Call Me What You Want's List: Online Security

• Not to defend Microsoft, as kernel exploits that provide privileged access are
   terrible flaws, but we had an interesting discussion in the talkbacks where
   several people acted as if Microsoft was the only place that could’ve made such
   mistakes. Well, the proof is in the pudding that this is a common flaw across
   operating systems that is difficult to catch due to the complexities of kernel
   code.
• Dann Frazier of Debian posted to Full Disclosure today about four
   vulnerabilities that allow local (this means you can’t do it over the Internet,
   unless you’ve already compromised a user account in some way remotely, the same
   applied to the Windows flaw that I spoke of, but there were questions around
   what exactly local meant, it does not mean you have to sit at the box
   physically) attacks against the kernel that result in arbitrary code execution
   or Denial of Service conditions. The contents of his email are posted below:
• CVE-2007-6694
   Cyrill Gorcunov reported a NULL pointer dereference in code specific to the
   CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial
   of Service (DoS).
• CVE-2008-0007
   Nick Piggin of SuSE discovered a number of issues in subsystems which register
   a fault handler for memory mapped areas. This issue can be exploited by local
   users to achieve a Denial of Service (DoS) and possibly execute arbitrary code.
   CVE-2008-1294
• David Peer discovered that users could escape administrator imposed cpu time
   limitations (RLIMIT_CPU) by setting a limit of 0.
   CVE-2008-1375
• Alexander Viro discovered a race condition in the directory notification
   subsystem that allows local users to cause a Denial of Service (oops) and
   possibly result in an escalation of privileges.
• For the stable distribution (etch), this problem has been fixed in version
   2.6.18.dfsg.1-18etch3.
   The unstable (sid) and testing distributions will be fixed soon.
   We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux
   packages.
• Some of these look to be pretty serious bugs. The two newest do not have
   security focus entries yet, but as far as I’m aware there currently exists no
   public exploit code for this, which is a good thing. It’s also important to
   note, but this should be obvious, this doesn’t just affect Debian, it’s simply
   that the advisory came from Debian’s folks today… so make sure you’re fixing
   your system up, whatever *Nix flavor you like.
• Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced
   Security Center in Chicago. The views and opinions expressed in this article are
   his own and do not represent the views and opinions of Ernst & Young Advanced
   Security Center or Ernst & Young, LLP. Nathan has performed web application,
   deep source code, Internet, Intranet, wireless, dial-up, and social engineering
   engagements for numerous clients in the Fortune 500 during his career at Ernst &
   Young and has spoken at a number of prestigious conferences, including Black
   Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and
   XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his
   industry affiliations.

7 more annotations...

• I’m thinking the date the attack took place is a significant piece of information. It was precisely the date you would leave your web site unattended for a period of one month. You reported that you’d contacted a number of people about your plans. My guess is that within that circle you might find the culprit, — or abetter, at the very least.

   

  It’s not easy to pinpoint physical locations attackers. The physical location in Iran may just be the location of a zombie server.

   

  It’s a strange tale, to be sure.

• I was informed that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website - bebu.net.

   

  I was confused, and anxious. How could this happen? I hadn’t received any notification of my domain name expiry, and I never divulge any passwords to anyone.

• This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft’s support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:

   

  Subject: Davidairey.com Transfer

   

  Hello,

   

  I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code.

   

  Kind regards,

   

  David

   

  Within just one minute (ICDSoft’s support team are very fast) the following response had been supplied:

   

  Hello,

   

  We unlocked your domain name as requested. Here is its EPP code:

   

  Domain name: davidairey.com
   Auth/EPP key: 6835892AE0087D66

   

  Best Regards,
   Support

   

  I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here’s what I was told by the support team:

   

  Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information.

   

  The original ticket message was sent from this IP address: 207.36.162.100

   

  The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.

   

  What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net café, my girlfriend beside me, and I didn’t know what to think.

• You’ve just hit on one reason why you should use a redirection service for your e-mail and not depend on an e-mail linked to your web site. Both Aliencamel and PO Box are good e-mail redirection services which protect you from ever losing your e-mail.

