From: The SANS Institute (NewsBitessans.org)
Date: Fri Jun 14 2013 - 14:19:02 CDT
SANS NewsBites June 14, 2013 Vol. 15, Num. 047
TOP OF THE NEWS
US FDA Issues Cybersecurity Recommendations for Electronic Medical
ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in
THE REST OF THE WEEK'S NEWS
Legislators Seek to Declassify FISA Court Opinion
Google Wants to Disclose Data on FISA Court Orders
Eight People Charged in International Cybercrime Scheme
EU Justice Commissioner Demands Answers About EU Citizen Data and
Plea Deal Reached in Case Involving SQL Injection Attacks
State Prosecutors Introduce "Save Our Smartphones" Initiative
Apple iOS7 Will Include Activation Lock Security Measures
Prison Terms for Two in Phishing Scheme
Twelve-Year Prison Sentence for Man Who Sold Pirated Industrial
KeyBoy Malware Exploits Known Flaws in Microsoft Office
Microsoft Patches 23 Flaws; Adobe Issues Fixes for Single Flaw in
*********************** SPONSORED BY F5 Networks, Inc. ******************
Preparing for the next wave of Cyber Attacks
Cyber espionage can have devastating effects on your organization and,
unlike other crimes, it may be conducted for years without you being
aware of it until serious consequences arise. Learn more about cyber
espionage and steps you can take to refocus your security to protect
your most critical assets.
-- Industrial Control System (ICS) Security Training
In-depth, hands-on technical courses taught by top SCADA experts. Gain
the most current information regarding SCADA and Control System threats
and learn how to best prepare to defend against them. Leave the event
with solutions that you can immediately put to use in your organization.
--Washington, DC (August 12-August 16)
-- SANSFIRE 2013 Washington, DC June 14-22, 2013
43 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
-- Security Impact of IPv6 Summit Washington, DC June 14-16
Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6
Summit offers discussions and panels with IPv6 security experts, ISPs,
early adopters, and industry vendors. You will come away with best
practices from those who have already implemented IPv6. A two-day,
post-summit class follows:
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
-- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013
10 courses. Bonus evening presentations include Thanks for Recovering
... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is
Time to Act.
-- SANS London Summer 2013 London, UK July 9-July 16, 2013
5 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses or the excellent 2-day
Securing The Human course.
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13 2013
SANS's European forensics summit and dedicated forensics training event.
Four of SANS's most important forensics training courses and
opportunities to network with leading digital forensics experts.
-- SANS Dubai 2013 Dubai, UAE October 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
-- Multi-week Live SANS training
-- Looking for training in your own community?
-- Save on On-Demand training (30 full courses) - See samples at
Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--US FDA Issues Cybersecurity Recommendations for Electronic Medical
(June 13, 2013)
The US Food and Drug Administration (FDA) has issued cybersecurity
recommendations for medical devices. The FDA is urging manufacturers of
these products to incorporate measures to protect them from malware and
attacks, suggesting that the agency might not approve devices that
haven't taken cybersecurity into consideration. The FDA's
recommendations follow news of security issues in certain fetal monitors
and software used in body fluid analysis. The agency also recommended
that health care providers improve their cybersecurity practices, as it
has noted instances in which passwords were widely distributed or even
disabled on software that is supposed to have limited access. There are
also reports that health care providers have not applied security
updates "in a timely manner." There is no evidence that medical devices
are being targeted, and there have been no reports of patients injured
or killed as a result of cybersecurity issues.
FDA's Cybersecurity for Medical Devices and Hospital Networks
[Editor's Note (Pescatore): This document reinforces a 2005 (8 years
ago!) guidance memo from FDA saying "Note: The FDA typically does not
need to review or approve medical device software changes made solely
to strengthen cybersecurity." Many medical device manufacturers have
been falsely claiming that they couldn't patch vulnerable software
because they would need to go back through device recertification - not
true! Never been true! The rest of the guidance basically reinforces
many of the Critical Security Controls.
(Murray): Medical devices have been targeted by so-called "researchers"
who have been rewarded with sensational news coverage. The coverage has
encouraged and enabled mischief.
