SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #84

October 19, 2012

TOP OF THE NEWS

More than 70 Percent of SSL Sites Still Vulnerable to BEAST Attack
Experts Say Medical Equipment Running Outdated Software Enables Attacks
ISPs Will Start Anti-Piracy Alert System Next Month

THE REST OF THE WEEK'S NEWS

Apple Getting Tough on Java
HSBC Hit With DDoS Attack
Review Finds No Evidence of Huawei Espionage
Adobe Reader and Acrobat XI Offer Enhanced Security Features
Pirate Bay Moves to the Cloud
Pacemakers Can be Hacked to Deliver Deadly Shock
Kaspersky Developing Secure OS for Industrial Control Systems and Medical Appliances
Study Says Filesharers Buy More Music Online
McKinnon Will Not be Extradited

---

********************** Sponsored By Palo Alto Networks *********************
The Palo Alto Networks Ignite Conference promises to be the network security event of the year - November 12-14, 2012 at the Las Vegas Wynn. Learn how to safely enable your business with over 30 educational sessions, user driven content, on-site CNSE certification, hands-on Expert Lab and networking opportunities with your peers. Learn more at: http://www.sans.org/info/115652
****************************************************************************
TRAINING UPDATE
- - --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- - --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

- - --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- - --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- - --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- - --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

- - --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Johannesburg, Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

More than 70 Percent of SSL Sites Still Vulnerable to BEAST Attack (October 18, 2012)

More than a year after the disclosure of a security flaw in SSL/TLS, 71 percent of SSL sites still have not taken steps to mitigate the vulnerability. The attack, known as BEAST (Browser Exploit Against SSL/TLS) can be used to decrypt cookies that are used by websites to restrict access to accounts. Of the 179,000 websites examined, 127,000 remained vulnerable to the BEAST attack.
-http://www.theregister.co.uk/2012/10/18/ssl_security_survey/

Experts Say Medical Equipment Running Outdated Software Enables Attacks (October 17, 2012)

Experts in both the health and security fields say that malware has been found on medical technology devices. The issue was raised last week at a National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board panel discussion in Washington, DC. The chief information security officer at Beth Israel Deaconess Medical center in Boston said that his facility has more than 650 pieces of equipment running older versions of Windows. The reason the devices have not been updated is that doing so could risk their compliance status with US Food and Drug Administration (FDA) regulations. FDA approval focuses on safety; cyberthreats are not taken into consideration. The infections could cause the devices to fail to record and track patient data.
-http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medi
cal-devices/?ref=rss
-http://www.bbc.co.uk/news/technology-19979936
-http://arstechnica.com/security/2012/10/hospitals-computer-hardware-also-suffers
-from-infection/
-http://www.nbcnews.com/technology/technolog/medical-malware-rampant-us-hospitals
-1C6530658
[Editor's Note (Assante): The acknowledgement that information technology, where present, is a primary component of medical diagnostic equipment and medical devices is long over due. I have spent enough time in CT scanners to be concerned if the system was not properly calibrated. Letting the software and operating systems go unmanaged should be the same as having a machine or device fall outside of operating specifications.
(Murray): Using Windows to implement
[medical ]
application machines unnecessarily increases both the potential for accidental failure and the attack surface that can be exploited by rogues.
(Pesactore): Argh - this myth that medical equipment can't be patched without requiring full FDA re-certification has been nonsense for years! In January 2005, the FDA issued Guidance for Industry 1553, which states, "It is possible, but unlikely, that a software patch will need a new 510(k) submission." Later, the same document states, "In most cases, therefore, you would not need to report a cybersecurity patch under 21 CFR Part 806 so long as you have evaluated the change and recorded the correction in your records." So, please, please - don't let the equipment vendors con you.]

ISPs Will Start Anti-Piracy Alert System Next Month (October 16 & 17, 2012)

In the next few weeks, US Internet service providers (ISPs) will start to implement an alert system to notify users whose accounts are being used to share copyrighted material in violation of US law. The plan, which is being overseen by the Center for Copyright Information (CCI), calls for ISPs to send alerts to the account holders. If there is no response to a first set of alerts, ISPs may take other steps to gain users' attention, such as slowing their Internet speeds or directing them to online tutorials about digital copyright. The goal of the plan is to educate and inform users, saving punishment as a last resort for users who do not respond to alerts and do not stop the illegal activity.
-http://thehill.com/blogs/hillicon-valley/technology/262315-internet-providers-se
t-to-crack-down-on-illegal-file-sharing
-http://www.theatlantic.com/technology/archive/2012/10/internet-service-providers
-are-about-to-crack-down-on-lllegal-file-sharing/263714/
[Editor's Note (Pescatore): I'd like to see similar action against users who are running botnet command and control sites... ]

