(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Windows 10 collects more data and has more cloud connections than any version of Windows before—a design that has many privacy implications. One of the continued complaints around this is a lack of clarity around what gets collected and how it gets used. Ed Bott spotted that the privacy statement, the lengthy document covering all of Microsoft's major online services, was updated in October.

Some of the changes are straightforward corrections or updates to accommodate new service names. Others, however, are a bit more meaningful. For example, on consumer systems the recovery keys used for BitLocker drive encryption are by default backed up to OneDrive online. This enables data recovery in certain situations. The description of this in the privacy statement has been updated to note that "Microsoft doesn't use your individual recovery keys for any purpose," making clear that while the keys may be stored on OneDrive, Microsoft will not use them and is not interested in decrypting your disk.

Another alteration clarifies language that was being misinterpreted. The original privacy statement read that Microsoft "will access [...] your content (such as [...] files in private folders)" in response to law enforcement demands, to ensure safe operation of its services, and a few other situations. This led some to believe that private folders on users' hard disks were vulnerable to inspection and distribution by Microsoft. The new text makes it explicit that only files stored on OneDrive and e-mails stored in Outlook.com are covered by this statement.


WordPress Users Ultra Plugin [Unrestricted File Upload]
ESA-2015-163: EMC VPLEX Sensitive Information Exposure Vulnerability


A potential standard for securing network-connected pacemakers, automobiles, and other lightweight devices has suffered a potentially game-over setback after researchers developed a practical attack that obtains its secret cryptographic key.

Known as Algebraic Eraser, the scheme is a patented key-agreement protocol that lets two parties establish a shared secret key without overtaxing the limited memory and computational resources that often constrain so-called Internet of Things (IoT) devices. Developed by scientists from Shelton, Connecticut-based SecureRF, it is similar to the Diffie-Hellman key exchange in that it allows two parties who have never met to establish a key over an insecure channel.

The big advantage Algebraic Eraser has had is its ability to work using only a tiny fraction of the power and computing resources required by more traditional key exchanges. Algebraic Eraser has looked so promising that it's an underlying technology in ISO/IEC AWI 29167-20, a proposed International Organization for Standardization specification for securing radio frequency identification-enabled technologies, wireless sensors, embedded systems, and other devices where security is paramount and computing resources are minimal.


Open-Xchange Security Advisory 2015-11-17
Free WMA MP3 Converter - Buffer Overflow Exploit (SEH)
Murgent CMS - SQL Injection Vulnerability
Magento Bug Bounty #24 - Multiple CSRF Web Vulnerabilities
Magento Bug Bounty #22 - (Profile) Persistent Vulnerability
LAN Scan HD v1.20 iOS - Command Inject Vulnerability

CSO Online

A change in wording could attract more women to infosec
Information security is an endeavor that is frequently described in terms of war. What can we learn from history and from other industries about what a change in verbiage might do to affect the gender balance of this industry?


Today, we are all receiving a huge amount of spam containing multiple malicious documents (cf. my last diary). While most of them are part of massive spam campaigns and are already well known, others could be very interesting (because they are new or target specific people/groups). Having owned domain names and email addresses for years (some for 15+ years!), they are listed in all the spammers' databases around the world. This helps me receive a lot of emails. I'm collecting mails tagged as spam or sent to unknown recipients. That's a kind of email honeypot.

Given the volume of mail received, it is tedious to process it manually. I needed a way to automate the processing of all those attachments. That's the purpose of mime2vt.py. This Python script extracts MIME attachments from email flows and checks them against virustotal.com. This is a basic check that helps in the triage of all those malicious files. Today, the implemented features are:

  • MIME attachments are optionally dumped in a directory (for later investigations)
  • A VirusTotal API key is used to:
    • Check if the file is known (its score is returned and logged)
    • Submit unknown files
  • Irrelevant MIME types can be excluded (ex: image/png,image/gif,image/jpeg,text/plain,text/html)
  • Results are logged via Syslog
  • Zip archives are inspected
  • VirusTotal results are sent to an Elasticsearch instance (optional)

I recently updated the script with bug fixes and new features:

  • URLs are extracted from emails
  • MD5 hashes are stored in a local database
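The triage pass described by the feature list above, as an added example written for this page (it is not the mime2vt.py code, whose source is on GitHub). It reads a message from bytes, walks the MIME parts, skips the excluded MIME types, pulls URLs out of text parts, opens zip attachments, hashes every candidate file and records the hashes in a local SQLite table so that a sample seen before is not resubmitted. The sample message, its attachments and the table layout are constructed here; the VirusTotal query is left as a hypothetical hook (`submit_to_vt`) because it needs an API key and network access, and Syslog/Elasticsearch output is omitted.

```python
"""Added example of MIME attachment triage; not the original mime2vt.py."""
import email
import hashlib
import io
import re
import sqlite3
import sys
import zipfile
from email import policy
from email.message import EmailMessage

# MIME types not worth submitting, as listed in the diary.
EXCLUDED_TYPES = {"image/png", "image/gif", "image/jpeg", "text/plain", "text/html"}
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
MAX_MEMBER = 20 * 1024 * 1024  # skip zip members larger than 20 MiB (zip-bomb guard)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Local hash database: one row per sample, keyed by MD5 (as in the diary)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS samples ("
        "md5 TEXT PRIMARY KEY, sha256 TEXT, name TEXT, "
        "first_seen TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    return db


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def expand_zip(name: str, data: bytes):
    """Yield (member name, bytes) for a zip attachment; corrupt or encrypted members are skipped."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                try:
                    yield f"{name}/{info.filename}", zf.read(info)
                except RuntimeError:
                    continue  # password-protected member (common in malspam)
    except zipfile.BadZipFile:
        return


def submit_to_vt(md5: str, data: bytes) -> None:
    """Hypothetical hook: this is where a VirusTotal hash lookup / file submission would go."""
    return None


def triage_message(raw: bytes, db: sqlite3.Connection) -> dict:
    """Walk one RFC 822 message and return URLs, hashed samples and which hashes are new."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "urls": set(), "samples": [], "new": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype.startswith("text/"):  # URL extraction happens before the type filter
            charset = part.get_content_charset() or "utf-8"
            report["urls"].update(URL_RE.findall(payload.decode(charset, "replace")))
        if ctype in EXCLUDED_TYPES:
            continue
        name = part.get_filename() or "part-" + ctype.replace("/", "_")
        candidates = [(name, payload)]
        if ctype in ZIP_TYPES or name.lower().endswith(".zip"):
            candidates.extend(expand_zip(name, payload))
        for cname, data in candidates:
            h = hashes(data)
            cur = db.execute("INSERT OR IGNORE INTO samples(md5, sha256, name) VALUES (?, ?, ?)",
                             (h["md5"], h["sha256"], cname))
            report["samples"].append({"name": cname, "size": len(data), **h})
            if cur.rowcount == 1:  # first time this hash is seen locally
                report["new"].append(h["md5"])
                submit_to_vt(h["md5"], data)
    db.commit()
    return report


def build_sample() -> bytes:
    """Constructed test message (not a real capture): body URL, a PNG and a zip holding a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("invoice_4711.js", date_time=(2015, 11, 16, 12, 12, 50))
        zf.writestr(zi, "var s=new ActiveXObject('WScript.Shell');")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 4711"
    msg["X-Spam-Flag"] = "YES"
    msg.set_content("Please find the invoice attached: http://example.invalid/inv/4711")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_4711.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # `python3 triage.py -` reads a message from STDIN; otherwise the constructed sample is used.
    raw = sys.stdin.buffer.read() if sys.argv[1:] == ["-"] else build_sample()
    print(triage_message(raw, open_db()))
```

Because the script reads STDIN, it can be fed directly from the procmail recipe shown below; the SQLite table is what stops a large spam run from resubmitting the same attachment to VirusTotal hundreds of times.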

As the script reads the mail from STDIN, it is easy to plug into any environment. Example: a procmail recipe that pipes a copy of every spam-flagged message through the script before filing it in the spam folder:

  :0
  * ^X-Spam-Flag: YES
  {
    :0c
    | /usr/local/bin/mime2vt.py -d /var/mime/%y/%m/%d -c /etc/mime2vt.conf

    :0
    spam
  }

Example of the Syslog output:

  Nov 16 12:12:50 marge mime2vt.py[9238]: DEBUG: config_file = /etc/mime2vt.conf
  Nov 16 12:12:50 marge mime2vt.py[9238]: Processing zip archive: 8e10533a4b624f90b646a971fcf063c5.zip
  Nov 16 12:12:50 marge mime2vt.py[9238]: DEBUG: Extracted MD5 06a4059da943b09f13ab2909824968de from Zip
  Nov 16 12:12:51 marge mime2vt.py[9238]: DEBUG: VT Response received

The script is updated quite often, but it is already available on GitHub.

Xavier Mertens
ISC Handler - Freelance Security Consultant
