CyberInsecure.com

Archive for the ‘Google’ Category

Already besieged by complaints of shoddy user privacy, Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday.

The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that sets authentication cookies for a variety of popular Google services, including Mail, Calendar and Documents. That means an attacker might be able to hijack victims’ account simply by tricking them into visiting a booby-trapped link.

What’s more, the vulnerability ties into to the much-vaunted Google Location Services, making it possible for the attacker to learn the geographical location of users who have already opted in.

“It’s a pretty nasty vulnerability, actually,” Robert “RSnake” Hansen, CEO of secTheory.com, said. “If you’ve already agreed to that before being exploited, which most people will do, then the attacker also gets to know your location.”

The vulnerability is the result of web applications that fail to adequately scrutinize user input for malicious commands that inject unauthorized content and javascript into browsers visiting google.com addresses. The vulnerability, which Hansen said was reported by a hacker known as TrainReq, is also notable because it works over the SSL, or secure sockets layer, protocol.

The resulting “https” and “google.com” included in the address is likely to lead some victims into believing the address is safe, he said.

Over the years, Google engineers have done a good job at fortifying the site against XSS flaws. In the rare instances the bugs get through, Google personnel are usually quick at stamping them out once they’ve been reported.

Credit: The Register

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC

Google plans to curb its controversial practice of censoring search results in China after uncovering a “highly sophisticated and targeted attack” designed to steal information about human rights activists from its Gmail service and at least 20 other large companies.

The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists. Although only two email accounts appear to have been breached, “accounts of dozens of US-, China- and Europe-based Gmail users who are advocates of human rights in China” have been routinely breached, most likely as a result of phishing or malware attacks, the company said Tuesday.

The discovery came as Google uncovered similar attacks on at least 20 other companies in the financial, technology, media, and chemical industries. In light of the revelations, Google said it is considering shuttering its Chinese operations altogether.

“These attacks and the surveillance they have uncovered - combined with the attempts over the past year to further limit free speech on the web - have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer David Drummond wrote. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

Drummond said Google has already used the investigation findings to introduce security improvements. The company is also in the process of sharing its findings with law enforcement authorities and the other targeted sites.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” Drummond wrote.

He didn’t provide details about the two breached Gmail accounts except to say that “activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” The names of the 20 large companies were also omitted.

Google, whose corporate credo is “Don’t be evil,” entered the Chinese market in 2006 with the promise to censor search results that were objectionable to the country’s government.

Credit: The Register

Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targetting Microsoft’s web properties.

Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.

In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.

The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.

Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Life Space environment.

Whatever the distribution method, its clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screen shots of the fake pharma punting blogs that have begun affecting Live Spaces can be found here.

Credit: The Register, Threat Center Live Blog

Scareware slingers have begun hiding links to rogue anti-virus sites behind Google Doodle. The development leaves surfers who click on Google’s picture of the day at risk of being exposed to sites that run fake security scans, before strong-arming users into buying worthless software in order to clean-up non-existent security risks

Scammers have been manipulating the search engine ranking of terms in the news to promote scamware portals for months. In the latest twist to this wheeze, fraudsters poisoned the sites offered up to surfers who clicked on Google’s front-page Doodle sketch, dedicated to the 150th anniversary of birth of the creator of the Esperanto language, L. L. Zamenhof, on Tuesday.

The latest variant to previous black hat search engine optimisation techniques resulted in links to hacked pages on legitimate websites, including a hair Salon in New Jersey and a science fiction site. Users visiting these sites via Google (and only via Google) are redirected towards scareware scam portals.

Tainted results appeared among the top five to 10 search results for people who clicked on the Google doodle link on Tuesday, according to security researchers at Barracuda Networks. “Poisoning as a trend is nothing new, but in this particular case, it’s a search where you actually click on Google’s logo and you get results back from sites where half of the links have been compromised,” Dave Michmerhuizen, said a research scientist at Barracuda Networks.

Google, which stated other search engines are also targeted by black hat search engine optimisation techniques, said most of the tainted links were quickly removed from its index. Google uses a combination of continuously-refined automated and manual processes to clean-up its index, a spokesman for the search engine giant added.

Google and security researchers are in a continuous battle against distributors of rogue anti-virus scanners, one of the most prevalent information security threats contaminating the internet at present. FBI estimates out this week suggest that the scareware market brought in $150m in illicit income over an unspecified period.

Credit: The Register

A bug in the latest version of the Google Chrome browser could leak the identity of users trying to surf anonymously, developers warn.

The flaw means that domain-name queries are made by a user’s local network even when Chrome is configured to used a third-party proxy. Users typically use proxies to conceal their local IP address in an attempt to browse anonymously. When the feature is set up, domain-name queries are supposed to be funneled through the proxy, rather than being made by a user’s local network.

“This presents a serious risk for the users of the services such as Tor, as their DNS data and the little anonymity they have with Tor is leaked outside and in the clear,” according to an advisory published Monday on the Full-Disclosure mailing list.