---

*************************** Sponsored Links: ******************************
1) Take the SANS Application Security Survey and be entered to win a $300 American Express Card! http://www.sans.org/info/115657
2) SANS Webcast: Blind as a Bat? Or Eagle Vision Into Encrypted Packets? With Dave Shackleford & Tony Zirnoon. Nov 5, 2012. http://www.sans.org/info/115662
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Getting Tough on Java (October 18, 2012)

Apple has released updates for Java 6 on Mac OS X 10.6.8, 10.7, and 10.8, bringing Java for Mac OS X in line with Oracle's most recent Java update. However, the Apple update removes old versions of Java browser plug-ins from browsers that run on Mac OS X. This means that Mac users who want to run Java on their computers will need to download the software from Oracle. On computers running Snow Leopard, users who have not installed Java for Mac OS X 10.6 update 9 will have their browsers reconfigured not to run Java applets by default. Once the update for Lion and Mountain Lion is in place, users who visit websites that require Java will see the "Missing Plug-in" message and can download Java 7 from Oracle. Apple has been aiming to eliminate certain browser plug-ins - most notably Flash and Java - that have been proven vectors of attack. Apple stopped bundling Java with its operating systems when it introduced Lion in 2011. Removed on Safari and other browsers running on the Mac OS X platform. Oracle has issued a batch of security fixes for its products, including Java. The Java update addresses at least 30 vulnerabilities.
-http://arstechnica.com/apple/2012/10/apple-removes-java-from-all-os-x-web-browse
rs/
-http://www.computerworld.com/s/article/9232566/Apple_tries_to_kill_its_own_Java_
on_most_Macs?taxonomyId=17
-http://www.darkreading.com/risk-management/167901115/security/vulnerabilities/24
0009305/apple-removes-default-java-support-in-browsers.html
-http://www.h-online.com/security/news/item/Apple-updates-Java-for-older-Mac-OS-X
-kills-browser-plugin-1732089.html
-http://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/

HSBC Hit With DDoS Attack (October 18, 2012)

UK-based bank HSBC has been targeted in a distributed denial-of-service (DDoS) attack. The bank says that while customers found themselves unable to log in to their accounts, no customer data were affected by the attack. HSBC is "cooperating with relevant authorities." As of Thursday evening, some sites were once again accessible.
-http://news.cnet.com/8301-1009_3-57535500-83/hsbc-hit-by-broad-denial-of-service
-attack/
-http://www.zdnet.com/dos-hackers-take-hsbc-websites-down-7000006015/

Review Finds No Evidence of Huawei Espionage (October 17 & 18, 2012)

A review of security risks posed by companies that supply telecommunications equipment to US organizations found no evidence that Huawei had conducted espionage for China. In a recently released congressional report, US legislators were openly critical of Huawei and ZTE for not being more forthcoming about their relationships with the Chinese government. The report said that Huawei and ZTE products "cannot be trusted to be free of foreign state influence and thus pose a security threat to the US and to
[US ]
systems." However, the review, which was ordered by the White House, did find evidence that using equipment from Huawei could pose risks because it contains exploitable vulnerabilities. What is not clear is whether the flaws were intentionally built into the equipment or if they are the result of poor coding practices. Clouding the issue, a White House National Security Council spokesperson has said, "The White House has not conducted any classified inquiry that resulted in clearing any telecom equipment supplier." Huawei is feeling pressure from other countries as well. The Australian federal government has barred Huawei from bidding on the country's National Broadband Network, but has not given reasons for the decision beyond saying that it acted on advice from the Australian Security Intelligence Organisation (ASIO).
-http://www.reuters.com/article/2012/10/17/us-huawei-spying-idUSBRE89G1Q920121017
-http://www.informationweek.com/security/management/huawei-zte-4-security-fears/2
40009248
-http://www.zdnet.com/huawei-reportedly-cleared-of-spying-in-white-house-review-7
000005957/
-http://www.bbc.co.uk/news/technology-19988919
-http://www.computerworld.com/s/article/9232229/A_better_reason_to_avoid_Huawei_r
outers_Code_from_the_90s?taxonomyId=245
[Editor's Note (Honan): Vulnerabilities exist in all systems, especially in the modern global economy where parts and materials are subcontracted to many third parties. Before implementing any equipment or software you should conduct a proper risk assessment and controls put in place to continuously monitor it. This is the approach the UK has taken with Huawei since 2001
-http://www.telegraph.co.uk/finance/comment/damianreece/9600396/China-must-recipr
ocate-our-trust-in-its-companies.html]

Adobe Reader and Acrobat XI Offer Enhanced Security Features (October 17 & 18, 2012)

