Microsoft Digital Crimes Unit (DCU), working together with the US Federal law enforcement units has brought down Rustock, the world’s largest email spam network.

Rustock, a botnet, that controlled around 2 million zombie machines worldwide, was sending out up to 30 million spam email messages each day into cyberspace.

Rustock was taken down piece by piece – the master controllers (botnet controllers that sent out commands to compromized ‘zombie’ machines) were identified. Microsoft, working together with the US Marshall Service, seized some of these machines in the US for analysis and collaborated with the Netherlands police to disable some of the controllers outside the US.

Microsoft then worked with service providers to black hole IP addresses that were being used to control the botnet, and with the Chinese CN-CERT to block registration of domains that could be used for these purposes.

Microsoft provides the best anti-spam solution available in the market today, and also provides a variety of best-in-class unified threat management, rights management, secure remote access and anti-malware solutions. For more information, check out the Forefront website, or speak to your Microsoft representative.

Further reading:

• Microsoft on the Issues: Taking down botnets and the Rustock botnet
• Article on Switched

A "serious security flaw" in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards email messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.

Since email providers like Gmail are "auto-whitelisted" by ISPs and blocklist providers, the spam messages sent from Gmail are not looked upon with suspicion by many anti-spam technologies, which further magnifies the risk.

The INSERT report suggests that it does not require a rocket scientist to exploit this flaw:

In this regard, this document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure

At the time of this writing, Google has not offered any official comment.

Etisalat seems to have fixed the YouTube caching issue that resulted in a major security breach which allowed users to see other user’s favorites, videoes, profiles and messages.

ITP reports that Google has issued a public statement as follows:

We have had reports of this problem in the UAE and believe it was due to caching being done by a local ISP. We take our users’ security very seriously and have made necessary changes to resolve this issue. It should now be fixed, but if users see any more instances, we’d like for them to contact the YouTube support team at http://www.google.com/support/youtube.

It is interesting to note that Etisalat is still silent on this issue.

Hello world. The time is 12:31 AM in Abu Dhabi, United Arab Emirates, and I have logged in to YouTube to upload a short video. And guess what? I am automatically logged in as another Youtube user that I dont know anything about!!

I kept navigating on various pages in YouTube, and I found that I kept getting logged on as various other users! New vulnerability in Youtube/Google? I guess this will be published in a dozen other blogs by tomorrow and then maybe we can wait and see what Youtube/Google says.
Here are some screenshots. I’m cropping some of the images for ethical reasons

No, I am not a hacker – neither white, nor grey, nor black hat. It just happened. I logged in with my username and password and the next thing I know I get redirected with a new identity. I keep clicking on other links, I get further new identities. I tried to logout and back in – the same story ensues.

This isn’t the first time with Google. The exact same problem was reported by GMail users in Kuwait a few months ago. Users were able to see other users’ inboxes and email. This was caused by a caching issue at a Kuwait ISP and in all probability, what I see with Youtube *might be* the same issue. Well, in my opinion, Google should write code that doesn’t allow the ISP web proxy cache to save somebody’s session and give it to someone else!

Updates:

19 Apr, 10:30 PM This problem seems to affect only users inside the United Arab Emirates. Most likely that the problem is caused by Etisalat, our ISP.
19 Apr, 9:30 PM My blog gets blocked in the UAE
20 Apr, 8:00 AM And we’re back online
23 Apr, 5:00 PM ITP reports the issue
27 Apr, 6.45 PM YouTube security issue in UAE fixed

USEFUL INFORMATION
Getting domain registration on cheap web hosting is no big deal. Getting it on a cheap but quality web hosting is something. At present we have 2 such names, dotster that is comparatively older, and aplus hosting.

Microsoft has re-released Internet Explorer 7.0 yesterday. The added features include:

A client wanted to publish two web services on SSL using ISA Server 2006: Outlook Web Access and Sharepoint Portal Server.

We know that ISA Server can only bind one SSL certificate per socket. This translates to one HTTPS URL/website per socket. What does this mean? Lets say I have my OWA at https://owa.shijaz.com/ and I have an SSL certificate issued to owa.shijaz.com. I also have my Sharepoint portal at https://portal.shijaz.com/ for which I have acquired a certificate with common name portal.shijaz.com.

While publishing, I can have only one web listener per socket and a web listener can accept at most ONE SSL certificate. If I apply the owa.shijaz.com certificate on my web listener, OWA will work fine, but users browsing to portal.shijaz.com will get a certificate warning/error. If I apply the portal.shijaz.com certificate, users browsing to owa.shijaz.com will get a certificate warning/error.

So what’s the solution? Wouldn’t it be great if we could order a certificate with common name *.shijaz.com and use the same certificate for both (or more) websites? Yes, you can! That’s called the WILDCARD Certificate!

Ordering a wildcard certificate is fairly simple, if you know how to order a normal SSL certificate. While generating an SSL request, simply enter *.yourdomain.com as the common name for the new certificate.

Wildcard certificates have a limitation that they are not available in 128-bit SGC and available only in standard encryption. The encryption level is decided by the user’s browser, rather than the certificate. So, if you’re securing a electronic payment website or a finance-related website, a wildcard certificate may not be what you should be looking at.

I normally don’t blog about anything thats not technical enough. But this was asking for it.

Some of my readers who saw ‘Live Free or Die Hard 4′ said that they were fascinated by the technical possibility of the feats demonstrated by hackers in the movie. I’m not really the movies guy — but yielding to the awe of the readers, I was tempted to watch it.

