Thursday, August 14, 2008

DNS still exploitable

Well, for those of you who don't know, it is still possible to poison a resolver running the latest BIND patch, with fully randomised source ports. All that is required, according to a Russian physicist, is a fast enough line, two computers and about 10 hours of your time. He said: "Attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...". He released a post on his blog showing how he did it, and the exploit is now available from his blog and from other sites that distribute exploits: http://tservice.net.ru/~s0mbre/archive/dns/
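To see why randomising the source port only lengthens the attack rather than ending it, here is a small model, added to this post as an illustration. It is not Polyakov's exploit (that is on his site); it just computes how many forged answers an attacker must land to guess the (source port, TXID) pair a resolver is waiting for, and cross-checks the formula with a Monte Carlo run on a tiny space. Every rate and window in it (100,000 spoofed packets per second, a 100 ms race per query, a full 16-bit port range) is an assumed figure, not something the post states; the point is the scaling, not the exact number.

```python
"""Expected cost of brute-forcing a resolver's (source port, TXID) pair.

Added illustration for this post, not Polyakov's code. All rates and windows
below are assumptions chosen to show the scaling, not measured figures.
"""
import random


def hit_probability(port_space, txid_space, forged_replies):
    """Chance that at least one of forged_replies spoofed answers, each carrying an
    independent random (port, TXID) guess, matches the pair the resolver expects."""
    space = port_space * txid_space
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_queries(port_space, txid_space, forged_replies):
    """Mean number of attacker-triggered queries until one forged answer is accepted."""
    return 1.0 / hit_probability(port_space, txid_space, forged_replies)


def estimate_hours(port_space, txid_space, spoof_pps, window_s):
    """Wall-clock estimate: the attacker forces a fresh query every window_s seconds
    (Kaminsky-style lookups of random names) and can push spoof_pps forged answers per
    second into that window before the real answer arrives."""
    forged = int(spoof_pps * window_s)
    return expected_queries(port_space, txid_space, forged) * window_s / 3600.0


def simulate_queries(port_space, txid_space, forged_replies, trials, seed=1):
    """Monte Carlo cross-check of expected_queries on a deliberately tiny space."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        queries = 0
        while True:
            queries += 1
            target = (rng.randrange(port_space), rng.randrange(txid_space))
            if any((rng.randrange(port_space), rng.randrange(txid_space)) == target
                   for _ in range(forged_replies)):
                break
        total += queries
    return total / trials


if __name__ == "__main__":
    # Assumed figures: 16-bit TXID, 100k spoofed packets/s, 100 ms race window per query.
    fixed = estimate_hours(1, 65536, 100_000, 0.1)           # pre-patch: one fixed source port
    randomised = estimate_hours(65536, 65536, 100_000, 0.1)  # patched: 16-bit port randomisation
    print(f"fixed source port:      {fixed * 3600:.2f} s")
    print(f"randomised source port: {randomised:.1f} h")
    print("simulated:", simulate_queries(16, 16, 8, 2000), "analytic:", expected_queries(16, 16, 8))
```

With the assumed figures the fixed-port case falls in under a second and the randomised case lands at roughly 12 hours, the same order of magnitude as the "bit less than 10 hours" quoted above. The model ignores packet loss, the resolver's caching of the real answer, and the smaller ephemeral port range most systems actually use, all of which move the number but not the conclusion: 2^32 guesses is a night's work on a GigE link, not an impossibility.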

Commenting on a New York Times article that discussed his findings, he said: "Article says, that DJBDNS does not suffer from this attack. It does. Everyone does. With some tweaks it can take longer than BIND, but overall problem is there."

In other news, Telspace Systems will be presenting, and providing wireless and Bluetooth training, at this year's SecTor conference in Toronto, Canada, an exceptional and must-attend event.

Friday, August 8, 2008

Phishers target Google Lively

Google's new social networking platform is under attack.

Google recently deployed its own social networking platform, called Google Lively, and it has already come onto phishers' radar.

Google Lively, currently in beta, is similar to Second Life by Linden Labs; it is even being referred to as the "Second Life killer".

Google Lively users can embed the application in their own Web sites using Google widgets, just as YouTube videos can be embedded in a blog, MySpace or Facebook page. From there they can create their own "room" for site visitors to chat and socialise in, with customisable characters and personal rooms.

The problem comes in when users have to authenticate to the application: you can literally log in to Google Lively from a completely anonymous site hosting the embedded room, so the login prompt appears on a page that Google does not control.

As you can imagine, this brings serious issues: an attacker could easily imitate the Google Lively login screen and embed an object that simply stores the username and password.

As in any phishing attack, the user is tricked into handing over their credentials. Worse, the hosting page could capture the login details and then forward them to the legitimate application, so the user is logged in as normal and never notices that their account details have just been stolen.

The client download is a mere 469 KB file, which then initialises and installs itself.

Given the amount of hype around hacking Second Life, such as Michael Thumann's excellent talk on the subject, we expect to see a lot of interest in 'hacking' Google Lively.

Not to mention the amount of information that could be gathered by using the application for, let's say, 'interesting' purposes.

We strongly recommend using a separate Google account for Google Lively. This limits the damage if the password is stolen: the attacker gets a throwaway account rather than the one you use for everything else.

In addition to using a separate account, South African users are advised to watch out for illegitimate Web sites, e-mails and links specifically pertaining to Google Lively.

Google is aware of the concern and has published several help pages describing these attacks.

They have said the following in response to the security speculation: “Sadly, phishing schemes and other malicious attempts to steal identities are rampant on the Web today. Lively is always working to improve site security and warns users of phishing attempts, but we feel that the Google Accounts system is safe and secure. Always be cautious when entering any username and password that you may have - being aware is your best protection!”

Google has also provided a few safety tips on avoiding these attacks. These include looking out for "phishy" e-mails that use generic greetings like "Attention Lively Member" or "Dear lucky user", or that are targeted specifically at room owners (e.g. "We're conducting a survey of Lively room creators...").

Such mail may link to Web sites that look exactly like Lively sign-in pages. Google has also described, for its users, several techniques attackers use, such as forged "From" headers in the e-mail.

Judging by the number of people who still fall victim to phishing, more needs to be done than telling users to check for forged headers. More can be read here: http://www.lively.com/help/bin/answer.py?answer=98980&topic=15053 .
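Those three tips (generic greetings, lookalike sign-in links, forged "From" headers) are exactly the kind of thing a mail gateway can check before the user ever sees the message. The following scanner is an added example, not Google's code nor part of the original post: it parses a raw message, compares the visible "From" domain with the envelope sender in Return-Path, looks for the generic greetings named above, and flags anchors whose target host is not under the (assumed) legitimate domains or whose visible text names a different host than the href. The two sample messages and the LEGIT_HOST_SUFFIXES list are constructed for the demonstration.

```python
"""Heuristic scan for Lively-themed phishing mail (added example; not Google's or the post's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Lively sign-in link is expected to use (assumption made for this example).
LEGIT_HOST_SUFFIXES = ("lively.com", "google.com")
# Generic greetings of the kind Google's help page warns about.
GENERIC_GREETING = re.compile(
    r"\b(attention\s+lively\s+member|dear\s+(lucky\s+)?(user|member|customer))\b", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Lower-cased domain of an address header, '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _legit_host(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_HOST_SUFFIXES)


def phishing_indicators(raw):
    """Return human-readable indicators found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Forged "From": the displayed sender domain disagrees with the envelope sender.
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    plain = re.sub(r"<[^>]+>", " ", content)
    # 2. Generic greeting where a genuine notice would address the account holder by name.
    m = GENERIC_GREETING.search(plain)
    if m:
        findings.append(f"generic greeting: {m.group(0)!r}")
    # 3. Links leaving the legitimate domains, or whose visible text lies about the target.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            if not _legit_host(host):
                findings.append(f"link to non-Google host: {host}")
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages for the demonstration; neither is real mail.
PHISHY = b"""From: Google Lively <support@lively.com>
Return-Path: <bounce@lively-survey.example>
Subject: Survey of Lively room creators
Content-Type: text/html; charset="us-ascii"

<p>Dear lucky user,</p>
<p>We're conducting a survey of Lively room creators. Please sign in at
<a href="http://lively.com.example.net/signin">http://www.lively.com/signin</a>
to claim your reward.</p>
"""
CLEAN = b"""From: Lively <lively-noreply@google.com>
Return-Path: <bounces@google.com>
Subject: Your room settings were updated
Content-Type: text/html; charset="us-ascii"

<p>Hi Jane,</p>
<p>Your room settings were changed. See <a href="https://www.lively.com/help/">Lively help</a>
if this was not you.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phishy", PHISHY), ("clean", CLEAN)):
        print(name, phishing_indicators(raw))
```

The From/Return-Path comparison is a heuristic, not proof of forgery: legitimate bulk senders often use a separate bounce domain, so in practice it should feed a score alongside SPF or DKIM results rather than block on its own. The link check is the stronger signal, since a page that looks exactly like the Lively sign-in page but lives on another host is precisely the attack described above.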

With more local users making use of Google services, the concern goes beyond the fact that you can log in to Google Lively from any anonymous Web site: a Google Account password is shared across Google's services, so a password stolen through a fake Lively login is worth far more to an attacker than access to a chat room. We can expect to see some sort of attack against Google Lively in the not too distant future.

Thursday, August 7, 2008

Dan Kaminsky's Blackhat presentation packs room

Black Hat had its hands full when Dan Kaminsky took the stage this year in Las Vegas. Dan's talk pulled around 1,000 Black Hat attendees, despite the details of the vulnerability having been released beforehand; the room overflowed, with people sitting on the floor to catch his talk about the much publicised DNS flaw that could change the Internet.

Surprisingly, Dan's DNS findings also won him a Pwnie award for Most Overhyped Bug. In his talk he covered his findings and the attacks they could have enabled. Dan has also uploaded a summary of his talk to his site, and we even have a cool timeline video: