It’s fun being other people

As I wrote before, I have a very nice gmail address that doubles as an email honeypot.

This is a fun way to pass the time. First, I have a unique peak into other people’s lives. Second, I can see how people treat the possible situation of sending email to the wrong address.

One “Aviram” was on some kind of PTA mailing list. At some point they figured out they are CCing the wrong address and I no longer know what each person brings to those meetings, which is a shame.

Another “Aviram” is co-producing a TV show – seems like some kind of a reality show. If I ever need to know how to convince a “rich bitch” celebrity into joining a reality show that could be useful information. If it ever materializes into an actual show I promise to leak the identity of the winner in this blog.

A more interesting recent addition is the “Aviram” that signed up to a religious dating site. What is so interesting about a bunch of 21 yo girls who are looking to marry? Well, the dating site sent me a registration confirmation to my email, without actually checking if the email is correct. Now all I need to do is login (by selecting “forgot my password”) and change his password, and he is forever locked out.

But to top it off, the site started sending me alerts (it seems there is no shortage of young females looking to marry at this age) and every alert includes: you guess it, the username and password inside the email. And some place on the Internet a lonely guy is waiting for his solemate not knowing the mailbox is overflowing with candiates.

Probably my favorite email received was a confirmation that the transfer for 900,000 NIS (about $215,000) is about to go through as planned. I had to resist the temptation to send an email back with the ‘updated’ account details.

All this got me thinking: What are the legal consequences of receiving those mistaken-identity emails? Lets put aside the discussion of the silly mile-long footers (“if you are not the intended recipient please commit suicide after formatting your hard drive”). What if I receive a standard email, without any disclaimers, and choose to use it: leak the identity of the reality show participant, dating the girls that wanted to meet an “Aviram” or tell the PTA women to bring lasagna to the next meeting?

What about a responsibility to forward these emails to their correct recipient (or letting the sender know he has the wrong address) – am I required to? Would it be “the right thing” to do?


Your local security group meeting

If you ever went to a blackhat you probably think that the security crowd is a bunch of stuck up, unfriendly, egomaniacs.

That’s why I like the local meetups – the gatherings that bring together people who live in the area and like security as much as you do. Suddenly those same egomaniacs become fun drinking buddies who like to have interesting discussion and share interests.

I just saw an announcement about ARBSEC – “an informal CitySec meetup of local security professionals” in Ann Arbor, Michigan. I spoke at a “rubi-con” conference in Michigan once (is rubi-con still around?) and really liked the local guys. I recommend anybody who likes security and is in the MI area to check it out. If I get to the midwest area on that date I’ll be sure to attend.

The problem with these local meetups is that everybody knows where blackhat is held, but not too many people know where their local security ‘meetup’ is, or if one even exists. I know that there used to be a group meeting in the DC/VA area, and a “Security n’ Suds” monthly gathering in Northern California – both were almost secret and if you didn’t know who to ask, you had no chance of knowing they exist. Other groups like Austin Hackers seem to be defunct or at least stopped updating their web site a few years ago.

So what meetups are currently active? Please share if you know of a local security meeting club. If you want to start a local meetup in your area, try your luck here in the comments section and maybe you’ll find others who would like to join…


Not all tweeter clients are nice

Richard Stiennon has a nice writeup on TweetTornado. It started with a previous post where Stiennon detailed how TweetTornado may be damaging for tweeter. Judging by this last post it seems the TweetTornado guy is quite the asshole which may indicate that those features in TweetTornado were not really accidental.

I think one of the largest weaknesses of Twitter is the fact that the open API and easy interconnectivity between all users makes it easier for spammers to write clients that ‘cheat’ the system, while its reliance on a single infrastructure will make it easy for someone to take it down or make it practically unusuable for everyone. Look at Orkut, for example.


