SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #64
August 18, 2015
TOP OF THE NEWS
IRS 'Get Transcript' Scam Affects 300,000+ Taxpayers
Millions of Websites Running on Windows Server 2003
THE REST OF THE WEEK'S NEWS
DARPA Solicits Proposals for DDoS Counterattack Tools
US Air Traffic Control System Local Outage Blamed on Software Update
State of Virginia Decommissions Bad Voting Machines
University of Virginia Breach
Stagefright Vulnerability Dogs Google
Two More Vulnerabilities in OS X
How College CIOs Prepare for Back-to-School Challenges
Google Admin App Vulnerability
STORM CENTER TECH CORNER
************************** Sponsored By Splunk ***************************
Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/179652
***************************************************************************
TRAINING UPDATE
- --SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT
- --Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N
- --SANS Virginia Beach 2015 | Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz
- --SANS Chicago 2015 | Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
IRS 'Get Transcript' Scam Affects 300,000+ Taxpayers (August 17, 2015)
The US Internal Revenue Service (IRS) now says that more than 300,000 taxpayers' personal information was stolen in a breach reported earlier this year, nearly three times the figure first given. The attackers used personal data obtained elsewhere to answer the identity questions on the 'Get Transcript' feature, which lets taxpayers retrieve transcripts of prior-year returns, and then used the information in those transcripts to file fraudulent returns.
-http://arstechnica.com/security/2015/08/irs-estimate-of-tax-records-stolen-by-fraudsters-soars-to-over-300000/
-http://www.cnet.com/news/hackers-might-have-stolen-irs-data-on-more-than-300000-households/
-http://www.nextgov.com/cybersecurity/2015/08/irs-data-breach-nearly-three-times-bigger-previously-reported/119188/?oref=ng-HPriver
Millions of Websites Running on Windows Server 2003 (August 17, 2015)
Statistics from Netcraft show that more than 600,000 web-facing systems are still running Windows Server 2003, which reached end of support on July 14, 2015 and no longer receives security patches. An estimated 175 million websites are hosted on the outdated software. Among the organizations still running Windows Server 2003 are Alibaba and NatWest. Microsoft reportedly offers custom extended support for a fee of about US $600 per server.
-http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/
**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know: http://www.sans.org/info/179657
2) Live Webinar: Asurion's Privileged Identity Management Journey. Learn best practices for protecting and monitoring super user accounts. Sign-up now: http://www.sans.org/info/179662
3) Use Maltego to exploit cyber threat intelligence from Web sources, to gain deeper insight into threats. Live demonstration webinar with Recorded Future on Wednesday, August 19 at 1:00 PM ET. Register now: http://www.sans.org/info/179667
***************************************************************************
THE REST OF THE WEEK'S NEWS
DARPA Solicits Proposals for DDoS Counterattack Tools (August 17, 2015)
The Pentagon's Defense Advanced Research Projects Agency (DARPA) will select researchers to develop tools to counter distributed denial-of-service (DDoS) attacks. The three-year program, called Extreme DDoS Defense (XD3), "aims to thwart DDoS attacks by dispersing cyber assets (physically and/or logically), disguising the characteristics and behaviors of those assets, and mitigating the attacks that still penetrate the targeted environment." Proposals are due on October 13, 2015; work is expected to start in spring 2016.
-http://www.nextgov.com/cybersecurity/2015/08/pentagon-researchers-will-wage-counterattack-crippling-ddos-cyber-strikes/119192/?oref=ng-HPriver
-https://www.fbo.gov/?s=opportunity&mode=form&id=b569a8b6ea2c5d3f2ee7fb37a5120968&tab=core&_cview=0
US Air Traffic Control System Outage Blamed on Software Update (August 16 and 17, 2015)
A component of the FAA's air traffic control management system malfunctioned following a software upgrade, causing hundreds of flights to be cancelled or delayed. The outage itself lasted several hours on Saturday, August 15, but its effects were felt through the rest of the weekend.
-http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage
-http://thehill.com/policy/transportation/251289-flypocalypse-raises-doubts-about-air-traffic-control-automation
-http://www.nytimes.com/2015/08/17/business/air-traffic-control-problem-delays-hundreds-of-us-flights.html
State of Virginia Decommissions Bad Voting Machines (August 17, 2015)
The US state of Virginia has stopped using voting machines that a computer scientist who spent years trying to get them banned calls the "worst" in the country. The state's board of elections decertified the WINVote touchscreen voting machines, which had a history of problems including unexplained subtraction of votes and a wireless network that allowed nearby smartphones to connect to the machines.
-http://www.wired.com/2015/08/virginia-finally-drops-americas-worst-voting-machines/
[Editor's note (Northcutt): Bad voting machine? What could possibly go wrong:
-https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-machine-in-the-us/
-http://www.csmonitor.com/USA/Elections/2012/1107/Voting-machine-glitches-How-bad-was-it-on-Election-Day-around-the-country
-http://www.motherjones.com/politics/2012/07/digital-voting-machines-fail-hacked
-http://www.huffingtonpost.com/news/electronic-voting-machines/
-https://www.schneier.com/blog/archives/2015/04/an_incredibly_i.html
-http://wavy.com/2015/04/01/dept-of-elections-serious-security-concerns-with-wireless-voting-equipment/]
University of Virginia Breach (August 17, 2015)
The University of Virginia (UVa) has acknowledged that attackers breached some of its IT systems. The school took its systems offline on Friday, August 14 to perform a security upgrade and restored them on Sunday, August 16. All users will be required to change their passwords. The attack, which reportedly originated in China, targeted the email accounts of two UVa employees whose work relates to China.
-http://www.scmagazine.com/uva-attack-came-from-china-targeted-email-accounts-of-two-staffers/article/433157/
-http://thehill.com/policy/cybersecurity/251259-hackers-hit-university-of-virginia
Stagefright Vulnerability Dogs Google (August 17, 2015)
After its first attempt to fix the Stagefright vulnerability was found to be incomplete, Google said that a complete Stagefright fix for Nexus devices would not ship until next month. Getting fixes onto most Android devices is difficult because Google has no direct update channel to them; patches reach handsets only through manufacturers and carriers. Google is facing criticism of its handling of the issue, particularly given the 90-day disclosure deadline its own Project Zero team imposes on other vendors.
-http://www.theregister.co.uk/2015/08/17/botched_google_stagefright_fix_wont_be_resolved_until_september/
[Editor's Note (Murray): I continue to believe that the geeks, who rejected iOS and demanded an open mobile operating system, can operate Android with an acceptable level of risk. However, nice people do not give Android to small children or the elderly. ]
Two More Vulnerabilities in OS X (August 16, 17, and 18, 2015)
A pair of vulnerabilities in Apple's OS X, disclosed along with a working exploit, can be used to corrupt kernel memory and give a local user or malware already running on the machine root privileges; they are local privilege escalation flaws, not remote ones. The bugs affect OS X Yosemite, including the just-released 10.10.5 update; the OS X El Capitan beta is reported to be unaffected.
-http://www.theregister.co.uk/2015/08/18/apple_local_root_os_x_yosemite/
-http://www.computerworld.com/article/2971727/security/italian-teen-finds-two-zeroday-vulnerabilities-in-os-x.html
-http://appleinsider.com/articles/15/08/16/new-privilege-escalation-exploit-discovered-in-os-x-yosemite-also-affects-just-released-10105
How College CIOs Prepare for Back-to-School Challenges (August 17, 2015)
Chief information officers (CIOs) at colleges and universities face an array of tasks and issues that are unique to their situations. College CIOs must deal with students' often malware-infected devices connecting to the network; systems that require constant uptime; and students and faculty who know their way around IT systems. CIOs at six schools discuss how they manage connectivity, service, security, and innovation.
-http://www.computerworld.com/article/2970862/infrastructure-management/how-college-cios-brace-for-back-to-school.html
Google Admin App Vulnerability (August 14, 2015)
A vulnerability in Google's Admin app for Android, publicly disclosed while it was still unpatched, could be exploited by a malicious app on the same device to steal Google for Work account credentials. Android isolates each app in its own sandbox, but the flaw in the Admin app let another app read files inside the Admin app's private sandbox. (The Google Admin app lets users manage their Google for Work accounts from Android devices.) Google says it has since released a fix.
-http://www.computerworld.com/article/2971516/security/zeroday-flaw-in-google-admin-app-allows-malicious-apps-to-read-its-files.html
-http://www.scmagazineuk.com/medium-severity-vulnerability-still-unpatched-in-google-admin-app/article/432983/
STORM CENTER TECH CORNER
New Version of Kansa Framework for DFIR
-https://isc.sans.edu/forums/diary/Tool+Tip+Kansa+Stafford+released+PowerShell+for+DFIR/20049/
Exploiting the Chrome XSS Auditor
-http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
Another OS X Yosemite privilege escalation vulnerability
-https://github.com/kpwn/tpwn
OnStar App Vulnerability
-https://www.youtube.com/watch?v=3olXUbS-prU&feature=youtu.be
Portmapper (Port 111) used for reflective DDoS Attack
-http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Adwind
-https://isc.sans.edu/diary/Adwind+another+payload+for+botnetbased+malspam/20041/
Hunting
-https://isc.sans.edu/forums/diary/Are+you+a+Hunter/20045/
Kaspersky Accused of Manufacturing False Positives
-http://www.theregister.co.uk/2015/08/14/kasperskygate/
Large Malicious Ad Campaign
-https://blog.malwarebytes.org/malvertising-2/2015/08/ssl-malvertising-campaign-continues/
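The portmapper item above (Level 3's warning about UDP port 111 as a reflection vector) is the one in this issue a defender can check for directly. The following is an added example, not code from the ISC diary or from Level 3's post: it builds the ONC RPC v2 PMAPPROC_DUMP request that reflection attacks send with a spoofed source address, parses a DUMP reply, and reports the amplification factor (reply bytes divided by request bytes). The reply it parses offline is constructed here to stand in for a live host's answer; the probe() function, which sends the same request over UDP to a host you are authorised to test, is an assumption about how one would run the check and is not invoked by default.

```python
"""Portmapper (rpcbind, UDP/111) reflection check: build a PMAPPROC_DUMP
request, parse the reply, and compute the amplification factor.
Added example; the sample reply below is constructed, not captured."""
import os
import socket
import struct

PMAP_PROG = 100000        # portmapper/rpcbind program number
PMAP_VERS = 2
PMAPPROC_DUMP = 4         # "list every registered RPC program"
RPC_CALL, RPC_REPLY = 0, 1
AUTH_NULL = 0

# Constructed sample: what a typical NFS server's rpcbind advertises.
# Each entry is (program, version, protocol, port); protocol 6=TCP, 17=UDP.
SAMPLE_MAPPINGS = [
    (100000, 4, 6, 111), (100000, 3, 6, 111), (100000, 2, 6, 111),
    (100000, 4, 17, 111), (100000, 3, 17, 111), (100000, 2, 17, 111),
    (100024, 1, 17, 40591), (100024, 1, 6, 52347),    # status
    (100003, 3, 6, 2049), (100003, 4, 6, 2049),       # nfs
    (100005, 1, 17, 20048), (100005, 3, 6, 20048),    # mountd
]


def build_dump_request(xid: int) -> bytes:
    """Encode a 40-byte RPC v2 CALL for PMAPPROC_DUMP with AUTH_NULL
    credentials and verifier. This is the packet attackers spoof."""
    return struct.pack(
        ">IIIIII" "II" "II",
        xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
        AUTH_NULL, 0,     # credentials: flavor, body length
        AUTH_NULL, 0,     # verifier: flavor, body length
    )


def build_dump_reply(xid: int, mappings) -> bytes:
    """Encode an accepted RPC REPLY carrying a pmaplist; used to construct
    sample traffic so the check runs offline."""
    # xid, REPLY, reply_stat=0 (MSG_ACCEPTED), verifier flavor/len, accept_stat=0 (SUCCESS)
    head = struct.pack(">IIIIII", xid, RPC_REPLY, 0, AUTH_NULL, 0, 0)
    body = b"".join(struct.pack(">IIIII", 1, *m) for m in mappings)  # value_follows=1
    return head + body + struct.pack(">I", 0)                         # list terminator


def parse_dump_reply(data: bytes, expect_xid: int):
    """Decode a DUMP reply into (prog, vers, prot, port) tuples.
    Rejects replies whose xid does not match or that were not accepted."""
    xid, mtype, reply_stat, _vflavor, vlen = struct.unpack_from(">IIIII", data, 0)
    off = 20 + ((vlen + 3) & ~3)            # skip verifier body, padded to 4 bytes
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if xid != expect_xid or mtype != RPC_REPLY or reply_stat != 0 or accept_stat != 0:
        raise ValueError("not an accepted reply to our request")
    entries = []
    while True:
        (follows,) = struct.unpack_from(">I", data, off)
        off += 4
        if not follows:
            return entries
        entries.append(struct.unpack_from(">IIII", data, off))
        off += 16


def amplification(request: bytes, reply: bytes) -> float:
    """Bandwidth amplification factor a reflector hands an attacker."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0):
    """Send one DUMP request to host:111 over UDP (only against systems you
    are authorised to test) and return (amplification factor, mappings)."""
    xid = int.from_bytes(os.urandom(4), "big")
    req = build_dump_request(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 111))
        data, _ = s.recvfrom(65535)
    return amplification(req, data), parse_dump_reply(data, xid)


if __name__ == "__main__":
    xid = 0x5A4E5342
    req = build_dump_request(xid)
    rep = build_dump_reply(xid, SAMPLE_MAPPINGS)   # stands in for a live host's answer
    print(f"request {len(req)} bytes, reply {len(rep)} bytes, "
          f"amplification {amplification(req, rep):.1f}x")
    for prog, vers, prot, port in parse_dump_reply(rep, xid):
        print(f"  prog={prog} vers={vers} {'tcp' if prot == 6 else 'udp'}/{port}")
```

With the constructed twelve-entry list the 40-byte request draws a 268-byte reply, roughly 6.7x; hosts with many registered programs reply with far more, which is why any rpcbind reachable from the Internet on UDP/111 should be filtered or restricted to TCP.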
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/