Adobe has released updated versions of Reader and Acrobat with improved security features, including enhanced sandboxing. The sandbox feature, which was introduced in Adobe Reader X, has made it more difficult for hackers to attack the products as it restricts read-only activities as well as write operations. The new versions of Reader and Acrobat also offer PDF whitelisting, force Address Space Layout Randomization (ASLR), and Elliptic Curve Cryptography for digital signatures.
-http://www.computerworld.com/s/article/9232562/Adobe_bolsters_Reader_Acrobat_XI_
security?taxonomyId=17
-http://www.darkreading.com/vulnerability-management/167901026/security/applicati
on-security/240009265/adobe-bolsters-security-in-reader-acrobat-xi.html
-http://www.scmagazine.com/security-beefed-up-in-new-adobe-reader-acrobat/article
/264112/
-http://arstechnica.com/security/2012/10/adobe-reader-and-acrobat-get-another-lay
er-of-security/

Pirate Bay Moves to the Cloud (October 17, 2012)

The Pirate Bay has moved to the cloud to evade takedown attempts. Instead of relying on physical servers, the filesharing site now operates through virtual machines on several different cloud services in two different countries. After Swedish police raided hosting company PRQ earlier this month, a number of torrent sites went dark; Pirate Bay had stopped using PRQ for hosting services before the raid.
-http://arstechnica.com/tech-policy/2012/10/the-pirate-bay-ditches-its-servers-se
ts-sail-for-the-cloud/
-http://www.bbc.co.uk/news/technology-19982440

Pacemakers Can be Hacked to Deliver Deadly Shock (October 17, 2012)

At a security conference in Melbourne, Australia, a researcher demonstrated how a pacemaker could be remotely instructed to deliver an 830-volt shock. Someone armed with a laptop from up to 50 feet away could command the device to administer the fatal voltage. The problem lies with the wireless transmitter programming. It was not complicated to get the devices to reveal their serial and model numbers, which would allow an attacker access to reprogram transmitted firmware and ultimately, reprogram the implanted device.
-http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly
_830_volt_jolt?taxonomyId=85

Kaspersky Developing Secure OS for Industrial Control Systems and Medical Appliances (October 16 & 17, 2012)

Kaspersky Lab is developing a secure operating system that it says will provide added protection against threats like Stuxnet. The OS is being designed specifically for companies that are responsible for elements of critical infrastructure so they can run their industrial control systems more securely. CEO Eugene Kaspersky said that ideally, to secure industrial control systems (ICS), all ICS software would need to be rewritten from scratch, incorporating the best security technology. Because that would require vast amounts of time and money, a secure OS is the next best option.
-http://www.eweek.com/security/kaspersky-lab-developing-secure-os-for-industrial-
control-systems/
-http://www.darkreading.com/advanced-threats/167901091/security/application-secur
ity/240009264/the-secure-operating-system-equation.html
-http://news.cnet.com/8301-1009_3-57533307-83/kaspersky-builds-its-own-antimalwar
e-os-but-not-for-you/
-http://www.wired.com/threatlevel/2012/10/kaspersky-operating-system/

Study Says Filesharers Buy More Music Online (October 15 & 17, 2012)

According to a study from The American Assembly, people who engage in filesharing are more likely to buy music online than non-filesharers. While the music collections of filesharers are larger than those of non-filesharers, largely due to free downloading and copying music from friends and family, filesharers have a rate of online music purchase that outstrips that of non-filesharers by 30 percent.
-http://www.nbcnews.com/technology/technolog/file-sharers-buy-more-music-non-file
-sharers-says-study-1C6496069
-http://www.techspot.com/news/50498-study-filesharers-spend-30-more-on-music-than
-non-p2p-users.html

McKinnon Will Not be Extradited (October 16, 2012)

The UK will not extradite Gary McKinnon to the US where he would face charges for allegedly breaking into computer systems at the Pentagon and NASA in 2001 and 2002. UK home secretary Theresa May has blocked the extradition due to human rights concerns. McKinnon, who has Asperger's Syndrome and depression, could become suicidal if he were sent to the US to face trial. UK prosecutors could potentially bring charges against him domestically. McKinnon's allegedly took actions that resulted in the "shut down
[of ]
the entire US Army's Military District of Washington network ... for 24 hours," and damages allegedly ran to US $700,000. US officials have expressed disappointment over the decision.
-http://arstechnica.com/tech-policy/2012/10/uk-halts-extradition-of-accused-hacke
r-over-suicide-concerns/
-http://www.wired.com/threatlevel/2012/10/mckinnon-extradition-win/
-http://www.h-online.com/security/news/item/Gary-McKinnon-not-to-be-extradited-to
-the-US-1730880.html
-http://www.cnn.com/2012/10/16/world/europe/uk-us-mckinnon-extradition/index.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/