SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #47
June 14, 2013
TOP OF THE NEWS
US FDA Issues Cybersecurity Recommendations for Electronic Medical Devices
ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in Medical Devices
THE REST OF THE WEEK'S NEWS
Legislators Seek to Declassify FISA Court Opinion
Google Wants to Disclose Data on FISA Court Orders
Eight People Charged in International Cybercrime Scheme
EU Justice Commissioner Demands Answers About EU Citizen Data and PRISM
Plea Deal Reached in Case Involving SQL Injection Attacks
State Prosecutors Introduce "Save Our Smartphones" Initiative
Apple iOS7 Will Include Activation Lock Security Measures
Prison Terms for Two in Phishing Scheme
Twelve-Year Prison Sentence for Man Who Sold Pirated Industrial Software
KeyBoy Malware Exploits Known Flaws in Microsoft Office
Microsoft Patches 23 Flaws; Adobe Issues Fixes for Single Flaw in Flash Player
*********************** SPONSORED BY F5 Networks, Inc. ******************
Preparing for the next wave of Cyber Attacks
Cyber espionage can have devastating effects on your organization and, unlike other crimes, it may be conducted for years without you being aware of it until serious consequences arise. Learn more about cyber espionage and steps you can take to refocus your security to protect your most critical assets.
http://www.sans.org/info/132912
***************************************************************************
TRAINING UPDATE
-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc
-- SANSFIRE 2013 Washington, DC June 14-22, 2013 43 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013
-- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:
http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials
http://www.sans.org/event/ipv6-summit-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013
-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2-day Securing The Human course.
http://www.sans.org/event/london-summer-2013
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013
-- SANS Dubai 2013 Dubai, UAE October 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013
-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
US FDA Issues Cybersecurity Recommendations for Electronic Medical Devices (June 13, 2013)
The US Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical devices. The FDA is urging manufacturers of these products to incorporate measures to protect them from malware and attacks, suggesting that the agency might not approve devices that haven't taken cybersecurity into consideration. The FDA's recommendations follow news of security issues in certain fetal monitors and software used in body fluid analysis. The agency also recommended that health care providers improve their cybersecurity practices, as it has noted instances in which passwords were widely distributed or even disabled on software that is supposed to have limited access. There are also reports that health care providers have not applied security updates "in a timely manner." There is no evidence that medical devices are being targeted, and there have been no reports of patients injured or killed as a result of cybersecurity issues.
-http://www.computerworld.com/s/article/9240040/FDA_calls_on_medical_device_makers_to_focus_on_cybersecurity?taxonomyId=17
FDA's Cybersecurity for Medical Devices and Hospital Networks
-http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
[Editor's Note (Pescatore): This document reinforces a 2005 (8 years ago!) guidance memo from FDA saying "Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity." Many medical device manufacturers have been falsely claiming that they couldn't patch vulnerable software because they would need to go back through device recertification - not true! Never been true! The rest of the guidance basically reinforces many of the Critical Security Controls.
(Murray): Medical devices have been targeted by so-called "researchers" who have been rewarded with sensational news coverage. The coverage has encouraged and enabled mischief. (McBride): The broad, potentially toothless, medical device cyber security guidance is only in draft. ]
ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in Medical Devices (June 13 & 14, 2013)
The US Department of Homeland Security (DHS) has issued an alert to hospitals and other health care facilities, warning that many of the electronic medical devices they use may contain security flaws. The alert comes from DHS's Industrial Control System Cyber Emergency Response Team (ICS-CERT). It says that many devices were manufactured with hard-coded passwords, which attackers could exploit to change the devices' settings or install malicious firmware. The alert recommends that the health care facilities isolate the affected devices from the Internet and their LANs.
