News

Phishing Attacks using Office 365 and SharePoint

The bad guys have a new way of stealing your login credentials. They target you by sending you an invite via email to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.
Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

  • You, the friendly Office 365 user, receive the malicious email – It often uses URGENT or ACTION REQUIRED to instill a sense of immediacy. The email contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint – Attackers use true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site.
  • You are then shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
  • You are then presented with an Office 365 login screen – This is where the scam takes place: a very authentic-looking login page where the cybercriminals harvest the user’s credentials.
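Two of the habits recommended above (check the real URL, hover to see where a link actually goes) can be automated for every link in a suspicious message. This is an added example, not part of the original post; the allow-list of trusted hosts is an assumption to adapt to your own tenant, and the email body is constructed. Since the first-stage link in this scam really does land on sharepoint.com, the check matters most for the “Access Document” link and the final login URL.

```python
# Added example (not part of the original post): automate the "check the URL" and
# "hover over the link" advice for every anchor in a suspicious message body.
import re
from urllib.parse import urlparse

# Assumed allow-list of hosts a genuine Office 365 sign-in or SharePoint link lands on.
# Entries starting with "." match any subdomain; adapt to your own tenant.
TRUSTED_HOSTS = ("login.microsoftonline.com", "login.live.com", ".sharepoint.com")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_is_trusted(host):
    """Exact match for bare entries; dot-anchored suffix match for wildcard entries."""
    host = host.lower().rstrip(".")
    for entry in TRUSTED_HOSTS:
        if entry.startswith("."):
            if host.endswith(entry):        # contoso.sharepoint.com yes, evil-sharepoint.com no
                return True
        elif host == entry:                 # login.microsoftonline.com.evil.example does not match
            return True
    return False

def audit_links(html):
    """Return [(href, reasons)] for each anchor that fails the checks."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        parsed = urlparse(href.strip())
        real_host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if not host_is_trusted(real_host):
            reasons.append("untrusted host")
        # The hover check: if the visible text is itself a URL, its host must match the href.
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if shown.lower().startswith(("http://", "https://")):
            if (urlparse(shown).hostname or "").lower() != real_host:
                reasons.append("display/destination mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message mirroring the lure described above.
SAMPLE_EMAIL = """
<p>ACTION REQUIRED: a document has been shared with you.</p>
<a href="https://contoso-my.sharepoint.com/personal/jdoe/Documents/Invoice.docx">Open document</a>
<a href="https://login.microsoftonline.com.account-verify.example/login">Access Document</a>
<a href="http://office365-login.example/signin">https://login.microsoftonline.com</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```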

Here is an example of a phishing email:

Just some advice – Jermal


How to search for Open Amazon S3 Buckets and their contents


GrayHatWarfare created https://buckets.grayhatwarfare.com/, a free tool that lists open S3 buckets and helps you search for interesting files.

For an intro on what Amazon open buckets are, please read the following: https://blog.rapid7.com/2013/03/27/open-s3-buckets/

In essence, many files are publicly accessible, some by design. These files sometimes include very sensitive data. https://github.com/nagwww/s3-leaks has a list of the biggest leaks recorded.

This is another reason why application owners who provide backup solutions and cloud storage should encrypt their data before placing it on S3. Anything less is negligence on their part.
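As a defender-side companion to the point above, here is an offline check of a bucket's own policy and ACL that tells you whether the bucket would show up as listable or readable to anyone, which is what makes it land in a database like this one. This is an added example, not GrayHatWarfare's code; the sample policy and ACL are constructed, and the bucket, account and role names in them are placeholders.

```python
# Added example (not GrayHatWarfare's code): offline audit of a bucket's policy and ACL.
# Inputs are the json-decoded "Policy" document from `aws s3api get-bucket-policy`
# and the document returned by `aws s3api get-bucket-acl`.

# Real S3 group URIs; a grant to either one is effectively public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_policy_grants(policy):
    """(sid, actions, has_condition) for each Allow statement whose principal is everyone."""
    grants = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            grants.append((st.get("Sid", ""), _as_list(st.get("Action", [])), "Condition" in st))
    return grants

def public_acl_grants(acl):
    """(group, permission) for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out

def exposure(policy, acl):
    """Would the bucket be listable (enumerable) or readable by anyone on the internet?
    Only unconditional policy grants count; wildcards other than s3:* are not expanded."""
    actions = {a.lower() for _, acts, cond in public_policy_grants(policy) if not cond for a in acts}
    acl_perms = {perm for _, perm in public_acl_grants(acl)}
    listable = bool(actions & {"s3:listbucket", "s3:*"}) or bool(acl_perms & {"READ", "FULL_CONTROL"})
    readable = bool(actions & {"s3:getobject", "s3:*"})
    return {"listable": listable, "readable": readable}

# Constructed sample: a backup bucket anyone can list and read (the case the leaks above describe).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(exposure(SAMPLE_POLICY, SAMPLE_ACL))  # {'listable': True, 'readable': True}
```

Run it against each of your own buckets after fetching the two documents with the AWS CLI; a policy statement that is scoped by a Condition (for example an `aws:SourceIp` restriction) is reported by `public_policy_grants` but does not count toward `exposure`.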

Since this was exposed, many projects have been created that can enumerate S3 buckets:

All these tools/projects have some common problems:

  • The real problem is finding the list of names to brute-force for buckets, not actually doing the brute-force.
  • All tools/projects only scan the first page of results.
  • thebuckhacker.com includes uninteresting files, so useful results tend to be lost in the noise. Also, showing only the first 1000 results of each bucket is fairly limiting.
  • The process is slow and not productive. It’s not very useful for pen-testers to run a tool for days, save the exports somewhere and then grep them whenever they want to search for something. What is better is a useful tool in front of a large database.

Now there is http://buckets.grayhatwarfare.com/, which took the ideas of the many projects and tools mentioned above.

The project’s features are:

  • It is a searchable database of open buckets.
  • Includes millions of results within buckets (in the future there might be more).
  • Cleaned up and removed uninteresting files like images. Most image names are auto-generated.
  • Currently has ~180,000,000 files. If all images were included, that number would go up to a few billion, which would be a completely different system.
  • As of today, 70,000 buckets are listed, and growing (not all of them have “interesting” files).
  • Full-text search with binary logic (can search for keywords and also stopwords).
  • List of the buckets.
  • The user can browse the contents of a bucket.
  • Excluded a lot of other things that are not interesting, like CloudWatch logs.
  • Found a solution to the problem of how to generate possible names for buckets. The process reveals some hundreds of new buckets per day.
  • Automated the process.

The project is currently free and running on servers paid for by me. There are some limitations in place to protect resources, but otherwise pentesters can use this in their daily tasks.

What’s to come in grayhatwarfare.com

Lots of cool things:

  • Subdomains pointing to expired buckets which can lead to something like this: https://www.reddit.com/r/netsec/comments/8t0pb2/how_i_hacked_applecom/
  • Huge lists of exposed version control (.git) which can expose the website’s repository (Source, password files, log files etc).
  • Exposed cameras/IoT devices.
  • Huge resources like extremely large (actual) cracked password lists.


Ref Source

McGruff the Crime Dog Celebrates His 38th Birthday on July 1, 2018

The symbol of the National Crime Prevention Council celebrates another year delivering crime prevention and safety information nationwide. So remember to take a bite out of crime.


Celebrate McGruff’s and the National Crime Prevention Council’s efforts to “Take A Bite Out Of Crime” by joining us on your favorite social media site.

Back in 1980, a dog in a rumpled trench coat said, “You don’t know me yet. But you will.” Since then, McGruff the Crime Dog has taught millions of people that the police can’t fight crime alone – crime prevention is everybody’s business and everyone can help “Take A Bite Out Of Crime.”

Through television commercials, comic books, live appearances, and more, McGruff has encouraged Americans to take common-sense steps to reduce crime. Some of his favorite messages are:

  • Lock doors, leave the lights on when away from home, and let neighbors know when you go on vacation
  • Do things that build a sense of neighborhood and create communities that don’t produce crime, where people look out for each other and kids feel safe
  • Get involved, join Neighborhood Watch, and clean up streets and parks
  • Help children and teens protect themselves from substance abuse, bullies, and gang violence


In 1978, the Advertising Council, Inc., accepted the mission of helping the nation learn ways to prevent crime. The Ad Council gave the assignment to Dancer Fitzgerald Sample (now Saatchi & Saatchi), which volunteered its creative time and talent. That work was supported and informed by a group of 19 agencies, which formed the nucleus of the Crime Prevention Coalition of America. Today the National Crime Prevention Council manages the National Citizens’ Crime Prevention Campaign, featuring McGruff the Crime Dog and his slogan, “Take A Bite Out Of Crime.”

Over the years, McGruff has made thousands of appearances at community and school events and on radio and television. His messages have changed from urging personal, family, and home security to more broadly based crime prevention concerns. In 1984, the U.S. Postal Service released a first-class postage stamp bearing McGruff’s likeness. By the mid-1980s, McGruff was encouraging people to join Neighborhood Watch and clean up streets and parks so they’d be less inviting for criminals. During the mid-1990s, the Campaign addressed the effects of gun-related violence on children. Current issues include volunteering, bullying, cyberbullying, Internet safety, telemarketing crime against seniors, identity theft, intellectual property theft and safe firearm storage.

Some Facts About McGruff

  • There are 4,000 active McGruffs (number of costumes in use).
  • McGruff has a classy Corvette, a monster truck in Arizona, and a wiener wagon in Florida. But most of all, he likes to ride in patrol cars assisting law enforcement.
  • McGruff’s favorite crime-fighting techniques are to teach children specific tips to be safe at home and school and to help law enforcement officers do their jobs better.
  • McGruff is a “ham,” so he loves doing public service announcements for television and radio or posing for print or billboard advertising.
  • In 2010, McGruff turned 30 years young. He had birthday parties all around the country, making appearances at health and safety fairs and other media events and showing off his 32-foot-tall balloon at county and state fairs. He has blown out birthday candles on countless cakes. He has made the most of these opportunities to spread the word about preventing crime.

Source Info: https://www.ncpc.org/

 

Microsoft Developer Network’s (MSDN) Licensing

The Microsoft Developer Network, better known as MSDN, now called Visual Studio Subscriptions, is one of Microsoft’s most misunderstood products.  The Visual Studio Subscription (formerly MSDN) is one of the largest community platforms for developers working on Microsoft technologies.

What You Get in Your Visual Studio Subscription

With an MSDN subscription, you get all the software and benefits you need to stay up on all things code, including monthly cloud credits, collaboration tools, training perks, support, and more—all the latest and greatest from Microsoft.

This also provides IT departments with a cost-effective way to license Microsoft software for individuals involved in the development and test process, but who do not require the full suite of Visual Studio development tools.

The subscription license gives a single user the ability to access/use any Microsoft Enterprise product for Dev/Test purposes (i.e. WinServer, SQL Server, BizTalk, SharePoint, Dynamics, etc, etc, etc). The list of software titles included depends on the level of your subscription.

Beyond giving a single developer user cool software… providing a Visual Studio Subscription for all of the Developer and QA team provides an efficient, per-user, license model for your entire Dev & Test environments. Adopting this model means you do not have to purchase any stand-alone Microsoft products for pre-production.

The Visual Studio Subscription licenses each user for unlimited installs and instances of the products on their local, shared and virtualized environments.

ref: unlimited dev test environments with msdn subscriptions

How much is a Visual Studio Subscription

A standard Visual Studio Enterprise subscription with MSDN costs $5,999 for the first year and $2,569 annually for renewals. VL customers get a discount, of course. An annual cloud subscription (with non-perpetual license) is a flat $2,999 per year. This is as of 2016 and subject to change.

 

Who can use the Software

Individual developers

Any individual developer can use Visual Studio Community to create their own free or paid apps. In addition, any number of users may use the software to develop and test device drivers for the Windows operating system.

Organizations

  • An unlimited number of users within an organization can use Visual Studio Community for the following scenarios: in a classroom learning environment, for academic research, or for contributing to open source projects.
  • Any number of users may use the software to develop and test device drivers for the Windows operating system.
  • For all other usage scenarios: In non-enterprise organizations, up to 5 users can use Visual Studio Community. In enterprise organizations (meaning those with >250 PCs or > $1M in annual revenue) no use is permitted for employees as well as contractors beyond the open source, academic research, and classroom learning environment scenarios described above.

 

Individual User Licensing

Licenses are for designing, developing, testing, and demonstrating your programs

All Visual Studio subscriptions and Visual Studio Professional are licensed on a per-user basis. Each licensed user may install and use the software on any number of devices to design, develop, test, and demonstrate their programs. Visual Studio subscriptions also allow the licensed user to evaluate the software and to simulate customer environments in order to diagnose issues related to your programs. Each additional person who uses the software in this way must also have a license assigned to them.

ref: Visual Studio 2017 Licensing Whitepaper

 

Can Different Licensed Users Run the Same Software?

Yes. Each member of the development team that will use (install, configure, or access) the software must have his or her own Visual Studio subscription. Two or more individuals may use the same software if each has a Visual Studio subscription.

Examples:

A development team consists of 6 software developers, 1 architect/developer, and 3 testers. The team is building an in-house Web-based accounting system and wants to use the software to set up a test environment running Windows Server 2012 and Microsoft SQL Server 2014. If all 10 team members will be accessing the development or test environment, then each will require a Visual Studio subscription. The minimum subscription levels including both of these products are Visual Studio Professional – annual, Visual Studio Professional with MSDN Subscription and Visual Studio Test Professional Subscription.

An organization has two development teams—one based in Seattle and the other in Singapore. Because of the time difference, the two teams are never working at the same time. However, because Visual Studio subscription licenses cannot be shared, each team member in each location must have his or her own Visual Studio subscription.

A systems engineer from the organization’s IT department is installing the software needed for a development team—each member of which is licensed with a Visual Studio subscription—on centrally-managed hardware. This systems engineer is not doing any software development or testing. Because a license is required for any use of Microsoft software (installing is a use of the software), they must either acquire production licenses for all software being used in this environment or they must acquire a Visual Studio subscription for the systems engineer that includes the software he or she is installing.


Where the Software can be Installed and Run

The licensed user can install and use the software on any number of devices. The software can be installed and used on your devices at work, at home, at school, and even on devices at a customer’s office or on dedicated hardware hosted by a third party. Most subscriber software can also be run in Microsoft Azure VMs. However, the software is otherwise not licensed for use in production environments.

A production environment is defined as an environment that is accessed by end users of an application (such as an Internet Website) and that is used for more than Acceptance Testing of that application or Feedback. Some scenarios that constitute production environments include:

  • Environments that connect to a production database.
  • Environments that support disaster-recovery or backup for a production environment.
  • Environments that are used for production at least some of the time, such as a server that is rotated into production during peak periods of activity.


For more info please review Visual Studio 2017 Licensing Whitepaper

Patch Tuesday, June 2018 | Pushing 11 Critical Security Updates

Are you ready for the latest in security patch updates?  I’m not, but it’s that time again.

Ref: https://www.catalog.update.microsoft.com/Search.aspx?q=windows+security+update+2018

 

Microsoft today released security patch updates for more than 50 vulnerabilities, affecting Windows, Internet Explorer, Edge, MS Office, MS Office Exchange Server, ChakraCore, and Adobe Flash Player—11 of which are rated critical and 39 as important in severity.

Only one of these vulnerabilities, CVE-2018-8267 (Scripting Engine Memory Corruption Vulnerability), a remote code execution flaw in the scripting engine, is listed as being publicly known at the time of release. The flaw exists within the IE rendering engine and triggers when it fails to properly handle error objects, allowing an attacker to execute arbitrary code in the context of the currently logged-in user.

A few of the others included are:

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

The most critical bug Microsoft patched this month is a remote code execution vulnerability (CVE-2018-8225) that exists in the Windows Domain Name System (DNS) DNSAPI.dll, affecting all versions of Windows from 7 to 10, as well as Windows Server editions.

The vulnerability resides in the way Windows parses DNS responses, which could be exploited by sending corrupted DNS responses to a targeted system from an attacker-controlled malicious DNS server.

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability

Another critical bug is a remote code execution flaw (CVE-2018-8231) in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016, which could allow remote attackers to execute arbitrary code and take control of the affected systems.

CVE-2018-8213 | Windows Remote Code Execution Vulnerability

A critical remote code execution vulnerability (CVE-2018-8213) affecting Windows 10 and Windows Server exists in the way the operating system handles objects in memory. Successful exploitation could allow an attacker to take control of an affected Windows PC.