Archive for the 'Malware' Category

May 10 2008

Gmail as a spam engine

Published by Martin under Hacking, Malware

This is not good. Researchers from INSERT found a vulnerability in the Gmail engine that could allow spammers to forward mail through Google, thereby bypassing blacklists and being accepted by whitelists. It works by using the same forwarding features that allow users, myself included, to forward their email through Gmail. The worst part of this is that it also bypasses Gmail’s 500-recipient limit for any email, though that part should be easy to fix. I hope.

INSERT has been courteous enough to omit a fair amount of the details of the vulnerability, but I think there’s enough general information in the notification that spammers will be able to figure it out soon if Google doesn’t act even faster than the bad guys. Given Google’s track record and the sneaking suspicion that Google was given advance warning of the vulnerability, I’m hoping Gmail can be made secure fairly quickly.

I’ll be interested to see what we hear on this over the next couple of weeks on the Full Disclosure/No Disclosure argument. Did INSERT give Google some warning or did they post this as soon as it was written up? How did Google react? Did Google take the Microsoft stance of quietly taking the research and fixing the hole before anyone notices? Or did they take the Apple/Cisco approach and threaten to sue INSERT into non-existence? I’m hoping for the former.

Just goes to show you, even the best-built, least offensive features in software can be subverted if you put enough brain power into solving the problem.


May 09 2008

Norton on my Tivo

Published by Martin under Malware, Security Advisories

I love my DirecTivo, my DirecTV receiver with the Tivo built in. Without it I couldn’t find the time to watch half the television shows I do, and I’d have to actually, you know, *watch* the commercials. The DirecTivo is about four years old and I’m dreading the day something in the box dies, which I know can’t be too far off.

One of the features of the DirecTivo is a little advertisement that’s part of the main screen, usually a 3-5 minute infomercial. I often ignore it, but last night something caught my eye; the headline for the advertisement read “Crucial Wifi Security tips”. This was definitely something I had to take a few moments to check out, otherwise what kind of security professional would I be?

It turns out that it’s an advertisement for Symantec Norton 2008, but I have to give the guys at Symantec some credit: it’s also a pretty good primer on the dangers of using wireless hotspots. The video quality isn’t the highest, but that may be intentional (or it may be a factor of budget). It starts off by giving some general advice about security, or the lack thereof, at hotspots and explains in simple terms that the average user might not want to do any sensitive activities while using these hotspots.

I was impressed that Symantec decided to only explain two terms in the video and explained them in simple yet accurate language. The first term was ‘packet sniffing’ and the video explained in a few seconds how another curious patron or maybe a hacker could be sitting in the booth next to you capturing your passwords as they fly through the air. I immediately thought of Robert Graham and the grief he sometimes gives David Maynor concerning wireless.

The second term was ‘wi-phishing’. I’d never heard the term before, but I guess it’s easier to remember than man-in-the-middle or evil twin hotspot. The video explained that malicious attackers could set up hotspots that looked just like real hotspots but were just created to capture passwords and other account information or infect systems with malware. From that point on the video was an explanation of how Symantec Norton could protect users from these dangers as well as a host of others, but I’d heard most of this marketing before at RSA.

The video was only three minutes long and did a good job of explaining a few of the dangers of public wifi in the first two minutes. I’m actually pretty impressed with the content of the video and if I could get just the first part to use for educational purposes, I’d take it. This video would make a good starting point for a brown bag lunch or other short format awareness campaign at work. There are a couple more videos from Symantec waiting to be watched on the DirecTivo, which I might get to this weekend to see what they offer. Or maybe not; my tolerance for commercials has been greatly reduced over the last four years.


Apr 23 2008

Fighting Botnets with botnets

Published by Martin under Malware

Researchers at the University of Washington want to use their own botnet to fight malicious botnets on the Internet. Basically, the paper suggests using a swarm of computers (Phalanx is the name of their system) as proxies, with a small crypto-puzzle required of the connecting computer at the start of the conversation. It would hopefully slow down or eliminate DDoS attacks by making the attacking botnet perform a massive amount of aggregate computation, thus limiting its effectiveness.
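To make the crypto-puzzle idea concrete, here is a hashcash-style client puzzle of the kind such a proxy could demand before it relays a connection. This is an added example, not code from the original post or from the Phalanx paper, and the difficulty, challenge lifetime, key and client-address names are assumptions for illustration. The two properties that matter are that the proxy spends one HMAC and one hash to check a solution no matter how hard the puzzle is, and that it keeps no per-client state while a challenge is outstanding, so the puzzle itself cannot be turned into a memory-exhaustion attack on the proxy.

```python
"""Hashcash-style client puzzle: cheap for the proxy to check, expensive for
each connecting client to solve. Added illustration, not the Phalanx code."""
import hashlib
import hmac
import os
import time

DIFFICULTY_BITS = 16         # assumption: leading zero bits a client must find
CHALLENGE_TTL = 60           # assumption: seconds a challenge stays valid
SERVER_KEY = os.urandom(32)  # assumption: per-proxy secret, never sent to clients


def issue_challenge(client_id: str, now: int) -> bytes:
    """Proxy side. Stateless: timestamp || HMAC(key, client_id || timestamp)[:16].
    The proxy stores nothing per client, so a flood of challenge requests costs
    it one HMAC each and no memory."""
    ts = now.to_bytes(4, "big")
    mac = hmac.new(SERVER_KEY, client_id.encode() + ts, hashlib.sha256).digest()
    return ts + mac[:16]


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a nonce; about 2**bits SHA-256 calls on average.
    A bot pays this for every connection it opens through the proxy."""
    nonce = 0
    while True:
        d = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if _leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1


def verify(challenge: bytes, nonce: int, client_id: str, now: int,
           bits: int = DIFFICULTY_BITS, ttl: int = CHALLENGE_TTL) -> bool:
    """Proxy side: one HMAC plus one SHA-256, whatever the difficulty."""
    if len(challenge) != 20 or not 0 <= nonce < 2 ** 64:
        return False
    ts_bytes, mac = challenge[:4], challenge[4:]
    expected = hmac.new(SERVER_KEY, client_id.encode() + ts_bytes,
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False                  # forged, or issued to a different client
    issued = int.from_bytes(ts_bytes, "big")
    if not 0 <= now - issued <= ttl:
        return False                  # stale; stops one solution being replayed
    d = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return _leading_zero_bits(d) >= bits


def expected_hashes(bots: int, connections_each: int,
                    bits: int = DIFFICULTY_BITS) -> int:
    """Aggregate work an attacking botnet must burn for one wave of connections."""
    return bots * connections_each * (2 ** bits)


if __name__ == "__main__":
    client = "198.51.100.7"           # constructed sample client address
    now = int(time.time())
    ch = issue_challenge(client, now)
    t0 = time.perf_counter()
    n = solve(ch)
    t1 = time.perf_counter()
    print(f"solved in {t1 - t0:.3f}s, verified: {verify(ch, n, client, now)}")
    print(f"10k bots x 100 conns ~ {expected_hashes(10_000, 100):.3e} hashes")
```

Binding the challenge to the client address and a timestamp is what stops a botnet from solving one puzzle once and replaying it from every node; without that binding the puzzle only costs the attacker a single solve.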

I see a number of problems with this approach, not the least of which is the fact that it would need to have a distributed DNS architecture that trusts the Phalanx system to work. If the Phalanx system itself was compromised, the potential for damage far outweighs any benefit that it might have created. While DDoS is still a problem, it’s not a common problem and it’s one that there are already a number of solutions for. The changes this would require and the potential vulnerabilities far outweigh the potential gain. Additionally, the thought of adding home computers to this proxy botnet adds a whole additional layer of security concerns, primarily more worries about the whole system being compromised and used to promote the exact sort of DDoS it was designed to prevent.

All in all, this is an interesting intellectual exercise, but nothing that’s actually going to see the light of day. At least it’s not a rehash of the ‘let’s infect computers with a friendly virus to combat malicious viruses’ concept.


Apr 21 2008

Profits more important than security

Published by Martin under Malware, Security Advisories

No one should be surprised that profits are more important to an ISP than the security of their customers. They are a business and the same rules apply to them that apply to any business: if they’re not profitable, they don’t stay in business for long. I don’t approve of the practice, but I am not even slightly surprised to hear that Earthlink is redirecting non-existent domain names to their own search pages in the hope of a small profit. And I’m even less surprised to find that it’s Dan Kaminsky who’s reporting the issue; it is a DNS issue after all. (Side note: IOActive’s web site appears to be down while I’m writing this; I wonder if they’re experiencing heavy traffic or if something else is going on)

The problem with Earthlink and their partner, Barefruit, is that they had a weakness in their code that allowed their servers to be used in a JavaScript attack. They’d been doing this redirection since 2006 and no one had commented on it. But Dan, being the King of DNS Misuse, found the vulnerability and reported it. The worst part of this is the fact that Earthlink is just one of many ISPs that are providing their customers with this “service”.
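A quick way to tell whether your own resolver is doing this kind of rewriting is to ask it for a name that cannot exist and see whether you get NXDOMAIN back or an A record pointing at somebody’s search page. The following is an added example, not code from the original post or from Kaminsky’s report; the probe domain, the constructed sample addresses and the function names are assumptions. It builds the query by hand and parses the response’s RCODE and answer section, so nothing is left to the system stub resolver, and it includes a constructed-response builder so the parser and the classification can be exercised offline.

```python
"""Probe a resolver for NXDOMAIN rewriting: query a random name that cannot
exist and check whether NXDOMAIN or an A record comes back. Added example;
probe domain and sample addresses are made up."""
import random
import socket
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A query (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg: bytes):
    """Return (id, rcode, [A record addresses]) from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, rcode, addrs


def classify(rcode: int, addrs: list) -> str:
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "NXDOMAIN"                 # honest resolver
    if rcode == RCODE_NOERROR and addrs:
        return "REWRITTEN"                # an address for a name that cannot exist
    return "INCONCLUSIVE"


def random_probe_name(domain: str) -> str:
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{label}.{domain}"


def make_response(qid: int, rcode: int, name: str, addrs: list) -> bytes:
    """Constructed responses for offline testing (QR, RD, RA set)."""
    flags = 0x8180 | (rcode & 0x0F)
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + socket.inet_aton(a) for a in addrs)
    return hdr + q + rrs


def probe_resolver(resolver_ip: str, domain: str = "example.com",
                   timeout: float = 2.0) -> str:
    """Live check against a real resolver (needs network access)."""
    name = random_probe_name(domain)
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    rid, rcode, addrs = parse_response(data)
    if rid != qid:
        return "INCONCLUSIVE"             # not the answer to our question
    return classify(rcode, addrs)


if __name__ == "__main__":
    import sys
    print(probe_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against the resolver your ISP hands out and again against one you control; a REWRITTEN result from the first and NXDOMAIN from the second is the signature of exactly the practice described above. The reason the Barefruit weakness mattered is that the rewriting server answers for every name that does not exist, so a script bug on that one server is reachable under any hostname a customer mistypes.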

The only reason an ISP is going to stop this practice is because the negative publicity outweighs the potential profit. Even though the profits are minuscule, they can make the difference between staying in business or not. More likely, they make the difference between someone in corporate making their numbers and getting a bonus or not. This isn’t a new practice nor is it without its own controversy, but as long as there’s a profit to be made by it, non-existent domain name redirection will continue.

Update: IOActive’s site appears to be back up, don’t know what the issue was. Maybe my ISP was redirecting me to a 404 error?


Feb 15 2008

Scary concept: Friendly worms

Published by Martin under Malware

This isn’t a new idea: creating worms that patch your computer when you catch them. There is even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since the bad guys will be able to capture the worms and possibly subvert their programs?

The article isn’t clear on how the worms will secure their network, but I don’t believe this is the best way to solve the problem that’s being expressed. The problem being solved here appears to be one of network traffic spikes caused by the download of patches. We already have widely used protocols that solve this problem: BitTorrent and other P2P programs. So why create a potentially hazardous situation using worms when a better solution already exists? Yes, torrents can be subverted too, but these are problems that we’re a lot closer to solving than what’s being suggested.

I don’t want something that’s viral infecting my computer, whether it’s for my benefit or not. The behavior isn’t something to be encouraged. Maybe there’s a whole lot more to the paper, which hasn’t been released yet, but I’m not comfortable with the basic idea being suggested. Worm wars are not the way to secure the network.

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as unusual activity with any accuracy.


Jun 06 2007

Congratulations to Ms. Amero

Published by Martin under Government, Malware, Privacy

Do you remember Julie Amero, the substitute teacher who got convicted of felony charges because she couldn’t stop pornographic pop-ups from malware that infected the school desktop? Today a judge ordered a retrial for her, stating that there was information discovered after the fact that directly impacts her case. I’ll be very surprised if she gets convicted of anything in her new trial. It actually looks to me that the State now has the option to not pursue this any further, which might be in their best interest.

I’m not a forensics investigator, but it sounds like the initial investigators made almost every mistake in the book during the process and that her first lawyer barely knew enough about the technology to use email. Everything I’m reading says this case probably shouldn’t have even gone to court. Little things like anti-virus and patches also help a little in preventing this from ever happening. I’m glad people like Alex Eckelberry are helping to straighten this out.

Added: A good summary and some good links over at Threat Level.


Apr 10 2007

The guy asking this question almost didn’t make it out

Published by Martin under Malware

I’ve only met Raven twice, once at Linux World last year and once at Shmoocon this year. I had lunch with her at Linux World, which means I know her well enough to say hi and that’s about it. But there are a lot of people at Shmoocon who consider her a friend and really got upset when she was asked about having her laptop compromised at last year’s Shmoocon. It was not so much that the person asked the question, it was that he added the question “If you can’t protect your laptop, how can you protect the backbone networks?”

This was a stupid question. Raven’s laptop was compromised by a 0-day vulnerability, something very few people could protect themselves from. You could argue that she shouldn’t have had wireless enabled at a hacker event, but I’m sure she knew the dangers involved. But more importantly, the reality is, protecting the backbone of the network is so completely different from protecting a single laptop that the question was pointless to begin with. After all, how many of us know firewall or router jockeys that could build a company backbone in their sleep but couldn’t figure out how to turn on the XP firewall if their life depended on it?

The folks at Shmoocon took great exception to this question, and I think it was inappropriate too. I wasn’t at Raven’s talk, so I don’t know how the crowd really reacted, but I know everyone who mentioned it later was more than a little hot under the collar. No one really knew who asked the question, which is probably for the best. After all, if you have the balls to ask a question like this in public, you’d better hope your own laptop is in perfect shape or you might be the one having to face this sort of question in the future.


Apr 04 2007

Paper on Botnet trends

Published by Martin under Malware

I got a chance to review this paper on botnet trends before it was presented at Black Hat Europe. If you’re at all interested in what’s going to be happening in the near future in botnets, you’ll like it. I know the botnet trends presentation at SANS San Diego was pretty well attended, and I hope Augusto’s was too.
