1 in Washington: Eastern Washington University (#93 in the US)

#1 in West Virginia: West Virginia University at Parkersburg (#144 in the US)

#1 in Wyoming: University of Wyoming (#55 in the US)

#2 in Wyoming: Sheridan College (#119 in the US)

INTERNET STORM CENTER TECH CORNER

Analyzing UDF Files Using Python

https://isc.sans.edu/forums/diary/Analyzing+UDF+Files+with+Python/24860/

HTML Ping To Be Adopted By All Major Browsers

https://webkit.org/blog/8821/link-click-analytics-and-privacy/

Windows 7 End of Support Messages

https://www.windowslatest.com/2019/04/20/windows-7-users-are-now-receiving-the-end-of-support-notifications/

Microsoft to Modify Edge User Agent for Some Sites

https://www.onmsft.com/news/new-edge-insider-browser-can-change-user-agent-strings-based-on-what-website-youre-visiting

French Government Chat System Used Weak User Management (in German)

https://m.heise.de/security/meldung/Tchap-Frankreichs-nicht-so-exklusiver-Regierungschat-4403961.html

.rar Files Exploiting ACE Vulnerability CVE-2018-20250

https://isc.sans.edu/forums/diary/rar+Files+and+ACE+Exploit+CVE201820250/24864/

Malware Senders Become Younger and Less Sophisticated (in German)

https://www.heise.de/security/meldung/Malware-Verteiler-werden-immer-juenger-infizieren-sich-oft-selbst-4403823.html

McAfee Antivirus Affected by April Windows Update Crashes

http://kc.mcafee.com/corporate/index?page=content&id=KB91465

Rules to Protect Against Azure Blob Phishing in Outlook 365

https://malware-research.org/simple-rule-to-protect-against-spoofed-windows-net-phishing-attacks/
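Two of the Tech Corner items above, the UDF analysis diary and the ACE-in-.rar diary, come down to the same defensive habit: identify a container by its bytes, not by the extension the sender chose. The Python below is an added example written for this page, not code from the linked diaries. The constants come from the public layouts of the formats (the ECMA-167/UDF volume recognition sequence at sector 16 with 2048-byte descriptors, the RAR 4.x and RAR 5 magic strings, and the "**ACE**" signature that follows the 7-byte prefix of an ACE main header); the function names and the sample images and headers are constructed here for illustration.

```python
from __future__ import annotations

import struct

SECTOR = 2048                 # ECMA-167 / UDF volume structure descriptor size
VRS_OFFSET = 16 * SECTOR      # the volume recognition sequence starts at sector 16
VSD_IDENTIFIERS = {b"BEA01", b"NSR02", b"NSR03", b"TEA01", b"BOOT2", b"CD001"}

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_SIGN = b"**ACE**"         # follows CRC(2) size(2) type(1) flags(2) in an ACE main header
ACE_SIGN_OFFSET = 7


def udf_recognition_sequence(data: bytes) -> list[str]:
    """Walk the volume recognition sequence and return its identifiers in order.

    Every descriptor is one sector: structure type (1 byte), standard
    identifier (5 bytes), version (1 byte), then data. The walk stops at the
    first sector without a known identifier, so an all-zero sector or the
    start of real volume data ends it.
    """
    ids: list[str] = []
    off = VRS_OFFSET
    while off + 7 <= len(data):
        ident = data[off + 1:off + 6]
        if ident not in VSD_IDENTIFIERS:
            break
        ids.append(ident.decode("ascii"))
        off += SECTOR
    return ids


def classify_image(data: bytes) -> str:
    """'udf' when an NSR descriptor is present (this also covers ISO 9660/UDF
    bridge discs), 'iso9660' when only CD001 descriptors are found, else 'unknown'."""
    ids = udf_recognition_sequence(data)
    if "NSR02" in ids or "NSR03" in ids:
        return "udf"
    if "CD001" in ids:
        return "iso9660"
    return "unknown"


def classify_archive(data: bytes) -> str:
    """Identify RAR 4.x, RAR 5 or ACE from the first header bytes."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[ACE_SIGN_OFFSET:ACE_SIGN_OFFSET + len(ACE_SIGN)] == ACE_SIGN:
        return "ace"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> str | None:
    """Return a warning when the extension promises one archive format but the
    bytes are another; None when they agree or the extension is not tracked."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = {"rar": {"rar4", "rar5"}, "ace": {"ace"}}.get(ext)
    actual = classify_archive(data)
    if expected is None or actual in expected:
        return None
    return f"{name}: named .{ext} but content is {actual}"


# --- constructed sample inputs, not real files -----------------------------

def make_vsd(stype: int, ident: bytes, version: int = 1) -> bytes:
    """One 2048-byte volume structure descriptor with zeroed data."""
    return bytes([stype]) + ident + bytes([version]) + b"\0" * (SECTOR - 7)


def build_bridge_image() -> bytes:
    """Constructed ISO 9660 + UDF bridge image: 16 empty system sectors, a
    CD001 primary descriptor and terminator, then BEA01/NSR02/TEA01."""
    return (b"\0" * VRS_OFFSET
            + make_vsd(1, b"CD001") + make_vsd(255, b"CD001")
            + make_vsd(0, b"BEA01") + make_vsd(0, b"NSR02") + make_vsd(0, b"TEA01"))


def build_ace_header() -> bytes:
    """Constructed ACE main header prefix: CRC(2), size(2), type(1), flags(2),
    then the '**ACE**' signature; the remainder is zero padding."""
    return struct.pack("<HHBH", 0, 49, 0, 0) + ACE_SIGN + b"\0" * 42


if __name__ == "__main__":
    image = build_bridge_image()
    print(udf_recognition_sequence(image), classify_image(image))
    for fname, blob in [("report.rar", RAR5_MAGIC + b"\0" * 8),
                        ("invoice.rar", build_ace_header())]:
        print(fname, classify_archive(blob), extension_mismatch(fname, blob))
```

Run against a real attachment, `classify_image` on the whole file and `classify_archive` on the first few dozen bytes is enough to decide which parser to hand it to; a mail gateway rule that blocks `extension_mismatch` hits catches the ACE-under-.rar delivery without needing a signature for the payload itself.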

******************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI’s critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation’s top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also the author and lead instructor of the SANS Hacker Exploits and Incident Handling course and of the Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power’s CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute’s top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute’s Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS’ efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