(McBride): The broad, potentially toothless, medical device cyber
security guidance is only in draft.]
--ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in
(June 13 & 14, 2013)
The US Department of Homeland Security (DHS) has issued an alert to
hospitals and other health care facilities, warning that many of the
electronic medical devices they use may contain security flaws. The
alert comes from DHS's Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT). It says that many devices were manufactured
with hard-coded passwords, which attackers could exploit to change the
devices' settings or install malicious firmware. The alert recommends
that the health care facilities isolate the affected devices from the
Internet and their LANs.
[Editor's Note (Pescatore): As we see the "Internet of Things" coming,
I hope the next generation of device designers will look at building in
hard-coded passwords the way today's designers would look at building
asbestos or mercury into their products.]
*************************** Sponsored Links: ******************************
1) IBM Webcast - Security Analytics: What Matters in Your Chatter with
Westley McDuffie, Wednesday, June 19th 12:30 pm EDT.
2) Take the SANS survey on Security Intelligence and Analytics and enter
to win an iPad! http://www.sans.org/info/132922
3) SANS Analyst Webcast: Implementing Hardware Roots of Trust With
Trusted Platform Modules http://www.sans.org/info/132932
THE REST OF THE WEEK'S NEWS
--Legislators Seek to Declassify FISA Court Opinion
(June 11 & 13, 2013)
US lawmakers have proposed legislation that would declassify some
opinions from the Foreign Intelligence Surveillance Court, following the
leak of information that indicated the court has been ordering
telecommunications companies to turn over customers' call records.
Specifically, the bill seeks to require that the Justice Department
declassify the FISA Court's interpretations of the Foreign Intelligence
Surveillance Act and the Patriot Act. On Wednesday, June 12, the FISA Court
"granted a motion not to block disclosure of an earlier ... opinion that
declared parts of the NSA's surveillance under Section 702 of the FISA
Amendments Act to be unconstitutional." The Electronic Frontier
Foundation filed the motion in May.
--Google Wants to Disclose Data on FISA Court Orders
(June 12, 2013)
Google, Facebook, Microsoft, and Yahoo have asked the Justice Department
to lift gag orders that prohibit the companies from discussing FISA
Court orders requesting customer data. Google and other companies have
begun publishing data about the number of national security letters
(NSLs) they receive annually, although those figures are given in ranges
of thousands, which was the agreement reached with the government. NSLs may
not request content, but FISA Court orders are not bound by the same
restrictions. Google wants to publish the data to support its assertion
that it does not allow the NSA to gather information through a secure
portal or put the requested data in a drop box for federal agents to
retrieve, as has been reported. Google has a team that reviews every
FISA order. Typically, the company delivers the requested information
by hand or sends it to the requesting organization through secure FTP
transfers. Hand-delivered data would likely be hardcopy or put on a
memory disk or external hard drive.
--Eight People Charged in International Cybercrime Scheme
(June 12 & 13, 2013)
The US Attorney's Office in New Jersey has charged eight people with
conspiracy to commit wire fraud, conspiracy to commit money laundering,
and conspiracy to commit identity theft. The alleged criminals are from
Kiev, Ukraine, as well as Massachusetts, New York, and the state of
Georgia in the US. The complaint alleges that the group stole US $15
million or more from customer accounts at banks, brokerage firms and
other financial institutions, transferring the money into accounts
controlled by the group and onto pre-paid debit cards. Four of those
named have been arrested.
--EU Justice Commissioner Demands Answers About EU Citizen Data and
(June 12, 2013)
European Union (EU) justice commissioner Viviane Reding has given US
Attorney General Eric Holder until Friday to provide specifics on how
much personal information PRISM has collected about people in the EU.
Reding is concerned that the program "could have grave adverse
consequences for the fundamental rights of EU citizens." She is
demanding to know what is being done with the data, whether the
program's scope "involves issues beyond national security," and whether
the surveillance program targets private citizens.
[Editor's Note (Honan): Viviane Reding, the Vice President of the
European Commission and EU Commissioner for Justice, has released a
statement regarding the PRISM scandal stating that "The data protection
rights of EU citizens are non-negotiable."]
