A case of mistaken identity

As far as facebook is concerned, your email is your identification. This is true for other social networks like linkedin, and is slowly catching on to many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email – it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.

Unlike in the past where users switched emails frequently, we now have hotmail and gmail and personalized accounts that we can take with us as we switch jobs or ISPs. Email is private (at least, as private as snail mail) and if my bank feels comfortable sending me alerts and other information over email, than it is definitely secure enough for the rest of us.
So if email is destined to become the equivalent of your social security number or identification number (depending on which country you live in) how do we proof check that the email address we typed does not contain any typos? Most identification numbers have a controlling digit that acts like a checksum to make sure the ID was typed correctly. With email, we don’t have that and so you’re sending an email with the newest Vista joke to your coworker friend Bill Howards over at the Vista team and your finger slips and the mail goes to billg@microsoft.com.

Or worse – with gmail I’ve been receiving emails that belonged to some other Aviram that was too slow to catch aviram@gmail before I did. Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

Sure, I would never do that to a fellow Aviram. But what happens when our possible-future-Internet ID,  our email, is typed wrong into some government database and all our IRS information, special Internet-voting code and who-knows-what-else is sent to our alternate identity, the guy that lives right by us on the keyboard? Not good.

My receiving another person’s order information is an obvious lesson for web sites: Make sure you verify the email address. Sending a test email and waiting for confirmation is good security practice since you’re not only confirming the person typed his email address correctly but you’re also confirming he did not sign up his mother in law to your wonderful daily adult joke service as pay back for last thanksgiving.

Share

Arrested for security research?

Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injections that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, lets talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police is trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested for kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?

Share

IPv6 and location based tracking

I remember hearing a lecture circa 1995-6 about Ipv6 and how the Internet world will come to an end if we don’t adopt it soon. The crisis was a dwindling allocation of IP’s (the early Internet version of a carbon footprint). The fear was that “In 10 years, every man on the planet will have between 10 to 20 IP addresses on him”. But when I heard that, I didn’t really think about the poor IP forests that are taken down every year to accommodate the greedy globalization economy, I thought of privacy.

The end of that discussion is now clear: shortly after I heard the lecture Network Address Translation (NAT) became popular, and IP allocation was no longer a problem. Not only that, but IPv6 went from a “must have” to “we’ll get around to it some day” and is still in the process of being rolled out (slowly) to this day. But the privacy issue still remains.

If every person has an IP (or more than one IP, although that seems less likely nowadays) then we know everything about him. Unlike the virtual world, where we no longer can connect a person with an IP address without correlating half a dozen logs, in the physical world an IP will likely be more like a phone number – something unique and personal.

I thought about this when I read about a Nokia experiment where people transmitted their location to a Nokia center to enable traffic monitoring. Nokia says data is sent anonymously, and I believe them; but even if not, every Nokia device has a private (NAT’ed) address changed almost randomly by DHCP. So tracking again requires long and tedious log correlation and privacy is difficult to compromise.

What, then, will happen with IPv6? If DHCP and NAT increase privacy, is IPv6 a threat? Not an imminent threat, of course, but it is definitely ‘creeping’ in, and some day if there are enough addresses and NAT is not necessary, perhaps every blackberry in the world will have a unique IP address that will be with it forever. That’s a scary thought – if you comment in this blog post using your real name, I can take this information with me and give it to a friend of mine that works in Nokia who will tell me where you are right now. Think about the scene in “Jay and Silent Bob” where they go and beat up the people who posted bad comments about their movie; it suddenly becomes a whole lot easier to do…

Share

My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading with Facebook application has been discovered. Security company Fortinet reports that application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) with Iframe, technically from ZangoCash.com.

Shortly, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included to the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and typical ‘Ignore’.
It appears that Secret Crush is not included to Facebook Application Directory (no log-in needed) any more. Reportedly FortiGuard Team has informed Facebook guys and probably the application has been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), still accessible and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.

Share

Cryptome: NSA has real-time access to Hushmail servers

A frequent source ‘A’ sending updated NSA-Affiliated IP resources to Cryptome’s Web site has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
and
SAFe-mail.net – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….

Response from Safe-mail.net Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….

Update 30th Dec: Hushmail Team has posted its response yesterday to Cryptome’s Web site:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, MacAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; ie will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released in Cryptome.org on 1st Nov informed about the future updates with details related to this issue and this is the first piece of information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones

Share

And the winner is …

Researchers from the Netherlands have predicted that the next president will be Paris HiltonOprah WinfreyAl Gore… well actually they don’t know, but what they do know is that they can created PDFs, or any other file format that allows storing random bits inside of it without affecting it, that all share the same MD5 value 3D515DEAD7AA16560ABA3E9DF05CBC80.

More details on the research can be found at their Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 paper.

Share

Google handing over a blogger’s IP

According to several Israeli newspapers google has exposed the IP address of a blogger that was using the “blogger” service.

You might think he was posting instructions on how to prepare a nuclear bomb or the secret Coca Cola formula. It’s much much worse. He was defaming officials in the “Sha’arei Tikva” municipality, which most Israelis can’t even place on a map, and needless to say have little to no interest on the intrigues and political wars there.

My point is, there is no benefit to anyone for exposing the blogger’s IP except to let these officials take him to court, and while google gave a weak legal fight, the decision was reached by out of court settlement, which means they didn’t even try to go the distance in order to block this request.

I think the main issue is not the blogger’s right for anonymity; it’s more about google’s unclear policy on what they do with the information they have. We know google save search data. We know that they have access to deleted emails on gmail (for who knows how long). We don’t know what they do on google talk, but we can guess. What we already know is scary; the fact that we don’t know the rest is even scarier.
It’s clear to everyone that google has information about us and our private life more than any other Internet entity (we had a securitoon about it a while back). Now it’s clear they are playing loose cannon with that information.

Update: Someone identifying herself as “google employee” writes in the talkback comments to the article that google only handed the IP, but the ISP gave the complete identifying information from that IP, and that the press’s picking on google is unjustified. If that google worker is reading this, feel free to email me your version of the story and it will be posted here anonymously (or just leave a comment below).

Share

Fact of the week: iPhone widgets doesn’t send IMEI

I’m sure there are people not aware of the recent state of Apple iPhone IMEI case.
It was reported by UNEASYsilence blog (pointing to the older forum post of Hackint0sh.org) that “Stocks” and “Weather” widgets send the IMEI number to Cupertino.

I.e. like this:

iphone-wu.apple.com/dgw?imei=%@&apptype=finance

The fact is, however, that the string being sent is not the International Mobile Equipment Identity code.

Reference: Docpool.org/iphone/The day after.en.html

What the widget sends is UUID code (Universally Unique Identifier).

Hey, IMEI has 15 characters (and only numbers) and UUID has 32 characters.

Share

Cryptome: NSA has access to Windows Mobile smartphones

First time in history Cryptome.org has released information about the characteristics of NSA’s network surveillance.

According to the newest IP address listing

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ’07. It’s not known if this mysterious source ‘A’ has connections to National Security Agency.

Share

Gmail as an email honeypot

You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer with a hand that’s a bit too much quicker than the eye.

These web site traps are successful because web sites are so easy to remember, people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up – you will type McDonalds.com and expect to see the latest dollar meal menu.
But the same is true for the other popular form of communication – email. If I know the person’s name and company (or free email system) I will generally just type it up rather than look it up on my address book.
Of course, back in the hotmail days when John was john_sm1th253@hotmail.com I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on gmail, yahoo or some other free mail system, and certainly on your corporate email system.

So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address and while it’s merely funny if a guy names Roo Taylor gets the email root@aol.com, it could actually be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can watch it from his home machine too.

I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to aviram@gmail.com (piece of cake. All you need is to have a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin that works for google. Then they sign you up for a new experimental beta google product called “google mail” and you get not only to pick your first name as login, but send invites to a bunch of envying friends). As gmail becomes more popular I’m receiving invitation to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and last week a bunch of emails with the list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name was more common. I’m also pretty sure it’s still possible to register gmail accounts with common misspellings and dig out some of the emails that come out.

At the very least, this would give the bad guys get a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures from an Internet cafe about his Africa safari trip. A simple typo sends the email to our bad guy who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.

Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…

Share

Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” – Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you use to login to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc. which makes up a nice profile of your behavior online.

If you slip – once – and search for something which is personal – a name of someone you know, your home address in Google maps, a nearby store, your email address – and it has that information in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account and if you look it up you’ll probably know pretty much most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services – I like using Google’s services, and I know that one of the things that make them of value to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy, they just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product) and market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much, even if you wouldn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are the to an extent conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!”. They are, as far as I can tell, a loud but small minority. Some times they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you have something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expire their cookies or perhaps even clean their pages with greasemonkey. Oh well. I say to Google – let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.

Share

Oh, did we forget to write “spam” in the subject line?

The Jerusalem Post just sent me an interesting apology today. Here is how I would summarize it:

“We sold the email you gave us to a third party so that they can send you advertisements. Unfortunately they forgot to mark it clearly as spam – no idea how that happened and we’ll ask future spammers to clearly say so when we sell them the list again”.

Of course they are wrapping it with niceties and sincere apologies; I would appreciate a proper explanation on why the email I gave them when I asked to view an article online was later used to send me “alerts” and “updates” not to mention given to 3rd parties I’m not gonna vote for. BTW, this is not the first time I get an advertisement from the jp, but they are usually better disguised as “informationals”.

From:
The Jerusalem Post

To:
Aviram Jenik (an email address reserved only for the Jerusalem Post)

Date:
Today 04:37:28 pm

Clarification:

In recent days, registered users of jpost.com have received a paid email advertisement for Rudy Giuliani.

The bottom of this email advertisement stated that it was “Paid for by the Rudy Giuliani Presidential Committee, Inc.” However, correct practice is to mark such emails as advertising in the “Subject” box as well. Because of an internal error, this practice was not followed. We have taken steps to insure that it will be in future.

We would like to stress again that the content of this advertisement has no connection to The Jerusalem Post newspaper or its online content, and does not reflect the editorial views of The Jerusalem Post in any way.

Commercial Department

The Jerusalem Post online

Share

I’m Federal Air Marshal and I found my identity from TSA’s HD

From USA Today article:

“If that information is out there, it’s very easy to find out who they are,” said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.

This is really serious now.

The subject could be “I’m Federal Air Marshal and I bought my identity from TSA’s HD” as well.

Share

Cryptome has a new ISP

It appears that Cryptome.org has switched to the new ISP today.

This is what the site is reporting at their main page:

Cryptome is now on a new ISP, Network Solutions, another US giant like Verio,
closely linked to the authorities. We’ll see if it can take the heat or cave.
We intend to test all the giants if necessary to see what is up with them and
the censors: if one buckles we’ll sign up with another.

Some background information is available via this link: Cryptome Shutdown by Verio/NTT Prime Suspect.

Share

Follow up to my post about my ex-ISP’s backdoor

It’s been roughly two months since Accidental backdoor by ISP. Dan Goodin has written this whole thing nicely for everyone to read.
ISP ejects whistle-blowing student
Don’t forget to digg it :p

Share

Gozi Trojan analysis

SecureWorks have posted analysis of another Trojan that used to to steal SSL/TLS encrypted data transfered from the victimized PC.

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.

Share