Gmail: Lean, Mean Spamming Machine!

by Shijaz Abdulla on 12.05.2008 at 11:35

A "serious security flaw" in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards email messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.

Since email providers like Gmail are "auto-whitelisted" by ISPs and blocklist providers, the spam messages sent from Gmail are not looked upon with suspicion by many anti-spam technologies, which further magnifies the risk.

The INSERT report suggests that it does not require a rocket scientist to exploit this flaw:

In this regard, this document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure

At the time of this writing, Google has not offered any official comment.


Great free tool for checking ISA Server access policies

by Shijaz Abdulla on 01.05.2008 at 10:53

Here’s a great tool that lets you find out if a particular user’s access to a resource is affected by ISA and by what rule:
http://sync-io.net/ISAAccessChk.aspx

As with all third-party tools, Microsoft does not provide you with support for this tool.


ITP reports YouTube security issue

by Shijaz Abdulla on 23.04.2008 at 18:02

ITP today reported the YouTube security issue that this blogger wrote about on 19th April 2008. That’s 5 days after I discovered it! [That's another reason why you should subscribe to this blog.] :)

ITP has confirmed my initial doubts over the cause of the issue – incorrect web caching by the ISP – Etisalat, in this case. Even though I had written to YouTube regarding the issue, they have not responded to me till this date – neither have they responded to ITP. Etisalat had even gone to the extent of making my blog mysteriously unavailable in the UAE, the day after I posted about the problem.

Read the ITP article here.


Security Vulnerability in Youtube?!

by Shijaz Abdulla on 18.04.2008 at 23:30

Hello world. The time is 12:31 AM in Abu Dhabi, United Arab Emirates, and I have logged in to YouTube to upload a short video. And guess what? I am automatically logged in as another Youtube user that I don't know anything about!!

I kept navigating on various pages in YouTube, and I found that I kept getting logged on as various other users! New vulnerability in Youtube/Google? I guess this will be published in a dozen other blogs by tomorrow and then maybe we can wait and see what Youtube/Google says.
Here are some screenshots. I’m cropping some of the images for ethical reasons :)

I clicked on My Favorites, and I get Zoobi4658‘s favorites!

Hmm, I clicked on Home, and I arrive at Just2koool‘s home.

I click on My Videos, here comes da54sk8er

Clicked a random link, and lo, here is koxlcxlk


No, I am not a hacker – neither white, nor grey, nor black hat. It just happened. I logged in with my username and password and the next thing I know I get redirected with a new identity. I keep clicking on other links, I get further new identities. I tried to logout and back in – the same story ensues.

This isn’t the first time with Google. The exact same problem was reported by GMail users in Kuwait a few months ago. Users were able to see other users’ inboxes and email. This was caused by a caching issue at a Kuwait ISP and in all probability, what I see with Youtube *might be* the same issue. Well, in my opinion, Google should write code that doesn’t allow the ISP web proxy cache to save somebody’s session and give it to someone else!

Updates:

19 Apr, 10:30 PM This problem seems to affect only users inside the United Arab Emirates. Most likely the problem is caused by Etisalat, our ISP.
19 Apr, 9:30 PM My blog gets blocked in the UAE
20 Apr, 8:00 AM And we’re back online
23 Apr, 5:00 PM ITP reports the issue
27 Apr, 6:45 PM YouTube security issue in UAE fixed



Crash-proofing the Enterprise Root CA

by Shijaz Abdulla on 08.04.2008 at 07:24

Your enterprise root CA is an important piece of your enterprise network, especially if you issue a lot of certificates for a wide variety of purposes to your users.

A root CA also needs to be highly secured, both physically and over the network, because it contains the private key. Downtime on the root CA is seldom noticed because there is minimal need for using the server – except while issuing or renewing certificates. In fact, the Microsoft best practice is to power down your root CA when not in use.

Now, what do you do if your enterprise root CA crashes? Information about the enterprise root CA is stored in Active Directory and in the registry of the Windows Server hosting the CA, and, most important of all, the private key is also stored on this machine.

Quite obviously, in the event of a total failure, a backup is required. Taking a backup of the root CA is often neglected. Believe me, it takes virtually no time to take a backup and it’s the only way to restore your CA with all private keys intact.

Microsoft KB Article 298138 explains how you can back up your CA and move it to separate hardware. The procedure is also applicable if the hardware running your root CA crashes totally and you want to set up the same CA on new server hardware.

In this post, I will explain how you can automate a backup of the CA. Restoration can be done as per the article mentioned above. Write a script “backupCA.bat” with the following code:

rem backupCA.bat: back up the CA certificate, private key and database
rem -backup and -backupkey prompt for a password protecting the exported key
rem unless -p is supplied; for unattended runs, supply -p per your security policy
certutil -backup D:\backup
certutil -backupkey D:\backup
certutil -backupdb D:\backup
rem the CA configuration lives in the registry; export it alongside the files
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration D:\backup\regbackup.reg

Make sure the D:\backup folder is picked up by your centralized tape backup solution. Be extra careful with the tape because this contains the private key of your CA. Your organization should have the handling of tapes included in the security policy.

Why there is no Power Users group in Windows Vista

by Shijaz Abdulla on 23.03.2008 at 14:02

FACT: A clean install of Windows Vista will not have the Power Users local group.

The Power Users group in Windows XP, Windows 2000 and Windows Server 2003 was a little ‘too powerful’.

One of the main reasons why users were made Power Users was because this group had rights to install software and device drivers. If you can install software and drivers, you can elevate yourself to an Administrator or run programs in the SYSTEM context.

This is no longer a necessity with Windows Vista because it includes a signed installer that allows normal users to install packages signed by a trusted root. (The “Trusted Installer” is a service that has a SID, so you’ll see it in the permissions list on various objects throughout the operating system.) The installer validates the digital signature certificate chain, then elevates itself to perform the actual installation. (Does User Account Control ring a bell?!)

At the end of the day, users get the ability to install and update approved software packages without being a “Power” user.


GMail user data exposed in Kuwait

by Shijaz Abdulla on 01.03.2008 at 16:03

Talk about security – and Google.

GMail users in Kuwait and some other countries reported being able to read other GMail users’ email without having to log in.

Full Story:
http://www.news.com/8301-10784_3-9875714-7.html

Google claims that an ‘ISP caching problem’ allowed users to log in to other users’ mailboxes. This speaks volumes about Google’s security, doesn’t it? Does this mean that an ISP can break Gmail security if it really wants? Wait a minute – how can ‘caching’ at the ISP preserve Gmail sessions? Some neat security, huh?

No wonder Gmail is still in Beta.
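The question above, and the YouTube incident described earlier on this page, both come down to one mechanism: a shared proxy cache stores a response to a URL and hands that stored copy to the next client asking for the same URL, unless the server's headers forbid it. The following is an added example, not code from the original posts and not Google's code: it audits a raw HTTP response for the RFC 7234 directives that govern shared caches (private, no-store, public, s-maxage, Vary) and shows the hardened header set a server should send on personalized pages. The sample responses are constructed for the demonstration.

```python
# Added example (not from the original posts, not Google's code): audit a raw
# HTTP response for the headers that decide whether a shared cache, such as an
# ISP proxy, may store it and replay it to a different user. The rules follow
# RFC 7234 section 3; the sample responses below are constructed for the demo.
from typing import Dict, List, Tuple

# Constructed sample: a personalized page with no caching directives at all.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SID=constructed-session-token; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>Welcome back, user A</body></html>"
)

# Constructed sample: worse, the page explicitly invites shared caching.
PUBLIC_RESPONSE = LEAKY_RESPONSE.replace(
    "Content-Type:", "Cache-Control: public, max-age=600\r\nContent-Type:", 1
)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into status line, header map and body.

    Header names are lower-cased; repeated headers are kept in order.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def cache_control_directives(headers: Dict[str, List[str]]) -> Dict[str, str]:
    """Flatten every Cache-Control header into {directive: argument}."""
    directives: Dict[str, str] = {}
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            name, _, arg = token.strip().lower().partition("=")
            if name:
                directives[name] = arg.strip('"')
    return directives


def audit_shared_cache(raw: str, credentialed: bool = True) -> List[str]:
    """Return the reasons a shared cache could store and replay this response.

    credentialed=True means the request carried a Cookie or Authorization
    header, so the body is specific to one user. An empty list means the
    response is safe to pass through an intermediary cache.
    """
    _status, headers, _body = parse_response(raw)
    cc = cache_control_directives(headers)
    if "no-store" in cc or "private" in cc:
        return []  # shared caches must not store either of these
    if not (credentialed or "set-cookie" in headers):
        return []  # anonymous content; shared caching is the intended behaviour

    findings = ["personalized response lacks 'Cache-Control: private' or 'no-store'"]
    if "public" in cc or "s-maxage" in cc:
        findings.append("Cache-Control explicitly permits shared caching (public/s-maxage)")
    vary = {v.strip().lower() for value in headers.get("vary", []) for v in value.split(",")}
    if "cookie" not in vary and "*" not in vary:
        findings.append("no 'Vary: Cookie', so one user's copy matches every user's request")
    return findings


def harden_response(raw: str) -> str:
    """Rewrite a response so no shared cache may store it.

    Existing caching headers are dropped and replaced with directives that
    keep the page private to the requesting client.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = [
        line for line in head.split("\r\n")
        if not line.lower().startswith(("cache-control:", "vary:", "expires:", "pragma:"))
    ]
    lines[1:1] = ["Cache-Control: private, no-store, max-age=0", "Vary: Cookie"]
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_RESPONSE), ("public", PUBLIC_RESPONSE)):
        print(label, audit_shared_cache(sample))
        print(label, "hardened:", audit_shared_cache(harden_response(sample)))
```

The audit deliberately treats a response that sets a cookie as personalized even when the caller did not say the request was credentialed, since a login response is exactly the one a proxy must never replay. Running the audit against captured responses from your own application is the check that would have caught the behaviour described in both posts before an ISP's proxy did.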


Opening blocked attachments in Outlook

by Shijaz Abdulla on 09.01.2008 at 10:23

Some file extensions are blocked by Microsoft Outlook for the potential damage that they may cause. File types blocked include EXE, COM, MDB and many others.

Outlook displays a message that it has blocked the attachment:


Sometimes it becomes necessary to “unblock” a particular file extension. One of the most common requests is to unblock Access database files (*.mdb). Let’s see how this can be done:

  1. On the desktop running Outlook, open Registry Editor.
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\xx.x\Outlook\Security, where xx.x is your Outlook version number (9.0, 10.0, or 11.0).
  3. Add a new string value named Level1Remove.
  4. Set the value to all the extensions that you want to unblock, separated by semicolons (for example: .mdb;.url). Remember to put the dot before each extension.

It should, however, be kept in mind that unblocking a particular file type introduces new risk, as the user can also receive a malicious file of the same type from another user or the internet and he/she might inadvertently open it.

For Outlook 2007, you need to insert the string under the following key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security. If the key path doesn’t exist, you can create it.
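The steps above are easy to get subtly wrong: the key path changes for Outlook 2007, a missing dot silently fails to unblock anything, and a typo can unblock more than intended. As an added example (not from the original post and not a Microsoft tool), the script below renders the .reg file for the Level1Remove value, picking the key path by version as described above and normalizing the extension list. The deny list of executable types it refuses to unblock is an assumption chosen for this example, not an Outlook setting.

```python
# Added example (not from the original post): build the .reg file for the
# Level1Remove procedure above, choosing the key path by Outlook version and
# normalizing the extension list (leading dot, semicolon-separated, no dupes).
from typing import Iterable, List

# Key paths as given in the post: per-user key for 9.0/10.0/11.0, Policies key for 12.0.
USER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\{ver}\Outlook\Security"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{ver}\Outlook\Security"
SUPPORTED_VERSIONS = ("9.0", "10.0", "11.0", "12.0")

# Assumption for this example: a local deny list of executable types that an
# administrator should never unblock, whatever the request says. All of them
# are on Outlook's default Level 1 block list.
NEVER_UNBLOCK = frozenset({".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"})


def security_key_for(version: str) -> str:
    """Return the registry key that holds Level1Remove for this Outlook version."""
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported Outlook version {version!r}")
    template = POLICY_KEY if version == "12.0" else USER_KEY
    return template.format(ver=version)


def normalize_extensions(extensions: Iterable[str]) -> str:
    """Turn input like ['mdb', '.URL', 'mdb'] into the value string '.mdb;.url'."""
    ordered: List[str] = []
    for raw in extensions:
        ext = raw.strip().lower()
        if not ext:
            continue
        if not ext.startswith("."):
            ext = "." + ext  # the post's reminder: the dot is mandatory
        if ext in NEVER_UNBLOCK:
            raise ValueError(f"refusing to unblock executable type {ext}")
        if ext not in ordered:
            ordered.append(ext)
    if not ordered:
        raise ValueError("no extensions given")
    return ";".join(ordered)


def level1remove_reg(version: str, extensions: Iterable[str]) -> str:
    """Render a .reg file that sets Level1Remove for the given Outlook version."""
    key = security_key_for(version)
    value = normalize_extensions(extensions)
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        f'"Level1Remove"="{value}"',
        "",
    ])


if __name__ == "__main__":
    # Unblock Access databases and URL shortcuts for Outlook 2003.
    print(level1remove_reg("11.0", ["mdb", ".URL", "mdb"]))
```

Importing the generated file with Registry Editor (or `reg import`) performs steps 2 to 4 in one go, and the generated text can be reviewed and version-controlled before it is rolled out, which makes the risk trade-off described above an explicit, recorded decision rather than a one-off registry edit.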


No more MSTSC.exe /CONSOLE

by Shijaz Abdulla on 08.01.2008 at 08:51

That’s right. No more /console switch on the Windows Remote Desktop Connection tool, MSTSC.exe, starting from Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Server 2008.

This is because of the design enhancements in Windows Vista and Windows Server 2008, by virtue of which you cannot connect to Session 0, which is the default session. Running services and user applications together in Session 0 poses a security risk because services in Session 0 run at elevated privileges and can therefore be targeted by malware that attempts a privilege escalation.

The new generation of the Windows operating system mitigates this security risk by isolating services in Session 0 and making Session 0 non-interactive to the user. In Windows Vista (and Windows Server 2008), only system processes and services run in Session 0. The first user logs on to Session 1. Subsequent users log on to subsequent sessions (Session 2, Session 3, etc.). This means that services (like printer drivers loaded by the spooler service, UMDF drivers, user/window interactive services, etc.) never run in the same session as users’ applications and are therefore protected from attacks that originate in application code. [More info]

Session Zero in Windows XP/Windows Server 2003: The first user logs in to Session Zero itself.

Session Zero Isolation in Windows XP SP3/Windows Vista SP1/Windows Server 2008: The first user’s session is not within Session Zero; a separate session is created, thereby improving security.

Since there is no longer the ability to connect to Session 0, the /console switch is no longer required. But what if I want to connect to Session 0 on a Windows Server 2003/XP or earlier machine using RDP 6.1? Let’s find out.

When I typed “mstsc /?” on my Windows Server 2008 machine, these are the options that are available to me:


Notice that the /console option is not available, but there is a /admin option. The /admin option lets you connect to Session 0 on a remote computer that doesn’t have Windows Vista SP1, Windows XP SP3 or Windows Server 2008 or later installed.

However, if you try to pull the /console switch on a Windows Server 2008 or Vista SP1 machine, you get an error: “An unknown parameter was specified in the computer name field”.

I hope you found this post interesting – subscribe to my blog to get instant updates on new posts!


TechDays 2007, Dubai

by Shijaz Abdulla on 12.11.2007 at 16:05

I don’t know about you, but I’m going to be there when it happens. Register here.