--Plea Deal Reached in Case Involving SQL Injection Attacks
(June 12, 2013)
A man who launched attacks on the websites of several US police
departments and public agencies has agreed to a plea deal. John Anthony
Borell, III pleaded guilty to a total of five charges from combined
cases in Utah, Missouri, and New York. The terms of the plea deal impose
a three-year prison sentence and require that Borell pay nearly US
$230,000 in restitution.
--State Prosecutors Introduce "Save Our Smartphones" Initiative
(June 11, 12, & 13, 2013)
A group of law enforcement officials, politicians, and consumer
advocates aim to help fight the growing theft of smartphones, which has
reached "epidemic" proportions, according to San Francisco District
Attorney George Gascon. The group plans to ask the manufacturers of the
most widely used devices - Apple, Google/Motorola, Microsoft, and
Samsung - to develop features that make the phones less attractive to
thieves. The announcement of the initiative came on the same day that
Gascon and New York Attorney General Eric Schneiderman were hosting a
Smartphone Summit with representatives from major smartphone makers.
--Apple iOS7 Will Include Activation Lock Security Measures
(June 11, 2013)
Apple has announced that the newest version of its mobile operating
system, iOS7, will include a "kill switch" feature to make iPhone less
attractive to thieves. Users will need to provide a valid Apple ID and
password before they are permitted to erase data or turn off the "Find
My iPhone" feature. The same combination of Apple ID and password will
be required to reactivate the device after it has been erased remotely.
iOS 7 is expected to be available this fall.
--Prison Terms for Two in Phishing Scheme
(June 10 & 11, 2013)
A US district judge in Connecticut has sentenced two Romanian men to
prison for their roles in a phishing scheme. Bogdan Boceanu received an
80-month sentence and Andrei Bolovan received a 27-month sentence. In
December, Bolovan pleaded guilty to conspiracy to commit fraud in
connection with access devices. That same month, a jury found Boceanu
guilty of the same charge as well as one charge of conspiracy to commit
bank fraud. In all, 19 people are believed to have been involved in the
scheme, which phished for payment card information, then used that
information to make fraudulent withdrawals from ATMs.
--Twelve-Year Prison Sentence for Man Who Sold Pirated Industrial
(June 11 & 12, 2013)
A man from Chengdu, China has been sentenced to 12 years in prison for
his role in a software piracy operation that sold over US $100 million
worth of software. Xiang Li, who operated a website that sold pirated
software, was convicted of conspiracy to commit wire fraud and criminal
copyright infringement. The software sold on the site was largely
industrial grade, much of it designed for aerospace simulation and
design, defense, intelligence gathering, and manufacturing plant design,
and other technical applications. Li was arrested two years ago when US
agents posing as businessmen set up a meeting with him in the Northern
Mariana Islands, which is a protectorate of the US and therefore falls
under US jurisdiction.
--KeyBoy Malware Exploits Known Flaws in Microsoft Office
(June 10 & 11, 2013)
Malware known as KeyBoy exploits known flaws in certain versions of
Microsoft Office to install a Trojan horse program and steal data. The
attacks have been targeting users in Vietnam, India, China, and Taiwan.
KeyBoy spreads initially through spear phishing messages that include
Microsoft Word attachments designed to take advantage of the remote code
execution vulnerabilities in Microsoft Office 2003, 2007, and 2010. The
flaws were patched in April and August 2012.
Microsoft Bulletins With Office Fixes:
--Microsoft Patches 23 Flaws; Adobe Issues Fixes for Single Flaw in
(June 11 & 12, 2013)
On Tuesday, June 11, Microsoft issued five security bulletins to address
a total of 23 flaws in various products. One of the bulletins is a
cumulative update for Internet Explorer. The bulletin fixes 19 security
flaws in the browser and is rated critical. Another bulletin addresses
a remote code execution flaw in Microsoft Office that is already being
exploited in "limited, targeted attacks." That bulletin is rated
important. Notably absent from the security updates was a fix for a flaw
in Windows; that flaw was recently disclosed by a Google researcher. On
the same day, Adobe issued security updates for Flash Player 11.7 for
Windows, Mac, and Linux systems, and version 11.1 for Android. Those
updates address just one vulnerability.
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit