Archive for the 'Security' Category


GMail and A Stolen Domain

Last month, David Airey announced on his blog that he would be leaving for a month to take a vacation in India. On the day that he left, an unknown party logged into his webhost support site and asked for the details to transfer his www.davidairey.com domain.

Normally, this is where the process of hijacking his domain would have stopped. Unfortunately, the unknown party also had access to his GMail account (whose password, he states, was completely different from the one for his webhost).

After some digging and research, David determined how the hacker was able to access both of his accounts: Google GMail E-mail Hijack Technique

GMail Hijack

The hijack works as described below:

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

Although the flaw has been fixed, be sure to follow the steps in David’s post to ensure that your account wasn’t previously compromised.
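As an added example (not code from David's post or from the quoted write-up), the following Python audits a filter list for forwarding rules, which is the persistence mechanism described above. It assumes the list is in the JSON shape of the Gmail API's users.settings.filters.list response; the sample filters, the addresses and the allowlist are constructed.

```python
import json

# Constructed sample: filter list in the shape returned by the Gmail API
# (users.settings.filters.list). All ids and addresses are made up.
SAMPLE_FILTERS = json.loads("""
{"filter": [
  {"id": "f1", "criteria": {"from": "newsletter@example.org"},
   "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
  {"id": "f2", "criteria": {"hasAttachment": true},
   "action": {"forward": "collector@example.net"}},
  {"id": "f3", "criteria": {"subject": "invoice"},
   "action": {"forward": "me.backup@example.com"}}
]}
""")

# Assumption: addresses the account owner has deliberately set up (lowercase).
TRUSTED_FORWARD_TARGETS = {"me.backup@example.com"}


def broad_criteria(criteria):
    """True when no sender/recipient/subject/query narrows the match."""
    narrowing = ("from", "to", "subject", "query")
    return not any(criteria.get(k) for k in narrowing)


def audit_filters(filter_list, trusted):
    """Return findings for filters that forward mail to unapproved addresses."""
    findings = []
    for f in filter_list.get("filter", []):
        target = f.get("action", {}).get("forward")
        if not target or target.lower() in trusted:
            continue  # no forwarding, or forwarding the owner approved
        criteria = f.get("criteria", {})
        findings.append({
            "id": f.get("id"),
            "forward_to": target,
            "criteria": criteria,
            # A rule such as "has attachment" catches mail from any sender.
            "severity": "high" if broad_criteria(criteria) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS, TRUSTED_FORWARD_TARGETS):
        print(finding)
```

Any finding should be checked against filters the owner remembers creating, since an injected filter keeps forwarding mail after the original flaw is fixed.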

Keeping Data Secure

Although it should be a top priority, data security is often overlooked by companies of all sizes. Whether it’s because they don’t take the time to secure their data or simply don’t know how to secure it completely, far too many companies are letting valuable data slip out.

If you think I’m exaggerating, keep reading…

Security

Recently, Shoemoney made an extremely alarming post about data security. Although he removed the post from his blog relatively quickly (no doubt in an effort to protect the privacy of the individuals that were impacted by a company being careless with their private information), I was fortunate enough to catch it in my Feed Reader and save it for later.

Even though I’m not going to provide any specific links (although the data is still cached by Google), here’s a quick overview of what Shoemoney found:

By typing a simple search query into Google, Shoemoney was able to find multiple results from different companies that contained the following publicly viewable information about their employees: employee ID, manager ID, employee first and last names, full address, phone, SOCIAL SECURITY NUMBERS, SALARY, start dates, termination dates, date of birth, and health benefit packages.