Vonage phish

This is interesting:

Dear Vonage Member,

Your Vonage Account will expire in: January, 20 2009

This might have happened due to the following reasons:
- You did not accessed your account for more than a month.
- You have dynamic IP address and due to that our system might have interpretated it as a hacking attempt.
- You entered a wrong password 3 times when you tried to connect to your Vonage Account.

To avoid an account suspension, please click link below:

*We will check your IP address, time zone, and confront it with our database logs.

We are very sorry if this affects you in any way but our client’s security is a top priority for Vonage Inc.


Vonage Security Team.

The link points to a phishing site that is stored in India and collects your vonage username and password. Go one directory up to see the complete kit.

This is a cute attack: you may be thinking, what can they possibly gain by logging into a vonage account? Well, Vonage has a useful feature of redirecting your calls to another number. If that other number is a paid service (or an international number, say, in India) you will pay extra and Vonage will pay that service provider (or telcom company). At that point, they just need to call your number and hold the line while counting the revenue coming in – very oldschool.


spam comment template

I was about to delete this spam comment when I realized it’s very relevant – it shows how comment spam works and gives some insight on the programming behind comments that try to disguise as legitimate.

Thanks anonymous spammer!


First CVE of 2009

I’d like to welcome the first CVE vulnerability in 2009, which is CVE-2008-2381. The first CVE-2009 to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).

By all indications we have a year with many vulnerabilities ahead of us – it already started with a major twitter account hack followed by a widespread phishing via DM, and we’re not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam’s stats page.


Joe-jobing in the real world

This is a few weeks old, but I think it’s very cool. First, because it implements in real life what an attack that is constantly done on the Internet -  life imitating art, so to speak. Second, because it reminds me of the “Panther Moderns” terrorist attack in Neuromancer and remembering Neuromancer is a great way to start the year.

The only problem, of course, is that it’s easy to catch who did it – for one, there’s a picture of their real car.


So you can fake your SSL Certificate. That don’t impress me much

Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher – I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.

I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.

But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea, that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.

But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL Certificates are so abused, that users don’t really care about them. I had two different banks show me certificates that generated browsers errors. Some valid google URLs still produce SSL warnings. This is apparantly so common firefox had to put a scary warning message on top of their regular, already scary, warning message.

So broken SSL certificates are ignored, and valid SSL certificate mean very little – until Firefox 3.0, you had to click on the little lock on the lower right corner to know who the company is behind the certificate. Now that you know – does that mean anything? Is the Banc of America  the same as the Bank of America? Pretty much, yes. So what about the band of america? They can apply for a valid SSL certificate and it will match the organiations name nicely.

SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.


Lock me out. Don’t log me out!

I hate how paypal, banks and credit card sites kick you out of the login session after a certain timeout.

I can appreciate the need for security – if I leave my desk and my screensave is off, I don’t want a casual visitor to take over my paypal account. But on the other hand, to have to login again just because I happened to catch up on my rss reading is a bit of a hassle.

Cyberauthorize solved it beautifully – I am still logged in, but I do need my password to do anything. Just like with a desktop machine.

lockout, not logout!

I’m not sure how easy it is to bypass – but it certainly needs more than what a casual visitor passing by my desk can do. For me, it’s the exact right balance between security and convenience and I hope this technique will become the ‘default’ behavior in all other web services.


Cross Site Scripting can cause your stock to tank

A woman working in HP Israel sent an email to hundreds of co-workers accusing (falsely) that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, is causing infant death.

This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.

The email wasn’t very sophisticated. It wasn’t even remotely true and the ministry of health immediately issued a statement confirming the rumour is false. Still, Osem – one of the largest companies in Israel – will see its stock down a few percent over this rumor.

Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.

Stocks going up or down because of rumors is old as the invention of the stock market. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.

Imagine if you saw a news item on that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspect of poisoning infants. This is not difficult to do – I don’t really need to break in or deface the web sites for this to happen – I just need to find a cross site scripting vulnerability and use it for attack.