Short for the onion router, Tor is a free service that routes internet connections through an unpredictable series of IP addresses to prevent the true source of a user’s connection from being detected. It is used by configuring a browser or other internet-facing application to use an IP address that belongs to the Tor project. Those using Chrome 3.0.195.33, the most recent version of the Google browser, receive no such protection.

There seems to be some confusion about what’s causing the bug. According to the Full-Disclosure advisory, a feature known as DNS pre-fetching, which is enabled by default, is responsible for the loss of anonymity. But some developers say the vulnerability exists even when pre-fetching is disabled.

It’s unclear when the hole might be patched.

“We’re looking into fixing this issue,” a Google spokesman said, “but it only potentially impacts a very small number of people who make use of anonymity services like Tor.”

Those looking for more dependable anonymous browsing are better off using Firefox in concert with the Torbutton.

Credit: The Register

A bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The documents stored in Adobe’s PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.

Google searches such as this one expose almost 4 million documents residing on users’ C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

“If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used,” he told The Register. “That actually invades the privacy of a user.”

The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn’t always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

The only way to remove the path is erase the text in an editor and save the document.

All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. “We can confirm that this is not a vulnerability,” she wrote in an email. Adobe representatives didn’t reply to requests for comment.

Credit: The Register

Microsoft has helped discover a flaw in the Google Chome Frame plug-in for Internet Explorer users.

The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in

Successfully exploiting the flaw creates a means for hackers to bypass security controls though not to go all the way and drop malware onto vulnerable systems.

Microsoft and security researcher Lostmon are jointly credited with discovering the vulnerability in Google’s browser add-on.

Google acknowledged the flaw and urged users to update to version 4.0.245.1 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google’s security advisory at http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html

Credit: The Register

Google has launched a Dashboard service that’s designed to show how much the search engine giant knows about its users online activities.

The service (http://www.google.com/dashboard) provides a summary of data associated with a specified Google account. Users gain the ability to view and manage data, which ranges from search engine queries and emails sent through Gmail through to videos viewed on YouTube, and much else besides. Users will usually have already consented to allow Google to keep tabs on their activities online, but the search engine giant’s tentacles reach so far that it’s tough to know how much information it holds on each of us.

Google Dashboard - which is designed to address privacy concerns over the search engine giant’s propensity to catalogue data - is accessed by logging into a Google account. Surfers get a list of the number of items held on particular services (Calenders, Blogger, Shopper, Chat, Gmail etc. etc.) linking to the data repositories of these services for more detailed information.

Although the Dashboard service goes some way towards answering the question of what Google knows about our lives online, it doesn’t really provide many clues about how Google uses this information. In addition, one thing not included in the run-down is cookie-based data Google collects via its huge online ad-serving business.

Even so, Google Dashboard holds a lot of potentially sensitive data, providing yet another good reason for users to use hard to guess (strong) passwords on their Gmail or other Google accounts.

More details on Google Dashboard can be found in a blog at http://googlesystem.blogspot.com/2009/11/google-dashboard.html

Credit: The Register

A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set.

The weakness stems from RFC 2965, which dictates that browsers must allow subdomains (think www.google.com) to set and read cookies for their parent (google.com). The specification also states that if a cookie for a subdomain doesn’t already exist, the browser should use the cookie belonging to the parent instead.

The arrangement makes it possible for attackers to steal or even alter the cookies that websites use to authenticate their users. Attackers would first have to identify an XSS, or cross-site scripting, bug in some part of the site they are targeting. But because virtually any subdomain will suffice, the scenario isn’t unrealistic, two web security experts said.

“Most websites actually will store session IDs in a cookie and that’s actually how they keep track of users throughout the use of their website,” said Mike Bailey, a senior researcher for Foreground Security who first documented the flaw at last month’s Toorcon hacker conference. “Using the same techniques to attack those cookies, I can really damage sessions and cause some problems.”

Bailey’s paper goes on to demonstrate how he used the technique to bypass a feature Google recently implemented to beef up security on Gmail and other properties. By exploiting a minor vulnerability in sites.google.com, he was able to falsify the contents of his global Google cookie. Google has since fixed the XSS hole in the subdomain.

In turn, that allowed him fool the Google protection, which checks to make sure the value in the cookie matches a hidden parameter of the login page.

Bailey lists several other sites that have been known to be vulnerable to similar attack techniques. Using an XSS hole on www.advertising.expedia.com, he found it was possible to poison the global cookies for the entire expedia.com domain. Because the site didn’t set the cookies with proper escaping, an attacker could have used the weakness to inject malicious javascript into expedia pages.

Chase.com, capitalone.com and chasevisasignature.com either are or were vulnerable to similar attacks because they shared code with images.bigfootinteractive.com, which was vulnerable to XSS exploits.

Bailey said it’s not hard to imagine university websites would be vulnerable to such attacks because the domain names frequently use names such as psychology.school.edu, geography.school.edu and so forth. A single bug in a student-maintained computer science project might be enough to compromise personal data stored on the college’s student enrollment server, he said.

Websites can guard against attacks by regularly checking their pages for bugs, but because the attack exploits the way browsers are supposed to handle cookies, a more comprehensive fix will probably require a change to the underlying protocols. Which means this attack will probably be around for a while to come.

Credit: The Register