Archive for the 'Hacking' Category

May 10 2008

Gmail as a spam engine

Published by Martin under Hacking, Malware

This is not good. Researchers from INSERT found a vulnerability in the Gmail engine that could allow spammers to forward mail through Google, thereby bypassing blacklists and being accepted by whitelists. It works by using the same forwarding features that allow users, myself included, to forward their email through Gmail. The worst part of this is that it also bypasses Gmail's 500-recipient limit for any email, though that part should be easy to fix. I hope.

INSERT has been courteous enough to omit a fair amount of the details of the vulnerability, but I think there’s enough general information in the notification that spammers will be able to figure it out soon if Google doesn’t act even faster than the bad guys. Given Google’s track record and the sneaking suspicion that Google was given advance warning of the vulnerability, I’m hoping Gmail can be made secure fairly quickly.

I’ll be interested to see what we hear on this over the next couple of weeks on the Full Disclosure/No Disclosure argument. Did INSERT give Google some warning or did they post this as soon as it was written up? How did Google react? Did Google take the Microsoft stance of quietly taking the research and fixing the hole before anyone notices? Or did they take the Apple/Cisco approach and threaten to sue INSERT into non-existence? I’m hoping for the former.

Just goes to show you, even the best built, least offensive features in software can be subverted if you put enough brain power into solving the problem.


One response so far

Apr 28 2008

0day gets hundreds of thousands of web servers

Published by Martin under Hacking

If you’ve got an IIS server, you’ll want to take a long look at your traffic and make sure you’re not one of the ‘hundreds of thousands’ of Microsoft web servers that’ve been compromised. Microsoft is staying quiet on this one; it’s F-Secure and Panda Security who are reporting the problem. And it appears to be quite a problem, since the script injected into the sites is redirecting web surfers to sites that aren’t nearly as wholesome as the original target site. There is a Microsoft advisory with a workaround to block this vulnerability, and Dancho Danchev has a write-up that includes information about the malware that’s being served up with this attack.

A 0day with an automatic discovery and dissemination tool shouldn’t be a surprise to anyone. The fact that it’s hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis? This is another SQL injection attack against the servers, so I wonder if a web app firewall would have protected against this or if tuning would have just opened a hole for the attack vector.
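If you do go looking at your traffic, the place to start is the IIS W3C log, because the injected SQL arrives in the query string and IIS writes that string, percent-encoded, into the cs-uri-query field. Below is an added example of what that triage looks like; it is not code from the original post, from Microsoft or from any of the vendors mentioned. The log lines are constructed to look like IIS 6 logging (the hex literal in one of them is a made-up fragment, not a real payload), and the indicators are my own general picks for T-SQL injection (T-SQL keywords, UNION SELECT, long hex literals, quote-then-comment, and statement chaining), not something taken from an advisory.

```python
"""Scan IIS W3C extended log lines for SQL injection in the query string.

Added example, not code from the original post. SAMPLE_LOG is constructed;
INDICATORS are a general choice for T-SQL injection, not an advisory's list.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log in IIS 6 W3C format. The 0x... literal is a made-up
# fragment used only to exercise the hex-literal indicator.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2008-04-25 03:12:07 10.0.0.5 GET /products.asp id=12 80 192.0.2.10 Mozilla/4.0 200
2008-04-25 03:12:09 10.0.0.5 GET /products.asp id=12;DECLARE+@S+VARCHAR(4000);SET+@S=CAST(0x4445434C4152452040542056415243484152283235352920+AS+VARCHAR(4000));EXEC(@S);-- 80 198.51.100.7 Mozilla/4.0 200
2008-04-25 03:12:11 10.0.0.5 GET /news.asp id=7%27+UNION+SELECT+name%2Cpassword+FROM+users-- 80 198.51.100.7 Mozilla/4.0 500
2008-04-25 03:12:15 10.0.0.5 GET /about.asp - 80 192.0.2.11 Mozilla/4.0 200
"""

# Each indicator is evaluated against the URL-decoded query string.
INDICATORS = [
    ("tsql-keyword", re.compile(r"\b(declare|exec(?:ute)?|cast|xp_cmdshell|sp_executesql)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("hex-literal", re.compile(r"0x[0-9a-f]{16,}", re.I)),
    ("quote-comment", re.compile(r"'.*(--|/\*)", re.S)),
    ("statement-chaining", re.compile(r";\s*(declare|set|exec|update|insert|drop)\b", re.I)),
]


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # unknown layout or a line that does not fit it; skip rather than guess
        yield dict(zip(fields, values))


def scan_query(query):
    """Return the names of the indicators that fire on one raw cs-uri-query value."""
    if query == "-":  # IIS writes '-' for an empty field
        return []
    decoded = unquote_plus(query)
    # Decode a second time: double-encoded payloads are a common filter bypass.
    decoded = unquote_plus(decoded)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def find_sqli(text, min_hits=1):
    """Records whose query string trips at least min_hits indicators."""
    findings = []
    for rec in parse_iis_log(text):
        hits = scan_query(rec["cs-uri-query"])
        if len(hits) >= min_hits:
            findings.append({
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "indicators": hits,
            })
    return findings


def top_sources(findings):
    """Count findings per client address; mass-injection tools hit many pages from one host."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = find_sqli(SAMPLE_LOG)
    for f in hits:
        print(f"{f['client']} {f['uri']} status={f['status']} indicators={','.join(f['indicators'])}")
    print("by source:", dict(top_sources(hits)))
```

Two things to note when running this against a real log: a 200 response is not reassuring, since the injected statement succeeds inside the page's own query and the page renders normally, so you need to look at the request, not the status; and raising `min_hits` to 2 is a quick way to cut the false positives from legitimate parameters that happen to contain a keyword.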

Edit: Microsoft does have something to say after all. Thanks, Ben.


3 responses so far

Apr 21 2008

I might have fallen for this

Published by Martin under Hacking

If your CEO received an email stating that your company was being sued in Federal court and that he had to install software to view the court documents properly, what are the chances that he’d do it without thinking? They’re probably pretty good, since the fear of a lawsuit would outweigh any concern over malware, if yours is a CEO who’s prone to even think about security when it comes to their computer. Network World is stating that this may be one of the biggest examples of spear phishing so far. And the reason it works is because it does such a good job of playing on one of the biggest fears many CEOs have, getting sued.

I’ll be honest, even as a security professional, I might have fallen for this one. It’s scary the amount of detail that went into crafting these emails. The name, address, phone number and other corporate information are correct, eliminating one of the easiest ways to determine if an email is spam or a phishing attack. The same group is suspected of being responsible for a similar attack last month. Given that Verisign says that over 1800 CEOs have been compromised, that’s a lot of corporate information that’s now in the hands of criminals, even if only a small fraction of those result in data leakage. To make matters even better, the major AV vendors can’t even catch the malware used on this one; this backs up a comment I heard on PauldotCom recently stating that even the best AV vendors are missing 20-30% of all viruses out there today.

This is a really good argument for egress filtering on the firewalls. That’s not enough by a long shot, but it’s a start. We can’t prevent our CEOs from installing software and we can’t blame them if our anti-virus/anti-malware manufacturers can’t catch this stuff. The best we can hope to do is limit the impact of a compromise such as this. Next time your CEO wants access to the company databases, point him to this article as a valid reason to just say no.


6 responses so far

Mar 22 2008

Someone call MCWResearch, their site’s been compromised

Published by Martin under Blogging, Hacking

Update: The issue’s been fixed over at MCWResearch. Someone got in touch with the author and he fixed the problem before going to get belay certified. That’s rock climbing terminology if you don’t know, and I’m jealous. I haven’t been in any shape to go climbing in a few years. And I’ve been told I need to update some of my own code too, which may be what I spend this afternoon doing.

Update 2: Why didn’t I update sooner? It took me all of 30 seconds after I logged in to find the link for an update, click on it and be done. Thanks BlueHost!

Update 3: Thanks to Garrett Gee for walking me through some minor code changes to fix the search.php function in the blog’s template. [end updates, no, really this time]

I like MCWResearch; I’ve been following the site for quite a while. But the truth is, I really don’t know for certain who’s behind the curtain, and the site’s pretty obviously been compromised. I’m barely willing to open the page, let alone use the contact page that requires me to trust a script, so I don’t know how to get in contact with them. If anyone knows the guys behind the site, give them a call and let them know someone’s taken over their site and is using it for spam postings. And don’t click on any of their links in the meantime.


4 responses so far

Mar 18 2008

Hannaford Brothers hacked, but there’s a silver lining

Published by Martin under Hacking, PCI

A grocery store chain of about 1500 stores, Hannaford Brothers and Sweetbay, reported on February 27th that they’d been compromised and 4.2 million credit card and debit card numbers had been stolen. While the details in the InfoWorld article are scarce, one interesting factor of this compromise is that the card data was stolen in the authorization phase of the process. This means the attackers either compromised a border system responsible for the authorization or they compromised the network itself and were able to capture authorization traffic directly. These are the only two places credit card data should be appearing unencrypted.

There has been some identity theft associated with this compromise, but here’s the silver lining: Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses. This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made. The downside to this lack of association between card numbers and cardholder names is that they have no way of knowing who should be contacted in the breach. I’m not sure if that will absolve them of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either.

I’m glad to hear that at least one company has disassociated the data in this way, making it harder on the attackers. I can only assume that this is because the chain is owned by a Belgian company; the European laws concerning privacy and the data collected on customers are much stricter than anything we have in the US. What I’ve chosen to view as a bit of forward thinking by an American grocery chain may be nothing more than an attempt to meet European Union laws. In either case, it’s to the benefit of Hannaford Brothers’ and Sweetbay’s customers.


6 responses so far

Feb 21 2008

It’s just coincidence, honest

Published by Martin under Hacking

So the week I’m in Montreal there’s a total lunar eclipse and the Montreal police bust a ring of hackers ranging in age from 17 to 26.  I want to state for the record that I had absolutely nothing to do with either event, though I got some really nice pictures of the eclipse.  All I had to do was drive 15 miles north to get out of the light pollution and sit in -15C for a couple of hours.  I think busting the hackers took a little longer and that the police had nice warm offices to sit in.


One response so far

Feb 01 2008

Using SSL isn’t enough to keep Gmail safe

Published by Martin under Hacking

After I caught up with Robert Graham at Defcon and interviewed him for Podtech this summer, I installed CustomizeGoogle to force my browser to always use HTTPS when connecting to Gmail. I thought that would be enough, but now Robert has figured out that even switching to HTTPS isn’t enough to protect you on Gmail or many of the other common email sites. Not that I’d ever check my email or do my banking using public wifi even before this, but it’s one more reason to avoid the wireless at Starbucks in the future. It’s also a good reason to turn off your wifi card if you ever see Robert face to face.
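The general reason forcing HTTPS in the browser is not enough on its own is worth spelling out, because it is the check you can make yourself on any webmail site: an HTTPS session is only as private as its cookies, and a cookie set without the Secure attribute will be attached by the browser to any plain HTTP request to the same host and path, where anyone sniffing the Starbucks wireless can read it and replay it. The example below is added here and is not code from the post, from Robert Graham or from Google; the Set-Cookie headers are constructed stand-ins for a webmail login response, and the cookie names and the mail.example.com domain are made up, not those of Gmail or any other service.

```python
"""Which cookies of an HTTPS session would a browser also send in the clear?

Added example, not code from the original post. CONSTRUCTED_HEADERS are
invented stand-ins for a webmail login response; the names and the domain
are not those of any real service.
"""
from urllib.parse import urlsplit

# Constructed login response headers (not captured from a real site).
CONSTRUCTED_HEADERS = [
    "Set-Cookie: SID=a1b2c3; Path=/; Domain=.mail.example.com; Secure; HttpOnly",
    "Set-Cookie: AUTH=d4e5f6; Path=/mail; Domain=.mail.example.com; HttpOnly",
    "Set-Cookie: PREF=lang=en; Path=/; Domain=.mail.example.com",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and the attributes we care about."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' only; values may contain '='
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "path": "/", "domain": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path" and val:
            cookie["path"] = val.strip()
        elif key == "domain" and val:
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def cookies_sent(cookies, url):
    """Names of the cookies a browser would attach to a request for url.

    Models the three RFC 6265 rules that matter here: Secure cookies go only
    over https, the host must match the cookie's domain or be a subdomain of
    it, and the request path must be at or below the cookie's path.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in cookies:
        if c["secure"] and parts.scheme != "https":
            continue
        if c["domain"] and host != c["domain"] and not host.endswith("." + c["domain"]):
            continue
        if not (path == c["path"] or path.startswith(c["path"].rstrip("/") + "/")):
            continue
        sent.append(c["name"])
    return sent


def missing_secure(headers):
    """Cookies from a login response that were set without the Secure attribute."""
    return [c["name"] for c in (parse_set_cookie(h) for h in headers) if not c["secure"]]


def plaintext_exposure(headers, http_url):
    """Cookies the browser would send in the clear if it ever fetched http_url."""
    return cookies_sent([parse_set_cookie(h) for h in headers], http_url)


if __name__ == "__main__":
    print("set without Secure:", missing_secure(CONSTRUCTED_HEADERS))
    print("sent over https:", plaintext_exposure(CONSTRUCTED_HEADERS, "https://mail.example.com/mail/inbox"))
    print("leaked over http:", plaintext_exposure(CONSTRUCTED_HEADERS, "http://mail.example.com/mail/inbox"))
```

The point the constructed example makes is that the SID cookie is safe no matter what the browser does, but AUTH and PREF go out in the clear the moment anything triggers a plain http:// request to the same host, whether that is a bookmark, a typed URL, or an image link in a page. Forcing HTTPS for the pages you deliberately visit does nothing about that; only the Secure attribute on the server side does. You can run the same check on a real site by feeding the Set-Cookie lines from the login response into `missing_secure`.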

And just in case you missed the video the first time, here you go again. Note to self: recording an interview in an echoing stairwell isn’t much better than getting the same interview on a noisy convention floor.


No responses yet

Jan 24 2008

“It’s ridiculous to think there is privacy on a public website”

Published by Martin under Hacking, Privacy

One of the basic tenets I’ve been living with for a while is: if it’s online, it’s public. I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site. Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times. Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 GB file.

One of the things I find mildly surprising is that the creator of the file, DMaul, says he hasn’t found any photos that were “obviously illegal”. I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site. The good news is even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it. Someone might index the files and place them in an online database though, which would make things interesting again.

The average end user thinks their information is safe with their social media company, if they think about it at all.  But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon.   This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.


One response so far

Jan 18 2008

Dude, I’m telling your mom!

Published by Martin under Hacking, Humor

I don’t know if this is fact or fiction, but haven’t we all wanted to sic some hacker’s mother on him? “Wait until your father gets home!”


One response so far

Jan 18 2008

The New Face of CyberCrime wasn’t what I was hoping for

Published by Martin under Hacking

It’s a legitimate question to ask if “The New Face of CyberCrime” is a documentary on the state of security or just a marketing piece for Fortify. They could have easily made a 20-minute movie that was all about Fortify, but they didn’t. The movie was a short, straightforward look at some of the issues facing internet users today regarding the security of the Internet. There are bad people out there and they’re becoming more organized in their efforts to get your data. It was meant to mildly shock the members of your board room or a class you might be teaching, without sending too strident of a message. Fortify hit their goal of making a movie that could be used to educate end users who aren’t that familiar with the Internet.

There were two things that disappointed me about the film though. The first was that there was nothing in the film that the audience hadn’t seen or read before. Much of the film was like reading an article from any one of the half dozen glossy security magazines that come out on a monthly basis. They rehashed many of the same subjects we’ve seen before, with many of the people we’ve all read before. There were a lot of people in the audience who would have liked to see something that added to the body of knowledge, not just rehash what we know. In the director’s defense, we weren’t his target audience. He was aiming for people who were like himself and barely understood computers.

The second thing I thought the film was lacking was a call to action. There was enough information in the movie to scare some people, but there was no “now go do this…” in the movie. There was a slight bias towards securing the applications, but nothing you’d notice if you weren’t in a theater surrounded by Fortify staff. There was no suggestion of something to do about it, no suggestion of where to look for further information. If the film works and there’s an emotional charge worked up by viewing the film, you want to give people something to do with that energy. But I guess that’s for the person presenting after the film to take control of. The director says they thought of that, but that any call to action would have made The New Face of CyberCrime into a marketing piece, and he may be right.

I went into The New Face of CyberCrime expecting to see something new and interesting; instead I saw RSnake pointing to a screen while saying “Cross site scripting” a number of times and a good view of Marcus Ranum’s backyard. It wasn’t what I was hoping for; I would have liked to have heard some of the deeper conversations that went around the sound bites. But I think the movie was what Fortify and the director were hoping for. The New Face of Cybercrime would make a good brown bag lunch movie, something where you lead a conversation afterwards and educate your users. As far as using it in the board room though, I’m not too sure I’ve ever worked in a company where I could get the board to listen to me for 20 minutes, let alone watch a movie that long.


3 responses so far
