This is interesting:

Dear Vonage Member,

Your Vonage Account will expire in: January, 20 2009

This might have happened due to the following reasons:
- You did not accessed your account for more than a month.
- You have dynamic IP address and due to that our system might have interpretated it as a hacking attempt.
- You entered a wrong password 3 times when you tried to connect to your Vonage Account.

To avoid an account suspension, please click link below:

http://www.adsmirchi.com/vonage/login.htm

*We will check your IP address, time zone, and confront it with our database logs.

We are very sorry if this affects you in any way but our client’s security is a top priority for Vonage Inc.

Regards,

Vonage Security Team.

The link points to a phishing site that is stored in India and collects your vonage username and password. Go one directory up to see the complete kit.

This is a cute attack: you may be thinking, what can they possibly gain by logging into a vonage account? Well, Vonage has a useful feature of redirecting your calls to another number. If that other number is a paid service (or an international number, say, in India) you will pay extra and Vonage will pay that service provider (or telcom company). At that point, they just need to call your number and hold the line while counting the revenue coming in – very oldschool.

I was about to delete this spam comment when I realized it’s very relevant – it shows how comment spam works and gives some insight on the programming behind comments that try to disguise as legitimate.

Thanks anonymous spammer!

I’d like to welcome the first CVE vulnerability in 2009, which is CVE-2008-2381. The first CVE-2009 to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).

By all indications we have a year with many vulnerabilities ahead of us – it already started with a major twitter account hack followed by a widespread phishing via DM, and we’re not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam’s stats page.

This is a few weeks old, but I think it’s very cool. First, because it implements in real life what an attack that is constantly done on the Internet -  life imitating art, so to speak. Second, because it reminds me of the “Panther Moderns” terrorist attack in Neuromancer and remembering Neuromancer is a great way to start the year.

The only problem, of course, is that it’s easy to catch who did it – for one, there’s a picture of their real car.

Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher – I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.

I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.

But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea, that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.

But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL Certificates are so abused, that users don’t really care about them. I had two different banks show me certificates that generated browsers errors. Some valid google URLs still produce SSL warnings. This is apparantly so common firefox had to put a scary warning message on top of their regular, already scary, warning message.

So broken SSL certificates are ignored, and valid SSL certificate mean very little – until Firefox 3.0, you had to click on the little lock on the lower right corner to know who the company is behind the certificate. Now that you know – does that mean anything? Is the Banc of America  the same as the Bank of America? Pretty much, yes. So what about the band of america? They can apply for a valid SSL certificate and it will match the organiations name nicely.

SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.

I hate how paypal, banks and credit card sites kick you out of the login session after a certain timeout.

I can appreciate the need for security – if I leave my desk and my screensave is off, I don’t want a casual visitor to take over my paypal account. But on the other hand, to have to login again just because I happened to catch up on my rss reading is a bit of a hassle.

Cyberauthorize solved it beautifully – I am still logged in, but I do need my password to do anything. Just like with a desktop machine.

I’m not sure how easy it is to bypass – but it certainly needs more than what a casual visitor passing by my desk can do. For me, it’s the exact right balance between security and convenience and I hope this technique will become the ‘default’ behavior in all other web services.

A woman working in HP Israel sent an email to hundreds of co-workers accusing (falsely) that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, is causing infant death.

This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.

The email wasn’t very sophisticated. It wasn’t even remotely true and the ministry of health immediately issued a statement confirming the rumour is false. Still, Osem – one of the largest companies in Israel – will see its stock down a few percent over this rumor.

Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.

Stocks going up or down because of rumors is old as the invention of the stock market. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.

Imagine if you saw a news item on Apple.com that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspect of poisoning infants. This is not difficult to do – I don’t really need to break in or deface the web sites for this to happen – I just need to find a cross site scripting vulnerability and use it for attack.

In fact, we made a quick proof of concept to the Tel Aviv stock exchange a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who ever reported a XSS vulnerability: “oh, this is not really a problem as it does not permanently changes the page” (for something that is “not a problem” they sure fixed it within the hour, though).

We’ve repeated this exercise almost every time our vulnerability scanning service found a XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section, altered news items and in almost all cases, met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”

Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information on the page to visitors which could be useful in a phishing attack, or like the examples above, a speculative attack.

I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.

Online payment system infected with malware? not good.

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008
AVIRAM JENIK

[address omitted]

Dear AVIRAM JENIK,
We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

• You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
• You were using a computer with the Windows operating system, and
• You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
• After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. [marketing blurb about an AV vendor that was quick enough to cash in]

CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,

Art D’Angelo
Vice President, CheckFree Customer Operations

I guess we’ll call this the CheckFree botnet?

Driving around Sao Paulo you don’t notice it. But when you drive back to the airport it suddenly hits you: billboard advertisements. They suddenly stick out, and you realize through all this time in the city there wasn’t a single billboard advertisement. Unsurprisingly, it’s too easy to get used to the lack of the big-city marketing assault on your senses that you usually see elsewhere. Sao Paulo may be polluted and congested, but when it comes to billboard advertisements there’s just none of it.

Spam is like that. You don’t miss it when it’s gone – you just get more attentive for spam that does get through.

A few months ago, Israel passed a law that might be the first of its kind(*): with very few exceptions, spam is now illegal in Israel. If you receive an email that you didn’t specifically opt-in for, and that email wants to sell you something, and either the entity who sent the email is Israeli or the company that benefits from the email is Israeli, you can sue in court and get the equivalent of $250 for every email you received(!) without any need to prove direct or indirect damages(!!). The law is phrased carefully to close all the obvious loopholes: Israeli companies are liable even if they were using off-shore machines to send the spam, and if you sue them, it’s them that have to prove that the email recepient voluntarily opted to receive those emails. Not only that, but you can’t use an opt-in consent to advertise someone else’s product (hence, list renting won’t work).

For me, seeing this type of law actually working is nothing short of incredible. My inbox was routinely filled with Hebrew emails from some of the largest consumer brands in Israel, who figured it’s cheaper to pay fractions of a cent per email to tell me about attractive deals for mineral water dispensers than take out a TV spot. Having qmail as my mail server allows me to make up emails addresses on-the-fly so I can easily track where a certain advertiser got my email: I signed up for the Jerusalem post alerts and got ads from a bunch of other advertisers. I opened an account in a now-defunct web 1.0 service and my email address for that service was sold on to about a hundred different small-time spammers. I signed up for the Israeli version of ‘classmates’ and in return got bombarded by offers to by TVs at a discount. Oh, and of course the typical spammers who just guessed my email address and are sending me updates about discounted airline tickets to Africa. The typical viagra-style emails arrive in quantities as well, but those are easily filtered out. Hebrew spam is a bit more difficult to filter because some of the legitimate email I get is Hebrew newsletters that I did actually sign up for.

So to think that from December 1, 2008, when the spam law becomes active, I will cut down on my delete-key presses was beyond what I could imagine.

The month of November was as you might expect:unbelievable quantities of emails asking me to opt-in to lists I never heard of. Each trying to convince me of the huge benefits of receiving unsolicited advertisements that might change my life. Some of these emails were angry: spammers don’t like it when their work is interfered, and a group claiming to represent the small businesses who ‘have no other choice than to send spam’ tried to tell me why the law is an immediate threat to small businesses. And when I say ‘tried to tell me’ I mean sent me a few dozen emails a day almost every day that month. Well, I stand unconvinced.

December 1st came, and the flood slowed down. Still the occasional email, usually treading on the border between legal and illegal – like emails that contained a request to opt-into the newsletter (this is allowed by the new law – once only) with a small commercial pitch towards the end. The notorious ‘people and computers’, a hitech magazine and an Israeli representatives of ‘information week’ sent me daily reminders that I have not yet opted in and ‘soon’ will stop receiving their daily newsletter if I don’t fix my ways. I would have sued, but the general manager of P&C met Bill Gates once and told him: “can I please have your card?” and when gates gave him his business card he replied with “No, your credit card”. You’ve got to hand it to him: he may be a bit of a jerk, but he is funny.

A couple of newsletters keep coming regularly, beginning the email with a long disclaimer that they are not an advertisement (the content is again borderline, I imagine at some point someone will challenge them in court) and there was the one spam email that arrived last week which I am taking to small claims court to get my $250 charity money.

But other than those – barely a handful, really – a peaceful silence. I can really get used to not getting Hebrew spam. Now if only we can get Russia to follow suit!

By the way: for those wondering where the ‘catch’ is in the spam law – or as the cynics would put it: how is it possible that politicians create an actually useful law – here’s a solution to the paradox. Being the parliamentarian state that Israel is, the law specifically allows political spam to be sent. So not to worry: the politicians excluded themselves nicely. Still, it’s a small price to pay for a relatively clean inbox.

Lets see how long this serenity will last – email is still a very tempting advertising channel. But when the potential cost is $250 per email, suddenly the ROI is not as not as attractive.

(*) I’m not aware of an opt-in spam law that allows anyone to sue the body who benefits from the spam without proof of damage. Please enlighten me if I’m wrong.

I almost never mistype domain names, so I’m glad firefox was able to catch my error when I did:

(click the image for a larger version)
If you haven’t noticed (I didn’t notice myself in the first 3-4 times; I kept clicking ok and reloading, I thought firefox was acting up) the url is adwords.gogole.com. The good news is that the site is owned by google, so I wouldn’t have been phished in any case. The bad news is that google should have either redirected me to the right site or give me an error message instead of showing me the site with the wrong certificate. I know why they are doing it – it’s easier to do a domain catch-all then a redirect, but it’s not good in terms of user experience.

Firefox’s behavior is interesting too. Note that the warning I got was accompanied with a popup dialog that forced me to press ‘ok’ to get to to a second warning on the page itself.

If you don’t remember the typical error message, here is what anybody surfing more than a day with firefox has seen:

(click the image for a larger version)

This typical firefox warning tries to let me know something is wrong. The problem is, I’m seeing it so much that I’m adding exceptions left-and-right. In this case of the ‘gogole’ typo, the problem is more sever (gogole.com is claiming to be google.com) so I guess firefox decided to add a dialog box to the error. I’m not sure what triggers it and how often it’s displayed, but for me this is the first time seeing it, so my guess is that firefox is trying to keep it for the rare occasion when you need the user to understand the warning has escalated.
I wonder if the next escalation will be a warning siren through the speakers with a small electric shock through the keyboard.

I guess one of the signs that your web service is taking off is that spammers are targeting you. In the last few days more and more fictitious followers have surfaced, obviously for the purpose of sending twitter spam once you follow the person who is following you (as most people do almost without thinking).

The twitter team seem to be doing a good job on suspending those accounts immediately (perhaps automatically?) now they just need to figure out how to prevent them from signing up in the first place.

Update: Definitely not automatically. The last batch of spam followers are still active accounts. Or maybe they figured twitter’s threshold and they are avoiding the automatic suspension.

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90′s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwods: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing a 8 character password and a 10 character password is just a few hours.

I wonder why it took so long.

He even has 2 nice recommendations. Quite an effort was put on his profile:

And it’s only the contact information that tells the sad story. Note how many variations of ‘bill gates’ were taken in gmail that the pranksters had to use this one:

Xyberpix posted his challenge without giving us any advance notice, but being the ego-driven macho man that I am, even with mediocre writing skills, I can’t not accept it.

So here’s a random thought for the day. AppleTV is a useless brick unless hacked to run something like boxee or another front-end player for custom movie files. It’s safe to say most AppleTV users use it to play content outside iTunes.

The latest AppleTV update (version 2.3) has two interesting qualities.

One, it fixes several vulnerabilities involving playing malformed movie files (kuddos for ZDI for the finds). It shouldn’t be difficult to compare 2.3 to 2.2 and find where the problems are exactly. Some reverse-assembly requires, but definitely doable.

Two, it breaks many of the hacks like mounting external USB drives, and creates problems for applications like boxee.

From problem #2, I’m willing to guess many (most?) of the ATV users that hacked the machine haven’t upgraded. From problem #1 I know that those who haven’t upgraded are vulnerable. They will remain vulnerable for some time, until the hacks improve and find a way around this infamous update.

So will we see an attack targeting AppleTV any time soon? It’s a cute little linux-based device that sits in the network with a connection to the local home LAN. All it takes is the right AVI on the piratebay (or youtube?) to create a little AppleTV zombie net.

In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.

Return-Path: aviram@hsia.com.cn
[...]
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (61.152.154.60)
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([123.124.225.63])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)

Clearly I’m sending through another SMTP server, who goes as far as mangling my ‘Return-Path’ address header.

Only I’m not. My SMTP server is set (as always) to the corporate SMTP who is accessible through the VPN, in an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: The hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname). This is resolved to a catch-all server that proxies everything. Transparently. (well, almost)

Lesson learned. Changed the hostname to the IP, and will soon switch to SSL based SMTP who will authenticate the server. In the meanwhile – be careful from helpful Beijing wifi providers who are only too happy to forward your mail on! (with some changes, of course).

Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.

According to the article, google sent a follow up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while in the google conference.

The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.