Google as an RBL

For those not familiar with RBL, the term means Real-time Blackhole List; it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine. The idea is that if the search term I use returns too many hits, it is likely to be SPAM :)

The danger of course is that the term could be simply popular – but the trick here is that I’m using something very special as the search term – the IP address of the poster.

The IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM – either they are listed under wiki-like sites as being banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bullet proof, but if you suspect something of being SPAM, put the IP in Google and see if there are hits. Almost all the comment SPAM I filtered out this month had more than 100 hits in Google; all non-SPAM had either 0 or fewer than 10 hits.

BTW: A good advantage of Google is that it is quick – a few seconds to get a response – a disadvantage is that you cannot just “hammer” them with searches or they will block you – maybe someone can pick up this idea and make an RBL from IP addresses using Google as a back end.
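
The hit-count heuristic above, as an added example that is not code from the original post: the search call is replaced by a constructed lookup table (sample_lookup is the assumed hook where a real query would go), the thresholds are the ones the post reports, and a per-IP cache keeps the number of searches down so the search engine is not hammered.

```python
"""Google-as-RBL heuristic: score a comment poster by how many search hits
its exact IP address string returns.

Added example, not code from the original post.  The hit counts are
constructed sample data standing in for a live search-engine query;
`sample_lookup` is the assumed hook where a real query would go."""
import ipaddress

SPAM_MIN_HITS = 100    # the post: almost all comment spam had more than 100 hits
HAM_MAX_HITS = 10      # the post: all non-spam had 0 or fewer than 10 hits
CACHE_TTL = 24 * 3600  # seconds before an IP is queried again

# Addresses nobody could have indexed: a hit count says nothing about them.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_HITS = {
    "203.0.113.7": 412,    # shows up on ban lists and mass-comment pages
    "198.51.100.23": 0,    # never indexed
    "192.0.2.44": 6,       # a few incidental hits
    "203.0.113.99": 57,    # neither band: popular for some other reason?
}


def build_query(ip: str) -> str:
    """Quote the address so the engine matches the whole dotted string,
    not the four numbers as separate words."""
    return '"%s"' % ip


def sample_lookup(ip: str) -> int:
    """Stand-in for the search call: number of hits for build_query(ip)."""
    return SAMPLE_HITS.get(ip, 0)


def classify(hits: int) -> str:
    """Map a hit count onto the bands the post observed."""
    if hits > SPAM_MIN_HITS:
        return "spam"
    if hits < HAM_MAX_HITS:
        return "ham"
    return "unknown"   # the post has no data for this band; leave it to a human


class GoogleRbl:
    def __init__(self, lookup, clock, ttl=CACHE_TTL):
        self._lookup = lookup   # callable: ip string -> hit count
        self._clock = clock     # callable: current time in seconds
        self._ttl = ttl
        self._cache = {}        # ip -> (hits, fetched_at)
        self.queries = 0        # how often the search backend was actually asked

    def check(self, ip: str):
        """Return (verdict, hits); verdict is 'skip' for unroutable addresses."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in UNROUTABLE):
            return "skip", None
        now = self._clock()
        cached = self._cache.get(ip)
        if cached is None or now - cached[1] >= self._ttl:
            hits = self._lookup(ip)
            self.queries += 1
            self._cache[ip] = (hits, now)
        else:
            hits = cached[0]
        return classify(hits), hits


if __name__ == "__main__":
    import time
    rbl = GoogleRbl(sample_lookup, time.time)
    for poster in SAMPLE_HITS:
        print(poster, rbl.check(poster))
```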

When fixing is not enough

Howdy ho from Brazil, folks.

Remember that vulnerability in the Gmail filter feature reported by Petko D. Petkov in September? Google fixed this vulnerability a few days after it was disclosed, but something was missing: end users should have been notified about it.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked, and this vulnerability helped with that.

But Google fixed that, so what’s the problem? They should have notified all users about it. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check your filters” Web two-dot-oh notice would have been enough, if only for the filters added in the days between the vuln being disclosed and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions should be taken.
I don’t know about you, but I thought about some solutions for that:

  1. Anything under Settings should require the password, on every change. I guess Yahoo! Mail works like that;
  2. Filters that forward messages should be handled in a different way, maybe under the “Forwarding and POP/IMAP” tab.

Another simple mitigation action that people should use for any online service is something like a privilege separation (I don’t have a better name for that). Use different accounts for different purposes, have a master account and child accounts that forward every message to the master account.

If you are a moderator in a Yahoo! Group, don’t use your main personal profile for group management, for example. Reducing the lifetime of the session to 15 minutes and logging in only on trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account, it will probably be your less critical account that is affected.
Do you have any insight about this Gmail vuln? Comment.
More info:

Orkut virus/worm on the loose

An Orkut based virus/worm appears to be on the loose, it propagates by posting notes on people’s scrapbook. So chances are that if you got a new scrapbook item on your long-unused Orkut it is because the worm has infected one of your friends there.

The virus/worm uses JavaScript code to propagate. Its source can be found here: hxxp://files.myopera.com/virusdoorkut/files/virus.js
Update: Google apparently is actively deleting items from the scrapbook of people that were infected and that have infected others.

Update 2: More details can be found here: http://antrix.net/journal/techtalk/orkut_xss.html

Google handing over a blogger’s IP

According to several Israeli newspapers google has exposed the IP address of a blogger that was using the “blogger” service.

You might think he was posting instructions on how to prepare a nuclear bomb or the secret Coca Cola formula. It’s much, much worse. He was defaming officials in the “Sha’arei Tikva” municipality, which most Israelis can’t even place on a map, and needless to say have little to no interest in the intrigues and political wars there.

My point is, there is no benefit to anyone from exposing the blogger’s IP except to let these officials take him to court, and while google put up a weak legal fight, the decision was reached by an out-of-court settlement, which means they didn’t even try to go the distance to block this request.

I think the main issue is not the blogger’s right to anonymity; it’s more about google’s unclear policy on what they do with the information they have. We know google saves search data. We know that they have access to deleted emails on gmail (for who knows how long). We don’t know what they do on google talk, but we can guess. What we already know is scary; the fact that we don’t know the rest is even scarier.
It’s clear to everyone that google has information about us and our private life more than any other Internet entity (we had a securitoon about it a while back). Now it’s clear they are playing loose cannon with that information.

Update: Someone identifying herself as “google employee” writes in the talkback comments to the article that google only handed the IP, but the ISP gave the complete identifying information from that IP, and that the press’s picking on google is unjustified. If that google worker is reading this, feel free to email me your version of the story and it will be posted here anonymously (or just leave a comment below).

JAR: protocol vuln – targeting to Google now

According to pdp’s report, several Web sites supporting open redirects are vulnerable to the recent JAR: protocol vulnerability.

More information about these XSS vulnerabilities (hey, these are serious now!) is available at GNUCITIZEN entry here:

Severe XSS in Google and Others due to JAR protocol issues

Update 26th Nov: The author of Beford Blog has shared information that his “jarjarbinks.htm” PoC-type link still works when entered manually into the browser’s address bar. Google is still affected by the JAR flaw.

Leave your Citrix .ICA files on a public server and let the hacker in

Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported a very interesting Citrix issue:

When searching for public .ICA files (Independent Computing Architecture), you can do serious things on the remote system with this information. Opening Cmd.exe and listing the file system works, etc.

Report here and YouTube video of 1:28min here.
A Googledork and a Yahoodork(!) are included; it appears there are many .mil and .gov sites. And hospitals too.
A real life example: A Finnish high school in Jyväskylä town fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!

Hey, don’t touch to my Gmail filters with XSRF

The good news is that Google has fixed a serious cross-site request forgery vulnerability in Gmail.

The exploitation technique was interesting – modifying Gmail’s Forwarding settings with JavaScript.

US-CERT Vulnerability Note VU#571584 is located here.
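
One way to harden the settings-change path against the forged forwarding change described here, and to enforce the two mitigations suggested in “When fixing is not enough” above (an added example with constructed names, not Google’s code): every change carries a per-session anti-CSRF token, changes that forward mail require the password again, filters that forward are treated as forwarding settings, and accepted changes are logged so users can be told exactly which filters appeared in a given window.

```python
"""Hardening a web-mail settings handler: a forged cross-site request (the Gmail
XSRF) or an injected filter (the Gmail filter vulnerability) must not be able to
redirect a user's mail.

Added example, not Google's code.  SettingsService, Session and Request are
constructed names.  Two rules: a per-session anti-CSRF token on every change,
and the password re-entered for anything that forwards mail, with filters that
forward treated as forwarding settings.  Accepted changes are logged so users
can later be told which filters appeared in a given window."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Session:
    user: str
    # random per-session token; only pages served from the same origin can read it
    csrf_token: str = field(default_factory=lambda: os.urandom(16).hex())


@dataclass
class Request:
    setting: str            # e.g. "signature", "forwarding", "filter"
    value: object
    csrf_token: str = ""    # copied from the page the user actually loaded
    password: str = ""      # re-entered for sensitive changes


def is_forwarding_change(req: Request) -> bool:
    """Forwarding settings, and any filter whose action forwards mail, are the
    changes an attacker cares about, whichever tab they live under."""
    if req.setting == "forwarding":
        return True
    return req.setting == "filter" and bool(req.value.get("forward_to"))


class SettingsService:
    def __init__(self, clock):
        self._clock = clock    # callable returning the current time in seconds
        self._users = {}       # user -> (salt, password hash)
        self.settings = {}     # user -> {setting: value, "filter": [filters]}
        self.audit = []        # (time, user, setting, value) per accepted change

    def register(self, user: str, password: str):
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))
        self.settings[user] = {"filter": []}

    def _password_ok(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def change(self, session: Session, req: Request) -> str:
        """Apply one settings change; returns 'ok' or the reason it was refused."""
        # 1. every change needs the token a cross-site page cannot read
        if not hmac.compare_digest(session.csrf_token.encode(), req.csrf_token.encode()):
            return "refused: missing or wrong anti-CSRF token"
        # 2. anything that moves mail elsewhere needs the password again
        if is_forwarding_change(req) and not self._password_ok(session.user, req.password):
            return "refused: password required for forwarding changes"
        user_settings = self.settings[session.user]
        if req.setting == "filter":
            user_settings["filter"].append(req.value)
        else:
            user_settings[req.setting] = req.value
        self.audit.append((self._clock(), session.user, req.setting, req.value))
        return "ok"

    def filters_added_between(self, user: str, start: float, end: float):
        """The 'please check your filters' list: filters created in a window,
        for instance between a vulnerability's disclosure and its fix."""
        return [value for (t, u, setting, value) in self.audit
                if u == user and setting == "filter" and start <= t <= end]
```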

These bad days of Google’s security team

This week started with news of three serious vulnerabilities in Google’s services and products – via the hacademix.net post GoogHOle (XSS pwning GMail, Picasa and almost 200K customers).

But it appears the information was already public on Sat 22nd Sep.

The report says Google’s security team was contacted before the release. The exact date is not known, however.

Flayer is Google’s step to Web application security testing

Google has introduced the tool recently via its Online Security Blog.

The tool is released under GNU General Public License v2.

The home of the new project is here: code.google.com/p/flayer/

Visitors to the WOOT ‘07 conference are already aware of it.

Fake blogs and search engines

urls in this post should be considered unsafe.

fake sites and se poisoning are nothing new. the use of blogs for this is far from new, either. thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

web spam is a subject i have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

a new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a google alert on my name.

i get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
this time around they really over-did it.

the page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

then the site shows the youtube video which can be found under my name.
following that is a post i made to a mailing list recently (poorly formatted).
then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

they finish the page off by adding comments, which are actually some old securiteam posts by me.

heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. their auto-creation tools seem to be getting more impressive, and i believe we will see much improved believable sites, soon.

google blog search displays this site as (nasty words replaced with beep):

gadi evron
2 sep 2007
gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. teen cherry action – nice brunette teen beeped hard on the bed and getting a beepy beepshot. beep beeping boy beep teen legs, …
untitled – h ttp://n ewadult.celeberia.com/

url:
h ttp://n ewadult.celeberia.com/sun-shine

again, i am unsure if these urls are safe.

for those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). then of course, there is advertising and google ads.
it works. and the advertising space on unrelated key words is a plus.

the concept is very similar to comment spam. comment spam may not contribute to se ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. nofollow is crap, and what shows up when you search is what matters.

as an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://sunshine.livejournal.com/8859.html for the example).

he left a url for his legitimate python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘a jew in a german camp’ (about the ccc camp in germany). he is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

gadi evron,
ge@beyondsecurity.com.

Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” – Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the account you use to log in to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc., which makes up a nice profile of your behavior online.

If you slip – once – and search for something which is personal – a name of someone you know, your home address in Google maps, a nearby store, your email address – then that information is in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account and if you look it up you’ll probably know pretty much most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services – I like using Google’s services, and I know that one of the things that make them of value to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy, they just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product) and market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much, even if you didn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. Add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are, to an extent, conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!”. They are, as far as I can tell, a loud but small minority. Sometimes they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you had something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expiring their cookies or perhaps even cleaning their pages with greasemonkey. Oh well. I say to Google – let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.

How to sleep with any woman you want – on the first date!

Yeah, I hate sensational titles with little to no substance just like you do. But I guess at google corporate people are so used to dealing with titles in their search result and adsense products they forgot somebody has to write the content behind the “title” tag.

The sky is falling! So says google in the most content-less article I’ve read since Paris Hilton was released from prison. We can’t tell you how, or why, or how to fix it, or any really useful information besides the fact it is a problem in Java. But we’d really want you to know there’s a problem, or else we wouldn’t have released this information from the leak-proof google security team.

Is the vulnerability even real? Well, does it matter? Disclosing a vulnerability without details is the equivalent of the sound of one hand clapping (here’s an explanation for all you google guys. See, unlike you I try to explain myself).

By the way, I stumbled today on a vulnerability in the google search engine that allows me to take over every browser who visits google.com. Or maybe I didn’t. But feel free to tell zdnet about this phenomenal discovery. That, and my foolproof method to sleep with any woman on the first date (which I won’t disclose due to clear and imminent threat to the human race).

Plain-text FTP credentials and YouTube: a bad combination

The MOSEB campaign (Month of Search Engine Bugs) shared a good example of the dangers of Googledorks this week.

When using the search string

site:youtube.com “clicks from ftp @” we’ll see 257 results.

When googling

“clicks from ftp” + filter=0, in turn, we will get 508 results.

Gmail/Google XSS can be used to steal contacts (and the authentication token)

A combination of an XSS in the Google Groups web site with a “feature” of Gmail’s integration with Google Groups allows an attacker who can trick you into clicking a specially crafted URL to steal:

  • All Contacts you’ve ever mailed (Name and Email address)
  • Your Gmail authentication token

For more details go to this page.
(NOTE: The vulnerability still works as of 2007-03-15 16:12 GMT+0)

Wireless “Drive-by Pharming Threat”

update:

read this before reading this blog entry.

this was posted to bugtraq today. let’s see what this is about…

date: thu, 15 feb 2007 13:02:46 -0800
from: zulfikar ramzan
subject: drive-by pharming threat

we discovered a new potential threat that we term “drive-by pharming”. an attacker can create a web page containing a simple piece of malicious javascript code. when the page is viewed, the code makes a login attempt into the user’s home broadband router and attempts to change its dns server settings (e.g., to point the user to an attacker-controlled dns server).
once the user’s machine receives the updated dns settings from the router (e.g., after the machine is rebooted) future dns requests are made to and resolved by the attacker’s dns server.

the main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed). note that the attack does not require the user to download any malicious software – simply viewing a web page with the malicious javascript code is enough.

we’ve written proof of concept code that can successfully carry out the steps of the attack on linksys, d-link, and netgear home routers. if users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.

additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

thanks,

zulfikar ramzan

________________________________________

zulfikar ramzan
sr. principal security researcher
advanced threat research
symantec corporation

in discussions of this issue, fergie (paul ferguson) said, and i replied:

on fri, 16 feb 2007, fergie wrote:
>
> i don’t know — i found this whole “report” somewhat dubious, if
> not downright opportunist: hasn’t this “vulnerability” basically
> existed since, like, forever?
>
> i write it off as marketing opportunism… among other things. :-)

well duh. think rsa and a brand new idea they did a pr about – phishing mitm kit (think phishing: user >> fake site >> bank).

nothing is really new in security, we have seen malware/etc. change the hosts file for years now, not to mention domain hijacking.

we have also seen wireless brute-forcing/etc./what-not.

the one thing about the folks at symc who did this release is that they actually know their ****. meaning, someone took these two technology ideas and made something new from them, which is:
break into wireless routers and put your dns server in them for hijacking purposes. symantec just reported it to us.

it’s cool, it’s “new” and it won’t be a huge problem quite yet.

i remember a thread from nanog a couple of years back when i mentioned google and all these other national/international wireless providers better be ready with physical operational folks that will track down rogue aps, etc. cop cars with triangulation devices? :)

it was a vulnerability waiting to happen which wasn’t exploited, meaning it didn’t get much attention. this is much like the days when bots were trojan horses as botnets didn’t yet exist.

wireless used to be used for hacking into a network-connected machine, now it is suddenly used for the sake of it being wireless. still network-connected as a goal, but it is no longer just tcp/ip which plays the game.

good news: these are dns servers we can take-down. fun, yet another escalation war.

sunshine.

this is very interesting, although not too exciting. nice work by the guys at symantec.

gadi evron,
ge@beyondsecurity.com.

Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:
> http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
>
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than work with them, citing as we have seen above that today, a very small percentage of internet users account for about 50% of all internet traffic. that of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
>
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomenon is part protocol and part social.
>
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to winging and warring against it.
>
> if we do, then the authors of the p2p protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
-. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts. stuff to live by.
-. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistance until it becomes mainstream a few years down the road.
-. not connected with what can currently happen to affect change, but rather how things really are which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to effect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this change, or be shown to be wrong?

some examples may be:
-. working with network gear vendors to create better equipment built to handle this and lighten the load.
-. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
-. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks who in most cases are not eveel “internet pirates”, are mostly allied whether in name or in practice with illegal activities. the technology isn’t illegal and can be quite good for all of us to save quite a bit of bandwidth rather than waste it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of [insert evil regime here], why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is effected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the road rather than adapt after the avalanche has already fallen.

gadi evron,
ge@beyondsecurity.com.
