Hackin9

The Office of Personnel Management has suspended operation of the Electronic Questionnaires for Investigations Processing (E-QIP) system, the web gateway used to submit materials for background investigations. The agency announced the move today, citing the discovery of a vulnerability in the portal during an ongoing review of the agency's security. "As a result, OPM has temporarily taken the E-QIP system offline for security enhancements," an agency spokesperson said in an official statement to press.

The flaw in E-QIP is reportedly not related to the massive breach of the OPM's systems, which may have exposed up to 18 million individuals' personal information. That information includes everything from social security number and date of birth to records of clearance adjudications, proceedings in which officials discuss reasons why an individual's security clearance may have been removed.

In some cases, adjudication data could include information about financial difficulties, sex lives, substance abuse, and other failings that could be used to potentially blackmail a person or otherwise coerce them into potentially giving up classified information.


The email message sent to the bank employee claimed that the sender had received a wire transfer from the recipient's organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would consider safe, in part because it began with https://www.google.com/. How would you examine the nature of this email?

Examining MSG and EML Files on Linux

One way to analyze the suspicious message saved as an Outlook .msg file is to start with the MSGConvert tool by Matijs van Zuijlen. This utility can convert .msg files into the more open multipart MIME formatted .eml files, whose structure is defined by RFC 822. MSGConvert works well on Linux. If you are using a recently-updated REMnux system, MSGConvert is already installed and you can invoke it using the msgconvert command. If using another distro, you can install the tool using the command cpan -i Email::Outlook::Message.

Once MSGConvert produces the .eml file, you can examine some of its aspects using a text editor, though this approach won't give you visibility into some aspects of the file's contents. A better alternative is to use the emldump.py tool.

In the example above, invoking emldump.py without any parameters showed the structure of the .eml file. The -d parameter directed the tool to dump the item that was designated using the -s parameter.

The suspicious email message included plain text and RTF-formatted components with matching contents. This is typical of many messages sent nowadays: the sender's email client uses RTF to represent formatting and also attaches the text version of the message for email clients that cannot display RTF content.

In the case of the email message described here, it is unclear whether it was used as part of a mass-scale or a targeted attack, which is one of the reasons I'm not showing its contents here. However, the message resembled the style of the note posted on one public forum, which looked like this:

Recently I received BPay transfer from you. I need to verify if it is sent correctly. This contact was in the transaction beneficiary info. Here is the full details of the payment:

Automatic Redirect via Google

The malicious link embedded in the email message was designed to make the victim believe that the destination of the URL was hosted on google.com and was, therefore, safe. In reality, the link was designed to redirect to a .zip file hosted on Dropbox. Normally, when a google.com/url link carries an external destination in its q= parameter, Google first shows a redirect notice to the visitor instead of forwarding them straight to that destination.

So that the victim didn't encounter this notice, the attacker added the usg= parameter to the malicious URL. Though the details of this parameter to Google's search URL are undocumented, it appears to contain a hash or a checksum of the URL specified in the q= parameter. If usg= is missing or its contents don't match the URL in the query, Google doesn't automatically redirect and instead presents the redirect notice. A proper value supplied in this parameter causes google.com to redirect automatically to the specified URL. Google uses this mechanism to direct visitors to their desired destination when they click a link on the search results page.

No one outside Google seems to know the algorithm for computing usg= contents. To derive the proper value, the attacker must have had to wait for Google to index the contents of his or her Dropbox, so that Google's servers precomputed the hash/checksum. Armed with the proper usg= value, the attacker would have known how to craft the URL that automatically redirected the victim. (Do you have a better theory regarding this? If so, please leave a comment to this diary.)

The potential of using usg= for automatic malicious redirects has been known for several years.

As of this writing, it is no longer possible to download the malicious zip file from the specified location, because Dropbox presents the following message:

Error (429) This accounts public links are generating too much traffic and have been temporarily disabled!

Tracking Email Using Google Analytics

The malicious message contained an embedded 1-pixel image that was designed to track whether, when and where the recipient opened the message. This web bug was linked to the attacker's Google Analytics account. To accomplish this, the embedded HTML code began like this:

<img src="http://www.google-analytics.com/collect?v=1&tid=...

The tid= parameter contained the sender's Google Analytics tracking ID. The cid= parameter identified the message recipient using the person's email address. As a result, Google Analytics provided the adversary with the insights necessary to track the effectiveness and context of the initial attack vector.
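As an added example (not code from the diary), the Python script below mimics the analysis workflow described above: it lists the MIME parts of an .eml the way emldump.py's structure view does, then pulls href/src URLs out of the HTML part and flags google.com/url links (reporting the q= destination and whether usg= is present) and google-analytics.com/collect beacons with their tid= and cid=. The sample message, the tracking ID UA-000000-0 and the Dropbox path are constructed placeholders, not values from the real email.

```python
import email, html, re
from email import policy
from urllib.parse import urlparse, parse_qs

# Constructed sample modelled on the diary's description; the real message is not shown on the page.
SAMPLE_EML = """\
To: employee@bank.example
Subject: Wire transfer confirmation
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm the payment went through.
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://www.google.com/url?q=https://www.dropbox.com/s/EXAMPLE/payment.zip&amp;usg=PLACEHOLDER">https://www.google.com/</a>
<img src="http://www.google-analytics.com/collect?v=1&amp;tid=UA-000000-0&amp;cid=employee%40bank.example&amp;t=event" width="1" height="1">
--b1--
"""

URL_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.I)

def classify_url(url):
    """Flag a Google redirect link (q= destination, usg= present?) or an Analytics beacon."""
    p = urlparse(url)
    q = parse_qs(p.query)          # also percent-decodes, so cid= comes back as an address
    host = (p.hostname or "").lower()
    if host in ("google.com", "www.google.com") and p.path == "/url" and "q" in q:
        return {"kind": "google_redirect", "destination": q["q"][0], "has_usg": "usg" in q}
    if host == "www.google-analytics.com" and p.path == "/collect":
        return {"kind": "ga_beacon", "tid": q.get("tid", [""])[0], "cid": q.get("cid", [""])[0]}
    return None

def analyze(raw):
    """Return (MIME part types like emldump's structure view, flagged URLs from the HTML part)."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts, hits = [], []
    for part in msg.walk():
        parts.append(part.get_content_type())
        if part.get_content_type() == "text/html":
            for url in URL_RE.findall(html.unescape(part.get_content())):
                verdict = classify_url(url)
                if verdict:
                    hits.append(verdict)
    return parts, hits

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```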

In this incident, the attacker was using mainstream tools to deliver a malicious payload and keep an eye on the overall campaign with the help of the Google search engine.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[SECURITY] [DSA 3297-1] unattended-upgrades security update
 

A year after Iraqi officials ordered the shutdown of Internet access in nearly a quarter of the country to limit the ability of ISIS to communicate, the government ordered a complete shutdown of Internet service in the country for three hours on Saturday, June 27. A shorter interruption followed today. At least one of these outages was apparently intended to block a different sort of message traffic: the sharing of answers for national exams for entry into junior high school.

The outage began at 5:00am in Iraq and lasted until 8:00am, based on data from Dyn Research. According to the Egypt-based Arabic news service El Hadas, the outage corresponded to "the start of the sixth ministerial preparatory exams"—the national tests for entry into junior high school. In Iraq, education is only required for all students up to the sixth-grade level; those who fail to score well enough on exams at the end of the sixth year generally don't continue their education.

With that kind of high-pressure testing, the motivation for cheating is high as well—so high that the government decided to shut down Internet access to prevent parents or others from remotely assisting students during the exams. It's not clear whether the brief outage today (which lasted about an hour, starting at 5:00am again) was also connected to testing.


 
In response to public concerns about cryptographic security, the National Institute of Standards and Technology (NIST) has formally revised its recommended methods for generating random numbers, a crucial element in protecting private ...
 
novius-os.5.0.1 Persistent XSS, LFI & Open Redirect Vulnerabilities
 
CollabNet Subversion Edge indes local file inclusion
 
CollabNet Subversion Edge missing single login restriction
 
CollabNet Subversion Edge missing brute force protection
 
CollabNet Subversion Edge insecure password change
 
CollabNet Subversion Edge tail local file inclusion
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: The 4.0.6 stable update contains a number of important fixes across the tree.
 

After last week's story, hopefully you've got your problem users' accounts identified. With that worked out, let's see about finding problem applications.

We all need a handle on what applications are installed on workstations for a number of reasons:

  • to make sure that when upgrade time comes, nobody gets left behind
  • that older apps that have security vulnerabilities or limited function get taken care of - old versions of PuTTY or Java, for instance
  • that users don't install applications that the organization hasn't paid for
  • and finally, it's a decent shot at finding installed malware that your AV product might have missed.

First, let's look at the PowerShell command to list installed software. This is a rough equivalent of Control Panel / Programs, or wmic product list:

Get-WmiObject -Class Win32_Product -computername .

If you run this, you'll see that this is *really* verbose (I won't show the output), and the list view is not so useful. Let's trim it down to a few fields in a table:

Get-WmiObject -Class Win32_Product -computername . | select vendor, name, version | format-table

or, to make the display more useful, replace format-table with out-gridview or Export-Csv.

But that just gives us programs that use the Microsoft installer process to install (MSIs and similar packages). How about single-EXE type apps, things like putty.exe, sed.exe and so on? The version metadata PowerShell holds for such a file looks like this:

Name : sed.exe
Length : 186880
CreationTime : 9/4/2012 1:33:52 PM
LastWriteTime : 3/31/2009 3:32:34 PM
LastAccessTime : 9/4/2012 1:33:52 PM
VersionInfo : File: C:\sed.exe
InternalName: sed
OriginalFilename: sed
FileVersion: 10.0.7063.0
FileDescription: SUA Utility
Product: Microsoft® Windows® Oper
ProductVersion: 10.0.7063.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: True
SpecialBuild: False
Language:

But we want a table view, and again just a few of those fields: the name, the original name (to account for users renaming EXE files), the file and application versions, and maybe the publisher. Some of these are a bit tricky to get, as they're lower down in the hierarchy of the object, but it works:

get-childitem ssh.exe | format-list name,creationtime,lastwritetime,@{label="ProductVersion";expression={$_.versioninfo.productversion}},@{label="FileVersion";expression={$_.versioninfo.fileversion}},@{label="Original FileName";expression={$_.versioninfo.originalfilename}}

Name : ssh.exe
CreationTime : 5/30/2011 4:50:57 PM
LastWriteTime : 8/6/2013 6:12:44 PM
ProductVersion : Release 0.63
FileVersion :

OOOPS - looks like I'm a rev back on PuTTY!

Here is the full metadata for excel.exe:

Name : excel.exe
Length : 20400288
CreationTime : 5/22/2015 7:11:54 PM
LastWriteTime : 5/22/2015 7:11:54 PM
LastAccessTime : 6/11/2015 3:58:19 PM
VersionInfo : File: C:\Program Files (x86)\Microsoft Office\Office14\excel.exe
InternalName: Excel
OriginalFilename: Excel.exe
FileVersion: 14.0.7151.5001
FileDescription: Microsoft Excel
Product: Microsoft Office 2010
ProductVersion: 14.0.7151.5001
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: Language Neutral

Great, you say, but how is inventorying things one file at a time useful? Let's use get-childitem recursively and pull all the EXEs in one shot. This is a reasonable way to grab everything. With that in a spreadsheet or database, you can slice and sort it however you need:

get-childitem c:\*.exe -recurse | format-table name,creationtime,lastwritetime,@{label="ProductVersion";expression={$_.versioninfo.productversion}},@{label="FileVersion";expression={$_.versioninfo.fileversion}},@{label="Original FileName";expression={$_.versioninfo.originalfilename}},@{label="Product";expression={$_.versioninfo.productname}}

Or, to write the same fields straight to a CSV:

Get-ChildItem c:\*.exe -Recurse | ForEach-Object {
    # Loop header and variable assignments reconstructed; the original page only shows the Select-Object and export lines.
    $Path = $_
    $Filename = $_.Name
    $Item = $_.FullName
    $originalname = $_.VersionInfo.OriginalFilename
    $Age = $_.CreationTime
    $product = $_.VersionInfo.ProductVersion
    $filever = $_.VersionInfo.FileVersion
    $Path | Select-Object `
        @{n="Name";e={$Filename}},`
        @{n="FilePath";e={$Item}},`
        @{n="Original Name";e={$originalname}},`
        @{n="Created";e={$Age}},`
        @{n="Product Ver";e={$product}},`
        @{n="File Ver";e={$filever}}
} | Export-Csv d:\sans\Results.csv -NoTypeInformation

Note that not all values are populated in the metadata for every file - that's just the way it is when you're processing standalone files like this.

Using this approach, you can see that with maybe an afternoon of scripting effort, you can set up a system that you might otherwise pay thousands or tens of thousands of dollars for - assuming that you're OK running your software inventory system from the CLI. For me, running my inventory from the CLI would be preferred, but I guess you figured that out!

Have you found a trick to process information like this more efficiently? Got a better script to collect this info more simply? Please, share using our comment form!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
[SECURITY] [DSA 3296-1] libcrypto++ security update
 
[security bulletin] HPSBGN03351 rev.1 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL, Remote Disclosure of Information
 
SEC Consult SA-20150626-0 :: Critical vulnerabilities in Polycom RealPresence Resource Manager (RPRM) allow surveillance on conferences
 
ESA-2015-097: EMC Secure Remote Services (ESRS) Virtual Edition (VE) Multiple Security Vulnerabilities
 

Naked Security

Monday review - the hot 28 stories of the week
Naked Security
You can easily unsubscribe if you decide you no longer want it. Image of days of week courtesy of Shutterstock. Tags: computer security, Infosec, monday review, news, security news, weekly roundup. inShare. How likely are you to recommend Naked ...

 