   

  You can direct your e-mail to two different places to avoid ever losing ANY e-mail ie. one local (on your home computer) and one to gmail. Splitting of e-mail like this is permitted by most services.

   

  This strategy solves your e-mail problem.

• I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here’s what GoDaddy said:

   

  Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum… I apologize for any inconvenience this may cause.

• The registrar of your domain name should be able to identify who paid for what and confirm that with the hosting company. The hosting company should then be able to confirm that the account has been hijacked by contacting the person who registered the account and verifying the details on file with the registrar (which the hijacker won’t have).

   

  If they are not willing to change the address over the registrar should be able to return your URL to you once they have gathered enough info to assure themselves you are who you claim to be. This should be at no cost.

   

  It’s my understanding that the legal process people are advising you to engage in is for cybersquatting (registering a name and then selling it to the business at a profit eg. KFC)… rather than out and out theft.

   

  As this is a criminal offence you can also get the authorities involved… this costs nothing and will result in the hijacker being charged with a criminal offence. Once the police get involved the hosting company should return your URL… as they will probably also be asked to provide the details of the guy who they are dealing with.

   

  There is no guarantee that paying the thief a fee will result in the return of your URL… although a escrow service is meant to assure this. However there are a number of bogus escrow services… and the thief may now be trying to get your credit card details… so if you do pay… make sure it’s only to an escrow site you know or is well known. You can also notify the escrow site that the account is being used to extort money and they may co-operate with you to pretend to pay the thief.

   

  Forwarding the correspondence to the new hosting company will allow them to follow the dispute. Publicising it as you have will allow other people to help.

   

  You are now engaged in a paper war… if you do the hard work you should get your URL back.

• How was I being hacked?

   

  After a little research, I found this exposé into Google’s GMail defficiences: Google GMail E-mail Hijack Technique

   

  It details the exact GMail hijack that I have just found applied to my account (right whilst writing this blog post).

   

  Here’s an excerpt:

   

  The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

   

  And here’s a three step illustration of just how this threat works (click each image for a larger version):
• 
• Don’t take the hosting companies word for anything… they won’t know the law in this area well and will mislead you. The various licensing agencies likewise often know the laws poorly. A solicitor specialising in either IT or contract law is much more likely to give you good advice… but may not be necessary if you’re willing to do a bit of hard yakka yourself: it usually takes just as long for you to do it as for you to hire someone else to do it… plus you usually get it done faster. You will feel better about all this if you do it all yourself… as lawyers charge like wounded bulls… and many of them know nothing about IT (you’ll be paying them to learn about it).
• 

• An invalid transfer of a URL is both a matter for criminal law (theft) and contract law (civil matter): the transfer of a contract is invalidated if no consideration has passed, if there was no intention to contract, etc… If you establish these things… then they have to give you your URL back… and no special forums or court proceedings should be required.

   

  If the hosting company does not co-operate they can become liable for damages (loss of earnings) which makes it in their best interests to help you.

   

  It is also remotely possible that the hosting company is colluding with the thief… in which case you can also have them charged.
• 

• Contacting as many law enforcement agencies as possible over this is a cheap and simple way to put a lot of pressure on the hosting company over what is for them a minor transaction that is now creating a lot of headaches (not worth it).

   

  Of course identifying the location of the thief as precisely as possible is necessary to get things happening as fast as possible.

   

  Get the hosting company to do a few other checks eg. If they were paid by the thief get them to check it was not a stolen credit card. If it was they won’t have been paid… and they won’t want to host the account. If the thief paid using his own money then you’ll know who the police need to ask to get details of the thief… and the thief has just put himself in the firing line.

   

• I took a look at the ‘Filter’ option in my own GMail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the Filter can delete the email from your GMail inbox as soon as it has been forwarded, so you’d be none the wiser if a hacker was playing havoc with your incoming mail.

   

  IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.

   

  Here’s what to do:

   

  When logged into GMail, click on the ’settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections. This is what I only just found in my ‘Filters’ tab:

   

  The following filters are applied to all incoming mail:

   

  Matches: transfer-approval.com
   Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it

   

  Matches: from:(transfer-approval.com)
   Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it

   

  I have absolutely no idea who’s email address that is, but it seems to me that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.

