CyberInsecure.com

Archive for the ‘Google’ Category

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

Predictable enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Beiber to play North Korea in an upcoming tour.

In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

Credit: The Register

Google has said that its world-roving Street View cars have been collecting information sent over open WiFi networks, contradicting previous assurances by the company. This means that Google may have collected emails and other private information if they traveled over WiFi networks while one of the cars was in range. Previously, the company said no payload data was ever intercepted.

In a blog post published on Friday afternoon, the company said that it collected the data by “mistake” and that the data has not been used in any Google products. Street View cars have now been grounded, according to the post, and the company has promised to delete the data. But before doing so, it will be asking regulators in “the relevant countries” how this should be done.

It arrives less than three weeks after the company said that such data was not being collected. But since then, Google conducted a review of the data being collected by its Street View cars after the data protection authority (DPA) in Hamburg, Germany requested such an audit.

Ginger McCall, a staff counsel with the Electronic Privacy Information Center (EPIC), a public watchdog, calls the data collection a “violation of customers’ trust,” and she questions Google’s claim that it was collecting the data by mistake. “People need to ask why was Google was collecting this information,” McCall told The Reg. “It’s difficult to believe that this would be done accidentally.

“This really flies in the face of their assertion that customers should just trust them.”

On April 27, in response to a complaint from the German DPA, a Google blog post said that in scanning open WiFi networks its Street View cars were collecting only the SSIDs that identify the networks and MAC addresses that identify particular network hardware, including routers. Google uses this data in products that rely on location data, such as Google Maps.

But the company now says that when Street View cars began collecting this data, it accidentally included some additional code with the cars’ software. “So how did this happen? Quite simply, it was a mistake,” today’s blog post reads. “In 2006, an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data.

“A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data.”

As EPIC’s McCall says that Google’s admission undermines trust in the company, Google seems to acknowledges as much. “Maintaining people’s trust is crucial to everything we do, and in this case we fell short,” the company says.

In response, the company says it will ask a third party to review the its WiFi data collection software and to confirm that it deleted the data appropriately. It also says it will review its “procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.”

Separately, the company will soon offer SSL encryption for its core search service. In July 2008, Google added an HTTPS-only option to its Gmail email service, and in mid-January, just after announcing that alleged Chinese had nabbed intellectual property from its internal systems, it turned on SSL by default.

It also offers SSL as an option with its Calendar, Docs, and Sites services, and just recently, it began doing the same with Google Web History and Google Bookmarks, after a security vulnerability was found in the search personalization service that taps Web History.

Google says that following today’s admission, its Street View cars will stop collecting WiFi data entirely, including SSIDs and MAC addresses. But presumably, they will not stop collecting photos of every street on the planet and posting them online.

Credit: The Register

Miscreants have created a Trojan that poses as a Google Chrome extension. Spammed messages attempt to dupe prospective marks into trying an add-on that “helps you better organize your documents received in your email”.

Interested parties are pointed towards a counterfeit Google Chrome Extensions page, which offers a malware executable. More observant punters will notice that the download is offered in an .exe file and not a .crx Google Chrome extension. Such markers are easily missed, however.

The Trojan horse malware on offer (identified by Romanian security firm BitDefender as the Agent-20577) blocks access to Google and Yahoo webpages. Attempts to reach these sites on infected machines are hijacked and redirected to counterfeit sites. Such trickery is commonly a prelude to either phishing attacks or a technique by the hackers behind the trick to gain affiliate income from scareware slingers or other undesirables.

The appearance of the attack shows that cybercrooks have begun targeting Google Chrome users, something that only tends to happen when a product or service becomes widely used among end users and is therefore a compliment (of sorts) to the success of Google’s browser technology.

Credit: The Register

A recently launched anonymization service suffered a setback last week when Gandi.net, a France-based registrar that bills itself as a “no bullshit company,” revoked its secure sockets layer certificate without warning.