-http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
-http://www.theregister.co.uk/2013/06/14/medical_device_security_warning/
-http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
[Editor's Note (Pescatore): As we see the "Internet of Things" coming, I hope the next generation of device designers will look at building in hard-coded passwords the way today's designers would look at building asbestos or mercury into their products. ]
*************************** Sponsored Links: ******************************
1) IBM Webcast - Security Analytics: What Matters in Your Chatter with Westley McDuffie, Wednesday, June 19th 12:30 pm EDT. http://www.sans.org/info/132917
2) Take the SANS survey on Security Intelligence and Analytics and enter to win an iPad! http://www.sans.org/info/132922
3) SANS Analyst Webcast: Implementing Hardware Roots of Trust With Trusted Platform Modules http://www.sans.org/info/132932
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Legislators Seek to Declassify FISA Court Opinion (June 11 & 13, 2013)
US lawmakers have proposed legislation that would declassify some opinions from the Foreign Intelligence Surveillance Court, following the leak of information that indicated the court has been ordering telecommunications companies to turn over customers' call records. Specifically, the bill seeks to require that the Justice Department declassify the FISA Court's interpretations of the Foreign Intelligence Surveillance Act and the Patriot Act. On Wednesday, June 12, the FISA Court "granted a motion not to block disclosure of an earlier ... opinion that declared parts of the NSA's surveillance under Section 702 of the FISA Amendments Act to be unconstitutional." The Electronic Frontier Foundation filed the motion in May.
-http://arstechnica.com/tech-policy/2013/06/for-the-first-time-secret-court-wont-block-release-of-nsa-opinion/
-http://www.wired.com/threatlevel/2013/06/fisa-court-declassification/
-http://www.computerworld.com/s/article/9239973/Senators_Google_push_for_transparency_at_surveillance_court?taxonomyId=17
-http://www.uscourts.gov/uscourts/courts/fisc/index.html
Google Wants to Disclose Data on FISA Court Orders (June 12, 2013)
Google, Facebook, Microsoft, and Yahoo have asked the Justice Department to lift gag orders that prohibit the companies from discussing FISA Court orders requesting customer data. Google and other companies have begun publishing data about the number of national security letters (NSLs) they receive annually, although those figures are given in ranges of thousands, which was the agreement reached with the government. NSLs may not request content, but FISA Court orders are not bound by the same restrictions. Google wants to publish the data to support its assertion that it does not allow the NSA to gather information through a secure portal or put the requested data in a drop box for federal agents to retrieve, as has been reported. Google has a team that reviews every FISA order. Typically, the company delivers the requested information by hand or sends it to the requesting organization through secure FTP transfers. Hand-delivered data would likely be hardcopy or put on a memory disk or external hard drive.
-http://www.washingtonpost.com/business/technology/google-details-how-it-hands-over-data-to-federal-officials/2013/06/12/94671d26-d377-11e2-b05f-3ea3f0e7bb5a_story.html
-http://www.wired.com/threatlevel/2013/06/google-uses-secure-ftp-to-feds/
-http://www.wired.com/threatlevel/2013/06/google-fisa-requests/
-http://www.npr.org/blogs/thetwo-way/2013/06/11/190723995/google-asks-permission-to-publish-info-about-fisa-requests
-http://www.washingtonpost.com/business/technology/google-asks-government-for-permission-to-publish-national-security-request-data/2013/06/11/59dc80fc-d2c7-11e2-8cbe-1bcbee06f8f8_story.html
-http://www.zdnet.com/facebook-and-microsoft-join-call-to-disclose-fisa-requests-7000016708/
Eight People Charged in International Cybercrime Scheme (June 12 & 13, 2013)
The US Attorney's Office in New Jersey has charged eight people with conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. The alleged criminals are from Kiev, Ukraine, as well as Massachusetts, New York, and the state of Georgia in the US. The complaint alleges that the group stole US $15 million or more from customer accounts at banks, brokerage firms and other financial institutions, transferring the money into accounts controlled by the group and onto pre-paid debit cards. Four of those named have been arrested.
-http://www.zdnet.com/eight-members-of-international-cybercrime-ring-charged-7000016788/
-http://www.computerworld.com/s/article/9240016/US_charges_eight_with_multimillion_dollar_cybercrime?taxonomyId=17
-http://www.justice.gov/usao/nj/Press/files/Sharapka,%20Oleksiy,%20et%20al.%20Arrest%20News%20Release.html
EU Justice Commissioner Demands Answers About EU Citizen Data and PRISM (June 12, 2013)
European Union (EU) justice commissioner Viviane Reding has given US Attorney General Eric Holder until Friday to provide specifics on how much personal information PRISM has collected about people in the EU. Reding is concerned that the program "could have grave adverse consequences for the fundamental rights of EU citizens." She is demanding to know what is being done with the data, whether the program's scope "involves issues beyond national security," and whether the surveillance program targets private citizens.