   

  It appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail account.

• To get more details about the thief you could ask how he wants to be paid and then contact the escrow site and ask them to help.

   

• During the site move, I found to my detriment that I was linking to my blog images entirely the wrong way. I had been uploading my picture files to a subdomain (blog.davidairey.com/images) then placing them inside my blog posts from there. This meant that whenever the domain name changed to davidairey.co.uk, so did that subdomain. It now became blog.davidairey.co.uk/images. Therefore, my site was missing every single image I’d ever added.

   

  In order to fix this, I moved all the picture files to a new folder, in the root directory at davidairey.co.uk/images. Now, when I insert an image into a blog post, I don’t use the full URI, but cut the address to it’s bare minimum, like so: img src=”/images/example_filename.jpg”

   

  This means that should I ever re-change my domain name, back to the .com for instance, the images will automatically pull whatever domain name I’m using, without the need for a change.

   

  I’m now also using this technique for internal hyperlinks. Rather than linking to my contact page like so: “http://www.davidairey.co.uk/contact”, I’ll simply use “/contact”
• Don’t use a free, web-based email service for very sensitive information. Thinking that they will always be secure is the first mistake.

• Dear sir:

   

  Having just complained to the Federal Trade Commission about Best Buy advertising cheap laptops just to get people in thier store to purchase more sxpensive ones, I was informed of the following. It seems that the FTC does not investigate single complaints but will investigate when a trend of complaints happen. If you have a large group of followers they could all lauch thier own complaints, could maybe get an investigation started. This would be completely free of charge and the FTC has teeth if they are invoked. I would join in if you were to initiate such action. I am sure many others would too. I also happen to know that the FBI is swamped with cybercrime cases and that they are years behind.

   

  Sorry to hear about your story. Good people should band together for the sake of justice. Good luck to you sir.
• http://ghh.sourceforge.net/userfaq.php
   for future use.. just so you dont get caught again… ;]

• This is what happens when “the internets” get filled up with idiots with no true “puter” skillz.

   

  Sh*t Happens. The point is be prepared. That being said, I feel bad for your situations, but it really is your fault.

   

  Using gmail? Lets go for security instead of cost next time.

   

  Using one email address for both your business and personal choices? Lets think organization.

   

  Finally, mixing business time and personal time(which you did by using the same email address for both) major no no.

   

  Finally, don’t you use firefox? Check your plugins and version, it most likely would’ve protected you from this. Adblock Plus, for example, would’ve most likely helped in this situation.

   

  You have my empathy, but no sympathy. But, oh well, add it to stumbleupon and your numbers will do just fine.

   

  Oh, and BTW, you just won the International Lottery of Istanbul, please forward $4,589.54 to me via Western Union to cover taxes and I’ll give you 1.5 Million US Dollars(Sorry, but the same guy that does that, is probably doing this domain name thing. Can we say Nigeria?
• You did damn well not to pay, bravo ! This is quite a terrible incident, but in a way, you’ve been very lucky. Thanks to your resourcefulness and because your blog seemingly gets a steady number of visitors, you received media attention and the help of well-acquainted people. Without that, maybe the outcome wouldn’t have been so smooth, maybe someone like Bob Parsons wouldn’t have come to your help. That must be a lot worse when you’re inexperienced, when you have no one to turn to, no tech-savvy friends or helpful readers.
• I just want to say that although you got your domain back, you should look into questioning the people who have left comments along the lines of advising you that you should have paid the scammer. To me that would have been the most ridiculous thing you could have done, and I’m so glad you didn’t, but have you noticed that the person that hacked your domain had a foreign name and the people who’s advise was that you should have paid him also have foreign names…..Mmmm I wonder!

• Hi David,
   I have just found that my Adsense account and all associated accounts have been hijacked. The email address that is the primary address I do not recognize and I cannot change it. I have a very small adsense balance. I do not know how to rectify this situation. I was wondering whether I should close the accounts, but apparently if I close the adsense account, I cannot re-open it again. I am green about the internet - I googled for help and found this page. How do I contact Google and why can’t I change the default email address?? I am sorry, but I recognize that you have problems of your own, but you have done all the research, so you may possibly have the answers.