In fact, we made a quick proof of concept to the Tel Aviv stock exchange a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who ever reported a XSS vulnerability: “oh, this is not really a problem as it does not permanently changes the page” (for something that is “not a problem” they sure fixed it within the hour, though).

We’ve repeated this exercise almost every time our vulnerability scanning service found a XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section, altered news items and in almost all cases, met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”

Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information on the page to visitors which could be useful in a phishing attack, or like the examples above, a speculative attack.

I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.


Paying bills online? You might be pwned

Online payment system infected with malware? not good.

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008

[address omitted]

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

  • You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
  • You were using a computer with the Windows operating system, and
  • You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
  • After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. [marketing blurb about an AV vendor that was quick enough to cash in]

CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,

Art D’Angelo
Vice President, CheckFree Customer Operations

I guess we’ll call this the CheckFree botnet?


10 days later: The Israeli anti-spam law seems to work

Driving around Sao Paulo you don’t notice it. But when you drive back to the airport it suddenly hits you: billboard advertisements. They suddenly stick out, and you realize through all this time in the city there wasn’t a single billboard advertisement. Unsurprisingly, it’s too easy to get used to the lack of the big-city marketing assault on your senses that you usually see elsewhere. Sao Paulo may be polluted and congested, but when it comes to billboard advertisements there’s just none of it.

Spam is like that. You don’t miss it when it’s gone – you just get more attentive for spam that does get through.

A few months ago, Israel passed a law that might be the first of its kind(*): with very few exceptions, spam is now illegal in Israel. If you receive an email that you didn’t specifically opt-in for, and that email wants to sell you something, and either the entity who sent the email is Israeli or the company that benefits from the email is Israeli, you can sue in court and get the equivalent of $250 for every email you received(!) without any need to prove direct or indirect damages(!!). The law is phrased carefully to close all the obvious loopholes: Israeli companies are liable even if they were using off-shore machines to send the spam, and if you sue them, it’s them that have to prove that the email recepient voluntarily opted to receive those emails. Not only that, but you can’t use an opt-in consent to advertise someone else’s product (hence, list renting won’t work).

For me, seeing this type of law actually working is nothing short of incredible. My inbox was routinely filled with Hebrew emails from some of the largest consumer brands in Israel, who figured it’s cheaper to pay fractions of a cent per email to tell me about attractive deals for mineral water dispensers than take out a TV spot. Having qmail as my mail server allows me to make up emails addresses on-the-fly so I can easily track where a certain advertiser got my email: I signed up for the Jerusalem post alerts and got ads from a bunch of other advertisers. I opened an account in a now-defunct web 1.0 service and my email address for that service was sold on to about a hundred different small-time spammers. I signed up for the Israeli version of ‘classmates’ and in return got bombarded by offers to by TVs at a discount. Oh, and of course the typical spammers who just guessed my email address and are sending me updates about discounted airline tickets to Africa. The typical viagra-style emails arrive in quantities as well, but those are easily filtered out. Hebrew spam is a bit more difficult to filter because some of the legitimate email I get is Hebrew newsletters that I did actually sign up for.

So to think that from December 1, 2008, when the spam law becomes active, I will cut down on my delete-key presses was beyond what I could imagine.

The month of November was as you might expect:unbelievable quantities of emails asking me to opt-in to lists I never heard of. Each trying to convince me of the huge benefits of receiving unsolicited advertisements that might change my life. Some of these emails were angry: spammers don’t like it when their work is interfered, and a group claiming to represent the small businesses who ‘have no other choice than to send spam’ tried to tell me why the law is an immediate threat to small businesses. And when I say ‘tried to tell me’ I mean sent me a few dozen emails a day almost every day that month. Well, I stand unconvinced.

