SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #5

January 18, 2013

A pattern is emerging involving increasing volume and sophistication of
cyber attack against "operational technology (OT)" ranging from SCADA
power systems to oil & gas and manufacturing (and centrifuge) industrial
control; medical technology devices; environmental control systems and
other appliances; essentially all computer-controlled technology not
owned/managed by traditional IT organizations. In many large
organizations OT systems rival IT systems in number and exceed them in
vulnerability and potential damage. Nation-state and other attackers
have been laser focused on OT both as targets and as pathways for
getting to other targets. The first chance to learn the state of the art
in protecting OT, bringing together OT technology leaders and IT
security leaders is in Orlando February 12-13 with intense courses
before and after the workshop (and you have 6 days left to save $500 if
you want to learn about this new threat vector and see how it could
affect your company and your career). Also at this meeting, the top ICS
security guy (who just left DHS) will provide insights and discussion
unlike what has been available anywhere else, and the International
Consortium on ICS Security" will be launching its 2013 projects. (By
invitation - ask Mike Assante to invite you if you work for a major ICS
end-user or supplier and think you can contribute.)
Registration: http://www.sans.org/event/north-american-scada-2013

Alan

PS You also have 6 days (until January 23) to save $500 on courses at
SANS 2013 - the largest training program in cybersecurity - in early
March in Orlando. http://www.sans.org/event/sans-2013

---

TOP OF THE NEWS

Fake Java Patch Is Actually Malware; Zero Day Java Exploit Is Being Sold
Red October Hackers Exploited Known Java Vulnerability
Iran Will be a "Force to be Reckoned With" in Cyber Arena

THE REST OF THE WEEK'S NEWS

Researchers Find Security Weakness in Systems That Interface with Medical Devices
Foxit Updates PDF Reader to Fix Critical Flaw
German Federal Criminal Police to Use Interim Surveillance Software
Top Developer Found to Have Outsourced Work to Chinese Subcontractor
Proposed Amendment to CFAA Would Remove Terms of Service Agreements From the Computer Fraud and Abuse Act
Adobe Releases Fixes for ColdFusion Vulnerabilities
US-CERT Continues to Recommend Disabling Java After Oracle Issues Patch
NIST to Test Technology for Secure Health Data Sharing
NIST to Test Technology for Secure Health Data Sharing

SYSTEMS SECURITY NEWS

The SCADA Patch Problem

---

************************ SPONSORED BY Bit9 *******************************
LIVE WEBCAST: Trust-based Application Control 101 - 8% of enterprise endpoints are infected with malware at any given time. And 80% of stolen data comes from servers the enterprise thinks are secure. These alarming statistics show why antivirus and other traditional security products are ineffective against advanced threats and targeted attacks. Register today for this webcast http://www.sans.org/info/121342
****************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
tp://www.sans.org/event/monterey-2013

- - --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Fake Java Patch Is Actually Malware and Zero Day Java Exploit Is Being Sold (January 17, 2013)

In a typically opportunistic move by hackers, malicious software is masquerading as the latest patch for Java, and connecting infected machines back to a command and control server. In addition, top ranked security reporter Brian Krebs wrote on Wednesday that a zero-day Java exploit for an apparently brand-new vulnerability was being advertised for US$5,000 in an underground hacking forum. The advertisement was posted for a short time, then disappeared, Krebs wrote.
-http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
-http://www.computerworld.com/s/article/9235946/Malware_masquerades_as_patch_for_
Java

Red October Hackers Exploited Known Java Vulnerability (January 15 & 16, 2013)

Among the attack vectors employed by those behind the Red October cyberespionage campaign was an old Java exploit. Red October, which appears to have been operational for at least five years, targeted diplomatic, military, and government data on computer systems and mobile devices. Kaspersky Labs disclosed their discovery of Red October on Monday, January 14. The research indicated that the perpetrators exploited vulnerabilities in Excel and Word to launch their attacks. On Tuesday, a company called Securlert said that the hackers were also exploiting a known Java vulnerability that Oracle had patched in October 2011.
-http://www.zdnet.com/red-october-hackers-also-used-java-exploit-for-spy-campaign
-7000009881/
-http://www.theregister.co.uk/2013/01/16/red_october_java_connection/
-http://www.computerworld.com/s/article/9235859/Java_exploit_used_in_Red_October_
cyberespionage_attacks_researchers_say?taxonomyId=17

Iran Will be a "Force to be Reckoned With" in Cyber Arena (January 17, 2013)

