Cryptome: NSA has real-time access to Hushmail servers

A frequent source, ‘A’, who sends updated NSA-affiliated IP resources to Cryptome’s Web site, has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased by, or had their operational control changed to, NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
and
SAFe-mail.net – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….

Response from Safe-mail.net Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….

Update 30th Dec: Hushmail Team posted its response yesterday on Cryptome’s Web site:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, McAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; i.e. will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released on Cryptome.org on 1st Nov announced future updates with details related to this issue; this is the first piece of that information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones


And the winner is …

Researchers from the Netherlands have predicted that the next president will be Paris Hilton, Oprah Winfrey, Al Gore… well, actually they don’t know, but what they do know is that they can create PDFs, or files in any other format that allows storing random bits inside it without affecting it, that all share the same MD5 value 3D515DEAD7AA16560ABA3E9DF05CBC80.

More details on the research can be found at their Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 paper.


Google handing over a blogger’s IP

According to several Israeli newspapers, google has exposed the IP address of a blogger who was using the “blogger” service.

You might think he was posting instructions on how to prepare a nuclear bomb or the secret Coca Cola formula. It’s much, much worse. He was defaming officials in the “Sha’arei Tikva” municipality, which most Israelis can’t even place on a map, and needless to say they have little to no interest in the intrigues and political wars there.

My point is, there is no benefit to anyone in exposing the blogger’s IP except to let these officials take him to court, and while google put up a weak legal fight, the decision was reached by an out-of-court settlement, which means they didn’t even try to go the distance in order to block this request.

I think the main issue is not the blogger’s right to anonymity; it’s more about google’s unclear policy on what they do with the information they have. We know google saves search data. We know that they have access to deleted emails on gmail (for who knows how long). We don’t know what they do on google talk, but we can guess. What we already know is scary; the fact that we don’t know the rest is even scarier.
It’s clear to everyone that google has more information about us and our private lives than any other Internet entity (we had a securitoon about it a while back). Now it’s clear they are playing loose cannon with that information.

Update: Someone identifying herself as “google employee” writes in the talkback comments to the article that google only handed the IP, but the ISP gave the complete identifying information from that IP, and that the press’s picking on google is unjustified. If that google worker is reading this, feel free to email me your version of the story and it will be posted here anonymously (or just leave a comment below).


Fact of the week: iPhone widgets don’t send the IMEI

I’m sure there are people not aware of the current state of the Apple iPhone IMEI case.
It was reported by the UNEASYsilence blog (pointing to an older forum post on Hackint0sh.org) that the “Stocks” and “Weather” widgets send the IMEI number to Cupertino.

I.e. like this:

iphone-wu.apple.com/dgw?imei=%@&apptype=finance

The fact is, however, that the string being sent is not the International Mobile Equipment Identity code.

Reference: Docpool.org/iphone/The day after.en.html

What the widget sends is a UUID (Universally Unique Identifier).

Hey, an IMEI has 15 characters (all digits), while a UUID has 32 hex characters.
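As an added illustration (not code from the original post or from Apple), here is a small Python check that pulls the imei= parameter out of a request like the one quoted above and decides whether the value is shaped like an IMEI (15 digits with a valid Luhn check digit) or like a UUID (32 hex digits). The sample URLs and identifier values are constructed; the first one is the literal string from the forum post, whose “%@” is an unfilled Objective-C format placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests modelled on the widget URL quoted above.
# "placeholder" is the literal string from the forum post ("%@" is an
# unfilled Objective-C format placeholder, not a real identifier); the
# other two carry made-up values: a 15-digit IMEI-shaped number and a
# 32-hex-digit UUID.
SAMPLE_REQUESTS = {
    "placeholder": "iphone-wu.apple.com/dgw?imei=%@&apptype=finance",
    "imei_like": "iphone-wu.apple.com/dgw?imei=490154203237518&apptype=finance",
    "uuid_like": "iphone-wu.apple.com/dgw?imei=123e4567e89b12d3a456426614174000&apptype=weather",
}


def luhn_valid(digits: str) -> bool:
    """Check the Luhn check digit that a real IMEI carries as its 15th digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_identifier(value: str) -> str:
    """Return 'imei', 'imei-shaped', 'uuid' or 'unknown' for an imei= value."""
    compact = value.replace("-", "")
    if re.fullmatch(r"[0-9]{15}", compact):
        # 15 digits: only a plausible IMEI if the Luhn check digit also holds
        return "imei" if luhn_valid(compact) else "imei-shaped"
    if re.fullmatch(r"[0-9a-fA-F]{32}", compact):
        # 32 hex digits (36 characters with hyphens): a UUID, never an IMEI
        return "uuid"
    return "unknown"


def classify_request(url: str) -> str:
    """Extract the imei= query parameter from a widget request and classify it."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the query
    params = parse_qs(urlsplit(url).query)
    value = params.get("imei", [""])[0]
    return classify_identifier(value)


if __name__ == "__main__":
    for name, url in SAMPLE_REQUESTS.items():
        print(f"{name:12s} -> {classify_request(url)}")
```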


Cryptome: NSA has access to Windows Mobile smartphones

For the first time, Cryptome.org has released information about the characteristics of NSA’s network surveillance.

According to the newest IP address listing:

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ’07. It’s not known whether this mysterious source ‘A’ has connections to the National Security Agency.


Gmail as an email honeypot

You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer with a hand that’s a bit quicker than the eye.

These web site traps are successful because web sites are so easy to remember that people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up – you will type McDonalds.com and expect to see the latest dollar meal menu.
But the same is true for the other popular form of communication – email. If I know the person’s name and company (or free email system) I will generally just type it in rather than look it up in my address book.
Of course, back in the hotmail days when John was john_sm1th253@hotmail.com I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on gmail, yahoo or some other free mail system, and certainly on your corporate email system.

So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address, and while it’s merely funny if a guy named Roo Taylor gets the email root@aol.com, it could actually be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can read it from his home machine too.

I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to aviram@gmail.com (piece of cake. All you need is a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin who works for google. Then they sign you up for a new experimental beta google product called “google mail” and you not only get to pick your first name as login, but send invites to a bunch of envious friends). As gmail becomes more popular I’m receiving invitations to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and, last week, a bunch of emails with a list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name were more common. I’m also pretty sure it’s still possible to register gmail accounts with common misspellings and dig out some of the emails that come in.

At the very least, this would give the bad guys a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures from an Internet cafe about his Africa safari trip. A simple typo sends the email to our bad guy, who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.

Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…
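One defensive check the last sentence hints at, written here as an added example rather than anything from the original post: before a message goes out, compare each recipient against the address book and flag addresses that are one or two keystrokes away from a known contact but are not in the book. The address book and recipient list are constructed samples.

```python
# Constructed sample data: a small address book and a batch of outgoing
# recipients, some of which are one-keystroke slips of a known contact.
ADDRESS_BOOK = [
    "aviram@gmail.com",
    "john.smith@example-corp.com",
]

OUTGOING = [
    "aviram@gmail.com",             # exact match, fine
    "avirm@gmail.com",              # dropped letter in the local part
    "aviram@gmial.com",             # transposed letters in the domain
    "john.smith@example-corp.com",  # exact match, fine
    "bob@unrelated.org",            # unknown but not close to anyone
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete ca
                           cur[j - 1] + 1,     # insert cb
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def split_address(addr: str):
    """Normalise an address to a (local_part, domain) pair, case-insensitively."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def suspicious_recipients(recipients, address_book, max_distance=2):
    """Map each recipient that is NOT in the address book but lies within
    max_distance edits of a known contact to (closest_contact, distance).
    Local part and domain are compared separately so a typo in either counts."""
    book = {split_address(a): a for a in address_book}
    findings = {}
    for rcpt in recipients:
        key = split_address(rcpt)
        if key in book:
            continue                    # known contact, nothing to report
        best = None
        for (klocal, kdomain), original in book.items():
            d = levenshtein(key[0], klocal) + levenshtein(key[1], kdomain)
            if best is None or d < best[1]:
                best = (original, d)
        if best is not None and best[1] <= max_distance:
            findings[rcpt] = best
    return findings


if __name__ == "__main__":
    for rcpt, (closest, dist) in suspicious_recipients(OUTGOING, ADDRESS_BOOK).items():
        print(f"check {rcpt!r}: {dist} edit(s) from known contact {closest!r}")
```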


Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” – Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you use to log in to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc., which makes up a nice profile of your behavior online.

If you slip – once – and search for something which is personal – the name of someone you know, your home address in Google maps, a nearby store, your email address – then it has that information in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account and if you look it up you’ll probably know pretty much most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services – I like using Google’s services, and I know that one of the things that make them of value to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy; they just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product) and market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much even if you didn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. Add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are, to an extent, conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!”. They are, as far as I can tell, a loud but small minority. Sometimes they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you had something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expiring their cookies or perhaps even cleaning their pages with greasemonkey. Oh well. I say to Google – let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.


Oh, did we forget to write “spam” in the subject line?

The Jerusalem Post just sent me an interesting apology today. Here is how I would summarize it:

“We sold the email you gave us to a third party so that they can send you advertisements. Unfortunately they forgot to mark it clearly as spam – no idea how that happened and we’ll ask future spammers to clearly say so when we sell them the list again”.

Of course they are wrapping it with niceties and sincere apologies; I would appreciate a proper explanation of why the email I gave them when I asked to view an article online was later used to send me “alerts” and “updates”, not to mention given to 3rd parties I’m not gonna vote for. BTW, this is not the first time I get an advertisement from the jp, but they are usually better disguised as “informationals”.

From:
The Jerusalem Post

To:
Aviram Jenik (an email address reserved only for the Jerusalem Post)

Date:
Today 04:37:28 pm

Clarification:

In recent days, registered users of jpost.com have received a paid email advertisement for Rudy Giuliani.

The bottom of this email advertisement stated that it was “Paid for by the Rudy Giuliani Presidential Committee, Inc.” However, correct practice is to mark such emails as advertising in the “Subject” box as well. Because of an internal error, this practice was not followed. We have taken steps to insure that it will be in future.

We would like to stress again that the content of this advertisement has no connection to The Jerusalem Post newspaper or its online content, and does not reflect the editorial views of The Jerusalem Post in any way.

Commercial Department

The Jerusalem Post online


I’m a Federal Air Marshal and I found my identity on TSA’s HD

From a USA Today article:

“If that information is out there, it’s very easy to find out who they are,” said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.

This is really serious now.

The subject could just as well be “I’m a Federal Air Marshal and I bought my identity from TSA’s HD”.


Cryptome has a new ISP

It appears that Cryptome.org has switched to a new ISP today.

This is what the site is reporting on its main page:

Cryptome is now on a new ISP, Network Solutions, another US giant like Verio, closely linked to the authorities. We’ll see if it can take the heat or cave. We intend to test all the giants if necessary to see what is up with them and the censors: if one buckles we’ll sign up with another.

Some background information is available via this link: Cryptome Shutdown by Verio/NTT Prime Suspect.


Follow up to my post about my ex-ISP’s backdoor

It’s been roughly two months since my post Accidental backdoor by ISP. Dan Goodin has written up the whole thing nicely for everyone to read:
ISP ejects whistle-blowing student
Don’t forget to digg it :p


Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromised more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.


Accidental backdoor by ISP [updated x2]

I’ve been a happy customer of my ISP BeThere for a few months now. Overall they’re great: they are quick to sort you out with your connection, and their emails and other communications are very humorous and actually make good reading (I remember the router’s documentation CD had a warning label reading something like “warning: geeky content inside”). When I signed up I managed to get the username root; this pleased me no end and I thought I’d finally found an ISP I wanted to stay with forever.

Finding the hole
Recently though a friend of mine was extremely bored and decided to nmap my IP address. He found, and told me, that I seemed to be listening on port 23, telnet. I was extremely puzzled by this: I hadn’t port forwarded port 23, and I would never use a telnet daemon for anything. It occurred to me that it must be the router itself running the daemon. I telnetted to 192.168.1.254 and lo and behold it asked me to log in. I logged in with the default credentials (yes, I had never gotten around to changing those), which are Administrator:null

Flickr disclosed private photos – of wrong users

Several users of Flickr.com noticed that wrong photos had been included in their photo galleries during the weekend.

Information posted to the Flickr forum states that problems with cache servers made it possible to see private, porn-type pictures too.

And how did the users react? Some users changed their passwords and some users just deleted the pictures that had appeared in their galleries!

The number of comments posted to the thread is worth noting – 900+!


Colin Powell’s RSA Talk

none of the quotes in this text are in any way exact or even close to what was said, and are very much biased to what i heard. this is just an opinion piece in a blog, please treat it as such.

at rsa much like with most conferences, networking is key and talks are secondary, or at least that’s the way it is for me. one of the talks i went to was the end keynote – colin powell.

dr. powell is a very impressive and charismatic fellow. he has a good sense of humour and gives the impression of a knowledgeable person. he started his talk with a joke “i am very happy to be welcome here at rsa.” *pause* “in fact, i’m happy to be welcome just about anywhere.” :)


No Daddy, please stop! Fyodor’s words.

So after the takedown of seclists.org, and all the different points of view that were being aired, on the various web sites, I decided to contact Fyodor and ask him exactly what happened, and what’s going to happen in the future in regard to godaddy.com. Once again, thanks to Fyodor for taking the time to answer my questions.
The following is taken from an interview that I did with Fyodor last night, so here it is:

In your words, could you please describe what happened to seclists.org? I know that you have probably been asked this countless times, but there are also countless sites that don’t mention your point of view. Also, on these same sites, some are saying that you had 60 seconds warning, others are saying 60 minutes; what’s the exact figure?

Basically, GoDaddy suspended one of the domain names I had registered with them based on a complaint by MySpace without giving me a chance to respond or requiring any sort of court order from MySpace. GoDaddy wasn’t even my ISP or web host. Policing web content of the 18 million domains in their registry is not their job. Worse, it was extraordinarily hard and frustrating to reach them and get an actual reason for the shutdown. I’ve described the shutdown in far more detail at http://NoDaddy.Com .

As for the timing, they left me a voicemail at ‘9:39:31 AM PST’ according to the time stamp from my voicemail provider. In the voicemail, they say my domain is “scheduled for suspension”. Then at ‘9:40:23’ (according to my time-synced mail server) they emailed me a “Domain Suspension Notice” saying that my “domain names have been suspended”. So they only gave me 52 seconds to respond to their voicemail! Plus, their voicemail didn’t include a phone number to reach them at! I have posted both the email and voicemail recording at NoDaddy.Com.

GoDaddy nevertheless tried to claim that they gave me an hour of notice. Their general counsel Christine Jones was caught by Wired in that lie at http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html .

Aside from nodaddy.com, do you plan on taking any action, namely legal, against godaddy.com?

They certainly deserve it, and some lawyers have offered to help. But I haven’t even asked them for monetary restitution for the damage they have caused — I just want them to change their policies to be more customer-friendly. Or if they don’t, I want their behavior to be well-known so that other consumers can make a better choice. So unless they do something outrageous (such as suing me for speaking out against them on NoDaddy.Com), I’m not presently planning any legal action against GoDaddy.

Will you be taking any action against myspace.com because of this atrocity at all?

I would cancel my account if I was pathetic enough to have one :) . They should have contacted me directly to remove the page. My email address and phone number were available on the public whois, and I also watch the abuse@seclists.org email address for complaints about illegal postings to the mailing lists. Ironically, GoDaddy shut down the complaint email address when they shut down the whole domain SecLists.org.

So while MySpace made a mistake by sending the request directly to GoDaddy, I hold GoDaddy much more culpable for agreeing to the outrageous domain.

How much of an impact do you feel this had on the security community in general?

I hope it has raised awareness of the problem of vigilante domain registrars hijacking their customers’ domains because they find the web content objectionable. This isn’t just a security community issue, but an issue for all web sites. Particularly those which accept user-generated content such as forum posts or blog comments. My whole domain was shut down with no notice or reason immediately given based on a 3rd party post I had nothing to do with.

How much of an impact has this had on your life?

It has kept me very busy for the last week. But I’m hoping it will calm down so I can return to focusing the majority of my time to maintaining Nmap and my web sites.

I know that it mentions this on nodaddy.com, but what can people do to help on the nodaddy.com site?

The site is meant to be a community effort, so help is appreciated. Here are some ideas:

o Forum Operator — If someone wants to start a web forum system where users can post their GoDaddy horror stories and seek advice, that would be useful. We would be happy to provide a subdomain such as forums.nodaddy.com for this.

o Webmaster help — If someone wants to help maintain the site content (post new news stories, etc.), I would be happy for the help. They need to know (or learn to use) the Subversion version detection system.

o Creative content, like cartoons, pictures for the “NoDaddy Girls” contest, etc. The point of the site is to spread the word about GoDaddy abuses, but also to have fun :) .

Last but not least, any new and exciting things coming along in the next release of nmap that you’d be willing to share?

We are very excited about a new scripting language, which is already in alpha stage. You can see our writeup here:

http://insecure.org/nmap/nse/

Also, we have received tons of user OS submissions for the second generation OS detection system http://insecure.org/nmap/osdetect/, so the next release should work even better in that respect.
