Salted Links: 7 April 2014

The Hash is on the road this week, but while yours truly is flying the friendly skies, the following round-up will keep you in the loop on current events and interesting research. Today’s cache includes a unique attack on Microsoft Outlook, using XSS to launch DoS attacks, and a note on the end of Windows XP.

It’s time to say goodbye to Windows XP

By the time you read this, there will be less than 24-hours until the end of Windows XP. For home users, where the real problem exists, the panic point will be the lack of security updates. Yet, actually updating the software on systems used in the home has always been a problem, so this isn’t a world stopping event for them.

For the office, Windows XP will live on. Even today, I know of organizations that are still using Windows 2000 and NT4, so the fact that XP will remain isn’t a shock. There are legacy systems and applications in use that simply cannot be upgraded or altered.

Examples of this can be seen in the healthcare, transportation, and manufacturing industries. Thus, if the system works, don’t change it. It’s a painful policy, but one that many of us in IT have to live with year after year.

In a blog post, Qualys’ CTO, Wolfgang Kandek, commented:

“Many industrial control systems and medical devices, configurations that typically have much longer useful life spans (>10 years) than pure computer equipment (

“Nevertheless, these systems are full XP and as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving [them] into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security.”

Microsoft is offering extended support for XP, with prices starting at $100,000 per year. Banks (if their ATMs run XP) will likely opt-in for this until they can phase the operating system out. But for the most part, XP usage is down.

Data collected from Qualys’ BrowserCheck shows the percentage of XP dropping from 35 percent in January 2013 to just 14 percent this past February. Qualys expects this number to drop to 10 percent by the end of this month.

Using XSS for DoS attacks [The Hacker Blog]

Matthew Bryant (also known as Mandatory) has outlined additional methods of using XSS flaws on a website to initiate DoS attacks. His research is an extension of data released by Incapsula last week, after they discovered a video website with XSS flaws being used to trigger a DDoS attack.

“Overall these types are attacks are bound to happen again as they are simple and effective when done in a clever way. If chained with a lack of CSRF tokens or Open Redirect vulnerability, things could get much more powerful and complex. They also have a big advantage in that they don’t require any sort of infection on a victim’s computer but rather just some rogue JS on a vulnerable site,” Bryant concluded.

“It really makes you think, should these large sites be help responsible for vulnerabilities that allow attacks like this to happen? A good comparison would be DNS amplification attacks which allow DoS attack to be amplified through the use of vulnerable DNS servers.”

[SOURCE]

Slow persistence with Outlook [enigma0x3]

On Sunday, researcher Matt Nelson posted a blog that caught my attention.

Using a bit of Phishing, in order to get a mark to accept VBS running (you’d be surprised how often Visual Basic is allowed in the workplace), you can use Outlook and PowerShell to maintain slow persistence on the system.

Nelson explains:

“By using [PowerShell and Outlook], we can achieve slow persistence on a machine by monitoring the default inbox and executing a payload when an email comes in with a specified subject. When you want your shell, you send an email and wait for the script on the user’s machine to check in.”

It’s a neat tactic, and depending on the target, could be useful during a pen test where abnormal methods to gain access are needed.

[SOURCE]

Items of note:

The summer conference circuit is in full swing.

Source Boston is this week (April 8-10), and there are several B-Sides events coming as well. B-Sides Chicago is on the 26th, and there’s one in London on the 29th. There are B-Sides events set for Boston, Algeria, San Antonio, Denver, Nashville, New Orleans, and Cincinnati in May.

As usual, Black Hat and DEF CON are coming, both conferences are currently in various phases of prep, but hotel blocks are available.

Speaking of Vegas, B-Sides Las Vegas has started an Indie-Go-Go campaign to raise funds for the summer show, the largest of the B-Sides events. The Las Vegas gathering, now in its fifth year, is the show that started the B-Sides phenomena.

More details are available at the B-Sides and SOURCE Conference websites.

In related news, Indianapolis will be hosting its first major security conference in June, CircleCity Con. If you’re so inclined, come hang out in the Hash’s hometown and talk shop.