The head of the US Air Force Space Command, General William Shelton, said that in the wake of Stuxnet, Iran has taken steps to strengthen both its offensive and its defensive cyber powers and will be a "force to be reckoned with." Analysts say that cyberattacks emanating from Iran are of increasingly greater sophistication. Iranian officials deny the country's involvement with the wave of distributed denial-of-service (DDoS) attacks on US banks.
-http://www.nbcnews.com/technology/technolog/iran-beefed-cyber-capabilities-after
-stuxnet-us-general-1B8024450
-http://www.bloomberg.com/news/2013-01-17/iran-s-cyber-threat-potential-great-u-s
-general-says.html
[Editor's Note (Murray): As the first victim of "cyber war" perpetrated by a nation state, it is unlikely that Iran will sit quietly.
(Paller): Some might argue that Georgia or another nation was an earlier victim of cyberwar, but that does not make Bill Murray's comment any less cogent. ]

---

THE REST OF THE WEEK'S NEWS

Researchers Find Security Weakness in Systems That Interface with Medical Devices (January 17, 2013)

Vulnerability researchers have found they were able to gain access to a medical information management system that interfaces with medical devices. The pair of researchers was able to attain privileged user status on the Philips XPER system due to weak remote authentication. One of the more difficult aspects of their activity was obtaining the equipment on which to run the tests, as sale of the system in question is restricted to licensed buyers only. They managed to obtain one from a reseller; when it arrived, it bore an inventory tag from an unnamed hospital. (Please note that Dark Reading now requires a free subscription. They will ask for your name and email address and that you choose a password.)
-http://www.darkreading.com/vulnerability-management/167901026/security/attacks-b
reaches/240146474/security-researchers-expose-bug-in-medical-system-used-with-x-
ray-machines-other-devices.html.html
www.scmagazine.com/patient-data-revealed-in-medical-device-hack/article/276568/
[Editor's Note (Murray): Vulnerability, high consequence, low threat, low risk. Publicizing the vulnerability has not made the world better. ]

Foxit Updates PDF Reader to Fix Critical Flaw (January 17, 2013)

Foxit has released an updated version of its Foxit Reader PDF viewer plug-in that fixes a critical remote code execution flaw. The vulnerability affected the browser plug-in for Firefox, Chrome, Opera, and Safari. Users are urged to upgrade to Foxit Reader version 5.4.5.
-http://www.computerworld.com/s/article/9235925/Foxit_patches_critical_flaw_in_PD
F_viewer_browser_plug_in?taxonomyId=17
-http://www.foxitsoftware.com/support/security_bulletins.php#FRD-18

German Federal Criminal Police to Use Interim Surveillance Software (January 17, 2013)

According to a confidential document that has been leaked to the Internet, the German Federal Criminal Police Office, the Bundeskriminalamt (BKA), has purchased surveillance software that will reportedly be used until the organization's custom surveillance software is ready for use. The software uses a Trojan horse program to record Internet telephony conversations prior to their encryption from the sender or after their decryption on the recipient's device.
-http://www.h-online.com/security/news/item/German-Federal-Criminal-Police-acquir
es-interim-government-trojan-from-Gamma-1786026.html
-http://qz.com/44208/german-governments-surveillance-software-unsettles-a-nation-
that-prizes-privacy/

Top Developer Found to Have Outsourced Work to Chinese Subcontractor (January 16 & 17, 2013)

An audit found that a software developer at an unnamed critical infrastructure organization had outsourced his work to a subcontractor in China and was spending his days surfing the Internet. The man's company became suspicious when VPN (virtual private network) traffic logs showed logins to the company's server from Shenyang, China. They asked their service provider, Verizon, to investigate. Instead of finding evidence of malware, they discovered that their top developer had outsourced his work. He had even gone so far as to send his RSA token to China by express mail. A subsequent investigation revealed that the programmer has taken on jobs with other companies and outsourced that work as well.
-http://www.computerworld.com/s/article/9235926/_Bob_outsources_tech_job_to_China
_watches_cat_videos_at_work?taxonomyId=17
-http://www.bbc.co.uk/news/technology-21043693
-http://www.theregister.co.uk/2013/01/16/developer_oursources_job_china/
-http://www.v3.co.uk/v3-uk/it-sneak-blog/2236830/developer-outsources-own-job-to-
china-but-vpn-logs-give-the-game-away
[Editor's Note (Shpantzer): Proactive review of logs (if you actually turn logs on, that is) can be both cheap and effective and is perhaps the most underutilized 'tool' out there. For example, successful VPN logins from a place nobody should be coming from (as in the story above) and, the same userID logged in from two different regions within X hours. Easy way to find potential misuse of legitimate credentials. Some false positives possible but you'll see the patterns fairly quickly and know what's suspicious. ]

