Ever been to a coffee shop and got worried about hopping on their public wifi network to check your email? If not, you should have been, and you should presently be concerned about wifi security anywhere you go — a topic we have covered here many times.
I’m on my way back from the Black Hat DC 2009 briefings, and thought I’d give a brief synopsis of my experience there while waiting to catch a plane.
This was the first opportunity I’ve had to attend such a conference, and it was made possible by Alan over at StillSecureAfterAllTheseYears.com (yes, you made my year!). Being in the DC area, this smaller-brother version of the Black Hat Vegas conference is geared more towards the federal sector, which was perfect for me since that is where I work.
The conference was kicked off by Paul Kurtz (check it out here), former advisor to Presidents Clinton and Bush, and current candidate for President Obama’s Cyber-Czar position. He described the complex, if not disturbing, state of our country’s cyber-readiness in response to a “cyber Katrina” disaster.
It is a grim situation for which a lack of communication between the various parts of our cyber infrastructure is at fault. He likened it to the pilot training facility in Florida, which trained the pilots of the 9/11 attack, not passing along any info to the government about what was going on. The same thing, said Kurtz, is occurring with our country’s ISPs. He didn’t really go into how to solve it in detail, but I was left fearing that an increase in communication between ISPs and the government would only lead to more of a Big Brother scenario than we already have.
I chose to attend the Attack and Defense track of briefings as opposed to the Reverse Engineering track at Black Hat. All in all, I was not disappointed, though a few of the topics were very dry and very granular. Some of the other attendees I talked to were in agreement that the level of detail tended to get very specific, and thus less relevant to the majority of the people attending.
Still, I learned a lot in many of the briefings, including:
- Blinded by Flash: Widespread Security Risks Flash Developers Don’t See (presentation here)
- Dissecting Web Attacks (presentation here)
- Windows Vista Security Internals (presentation here)
The best presentation I saw this week was by an independent hacker going by the name of Moxie Marlinspike, whose presentation on New Techniques for Defeating SSL/TLS generated the most buzz amongst the conference attendees and the blogosphere.
Moxie demonstrated a method he devised using a tool he wrote called SSLStrip, which allows one to launch a man-in-the-middle attack on someone attempting to log onto a secure site. It takes advantage of the “positive feedback” cues modern web browsers rely on (the user is trained to look for a padlock, and simply never sees a warning if no SSL connection is ever attempted) to make the victim think they are on a secure web site. In actuality, they are talking to the attacker’s plain-HTTP version of the site; once their login credentials have been captured, they are sent on their way to the real site without ever knowing the difference.
Moxie reported a 100% success rate fooling people on the Tor network with this technique, collecting passwords for Paypal, Facebook, and other popular “secure logon” sites.
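To make the mechanism concrete, here is an added example (written for this page, not code from SSLStrip or from the talk) that models the bookkeeping the man-in-the-middle has to do: every `https://` link or form action in a page it relays is rewritten to `http://` and remembered, so that when the victim later submits the form over plain HTTP the proxy knows to forward it to the real server over HTTPS. The login page, host names and posted credentials are all constructed sample data.

```python
import re

# Constructed sample of a login page as the real server would send it over HTTPS.
# (Example data, not material from the talk.)
SAMPLE_HTML = """<html><body>
<a href="https://login.example.com/signin">Sign in</a>
<form action="https://login.example.com/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="http://www.example.com/help">Help</a>
</body></html>"""

# Any absolute https:// URL inside the page; group 1 is host plus path.
HTTPS_URL = re.compile(r"""https://([^\s"'<>]+)""")


class StripProxy:
    """Bookkeeping a man-in-the-middle does to keep the victim on plain HTTP.

    The victim's browser only ever sees http:// links, so it never shows a
    certificate warning: no SSL connection is attempted on its side.  The
    proxy alone speaks HTTPS, to the real server, for the URLs it rewrote.
    """

    def __init__(self):
        self.stripped = set()   # host/path pairs the victim now expects over http
        self.captured = []      # (url, body) of requests seen in the clear

    def rewrite_response(self, html):
        """Downgrade every https:// link/form action to http:// and remember it."""
        def swap(match):
            self.stripped.add(match.group(1))
            return "http://" + match.group(1)
        return HTTPS_URL.sub(swap, html)

    def upstream_scheme(self, plain_url):
        """Scheme the proxy must use towards the real server for this request."""
        host_path = plain_url.split("://", 1)[1]
        return "https" if host_path in self.stripped else "http"

    def on_client_request(self, plain_url, body=None):
        """Record anything the victim sends over http, then say how to relay it."""
        if body:
            self.captured.append((plain_url, body))
        return self.upstream_scheme(plain_url)


if __name__ == "__main__":
    proxy = StripProxy()
    victim_view = proxy.rewrite_response(SAMPLE_HTML)
    print(victim_view)
    proxy.on_client_request("http://login.example.com/auth", "user=alice&pass=hunter2")
    print("captured:", proxy.captured)
```

The browser-side defence that was later introduced against exactly this downgrade, HTTP Strict Transport Security, lets a site instruct the browser to refuse plain-HTTP versions of itself; that mechanism did not exist at the time of the talk, which is why nothing on the victim's screen looked wrong.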
There were other good briefings, and I met a bunch of cool people. As I posted on Twitter during the conference, rubbing elbows with the DC security elite made me realize how quaint Asheville is. I hope to be able to attend more conferences of this genre, as the opportunity for learning is much greater than sitting in a training room listening to a teacher drone on about a single subject.
We here at Geekamongus are by no means partial to one operating system over another. We love Macs, we love Linux, we love Solaris, and we love those other guys. Seriously, in no way do we ever intend on taking sides, and articles such as this one are not to be mistaken as an attack upon a particular vendor, nor should they be misconstrued as a statement proclaiming that we prefer other platforms.
That said, some news items of late have raised a few eyebrows upon the foreheads of the security-minded regarding Apple and their operating system, OS X. For example, there seems to be a new variant of an OS X trojan out there, according to the folks at macnn.com.
Judging by the responses from the opinionated users at the bottom of that article, the Mac fan base may be smart enough to avoid such malicious software. Cynicism aside, it is clear there is an entirely untapped user base upon which phishing attacks may be starting to prey. People who have used Macs their whole lives may be unfamiliar with the trick this kind of attack relies on, a web site that tries to talk you into downloading a “plugin” with ulterior motives, and so could be more easily fooled into taking the bait. Heck, it would seem the folks at Apple could use some tutelage about Microsoft viruses too.
Seeing as Apple still considers itself rather impervious to viruses, trojans, worms, and their ilk, I don’t foresee this getting better any time soon, even though they did briefly post a note about using antivirus software on their website. One thing Microsoft users have going for them is that they are by-and-large more aware of common Internet vulnerabilities because they run into them more often, and they must take steps to avoid them. Some may even have received training in the workplace or from a geeky niece or nephew.
Granted, OS X is based upon a relatively secure Unix kernel and the Apple market share is much smaller than that of Microsoft. That can certainly help when talking about the prevention of spreading traditional viruses, trojans, and worms. However, when an unaware user clicks “OK” to download and install a seemingly legitimate plugin, all bets are off: the malware runs with whatever rights that user just granted it, and no kernel hardening helps. And who knows what evil is brewing in the basements of evildoing jerkfaces to target OS X itself in ways which Windows users are unfamiliar with.
The other day I had an old client forward me an email from their credit card processing company, saying that the server upon which their website was hosted failed their PCI Compliance security check. I had never heard of this and was wary that it might be a service they were being tricked into adding on, but upon further investigation, I learned that many credit card processing companies are now instituting this new security policy, which is designed to tighten up security on web servers in order to decrease the chances of credit card theft.
This sounded all well and good, and I figured that with my background in securing servers to meet Department of Defense standards it ought to be a breeze. Little did I know that the server in question would put up quite a battle for the lone reason that it was running Plesk, the web host management tool. I had written off Plesk long ago, having ditched the server I had it running on after many issues with it, and I thought I would never have to work with it again, but alas…
I started Googling, of course, and found some great resources out there which cover the tightening up of Plesk in order to meet PCI compliance.
One of the best articles I found was at linux-advocay.org, which explains how to fix issues with Courier, Qmail, Apache, SSL, and iptables in case you don’t have Plesk’s Firewall add-on.
Also, a fellow by the name of DrJermy writes up his solutions for dealing with Plesk and PCI Compliance.
For some general information about what PCI compliance is all about, check out pcicomplianceguide.org.
My Take
As I worked through the PCI issues with the client who contacted me, I started realizing that the standards by which the server was being scanned were presumptuous: the scanner judged packages by the version number they advertise, without taking into account the backporting of security fixes into older version numbers as practised by Red Hat, and it was making me fix issues which seemed rather trivial in regards to credit card processing security.
If they really wanted to do something that mattered, they should have a look at the NSA’s hardening guides.
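The usual way to dispute a banner-based finding like the ones described above is to show the scanning vendor the distribution's package changelog entry that names the CVE. The following is an added example of that check (not from any of the linked articles or from a scanning vendor): it parses changelog text in the shape `rpm -q --changelog httpd` prints, maps CVE identifiers to the package release that mentions them, and classifies a finding as not applicable, a backport false positive, or something to actually investigate. The changelog entries and the scanner finding are constructed for the example; they are not Red Hat's real changelog text. CVE-2007-6388 (an Apache mod_status cross-site scripting issue) is a real identifier used only as the sample.

```python
import re

# Constructed sample in the format of `rpm -q --changelog httpd` on a RHEL-style
# host: a "* <date> <packager> - <version-release>" header followed by "- " notes.
# The entries are made up for this example, not copied from Red Hat's package.
SAMPLE_CHANGELOG = """* Fri Jan 11 2008 Example Packager <packager@example.com> - 2.2.3-11.el5_1.3
- add security fix for CVE-2007-6388 (mod_status XSS)

* Tue Sep 04 2007 Example Packager <packager@example.com> - 2.2.3-11.el5
- rebuild for RHEL 5.1
"""

# Constructed scanner finding of the kind the post complains about: the scanner
# saw only the Server banner and compared it with the upstream fix version.
SAMPLE_FINDING = {
    "banner": "Apache/2.2.3 (Red Hat)",
    "cve": "CVE-2007-6388",
    "fixed_upstream": "2.2.8",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Split rpm changelog text into [{'evr': '2.2.3-11.el5_1.3', 'notes': [...]}, ...]."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("* "):
            # The version-release is the last " - " separated field of the header.
            evr = line.rsplit(" - ", 1)[1].strip()
            current = {"evr": evr, "notes": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["notes"].append(line.strip())
    return entries


def cves_fixed(changelog_text):
    """Map each CVE id mentioned in the changelog to the release that mentions it."""
    fixed = {}
    for entry in parse_changelog(changelog_text):
        for cve in CVE_RE.findall(" ".join(entry["notes"])):
            # rpm prints newest entries first, so the first hit is the fixing release.
            fixed.setdefault(cve, entry["evr"])
    return fixed


def vertuple(version):
    """'2.2.3' -> (2, 2, 3) for a sane comparison of dotted versions."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def assess(finding, changelog_text):
    """Classify a banner-based finding against the installed package's changelog."""
    banner_ver = re.search(r"Apache/(\d+(?:\.\d+)*)", finding["banner"]).group(1)
    if vertuple(banner_ver) >= vertuple(finding["fixed_upstream"]):
        return ("not_applicable", "banner version already at or past the upstream fix")
    fixed = cves_fixed(changelog_text)
    if finding["cve"] in fixed:
        return ("false_positive", "fix backported in package release " + fixed[finding["cve"]])
    return ("investigate", "no backport recorded in the changelog; treat as vulnerable")


if __name__ == "__main__":
    print(assess(SAMPLE_FINDING, SAMPLE_CHANGELOG))
```

On a real host you would feed it the output of `rpm -q --changelog <package>`; the returned reason string is the evidence to hand to the scanning vendor. A CVE that the changelog does not mention is the case that deserves your attention rather than an argument.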
Google says the recent GMail account breaches were due to typical phishing scams, not a vulnerability in GMail itself.
With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords.
They don’t say exactly how the usernames and passwords were harvested, however. Were people just dumb/gullible enough to type their Google usernames and passwords into some other web site? Or was there a way for these phishing sites to grab the authentication info from the user’s browser? Is this the fault of the web browser or a faulty plugin?
While the fingers continue to be pointed, the specific methodology for adding malicious filters to a GMail account by way of a phishing attack remains a threat.
I’ve been following the story about the domain name hijacking of MakeUseOf.com the last few weeks with interest. All signs are pointing to the domain thief having cracked the MakeUseOf.com Gmail account in order to retrieve their GoDaddy.com password and transfer the ownership of the domain.
This is not good for any GMail user, let alone domain name owners whose registrar account is tied to a GMail address.
Apparently, this one hacker has stolen over 850 domains this way, and holds them for ransom at $2000 apiece.
The latest part of the saga details how the MakeUseOf.com folks think this happened, right down to the hacking of the GMail account. If there is indeed a security flaw in GMail, which there appears to be, MakeUseOf.com offers prudent steps to take in order to secure yourself (emphasis added by me):
(1) Well, my very first advice would be to check your email settings and make sure your email is not compromised. Check forwarding options and filters. Also make sure to disable IMAP if you don’t use it. This also applies to Google Apps accounts.
(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing web.
(3) Make sure to upgrade your domain to private registration so that your contact details don’t show up on WhoIS searches. If you’re on GoDaddy I’d recommend going with Protected Registration.
(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.
I would add to that list:
(5) Always use secure, encrypted GMail. There is an option at the bottom of the main Settings page in GMail for “Always use https” under the “Browser Connection” heading. Select this and leave it selected! Otherwise, anything you do in GMail is sent unencrypted over the Internet. Not good!
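Step (1) above, checking forwarding options and filters, is the one most people skip because a long filter list is tedious to read by eye. As an added example (mine, not MakeUseOf.com's or Google's), here is an audit of an exported filter list that flags the patterns a thief would plant: a filter that forwards to an address outside your own domains, one that trashes matching mail so you never see it, and one whose criteria match words like "password" or "godaddy". It assumes the Atom/XML shape of Gmail's filter export (`<entry>` elements carrying `<apps:property name=... value=...>` pairs); the sample feed, the addresses and the list of domains you own are all constructed for the example.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of Gmail's filter export. The first filter is
# a harmless newsletter rule; the second is what a planted filter looks like.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<title>Mail Filters</title>
<entry>
<category term='filter'/><title>Mail Filter</title><content/>
<apps:property name='from' value='newsletter@example.com'/>
<apps:property name='label' value='Newsletters'/>
<apps:property name='shouldArchive' value='true'/>
</entry>
<entry>
<category term='filter'/><title>Mail Filter</title><content/>
<apps:property name='hasTheWord' value='password OR godaddy OR domain'/>
<apps:property name='forwardTo' value='drop@attacker.example.net'/>
<apps:property name='shouldTrash' value='true'/>
</entry>
</feed>"""

# Domains whose addresses you control (assumption for the sample).
MY_DOMAINS = {"gmail.com", "example.org"}
# Words that should never appear in a filter's criteria unless you put them there.
SENSITIVE = ("password", "reset", "registrar", "godaddy", "paypal", "domain", "verif")
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filter(props, my_domains=MY_DOMAINS):
    """List the reasons a single filter looks like an implant (empty if it looks fine)."""
    findings = []
    fwd = props.get("forwardTo")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in my_domains:
        findings.append("forwards to external address " + fwd)
    if props.get("shouldTrash") == "true" or props.get("shouldDelete") == "true":
        findings.append("deletes matching mail (hides it from you)")
    if fwd and props.get("shouldArchive") == "true":
        findings.append("forwards and archives (skips the inbox)")
    criteria = " ".join(props.get(k, "") for k in CRITERIA_KEYS).lower()
    hits = [w for w in SENSITIVE if w in criteria]
    if hits:
        findings.append("matches sensitive keywords: " + ", ".join(hits))
    return findings


def audit_export(xml_text, my_domains=MY_DOMAINS):
    """Return (filter, findings) for every filter in the export that was flagged."""
    flagged = []
    for props in parse_filters(xml_text):
        findings = audit_filter(props, my_domains)
        if findings:
            flagged.append((props, findings))
    return flagged


if __name__ == "__main__":
    for props, findings in audit_export(SAMPLE_EXPORT):
        print(props)
        for f in findings:
            print("  !", f)
```

Run it over your own export, and treat any flagged filter you did not create as proof the account was in someone else's hands: change the password, then go back through steps (1) to (5).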
Keep in mind that this security flaw not only matters to domain name owners, but to anyone who has any sensitive email in their GMail account, whether it be online banking info, love letters, or whatever.
This will be interesting to watch, and I hope Google takes notice of this.
UPDATE: This fellow here has posted a proof-of-concept on creating malicious filters in someone’s GMail account.