Hotmail, Yahoo and AOL – 0Day vulnerabilities

It seems the trouble with “Password Reset” is far from over: the latest in the world of 0Day is all about bypassing the password reset functionality of Hotmail, Yahoo (yes, Yahoo!! – we have been saying this for quite some time) and AOL.

The method remains the same: using the Tamper Data add-on for Firefox to modify the POST data and gain access to the password change option.

After taking a look at these 0Day vulnerabilities, we believe that there still exists a vulnerability in Yahoo which allows the attacker to gain unauthorized access to the victim's address book and email sending functionality.

A few weeks back we issued an advisory for Yahoo users, which can be found here. We urge all Yahoo users to follow the steps and secure themselves, but this is useful only up to a certain extent and will not protect you against the Password Reset bug; at the time of writing this blog, it seems the bug has been temporarily patched.

Webmail users are also advised to segregate their password management and follow the tips provided to ensure that, during such attacks, the footprint is negligible.

How to segregate your passwords is mentioned in this blog-post.

From our past experience, we have found that 2-factor authentication and password change notification via mobile phone, without the need for a secondary email id, works best.

Posted in Anti-Spam, Security, Spam Auth, eScan 11, email harvesting, spoofing

Hotmail – 0Day Vulnerability

A high severity password reset vulnerability has been detected in Microsoft’s official MSN Live Hotmail service. Benjamin Kunz Mejri, a senior researcher at Vulnerability Laboratory, identified this critical vulnerability in the password reset functionality of Microsoft’s official MSN Hotmail (Live) service. The vulnerability allows an attacker to reset the Hotmail/MSN password to attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass the in-place (token based) protections. The token protection only checks whether the value is empty and, if so, blocks or closes the web session. A remote attacker can, for example, bypass the token protection with a value such as “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode the CAPTCHA and send automated values to the MSN Live Hotmail module.

Report-Timeline:
================
2012-04-06:    Researcher Notification & Coordination
2012-04-20:    Vendor Notification by VoIP Conference
2012-04-20:    Vendor Response/Feedback
2012-04-21:    Vendor Fix/Patch
2012-04-26:    Public or Non-Public Disclosure

In simpler terms, the attacker uses Firefox and the Tamper Data add-on to intercept and manipulate the complete process.
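The advisory's core defect is a reset-token check that only tests for emptiness. The added example below (not code from the advisory, Vulnerability Laboratory or Microsoft) puts that weak check beside a hardened one that validates a server-issued, account-bound, expiring, single-use token; the in-memory token store and account names are constructed placeholders.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: sha256(token) -> (account, expiry). A placeholder for
# the server-side record a real service would keep; storing only the hash means a
# leaked table does not hand out usable reset tokens.
ISSUED_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def _fingerprint(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def weak_token_check(submitted_token):
    """The flawed pattern described in the advisory: any non-empty value passes."""
    return bool(submitted_token)


def issue_reset_token(account, now=None):
    """Create an unguessable, expiring, single-use token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[_fingerprint(token)] = (account, now + TOKEN_TTL_SECONDS)
    return token


def strong_token_check(account, submitted_token, now=None):
    """Accept only a token the server issued, for this account, unexpired, once."""
    now = time.time() if now is None else now
    if not submitted_token:
        return False
    # pop() consumes the record, so a replayed or mis-targeted token cannot be reused
    record = ISSUED_TOKENS.pop(_fingerprint(submitted_token), None)
    if record is None:
        return False  # never issued by us, whatever the value looks like
    bound_account, expiry = record
    return bound_account == account and now <= expiry
```

The hardened check never reasons about the shape of the submitted value; it only asks whether the server remembers issuing it.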

This particular exploit spread like wildfire in the underground forums and was exploited within the two-week period between notification and patch.

According to some reports, many of these Hotmail accounts, which were linked to PayPal and Liberty Reserve, were targeted and the money looted. Many users also complained about receiving spam emails from these Hotmail accounts.

This reminds me of the Yahoo mail accounts being hacked; nothing has yet been disclosed about Yahoo’s 0Day, but I am sure it exists. We have also issued an advisory for Yahoo users on how to mitigate these attacks.

This raises a few questions and forces us to think about the concept of linking email accounts and using them for Single Sign On.

For the past few years, numerous services have been integrating with each other, allowing you to access them by authenticating with Gmail, Hotmail, Yahoo, Facebook etc. Alternatively, your email accounts are used for password retrieval or as usernames.

The advantages are numerous: no need to register, no need to remember different usernames and passwords for different sites/services.

But very recently I realized that the drawbacks are numerous too. Whenever I wanted to change the password for one service, I ended up changing passwords for quite a few other linked services. There was just no method involved and I felt quite lost in the world of passwords: managing server passwords, admin passwords and also my personal passwords.

Here is what I did to make my life simple yet have a fairly secure environment:

1: Created a list of all the sites which I frequently visit and have login rights to.

2: Segregated them into Mail, Forums, Newsletters and associated services.

Group 1
Email Services – All having different passwords.

Group 2 – These sites need their own usernames, but their password retrieval system depends on email services.
Insurance/Financial Services – All having different passwords
Some Forums

Group 3 – These sites need either Twitter/Facebook accounts, with the rest handled by OAuth APIs
Associated Services – bit.ly, scoop.it etc.
Some Forums/Newsletter sites etc.

The second task was generating another list of services which, even if they are hacked, shouldn’t impact my online presence. Also, sometimes in order to retrieve some information, many websites require you to register, hence a secondary email id was created and used for authentication purposes or for registrations. This effectively ensures that my primary email account is free from spam and, even if there is a security issue with these not-so-secure services, I do not end up changing each and every password.

At the end of this exercise, I ended up with 9 different passwords and am able to access 30+ services. While changing passwords, all I needed to do was rotate these passwords and, at the end of the term, generate 9 new passwords and manage them. During this term, if ever I came across any report suggesting a breach, all I need to do is look at the services I used and do the needful if required.

Researchers are always asking everyone to use difficult passwords or password managers and to change passwords at regular intervals, but as end-users it is our responsibility to ensure that we learn to segregate and prioritize the services we use.

Password managers are closely integrated with browsers, and all of the browsers come with a password manager of their own. The issue with this is that many tools are available which can extract the stored passwords, and most trojans also extract this information and upload it to the attacker's inbox, effectively rendering ‘Browser based Password Managers’ useless.

Posted in eScan 11

DNS-Changer Bot – Part Deux

FBI sets July 9 deadline to clean DNSChanger malware

Hundreds of Thousands May Lose Internet in July

These headlines in leading newspapers sound too good to be true, are eye-catching and ring alarm bells. For the past few days, similar content has been making the rounds all across the internet, with tweets getting retweeted and links going viral.

As the D-Day approaches, in this case 9th July 2012, more and more security researchers are asking everyone to take seriously the threat posed by the DNS-Changer Bot. Doesn’t this name sound familiar? Well yes, a few months ago I had blogged about DNS-Changer Bot.

In the previous blog, I had mentioned not only DNS-Changer but also a few other attacks:

1: DNS Cache Poisoning

2: CPE based DNS attack, which we had witnessed in India.

The above-mentioned attacks, including the DNS-Changer Bot attack, depend on messing around with DNS – Domain Name Service. The hackers/malware authors set up fake DNS servers with fake DNS entries pointing to their own servers, which serve fake content; the payload of the content may vary from click-fraud to drive-by downloads.
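All three attacks end with the victim resolving names through a resolver the attacker controls, so the practical check is whether the configured resolvers are the ones you expect. The added example below (not from eScan or the MWAV toolkit) parses resolv.conf-style text and classifies each resolver; the rogue ranges, the sample file and the expected-resolver set are constructed placeholders using documentation addresses, not the real DNSChanger indicator ranges.

```python
import ipaddress

# Constructed placeholder ranges standing in for a published rogue-resolver list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]

# Constructed sample resolver configuration and expected resolver set (placeholders).
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
nameserver 203.0.113.44
nameserver 192.0.2.53
search example.internal
"""
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed on 'nameserver' lines."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries instead of aborting the check
    return servers


def classify_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Label each configured resolver 'rogue', 'unexpected' or 'ok'.

    A resolver inside a known-rogue range is the DNS-Changer signature; one that is
    merely absent from the expected list still deserves a look, since a CPE or
    cache-poisoning attack also ends with names resolved by the wrong server.
    """
    verdicts = {}
    for addr in parse_nameservers(resolv_conf_text):
        if any(addr in net for net in ROGUE_RESOLVER_RANGES):
            verdicts[str(addr)] = "rogue"
        elif str(addr) not in expected:
            verdicts[str(addr)] = "unexpected"
        else:
            verdicts[str(addr)] = "ok"
    return verdicts
```

On a real host the same classification applies to the resolvers a router hands out over DHCP, which is where the CPE attack shows up.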

Providing a solution for DNS-Changer alone was not our prime task; rather, it was to ensure that all the issues outlined above are taken care of, as they are all similar in nature, with varying degrees of difference, but their end result is always the same.

Once again, let me assure you that users of eScan need not worry about DNS-Changer, Cache Poisoning or CPE based DNS attacks.

Download the MWAV toolkit from here, which will take care of a lot of things for you along with the dreaded DNS-Changer Botnet.

One more thing: since so many users are being affected by the DNS Changer bot, that would mean

1: Users are blissfully unaware, or

2: Their Antivirus doesn’t take care of this issue.

Either way, it is the human perception of staying comfortable when all things are working right. In this case, the FBI is seeking an extension from a US court to keep the standby DNS servers alive, ensuring that sites are accessible without any glitch.

As long as the FBI keeps on getting the extension, this issue is never going to get resolved, unless and until some drastic steps are initiated, e.g. users being redirected to a warning page.

Posted in eScan 11