Proposed Amendment to CFAA Would Remove Terms of Service Agreements From the Computer Fraud and Abuse Act (January 15, 16, & 17, 2013)

US Representative Zoe Lofgren (D-California) has introduced legislation to amend the Computer Fraud and Abuse Act (CFAA). The CFAA currently lets prosecutors use a broad definition of unauthorized access, so that violating an ISP's or web site's terms of service agreement would be grounds to bring felony charges. Lofgren's bill would remove terms of service agreement violations from CFAA. Lofgren is calling the proposed amendment Aaron's Law in memory of Aaron Swartz, who committed suicide last week. Swartz was facing the possibility of more than 30 years in prison for 13 felony counts of computer and wire fraud. Swartz wanted to make millions of pages of academic papers available to the public.
-http://www.h-online.com/security/news/item/Aaron-s-Law-hopes-to-blunt-US-compute
r-crime-law-1786033.html
-http://www.theregister.co.uk/2013/01/16/congresswoman_petition_aaron_swartz/
-http://www.computerworld.com/s/article/9235854/Swartz_suicide_shines_light_on_fe
deral_anti_hacking_law?taxonomyId=17
-http://www.computerworld.com/s/article/9235892/Congresswoman_proposes_computer_f
raud_law_amendment_to_honor_Aaron_Swartz?taxonomyId=17

Adobe Releases Fixes for ColdFusion Vulnerabilities (January 16, 2013)

Adobe has issued fixes for four critical flaws in its ColdFusion application server. The vulnerabilities have been actively exploited since the beginning of the year. Adobe released an advisory about the flaws on January 4. On January 15, Adobe released Hotfixes for ColdFusion versions 10, 9.0.2, 9.0.1, and 9.0. Users are urged to upgrade as soon as possible.
-http://www.computerworld.com/s/article/9235894/Adobe_patches_exploited_ColdFusio
n_flaws?taxonomyId=17
-http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

US-CERT Continues to Recommend Disabling Java After Oracle Issues Patch (January 14 & 16, 2013)

Although Oracle has released a patch for a vulnerability in Java that was being actively exploited, the US Department of Homeland Security's (DHS's) US Computer Emergency Response Team (US-CERT) is still urging users to disable Java in their browsers. A note from US-CERT said, "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," and recommends that users disable Java "until adequate updates are available."
-http://www.nbcnews.com/technology/technolog/homeland-security-still-says-no-java
-1B8000547
-http://www.computerworld.com/s/article/9235898/Post_patch_US_CERT_continues_call
_to_disable_Java_plug_in?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57563951-83/homeland-security-still-advises-dis
abling-java-even-after-update/

NIST to Test Technology for Secure Health Data Sharing (January 15, 2013)

The US National Institute of Standards and Technology (NIST) will test technologies that are designed to help make sure that shared health care information remains secure. The issue is especially important for small providers. The project "aims to come up with tools and methods to support the secure exchange of health information, a process which may be especially difficult for small providers who might lack the security infrastructure or expertise of larger healthcare organizations."
-http://www.healthcareitnews.com/news/nist-test-data-exchange-security
-http://www.ofr.gov/OFRUpload/OFRData/2013-00724_PI.pdf
[Editor's note (Murray): HIPAA has created such a high barrier to electronic health records that we tolerate the paper health records that are killing and impoverishing us. Rules are not incentives. As the source of the HIPAA privacy rules, NIST should be a source of help. ]

---

SYSTEMS SECURITY NEWS

The SCADA Patch Problem

-http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/2
40146355/the-scada-patch-problem.html
(McBride) This article is a positive step in coverage of ICS issues from the popular security press. It explains things as they really are rather than how IT security personnel are accustomed to them being. (Assante) Know when to patch. A decision to simply patch or not can be dangerous. System owners should evaluate both the risk of applying a patch and consider how an unaddressed vulnerability could be exploited. A blanket decision to forgo patching combined with a failure to consider compensating mitigations could be considered negligent. SEC might consider additional guidance forcing companies to disclose practices that keep managers blind to the risks they face.

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/