February 05, 2007

Secure Googling...? (2)

Continuing with the Google security-related tidbits...

3. Fighting Spam using Gmail

A few weeks ago, I heard in CyberSpeak about a functionality available in Gmail and its potential use for finding and researching spam sources. Google allows you to append any text to your Gmail username by using the "+" sign, and still receive messages addressed to these "new" accounts in your Google account. By following the format username+sometext@gmail.com, and by changing "sometext" each time you use your e-mail address to register for an online service (make "sometext" somehow related to the service), you can easily identify which service was used by spammers to get your e-mail address and flood your mailbox.

Although I initially thought this method could be easily defeated by spammers by filtering out the "+sometext" portion between the username and the @, I've confirmed that the "+" sign is a standard symbol for e-mail addresses, meaning it can legitimately be part of the username. The same idea can be extended through the use of the "." sign in Gmail. Gmail doesn't treat dots (.) as significant characters within a username, therefore you can generate address variations by adding and removing dots. Besides, Gmail usernames are case insensitive, so you can create more variations by combining upper and lower case letters.

During 2006, we launched a Honeypot Spam project inside the Spanish Honeynet Project to research and analyze statistics related to spam, the resources spammers use to collect new addresses (newsgroups, mailing lists, forums, Web sites...) and how these are used. Through the username variation techniques mentioned above, any individual can easily implement basic honeytokens to research and gather stats about spam and about how each address gets collected and used by spammers.
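The honeytoken scheme above, as an added example that is not part of the original post: it builds one "+tag" address per service, normalises incoming addresses the way Gmail does (dots and case ignored, "+tag" split off), and counts unsolicited mail per tag. The `To:` header values and the username are constructed sample data.

```python
import re
from collections import Counter

# Gmail address: local part, optional "+tag", gmail.com domain (case-insensitive).
GMAIL_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@gmail\.com$", re.IGNORECASE)


def make_honeytoken(username, service):
    """Build the per-service address handed out when registering with 'service'.
    The tag is derived from the service name so a leak points straight back at it."""
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{username}+{tag}@gmail.com"


def parse_gmail(address):
    """Return (canonical_username, tag) for a Gmail address, or None if not Gmail.
    Gmail ignores dots and letter case in the username, so both are normalised away."""
    m = GMAIL_RE.match(address.strip())
    if not m:
        return None
    canonical = m.group("local").replace(".", "").lower()
    return canonical, (m.group("tag") or "").lower()


def attribute_leaks(to_headers, owner_username):
    """Count mail per honeytoken tag for the owner's mailbox only.
    Mail whose "+tag" was stripped by the sender lands in the '(untagged)' bucket."""
    owner = owner_username.replace(".", "").lower()
    counts = Counter()
    for hdr in to_headers:
        addr = hdr.split("<")[-1].rstrip(">")  # accept "Name <addr>" as well as bare addr
        parsed = parse_gmail(addr)
        if parsed is None or parsed[0] != owner:
            continue  # someone else's mailbox: ignore
        counts[parsed[1] or "(untagged)"] += 1
    return counts


# Constructed sample To: headers as seen on unsolicited mail received by john.doe.
SAMPLE_TO_HEADERS = [
    "john.doe+forum@gmail.com",
    "John Doe <JohnDoe+forum@gmail.com>",
    "j.o.h.n.d.o.e+shop@gmail.com",
    "johndoe@gmail.com",              # tag stripped: cannot be attributed
    "someone.else+forum@gmail.com",   # different mailbox: must be ignored
]

if __name__ == "__main__":
    print(make_honeytoken("john.doe", "Acme Shop"))
    print(dict(attribute_leaks(SAMPLE_TO_HEADERS, "john.doe")))
```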

4. Google and Computer Forensics

My recent Security Focus "Wireless Forensics" article focused only on specific wireless forensic methods, although obviously, in a real case they can be complemented with correlation from other standard forensic sources, such as logs from multiple devices or disk forensics. Additionally, Google searches recovered from a suspect computer through Web browser forensic techniques can be used even in wireless-related cases :)

5. Google Conspiracy Theories...

Google states that all the resources available through its search engine are found simply by following the links available in other Web pages (parsing the HTML <a href...> tags). However, I've seen Web pages linked through Google that supposedly were never linked from another Web page. Additionally, Google clearly states and even promotes on its main Gmail page nowadays (see picture below) how it can personalize your Googling experience. Google customization services fit Google contents to your preferences and interests. You can see this AdSense-based technology at work through the personalized ads at the top of your Gmail inbox.

To feed the multiple conspiracy theories against Google, my concern is... is Google parsing e-mails to populate its search engine with new links? (More about this in future posts; we are currently researching it.)

Additionally, I wonder if in the near future we will have different customized views of the data provided by the Google search engine, like a personalized Google. If this is the case, depending on who you are (if authenticated through your Google account), your Google Hacking search results may differ remarkably from other people's.

To sum up...

If you're a security-conscious person, it's up to you whether to use a Google account and the different services offered by Google, but please, take care of the info you exchange through them. You always have the option of protecting your messages using other solutions, such as GPG/PGP for your e-mail (using the Gmail IMAP access) or OTR (Off-the-Record Messaging) for your chat sessions (using an IM client such as GAIM). Also, keep yourself up to date about new Google services, like the new Google Click-to-Call VoIP service, which seems to allow spoofing of caller-id records (unfortunately, I cannot test it in Europe). Finally, don't forget to track what Google has to say through its Google Help.

Happy and secure Googling!!


February 04, 2007

Secure Googling...? (1)

These are a few security-related tidbits about Google and its services. They caught my attention during the last few weeks/months and I researched them a little bit:

1. Google Services and Encryption

Gmail is very attractive to end users due to its big storage capacity and its user-friendly interface (once you get used to it :) . As most of you probably know, Google allows users to select the level of security they require. When you access Gmail, no matter the protocol you use (http or https), the authentication process is encrypted through SSL/TLS, so your credentials (username and password) are protected. However, if you use http, that is, you access http://mail.google.com, once you have been authenticated your whole mail session is unencrypted, so the subjects of the mails in your inbox (and in other "labels") as well as all the mails you send and read travel in cleartext. When using https, https://mail.google.com, the whole session is encrypted.

The chat service (Google Talk) follows the Gmail rules. If you point your Web browser to the https Gmail version, your chat session from your computer to the Google servers uses TLS/SSL; the session from the Google servers to the other end follows the security level selected by the other end user (http or https).

However, even when you are connected through https, some services, such as the Calendar, don't provide a secure access method. If you click on the "Calendar" link (see picture above), you access the http version of the calendar, so your event information and settings (which could contain sensitive information - see item 2) travel in the clear. Perhaps Google thinks that the information about your meetings and reminders is less sensitive than the data in your e-mails ;) . To force the use of the https Calendar version, you need to manually enter the https://www.google.com/calendar/ URL in your Web browser.

If you are interested in running a sniffer and checking the details above, don't get confused by the fact that Google uses compression by default, as negotiated in the HTTP headers with the "Accept-Encoding: gzip,deflate" option: the http session body is compressed, not encrypted.
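To make the compression point concrete, here is an added example (not from the original post) that takes a captured plain-http response, reads its Content-Encoding header and undoes gzip or deflate to recover the cleartext body. The response itself is constructed inline to stand in for a captured webmail page.

```python
import gzip
import zlib


def build_sample_response(body, encoding):
    """Constructed HTTP/1.1 response, shaped like what a sniffer would capture
    from a plain-http webmail session that negotiated Accept-Encoding: gzip,deflate."""
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)  # zlib-wrapped deflate, the common server form
    else:
        payload = body
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    if encoding != "identity":
        head += f"Content-Encoding: {encoding}\r\n".encode()
    head += f"Content-Length: {len(payload)}\r\n\r\n".encode()
    return head + payload


def parse_headers(head):
    """Map lower-cased header names to values; the first line is the status line."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_http_body(raw):
    """Return the cleartext body of a captured response, undoing Content-Encoding.
    No key is involved: compression changes the representation, not the secrecy."""
    head, _, body = raw.partition(b"\r\n\r\n")
    encoding = parse_headers(head).get(b"content-encoding", b"identity").lower()
    if encoding == b"gzip":
        return gzip.decompress(body)
    if encoding == b"deflate":
        try:
            return zlib.decompress(body)                   # zlib-wrapped (RFC 1950)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # some servers send raw deflate
    return body


# Constructed inbox fragment standing in for a sniffed mail subject line.
SAMPLE_BODY = b"<td>Subject: Q1 budget draft (confidential)</td>"

if __name__ == "__main__":
    for enc in ("gzip", "deflate", "identity"):
        raw = build_sample_response(SAMPLE_BODY, enc)
        print(enc, decode_http_body(raw) == SAMPLE_BODY)
```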

2. Google Calendar (bridging virtual and real world)

By the way, did you know that you can enable Google Calendar SMS notifications for free, as in free beer? You can register your cell number in your Google Calendar account by going to "Settings -> Notifications", so that when a meeting is about to take place you receive an SMS message with the details. To prevent someone from entering your cell number in their Google account and DoSing (SMS flooding) your mobile, Google implements a secure registration process. When a new cell number is registered, you get a verification code on your cell (via SMS) that must be entered in your Google account to validate and activate the SMS service.

Once more, the weakest link in this process is the human factor. I've seen several offices where people enjoy talking on their cell in the most uncomfortable places, such as the restrooms ;) . If you don't practice restroom phoning ;), what if you leave your cell unattended for a few seconds, or you fall victim to a social engineering trick and hand it to someone momentarily? Someone could validate your cell with their own Google account!! Call me paranoid, but this could be done as a joke or with malicious intent. I'm afraid that at this point the only option would be to put your personal incident response procedures in place and work with Google to identify the account where your mobile was registered and remove your cell number.