-http://www.computerworld.com/s/article/9239997/Europe_demands_Prism_answers_from_U.S._AG_Holder?taxonomyId=17
-http://www.bbc.co.uk/news/technology-22872884
-http://www.v3.co.uk/v3-uk/news/2274503/prism-europe-demands-us-response-to-data-sharing-concerns
[Editor's Note (Honan): Viviane Reding, the Vice President of the European Commission and EU Commissioner for Justice, has released a statement regarding the PRISM scandal stating that "The data protection rights of EU citizens are non-negotiable."
-http://europa.eu/rapid/press-release_SPEECH-13-536_en.htm]
Plea Deal Reached in Case Involving SQL Injection Attacks (June 12, 2013)
A man who launched attacks on the websites of several US police departments and public agencies has agreed to a plea deal. John Anthony Borell, III pleaded guilty to a total of five charges from combined cases in Utah, Missouri, and New York. The terms of the plea deal impose a three-year prison sentence and require that Borell pay nearly US $230,000 in restitution.
-http://arstechnica.com/tech-policy/2013/06/hacker-who-led-anonymous-sponsored-hacks-against-police-agrees-to-plea-deal/
-http://www.ohio.com/news/ohio-man-to-plead-guilty-to-hacking-charges-in-utah-1.405264
-http://ia601801.us.archive.org/17/items/gov.uscourts.utd.84202/gov.uscourts.utd.84202.50.0.pdf
State Prosecutors Introduce "Save Our Smartphones" Initiative (June 11, 12, & 13, 2013)
A group of law enforcement officials, politicians, and consumer advocates aims to help fight the growing theft of smartphones, which has reached "epidemic" proportions, according to San Francisco District Attorney George Gascon. The group plans to ask the manufacturers of the most widely used devices - Apple, Google/Motorola, Microsoft, and Samsung - to develop features that make the phones less attractive to thieves. The announcement of the initiative came on the same day that Gascon and New York Attorney General Eric Schneiderman were hosting a Smartphone Summit with representatives from major smartphone makers.
-http://news.cnet.com/8301-1009_3-57589115-83/prosecutors-team-up-to-combat-smartphone-thefts/
-http://www.washingtonpost.com/business/technology/sf-ny-prosecutors-to-announce-anti-smartphone-theft-initiative-before-summit-of-major-makers/2013/06/13/7dbb570c-d3fb-11e2-b3a2-3bf5eb37b9d0_story.html
-http://www.nbcnews.com/technology/kill-switch-pushed-solution-smartphone-thefts-6C10289065
-http://www.computerworld.com/s/article/9240039/US_prosecutors_propose_kill_switch_to_prevent_smartphone_theft?taxonomyId=17
Apple iOS7 Will Include Activation Lock Security Measures (June 11, 2013)
Apple has announced that the newest version of its mobile operating system, iOS7, will include a "kill switch" feature to make iPhones less attractive to thieves. Users will need to provide a valid Apple ID and password before they are permitted to erase data or turn off the "Find My iPhone" feature. The same combination of Apple ID and password will be required to reactivate the device after it has been erased remotely. iOS 7 is expected to be available this fall.
-http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch/index.html
-http://www.eweek.com/mobile/new-ios-7-lockout-feature-that-may-save-lives-wont-arrive-until-fall/
Prison Terms for Two in Phishing Scheme (June 10 & 11, 2013)
A US district judge in Connecticut has sentenced two Romanian men to prison for their roles in a phishing scheme. Bogdan Boceanu received an 80-month sentence and Andrei Bolovan received a 27-month sentence. In December, Bolovan pleaded guilty to conspiracy to commit fraud in connection with access devices. That same month, a jury found Boceanu guilty of the same charge as well as one charge of conspiracy to commit bank fraud. In all, 19 people are believed to have been involved in the scheme, which phished for payment card information, then used that information to make fraudulent withdrawals from ATMs.
