(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The CID, a unique identifier for Microsoft accounts, is used as part of the hostname for the location of user data for Outlook.com, Microsoft accounts, and other Live services. (credit: Sean Gallagher)

If you think using secure HTTP would be enough to protect your privacy when checking webmail, think again. When users connect to their Microsoft user account page, Outlook.com, or OneDrive.com, the connection leaks a unique identifier, even over HTTPS, that can be used to retrieve their name and profile photo in plaintext.

A unique identifier called a CID is exposed because it's sent as part of a Domain Name Service lookup for the address of the storage server containing profile data and as part of the initiation of an encrypted connection. As a result, it could be used to track users when they connect to services from both computers and mobile devices, possibly even identifying users as their requests leave the Tor anonymizing network.

In a lab test, Ars confirmed the leak, first publicized this weekend by a blogger based in Beijing. Packet captures of connections to Outlook.com, the Windows account page, and OneDrive.com revealed DNS lookup requests for a host with the format cid-[user's CID here].users.storage.live.com. The CID is also embedded in the Server Name Indication (SNI) extension data exchanged during the Transport Layer Security "handshake" that secures the session to the services, as Ars confirmed in an inspection of the packets.
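As an added illustration (not part of the Ars article), the Python below scans constructed DNS-query and TLS-SNI records for the cid-[CID].users.storage.live.com hostname pattern described above and shows how a single identifier can be correlated across services and channels on the wire; the record format and CID values are made up for the example.

```python
import re
from collections import defaultdict

# Hostname pattern described in the article: cid-<CID>.users.storage.live.com.
# The CID is shown as a hex string; its exact length is not stated, so any run is accepted.
CID_HOST = re.compile(r"\bcid-([0-9a-f]+)\.users\.storage\.live\.com\b", re.IGNORECASE)

# Constructed sample records in the shape a capture tool might export:
# "<time> <client-ip> <channel> <field>=<value>". The CID values are invented.
SAMPLE_RECORDS = [
    "12:00:01 10.0.0.5 DNS query=outlook.live.com",
    "12:00:01 10.0.0.5 DNS query=cid-0123abcd4567ef89.users.storage.live.com",
    "12:00:02 10.0.0.5 TLS sni=cid-0123abcd4567ef89.users.storage.live.com",
    "12:05:30 10.0.0.5 TLS sni=onedrive.live.com",
    "12:05:31 10.0.0.5 DNS query=cid-0123abcd4567ef89.users.storage.live.com",
    "12:07:00 10.0.0.9 TLS sni=cid-feedface00000001.users.storage.live.com",
]

def extract_cid_sightings(records):
    """Return {cid: [(time, client_ip, channel), ...]} for every record whose DNS
    query name or TLS SNI value carries a CID-bearing hostname."""
    sightings = defaultdict(list)
    for line in records:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip rather than guess
        ts, client, channel, kv = parts
        _, _, value = kv.partition("=")
        m = CID_HOST.search(value)
        if m:
            sightings[m.group(1).lower()].append((ts, client, channel))
    return dict(sightings)

def tracked_clients(records):
    """Map each leaked CID to the sorted client addresses that exposed it. Because the
    CID is constant per account, the same value seen from several addresses or at
    several times lets a network observer tie those sessions to one user."""
    return {cid: sorted({c for _, c, _ in seen})
            for cid, seen in extract_cid_sightings(records).items()}

if __name__ == "__main__":
    for cid, seen in extract_cid_sightings(SAMPLE_RECORDS).items():
        print(cid, len(seen), "exposures via", sorted({ch for *_, ch in seen}))
```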



Researchers have uncovered advanced malware that can steal virtually all of a large organization's e-mail passwords by infecting its Outlook Web Application (OWA) mail server over an extended period of time.

Researchers from security firm Cybereason discovered the malicious OWA module after receiving a call from an unnamed company that had more than 19,000 endpoints. The customer had witnessed several behavioral abnormalities in its network and asked Cybereason to look for signs of an infection. Within a few hours, the security firm found a suspicious DLL file loaded into the company's OWA server. While it contained the same name as a benign DLL file, this one was unsigned and was loaded from a different directory.

The OWAAUTH.dll file contained a backdoor. Because it ran on the server, it was able to retrieve all HTTPS-protected server requests after they had been decrypted. As a result, the attackers behind this advanced persistent threat—the term given to malware campaigns that target a specific organization for months or years—were able to steal the passwords of just about anyone accessing the server.
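The following Python is an added example, not Cybereason's tooling: it audits a constructed inventory of modules loaded into an OWA worker process for the indicators the text describes (a DLL whose name collides with a benign one, loaded unsigned from a different directory). The directory paths marked PLACEHOLDER are assumptions, not real Exchange install paths.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed module inventory for one OWA worker process, in the form a
# process-module listing gives: (file name, directory loaded from, Authenticode-signed?).
# The second OWAAUTH.dll entry mirrors the article's indicator: same name, unsigned,
# loaded from a different directory than the benign copy.
SAMPLE_MODULES = [
    ("OWAAUTH.dll",    r"C:\PLACEHOLDER\Exchange\ClientAccess\Owa\Bin", True),
    ("OWAAUTH.dll",    r"C:\Windows\Temp", False),
    ("System.Web.dll", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319", True),
    ("Helper.dll",     r"C:\PLACEHOLDER\Exchange\ClientAccess\Owa\Bin", False),
]

# Directories from which this process is expected to load code (placeholders).
TRUSTED_DIRS = [
    r"C:\PLACEHOLDER\Exchange\ClientAccess\Owa\Bin",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319",
]

def audit_modules(modules, trusted_dirs):
    """Return (name, directory, reason) findings. Three independent checks:
    duplicate-name (one module name loaded from more than one directory),
    unsigned, and untrusted-directory. PureWindowsPath compares case-insensitively."""
    dirs_by_name = defaultdict(set)
    for name, directory, _ in modules:
        dirs_by_name[name.lower()].add(PureWindowsPath(directory))
    trusted = {PureWindowsPath(d) for d in trusted_dirs}
    findings = []
    for name, directory, signed in modules:
        if len(dirs_by_name[name.lower()]) > 1:
            findings.append((name, directory, "duplicate-name"))
        if not signed:
            findings.append((name, directory, "unsigned"))
        if PureWindowsPath(directory) not in trusted:
            findings.append((name, directory, "untrusted-directory"))
    return findings

def suspicious_loads(modules, trusted_dirs):
    """Collapse findings to [((name, directory), {reasons}), ...], the entries with
    the most reasons first; a clean module does not appear at all."""
    reasons = defaultdict(set)
    for name, directory, reason in audit_modules(modules, trusted_dirs):
        reasons[(name, directory)].add(reason)
    return sorted(reasons.items(), key=lambda kv: -len(kv[1]))

if __name__ == "__main__":
    for (name, directory), why in suspicious_loads(SAMPLE_MODULES, TRUSTED_DIRS):
        print(f"{name} from {directory}: {', '.join(sorted(why))}")
```

On a real server the inventory would come from a module listing of the w3wp.exe process and the signature check from the file's Authenticode status; the logic above is the same.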


[security bulletin] HPSBUX03359 SSRT102094 rev.2 - HP-UX pppoec, local elevation of privilege

This cartoon by John Klossner really hit a nerve with many security professionals. It nicely illustrates how many of us see the futility of our jobs: we can buy all the greatest and latest equipment, but in the end, we are up against users clicking on links and installing software that they shouldn't. Cisco recently published a statistic that 40% of all users who hit one of the recent exploit kits' landing pages are getting infected by one of the exploits delivered by the exploit kit. Brad keeps telling us about the various methods for spotting exploit kits, and how they evolve over time. In the end, any user we can keep away from an exploit kit page is a win.

This October, like in years past, we celebrate cyber security awareness month. The idea is to use this month for some special security awareness activities. In the past, we used a specific theme for our diaries in October. This month, we will have a couple of specific diaries about tips and tricks in awareness training. If you want to share any tips, please let us know.

Here are a couple of resources:

SANS Securing the Human: http://www.securingthehuman.org (in particular the Ouch newsletter)
SANS Tip of the Day: http://www.sans.org/tip_of_the_day.php
Past CSAM Diaries: https://www.staysafeonline.org/ncsam/

And if you need more inspiration for your own campaign, here are more of John's security related cartoons: http://jklossner.com/computerworld/security.html

Johannes B. Ullrich, Ph.D.


SouthernAlpha (press release) (blog)

InfoSec Nashville 2015: Navigating Adversaries and Allies
Now in its 15th year, InfoSec Nashville is the Southeast's leading security conference and aims to bring technologists and security professionals together for a full day of exciting speakers and networking opportunities. This year, the Middle Tennessee ...

Multiple Reflected XSS in ResAds version 1.0.1 WordPress plugin
A Reflected XSS in Easy2Map version 1.2.9 WordPress plugin
Multiple Path/Directory Traversal and/or Local File Inclusion in Easy2Map version 1.2.9 WordPress plugin
LanSpy Buffer Overflow