Last week’s move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of Gandi.net’s abuse department said the certificate was revoked “due to multiple and deliberate serious breaches” of the registrar’s terms of service. Specifically, the violations were incorrect information provided to Gandi.net’s Whois database, a trademark violation for the unauthorized use of “google” in the domain name and the use of the certificate for unspecified “fraudulent activities.”

GoogleSharing prevents Google from tracking searches and websites visited by specific individuals by mixing together requests from many different users so it’s impossible to tell where the queries originate. A Firefox plugin redirects Google-bound traffic to a proxy, where requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is them proxied back to the originating user.

“GoogleSharing thrives by being totally transparent to the end user,” Marlinspike wrote in an email. “They install the addon and never have to think about it again. They don’t have to do anything special or visit any special websites. By causing a four day interruption, they’ve likely killed the majority of our user base.”

The hacker said it was true that some of information contained in the Whois database was not correct, but he insisted the service doesn’t engage in fraud and that the the inclusion of “google” in his domain name is protected by the fair use doctrine.

The revocation meant in an instant people who relied on GoogleSharing to anonymize Google search requests were unable to use the service. Because the service relies on a Firefox add-on that uses an authenticated page, their connections were killed with little explanation and no recourse.

The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers’ websites. Gandi.net took the action with no warning and didn’t provide an explanation for more than a day. And even then, it failed to say exactly what “fraudulent activities” GoogleSharing had carried out.

So much for Gandi.net’s claims of being a “no bullshit company.”

“It’s a big claim to make,” the company’s marketing monkeys write. Among other things, it means employees “are honest about what we do; we will be straightforward in how we deal with you” and “if we’re ever hypocritical we will hold our hands up and clean up.”

Conspiracy-minded observers might be tempted to point out that over the past decade Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates used to authenticate banks, online retailers, and other groups with sensitive websites. By demonstrating practical attacks that allow hackers to spoof the widely used credentials, his research calls into question the effectiveness of SSL certificates and the companies that issue and use them.

Already, eBay-owned PayPal has retaliated against the independent researcher for showing how the criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course.

But the consequences of the revocation are far from over. Whereas the service pushed an average of 4Mbps before, it was generating only about 300kbps after it came back online.

Which seems to suggest that if you’re doing anything considered remotely controversial on the net, you’re better off relying on yourself for payment and certificate services. The internet isn’t a democracy, and companies with self-serving terms of service can’t be counted on to deliver due process. Not even those that bill themselves as “no bullshit.”

Credit: The Register

Already besieged by complaints of shoddy user privacy, Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday.

The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that sets authentication cookies for a variety of popular Google services, including Mail, Calendar and Documents. That means an attacker might be able to hijack victims’ account simply by tricking them into visiting a booby-trapped link.

What’s more, the vulnerability ties into to the much-vaunted Google Location Services, making it possible for the attacker to learn the geographical location of users who have already opted in.

“It’s a pretty nasty vulnerability, actually,” Robert “RSnake” Hansen, CEO of secTheory.com, said. “If you’ve already agreed to that before being exploited, which most people will do, then the attacker also gets to know your location.”

The vulnerability is the result of web applications that fail to adequately scrutinize user input for malicious commands that inject unauthorized content and javascript into browsers visiting google.com addresses. The vulnerability, which Hansen said was reported by a hacker known as TrainReq, is also notable because it works over the SSL, or secure sockets layer, protocol.

The resulting “https” and “google.com” included in the address is likely to lead some victims into believing the address is safe, he said.

Over the years, Google engineers have done a good job at fortifying the site against XSS flaws. In the rare instances the bugs get through, Google personnel are usually quick at stamping them out once they’ve been reported.

Credit: The Register

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC

Google plans to curb its controversial practice of censoring search results in China after uncovering a “highly sophisticated and targeted attack” designed to steal information about human rights activists from its Gmail service and at least 20 other large companies.

The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists. Although only two email accounts appear to have been breached, “accounts of dozens of US-, China- and Europe-based Gmail users who are advocates of human rights in China” have been routinely breached, most likely as a result of phishing or malware attacks, the company said Tuesday.

The discovery came as Google uncovered similar attacks on at least 20 other companies in the financial, technology, media, and chemical industries. In light of the revelations, Google said it is considering shuttering its Chinese operations altogether.

