Secure Googling...? (2)
Continuing with the Google security-related tidbits...
3. Fighting Spam using Gmail
A few weeks ago, I heard in CyberSpeak about a functionality available in Gmail and its potential usage to find and research about Spam sources. Google allows you to append any text to your Gmail username, by using the "+" sign, and still receive messages addresses to these "new" accounts in your Google account. By following this format, username+sometext@gmail.com, and by changing "sometext" when using your e-mail address to register for online services (make "sometext" somehow related with the service), you can easily identify what service was used by spammers to get your e-mail address and flood your mailbox.
Although I initially thought this method could be easily defeated by spammers by filtering the "+sometext" portion after the username and before the @, I've confirmed that the "+" sign is a standard symbol for e-mail addresses, meaning it can be part of the username. The same idea can be extended through the usage of the "." sign in Gmail. Gmail doesn't recognize dots (.) as characters within a username, therefore, you can generate address variations by adding and removing dots. Besides, in Gmail usernames are case insensitive, so you can create more variations combining upper and lower case letters.
During 2006, we launched a Honeypot Spam project inside the Spanish Honeynet Project to research and analyze statistics related with Spam, the resources spammers are using to collect new addresses (newsgroups, mailing-lists, forums, Webs...) and how these are used. Throughout the username variations techniques mentioned above, any individual can easily implement basic honeytokens to research and get stats about Spam and how each address gets collected and used by spammers.
4. Google and Computer Forensics
My recent Security Focus "Wireless Forensics" article only focused on specific wireless forensic methods, although obviously, in a real case they can be complemented with correlation from other standard forensic sources, such as logs from multiple devices or disk forensics. Additionally, Google searches from a suspect computer gathered through Web browser forensic techniques can be used even in wireless related cases :)
5. Google Conspiracy Theories...
Google states that all the resources available through its search engine are found simply by following the links available in other Web pages (parsing the HTML <a href...> tags). However, I've seen Web pages linked through Google that supposedly never were linked from another Web page. Additionally, Google clearly states and even promotes in its main Gmail page nowadays (see picture below) how they can personalize your Googling experience. Google customization services fit Google contents to your preferences and interests. You can see this AdSense-based technology working through the personalized ads on the top of your your Gmail inbox.
To feed up the multiple conspiracy theories against Google, my concern is... is Google parsing e-mails to populate its search engine with new links? (More about this in future posts; we are currently researching about it)
Additionally, I wonder if in a near future we will have different customized views of the data provided by the Google search engine, like a personalized Google. If this is the case, depending of who you are (if authenticated through your Google account), your Google Hacking search results may remarkably differ from others.
To sum up...
If you're a security conscious person, it's up to you to use a Google account and the different services offered by Google, but please, take care of the info you exchange through them. You always has the option of protecting your messages using other solutions, such as GPG/PGP for your e-mail (using the Gmail IMAP access) or OTR (Off-the-Record Messaging) for your chat sessions (using an IM client such as GAIM). Also, keep yourself up-to-date about the new Google services, like the new Google Click-to-Call VoIP service, that seems to allow spoofing of caller-id records (unfortunately, I cannot test it in Europe). Finally, don't forget to track what Google has to say through its Google Help.
Happy and secure Googling!!
3. Fighting Spam using Gmail
A few weeks ago, I heard in CyberSpeak about a functionality available in Gmail and its potential usage to find and research about Spam sources. Google allows you to append any text to your Gmail username, by using the "+" sign, and still receive messages addresses to these "new" accounts in your Google account. By following this format, username+sometext@gmail.com, and by changing "sometext" when using your e-mail address to register for online services (make "sometext" somehow related with the service), you can easily identify what service was used by spammers to get your e-mail address and flood your mailbox.
Although I initially thought this method could be easily defeated by spammers by filtering the "+sometext" portion after the username and before the @, I've confirmed that the "+" sign is a standard symbol for e-mail addresses, meaning it can be part of the username. The same idea can be extended through the usage of the "." sign in Gmail. Gmail doesn't recognize dots (.) as characters within a username, therefore, you can generate address variations by adding and removing dots. Besides, in Gmail usernames are case insensitive, so you can create more variations combining upper and lower case letters.
During 2006, we launched a Honeypot Spam project inside the Spanish Honeynet Project to research and analyze statistics related with Spam, the resources spammers are using to collect new addresses (newsgroups, mailing-lists, forums, Webs...) and how these are used. Throughout the username variations techniques mentioned above, any individual can easily implement basic honeytokens to research and get stats about Spam and how each address gets collected and used by spammers.
4. Google and Computer Forensics
My recent Security Focus "Wireless Forensics" article only focused on specific wireless forensic methods, although obviously, in a real case they can be complemented with correlation from other standard forensic sources, such as logs from multiple devices or disk forensics. Additionally, Google searches from a suspect computer gathered through Web browser forensic techniques can be used even in wireless related cases :)
5. Google Conspiracy Theories...
Google states that all the resources available through its search engine are found simply by following the links available in other Web pages (parsing the HTML <a href...> tags). However, I've seen Web pages linked through Google that supposedly never were linked from another Web page. Additionally, Google clearly states and even promotes in its main Gmail page nowadays (see picture below) how they can personalize your Googling experience. Google customization services fit Google contents to your preferences and interests. You can see this AdSense-based technology working through the personalized ads on the top of your your Gmail inbox.
To feed up the multiple conspiracy theories against Google, my concern is... is Google parsing e-mails to populate its search engine with new links? (More about this in future posts; we are currently researching about it)
Additionally, I wonder if in a near future we will have different customized views of the data provided by the Google search engine, like a personalized Google. If this is the case, depending of who you are (if authenticated through your Google account), your Google Hacking search results may remarkably differ from others.
To sum up...
If you're a security conscious person, it's up to you to use a Google account and the different services offered by Google, but please, take care of the info you exchange through them. You always has the option of protecting your messages using other solutions, such as GPG/PGP for your e-mail (using the Gmail IMAP access) or OTR (Off-the-Record Messaging) for your chat sessions (using an IM client such as GAIM). Also, keep yourself up-to-date about the new Google services, like the new Google Click-to-Call VoIP service, that seems to allow spoofing of caller-id records (unfortunately, I cannot test it in Europe). Finally, don't forget to track what Google has to say through its Google Help.
Happy and secure Googling!!
Labels: Google
posted by Raul Siles at 12:25 AM
0
comments