December 1st came, and the flood slowed down. Still the occasional email, usually treading on the border between legal and illegal – like emails that contained a request to opt-into the newsletter (this is allowed by the new law – once only) with a small commercial pitch towards the end. The notorious ‘people and computers’, a hitech magazine and an Israeli representatives of ‘information week’ sent me daily reminders that I have not yet opted in and ‘soon’ will stop receiving their daily newsletter if I don’t fix my ways. I would have sued, but the general manager of P&C met Bill Gates once and told him: “can I please have your card?” and when gates gave him his business card he replied with “No, your credit card”. You’ve got to hand it to him: he may be a bit of a jerk, but he is funny.

A couple of newsletters keep coming regularly, beginning the email with a long disclaimer that they are not an advertisement (the content is again borderline, I imagine at some point someone will challenge them in court) and there was the one spam email that arrived last week which I am taking to small claims court to get my $250 charity money.

But other than those – barely a handful, really – a peaceful silence. I can really get used to not getting Hebrew spam. Now if only we can get Russia to follow suit!

By the way: for those wondering where the ‘catch’ is in the spam law – or as the cynics would put it: how is it possible that politicians create an actually useful law – here’s a solution to the paradox. Being the parliamentarian state that Israel is, the law specifically allows political spam to be sent. So not to worry: the politicians excluded themselves nicely. Still, it’s a small price to pay for a relatively clean inbox.

Lets see how long this serenity will last – email is still a very tempting advertising channel. But when the potential cost is $250 per email, suddenly the ROI is not as not as attractive.

(*) I’m not aware of an opt-in spam law that allows anyone to sue the body who benefits from the spam without proof of damage. Please enlighten me if I’m wrong.


Not your typical firefox SSL error message

I almost never mistype domain names, so I’m glad firefox was able to catch my error when I did:

firefox warning

(click the image for a larger version)
If you haven’t noticed (I didn’t notice myself in the first 3-4 times; I kept clicking ok and reloading, I thought firefox was acting up) the url is The good news is that the site is owned by google, so I wouldn’t have been phished in any case. The bad news is that google should have either redirected me to the right site or give me an error message instead of showing me the site with the wrong certificate. I know why they are doing it – it’s easier to do a domain catch-all then a redirect, but it’s not good in terms of user experience.

Firefox’s behavior is interesting too. Note that the warning I got was accompanied with a popup dialog that forced me to press ‘ok’ to get to to a second warning on the page itself.

If you don’t remember the typical error message, here is what anybody surfing more than a day with firefox has seen:

typical firefox warning

(click the image for a larger version)

This typical firefox warning tries to let me know something is wrong. The problem is, I’m seeing it so much that I’m adding exceptions left-and-right. In this case of the ‘gogole’ typo, the problem is more sever ( is claiming to be so I guess firefox decided to add a dialog box to the error. I’m not sure what triggers it and how often it’s displayed, but for me this is the first time seeing it, so my guess is that firefox is trying to keep it for the rare occasion when you need the user to understand the warning has escalated.
I wonder if the next escalation will be a warning siren through the speakers with a small electric shock through the keyboard.


Spam coming to twitter

I guess one of the signs that your web service is taking off is that spammers are targeting you. In the last few days more and more fictitious followers have surfaced, obviously for the purpose of sending twitter spam once you follow the person who is following you (as most people do almost without thinking).

The twitter team seem to be doing a good job on suspending those accounts immediately (perhaps automatically?) now they just need to figure out how to prevent them from signing up in the first place.
Twitter spam

Twitter account suspended

Update: Definitely not automatically. The last batch of spam followers are still active accounts. Or maybe they figured twitter’s threshold and they are avoiding the automatic suspension.


Fooling biometric face recognition

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90′s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwods: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing a 8 character password and a 10 character password is just a few hours.


Bill Gates on linkedin

I wonder why it took so long.

thanks for the invitation, bill!

He even has 2 nice recommendations. Quite an effort was put on his profile:

86 people couldn't resist accepting. Me makes 87...

And it’s only the contact information that tells the sad story. Note how many variations of ‘bill gates’ were taken in gmail that the pranksters had to use this one:

Bill using gmail? Figures.