“These attacks and the surveillance they have uncovered - combined with the attempts over the past year to further limit free speech on the web - have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer David Drummond wrote. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

Drummond said Google has already used the investigation findings to introduce security improvements. The company is also in the process of sharing its findings with law enforcement authorities and the other targeted sites.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” Drummond wrote.

He didn’t provide details about the two breached Gmail accounts except to say that “activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” The names of the 20 large companies were also omitted.

Google, whose corporate credo is “Don’t be evil,” entered the Chinese market in 2006 with the promise to censor search results that were objectionable to the country’s government.

Credit: The Register

Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targetting Microsoft’s web properties.

Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.

In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.

The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.

Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Life Space environment.

Whatever the distribution method, its clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screen shots of the fake pharma punting blogs that have begun affecting Live Spaces can be found here.

Credit: The Register, Threat Center Live Blog

Scareware slingers have begun hiding links to rogue anti-virus sites behind Google Doodle. The development leaves surfers who click on Google’s picture of the day at risk of being exposed to sites that run fake security scans, before strong-arming users into buying worthless software in order to clean-up non-existent security risks

Scammers have been manipulating the search engine ranking of terms in the news to promote scamware portals for months. In the latest twist to this wheeze, fraudsters poisoned the sites offered up to surfers who clicked on Google’s front-page Doodle sketch, dedicated to the 150th anniversary of birth of the creator of the Esperanto language, L. L. Zamenhof, on Tuesday.

The latest variant to previous black hat search engine optimisation techniques resulted in links to hacked pages on legitimate websites, including a hair Salon in New Jersey and a science fiction site. Users visiting these sites via Google (and only via Google) are redirected towards scareware scam portals.

Tainted results appeared among the top five to 10 search results for people who clicked on the Google doodle link on Tuesday, according to security researchers at Barracuda Networks. “Poisoning as a trend is nothing new, but in this particular case, it’s a search where you actually click on Google’s logo and you get results back from sites where half of the links have been compromised,” Dave Michmerhuizen, said a research scientist at Barracuda Networks.

Google, which stated other search engines are also targeted by black hat search engine optimisation techniques, said most of the tainted links were quickly removed from its index. Google uses a combination of continuously-refined automated and manual processes to clean-up its index, a spokesman for the search engine giant added.

Google and security researchers are in a continuous battle against distributors of rogue anti-virus scanners, one of the most prevalent information security threats contaminating the internet at present. FBI estimates out this week suggest that the scareware market brought in $150m in illicit income over an unspecified period.

Credit: The Register

A bug in the latest version of the Google Chrome browser could leak the identity of users trying to surf anonymously, developers warn.

The flaw means that domain-name queries are made by a user’s local network even when Chrome is configured to used a third-party proxy. Users typically use proxies to conceal their local IP address in an attempt to browse anonymously. When the feature is set up, domain-name queries are supposed to be funneled through the proxy, rather than being made by a user’s local network.

“This presents a serious risk for the users of the services such as Tor, as their DNS data and the little anonymity they have with Tor is leaked outside and in the clear,” according to an advisory published Monday on the Full-Disclosure mailing list.

Short for the onion router, Tor is a free service that routes internet connections through an unpredictable series of IP addresses to prevent the true source of a user’s connection from being detected. It is used by configuring a browser or other internet-facing application to use an IP address that belongs to the Tor project. Those using Chrome 3.0.195.33, the most recent version of the Google browser, receive no such protection.

There seems to be some confusion about what’s causing the bug. According to the Full-Disclosure advisory, a feature known as DNS pre-fetching, which is enabled by default, is responsible for the loss of anonymity. But some developers say the vulnerability exists even when pre-fetching is disabled.

It’s unclear when the hole might be patched.

“We’re looking into fixing this issue,” a Google spokesman said, “but it only potentially impacts a very small number of people who make use of anonymity services like Tor.”

Those looking for more dependable anonymous browsing are better off using Firefox in concert with the Torbutton.

Credit: The Register