   

• Karen,

   

  Sorry to learn of your AdSense account issue.

   

  I’m not familiar with changing the default address, and can’t advise on contacting Google either. It took a couple of months before one of Google’s employees responded to me

22 more annotations...

• Corey, the issue is that your session cookie is available in the clear when using HTTP. Any web application can be hijacked by taking its session cookie, not just GMail. For example, you’re using public WiFi in a Starbucks. The guy next to you is running AirSnort/Wireshark/tcpdump/etc. and grabs your cookies out of the air. He can then send requests to the web application as you. Using https prevents this.

• • I don't really understand these things and as of this writing I haven't even started a blog to test all these stuff out so if there's anyone out there who can communicate some of these to a non-techie, the help would be well appreciated.
  Add Sticky Note
• Google is one of the Internet's darlings, universally loved by just about everyone. Everyone, that is, but webmasters who've had their domain networks wiped from Google's results. Some sites deserve it and some don't, but the bottom line is that a Google hit doesn't have to be devastating.
• Read on to find out how you can segment your domain network so that Google can't take your entire portfolio down in one fell swoop.

• Identity

  Use these methods to segment and conceal your identity.
• Keep separate ventures separate. Don't try to mash your cooking blog, Web-design site and photography business all into the same space. Create separate legal entities for each, and you'll not only be safe from Google, you'll also be more organized.

  • The link seems to just imply that the lesser the sites one owns the better because more focus can be put into a specific site which sounds like it's besides the point of what the article texts are saying if not wholly contradictory.
    
    While cutting sites up into categories would be one way of organizing several sites, it would also increase the number of blogs one has to manage and market. It's not a bad idea, I just don't get the relevance between it and the page linked to it. Thanks to anyone who can explain the connection there.
  Add Sticky Note
• Don't list all of your domains together. Have you listed all of your domains on your résumé and put said résumé online where it can be found by Google? You've just handed over a cheat sheet. Don't make this blunder or a similar mistake — never list all of your domains in the same place.

  • This is the first I've heard of this before and sounds like it's leaning more towards paranoia than effectiveness.
    
    I know it sounds weird commenting about paranoia on a list designed for people wearing tin foil hats but usually the tone I get from reading stuff like these is that it's more aimed towards effective anonymity (emphasis on effective) than random paranoia.
    
    Especially in an age of social networking, I do question the use of this. Even if one does not list all their domains in one place, wouldn't contact details in Gmail or any other Google Services be enough?
  Add Sticky Note
• Log out of Google. When visiting your own sites, make sure that you're logged out of Google services. It doesn't hurt to run through a few different proxies, either.

• Domains and Private Registration

  One of the easiest ways to connect your domain network is by checking out your WHOIS information. Here's how to muddy the waters.
• Know that Google is in on private registration. It's been discussed that Google probably has access to private registration data, so doing this may offer little help.

  • If Google can see the private registration info, then it’s not private and a lot of people are being ripped off because they are paying for a service they are not receiving. It also means that domain registrars are falsely advertising their service.

  • From a link in the previous highlights:
    
    Private registration can lead to your mail being blocked by a lot of people, so I wouldn’t necessarily agree with that method.
  Add Sticky Note

7 more annotations...

• DARKNET: What this is varies, but ultimately boils down to using existing infrastructure. That infrastructure is used with encryption protocols to obfuscate identity or otherwise anonymise users. This is often over Tor, but not always.
  
• MESHNET: This is more along the lines of Hyperboria or similar technologies. It's an infrastructure for communications. See here: http://www.reddit.com/r/hyperboria/
  
• Maidsafe adds in a new aspect to the equation that isn't Darknet (Tor/I2P), and isn't MeshNet (CJDNS), but is something entirely new that fits right on top of all that other wonderfully crypto-anarchical goodness!
• Crypto-anarchy is winning, and will win. The effort to encrypt compared to the effort to decrypt without keys is disproportionate in many, many orders of magnitude.
• Crypto-currency: The coupling of MaidSafe with crypto-currencies (including mastercoin and bitcoin, and the MaidSafe proprietary Perpetual Coin + safecoin)

3 more annotations...