Salted Links: 7 April 2014

The Hash is on the road this week, but while yours truly is flying the friendly skies, the following round-up will keep you in the loop on current events and interesting research. Today's cache includes a unique attack on Microsoft Outlook, using XSS to launch DoS attacks, and a note on the end of Windows XP.

It's time to say goodbye to Windows XP

By the time you read this, there will be less than 24 hours until the end of Windows XP. For home users, where the real problem exists, the panic point will be the lack of security updates. Yet actually updating the software on home systems has always been a problem, so this isn't a world-stopping event for them.

For the office, Windows XP will live on. Even today, I know of organizations that are still using Windows 2000 and NT4, so the fact that XP will remain isn't a shock. There are legacy systems and applications in use that simply cannot be upgraded or altered.

Examples of this can be seen in the healthcare, transportation, and manufacturing industries. Thus, if the system works, don't change it. It's a painful policy, but one that many of us in IT have to live with year after year.

In a blog post, Qualys' CTO, Wolfgang Kandek, commented:

"Many industrial control systems and medical devices, configurations that typically have much longer useful life spans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated.

"Nevertheless, these systems are full XP and as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving [them] into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security."

Microsoft is offering extended support for XP, with prices starting at $100,000 per year. Banks (if their ATMs run XP) will likely opt in to this until they can phase the operating system out. But for the most part, XP usage is down.

Data collected from Qualys' BrowserCheck shows the percentage of XP dropping from 35 percent in January 2013 to just 14 percent this past February. Qualys expects this number to drop to 10 percent by the end of this month.

Using XSS for DoS attacks [The Hacker Blog]

Matthew Bryant (also known as Mandatory) has outlined additional methods of using XSS flaws on a website to initiate DoS attacks. His research is an extension of data released by Incapsula last week, after they discovered a video website with XSS flaws being used to trigger a DDoS attack.

"Overall these types of attacks are bound to happen again as they are simple and effective when done in a clever way. If chained with a lack of CSRF tokens or Open Redirect vulnerability, things could get much more powerful and complex. They also have a big advantage in that they don't require any sort of infection on a victim's computer but rather just some rogue JS on a vulnerable site," Bryant concluded.

"It really makes you think, should these large sites be held responsible for vulnerabilities that allow attacks like this to happen? A good comparison would be DNS amplification attacks which allow DoS attacks to be amplified through the use of vulnerable DNS servers."

Slow persistence with Outlook [enigma0x3]

On Sunday, researcher Matt Nelson posted a blog that caught my attention.

With a bit of phishing to get the mark to allow VBS to run (you'd be surprised how often Visual Basic is allowed in the workplace), Outlook and PowerShell can be used to maintain slow persistence on the system.

Nelson explains:

"By using [PowerShell and Outlook], we can achieve slow persistence on a machine by monitoring the default inbox and executing a payload when an email comes in with a specified subject. When you want your shell, you send an email and wait for the script on the user's machine to check in."

It's a neat tactic, and depending on the target, could be useful during a pen test where abnormal methods to gain access are needed.

Items of note:

The summer conference circuit is in full swing.

Source Boston is this week (April 8-10), and there are several B-Sides events coming as well. B-Sides Chicago is on the 26th, and there's one in London on the 29th. There are B-Sides events set for Boston, Algeria, San Antonio, Denver, Nashville, New Orleans, and Cincinnati in May.

As usual, Black Hat and DEF CON are coming; both conferences are currently in various phases of prep, but hotel blocks are available.

Speaking of Vegas, B-Sides Las Vegas has started an Indiegogo campaign to raise funds for the summer show, the largest of the B-Sides events. The Las Vegas gathering, now in its fifth year, is the show that started the B-Sides phenomenon.

More details are available at the B-Sides and SOURCE Conference websites.

In related news, Indianapolis will be hosting its first major security conference in June, CircleCity Con. If you're so inclined, come hang out in the Hash's hometown and talk shop.

Stories by Steve Ragan