Many have asked me “Can they really do it some day to a country?”; “Is IT warfare real?”, etc.

I’m not a movie critic and this is definitely not a movie review. This is a serious (ahem!) technology blog. So what’s ‘Die Hard 4′ doing here? Damn, I started this post, so let me begin and let me end. I promise to keep it technical.

1. How can simply copying financial information (or ‘downloading’ it – as in the movie) help the hackers steal money? Tell me how you can get rich just by copying a bank’s database to a portable hard drive?

2. The so-called “Financial Records” are 500 TB (Terabytes) as per the message on the screen and Hacker 101 says he’s going to copy the data to a portable hard drive. I’ve never seen a 500TB portable drive. Have you?

3. Every time they want to hack a system (traffic lights, tunnels, F11 controllers, CCTV cameras), our Harry Potter hacker boy just punches some buttons on his keyboard and says “we’re in”. Is it really that simple?
The encryption technologies of today require hundreds of computers working together for months and years to crack just one key, that may give access to just one system. And of course, within this long period, the key itself may change. The government of any country would not be dumb enough to protect all their systems with just one key, and passwords/keys will change frequently.

4. In the story, if system breaks, it ‘downloads’ all the data to a machine in a remote location. What kind of disaster recovery solution is that?! Data to a disaster recovery center is usually replicated in real time/periodically and does not ‘begin’ when an outage happens.

5. I believe there is always a way to manual over-ride things like traffic lights and power grids. Even when a hacker has control over traffic lights, I don’t think those systems allow anyone to set ‘green’ on every lane! I’m not a developer, but has anyone heard of user input validation?

6. How did they manage to blow up hacker good-boy’s computer when he pressed the delete button? If they were around, why didn’t they just plant a remote-controlled bomb in his apartment. Would have been more reliable

7. When they played images of blowing up government buildings, why did hacker boy have to type the messages that were being posted on TV screens manually at the time of broadcast. Couldn’t he write a simple script or at least copy-paste it from Notepad?

8. Why couldn’t somebody at the television station just physically pull the plug off the transmitter? Isn’t it better to have no transmission than to broadcast as per the hacker’s whims and fancies?

9. I wonder why some of the IP addresses are from the private IANA range – 10.x.x.x, 192.168.x.x. Were they hacking the US govt, or the neighbor’s PC?

10. Those racks in the server room look strange. Why do the servers make wierd noises when our hackerboy presses a key?

Here’s the bottom line: I don’t think that an attack of such magnitude can be done with today’s available security technologies at least for a reasonable time into the future. And beyond that – as they say – ‘Security Transcends Technology’.

Intelligent Application Gateway 2007 (IAG) is Microsoft’s new addition to the ForeFront Edge Security family. IAG provides web-based SSL-VPN connections for secure access to applications from outside the organization’s network perimeter. IAG 2007 was previously known as Whale SSL VPN before Microsoft acquired Whale Communications.

I had always wanted to get my hands on an IAG appliance, but appliances are costly, and the only way to work on one was to get my company to buy one of those babies. However, I was excited when I saw that the IAG VHD is available for download! It’s a scenario-based demo, which involves a virtual machine image (VHD) running DC/Exchange 2007/SPS 2007 and another virtual machine running the IAG appliance itself. Also, there were two client machine VHDs – one ‘managed’ and the other an ‘unmanaged’ client.

I downloaded the whole demo lab, and put it together on my 64-bit Virtual Server 2005 R2. I got a preview of the IAG features, but found that the Network Connector feature (the one that lets a remote client connect to the corporate network – ‘VPN-style’) wasn’t working. Upon closer examination, I found that the “Whale Network Connector Server” service was not running on the IAG virtual machine. When I tried to manually start the “Whale Network Connector Server” service, i got the message that the service stopped after starting. My repeated attempts to start the service were in vain.

So I opened the IAG Configuration console, and navigated to Admin > Network Connector Server option. IAG appliance has two physical network cards – one sticking in to the internal network and the other sticking in to the external network. There is a third network interface named Whale Network Connector (a virtual NIC), which appears to be “unplugged”. I made sure that the correct network interface card was selected (it should be the NIC thats on the internal network), and then de-activated Network Connector by de-selecting the “Activate Network Connector” checkbox. Then, I applied my changes by clicking File > Activate.

Once again, I navigated to Admin > Network Connector Server. This time I selected the “Activate Network Connector” and click OK. Once again I applied my changes by clicking Activate. In a few moments, the “Whale Network Connector Server” services started and a third network interface (Whale Network Connector) started showing status as “Active”.

In short, I just de-activated and re-activated the Network Connector Server after making sure that the correct internal NIC is configured on it. So if you’ve downloaded the IAG demo lab, hope this helps you!

Thawte gives away free personal email certificates at their website.

A thawte Personal E-mail Certificate in conjunction with the thawte Web of Trust allows you to secure and guarantee authorship of your e-mail communications by digitally signing and encrypting your e-mails.

IN SHORT: A personal email certificate lets you digitally sign all your outgoing email so that the recipient knows that you sent it!

Click here to get a certificate.

A word of caution here, read everything carefully whilst you apply for digital certificate. Remember the password and the question-answer pairs otherwise you will *never* be able to get another certificate for the same email ID. Also keep your password totally secret – a recipient can take you to court for documents that appear to be digitally signed by you, but was in reality signed in your name by an identity thief!

• Network with technology partners, peers and experts
• Attend technical sessions with Microsoft experts
• Test-drive Forefront and System Center technologies
• Receive valuable Trial CDs of Microsoft software
• Partake in the “You’re in Control” launch party