-http://www.scmagazine.com/romanian-phishers-sentenced-to-us-federal-prison/article/298336/
-http://www.fbi.gov/newhaven/press-releases/2013/two-romanian-citizens-involving-in-phishing-scheme-sentenced-to-federal-prison
Twelve-Year Prison Sentence for Man Who Sold Pirated Industrial Software (June 11 & 12, 2013)
A man from Chengdu, China has been sentenced to 12 years in prison for his role in a software piracy operation that sold over US $100 million worth of software. Xiang Li, who operated a website that sold pirated software, was convicted of conspiracy to commit wire fraud and criminal copyright infringement. The software sold on the site was largely industrial grade, much of it designed for aerospace simulation and design, defense, intelligence gathering, manufacturing plant design, and other technical applications. Li was arrested two years ago when US agents posing as businessmen set up a meeting with him in the Northern Mariana Islands, which is a protectorate of the US and therefore falls under US jurisdiction.
-http://www.computerworld.com/s/article/9239985/Chinese_seller_of_pirated_software_sentenced_to_12_years_in_US_prison?taxonomyId=17
-http://www.bloomberg.com/news/2013-06-11/chinese-national-sentenced-to-12-years-over-pirated-software.html
-http://arstechnica.com/tech-policy/2013/06/chinese-piracy-ring-operator-sentenced-to-12-years-after-being-lured-to-us/
-http://www.ice.gov/news/releases/1306/130611wilmington.htm
KeyBoy Malware Exploits Known Flaws in Microsoft Office (June 10 & 11, 2013)
Malware known as KeyBoy exploits known flaws in certain versions of Microsoft Office to install a Trojan horse program and steal data. The attacks have been targeting users in Vietnam, India, China, and Taiwan. KeyBoy spreads initially through spear phishing messages that include Microsoft Word attachments designed to take advantage of remote code execution vulnerabilities in Microsoft Office 2003, 2007, and 2010. The flaws were patched in April and August 2012.
-http://www.scmagazine.com/new-targeted-attack-campaign-leverages-microsoft-office-vulnerabilities/article/297169/
-http://www.computerworld.com/s/article/9239940/New_backdoor_KeyBoy_malware_hits_Asia_with_targeted_attacks
Microsoft Bulletins With Office Fixes:
-http://technet.microsoft.com/en-us/security/bulletin/MS12-060
-http://technet.microsoft.com/en-us/security/bulletin/MS12-027
Microsoft Patches 23 Flaws; Adobe Issues Fixes for Single Flaw in Flash Player (June 11 & 12, 2013)
On Tuesday, June 11, Microsoft issued five security bulletins to address a total of 23 flaws in various products. One of the bulletins is a cumulative update for Internet Explorer. The bulletin fixes 19 security flaws in the browser and is rated critical. Another bulletin addresses a remote code execution flaw in Microsoft Office that is already being exploited in "limited, targeted attacks." That bulletin is rated important. Notably absent from the security updates was a fix for a flaw in Windows; that flaw was recently disclosed by a Google researcher. On the same day, Adobe issued security updates for Flash Player 11.7 for Windows, Mac, and Linux systems, and version 11.1 for Android. Those updates address just one vulnerability.
-http://www.scmagazine.com/microsoft-patches-18-internet-explorer-vulnerabilities-closes-an-actively-exploited-hole-in-office/article/298348/
-http://www.zdnet.com/patch-tuesday-23-vulnerabilities-fixed-ie-windows-office-7000016698/
-http://krebsonsecurity.com/2013/06/adobe-microsoft-patch-flash-windows/
-http://www.h-online.com/security/news/item/Microsoft-doesn-t-close-all-holes-on-June-patch-day-1887051.html
-http://www.computerworld.com/s/article/9239982/Microsoft_patches_critical_IE_vulnerabilities_and_actively_exploited_Office_flaw?taxonomyId=17
-http://www.zdnet.com/microsoft-misses-google-found-flaw-in-patch-tuesday-updates-7000016762/
-https://technet.microsoft.com/en-us/security/bulletin/ms13-jun
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/