Big phishing problem "bears fruit" at Toorcon (and he's dead, Jim)
- TAGS: BearFruit, Dan Kaminsky, DNS, Earthlink, IOActive, Jason Larsen, phishing, Toorcon
- IT TOPICS: Desktop Applications, Internet, Networking, Security
It's IT Blogwatch: in which many ISP subscribers could have been at risk of "undetectable" phishing attacks for 18 months. Not to mention analytics, according to Captain Kirk...
Robert McMillan reports:
A vulnerability in servers used by EarthLink to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher. The bug, which was patched earlier this week, underscores a fundamental security risk in the way that some ISPs are attempting to generate advertising revenue from mistyped Web addresses, said Dan Kaminsky, director of penetration testing with IOActive, a security consulting firm. The vulnerability was in a service called Barefruit, which Earthlink has been using since August 2006 to return Web pages with search terms and advertising to customers who mistype a domain name in their browser. more
Brian Krebs adds:
In seeking to further monetize Web site traffic on their networks, a number of major Internet service providers may be inadvertently exposing their customers to a greater risk of online attack from identity thieves ... a growing number of providers also are serving ad-filled pages when customers request a subdomain of a Web site that does not exist, such as something.example.com. This practice ... potentially introduces security threats when ISPs outsource the ad-serving process to third parties ... ISPs like Earthlink, Qwest and Verizon have outsourced at least portions of their ad-serving technology to BareFruit ... The trouble is that until late this week, BareFruit's ad servers were vulnerable to what Kaminsky called a "trivial to find and exploit" vulnerability that would make it simple for fraudsters to trick users of those ISPs into visiting malicious Web sites that appear to be located at trusted sites. more
Ryan Singel sings:
The vulnerability was a dream scenario for phishers and cyber attackers looking for convincing platforms to distribute fake websites or malicious code. The hole was quickly and quietly patched Friday ... Earthlink users, and some Comcast subscribers, were at risk. Kaminsky warns that the underlying danger lingers on ... At issue is a growing trend in which ISPs subvert the Domain Name System ... The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site. As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. more
Dan Goodin has more:
Speaking at the ToorCon security conference in Seattle, Kaminsky demonstrated an exploit class he dubbed PiTMA, short for provider-in-the-middle attacks. A variation of man-in-the-middle attacks, it stole authentication cookies and injected arbitrary content into trusted web pages by exploiting weaknesses in an ad server Earthlink used when returning results for non-existent addresses ... Kaminsky's demo relied on an easily exploited cross site scripting (XSS) error in an ad server ... When notified of the error, "BareFruit defecated masonry" and "fixed the bug in about 27 minutes after they heard what they were up to," Kaminsky said. Even though the specific problem has been corrected, similar ad servers are likely also vulnerable, Kaminsky said, imperiling large swaths of internet. He said the practice should serve as a strong argument in favor of net neutrality, a concept that holds that ISPs should be barred from changing the content of pages they deliver. more
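Why Singel's and Goodin's point about nonexistent subdomains matters, as an added example (not code from any of the quoted posts): Python's http.cookiejar applies the same domain-matching rules a browser does, so a cookie the real site sets with Domain=.example.com is attached to a request for webmale.example.com as well, where the page is actually served by whoever answers for the nonexistent name. A host-only cookie (no Domain attribute) stays with www.example.com, which is the mitigation a site owner controls. The hostnames and cookies are constructed for the demonstration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed scenario: www.example.com sets two cookies. One is scoped to
# the whole domain (Domain=.example.com), the other is host-only.
SET_COOKIE_HEADERS = [
    "session=abc123; Domain=.example.com; Path=/",
    "prefs=dark; Path=/",
]
ORIGIN_URL = "http://www.example.com/"
# A subdomain that does not exist; under the practice described above the
# ISP's resolver answers for it and the page comes from a third-party ad server.
NXDOMAIN_URL = "http://webmale.example.com/"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def build_jar(origin_url, set_cookie_headers):
    """Store cookies the way a browser would after a response from origin_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(origin_url))
    return jar


def cookie_names_sent_to(jar, url):
    """Return the sorted cookie names a client would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


if __name__ == "__main__":
    jar = build_jar(ORIGIN_URL, SET_COOKIE_HEADERS)
    print(ORIGIN_URL, "->", cookie_names_sent_to(jar, ORIGIN_URL))      # ['prefs', 'session']
    print(NXDOMAIN_URL, "->", cookie_names_sent_to(jar, NXDOMAIN_URL))  # ['session']
```

The domain-wide session cookie reaches the nonexistent subdomain, so any script the third party serves there can read it; the host-only cookie does not.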
koma3504 agrees:
Just one more reason the ISPs should not be allowed to break DNS. Or modify pages. Or forge packets. And it should be made LAW and fined accordingly when caught doing so. more
Joseph Hunkins is scared:
More broadly, this security issue raises questions about whether those with access to our online information and online activity details are protecting us responsibly enough. The US Government, Google, Yahoo, MSN and others collect extensive details about search activity, email content, and more. Even the issue of who owns your data is not resolved to any reasonable degree. The value of this data increases as data mining and advertising targeting techniques improve, so the online community is well advised to clarify many of these data ownership and data stewardship issues immediately, because the Pandora's box of personal information opens wider every day. more
But Danny McPherson takes a broader view:
Security “of the web” ends up being fully gated by the security of the ad server folks ... [but] you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS “control path” ... Here are five techniques that various folks in the DNS control path can employ to perform similar or adjacent questionably ethical activities. Domain tasting: Exploit the add grace period (AGP) ... Domain name front running ... Domain name front running enabled by non-existent domain (NXDOMAIN) data ... Become a DNS services provider and hijack customer subdomains ... Synthesize DNS query responses that result in NXDOMAIN. more
And finally...
- Analytics According to Captain Kirk
- bonus link: It's worse than that: he's dead, Jim. Dead, Jim. Dead! [some other content on site may not be safe for work]
Buffer overflow:
- Enterprise Initiatives: Open Source - Debunking Myths - Part 3
- Ross Mayfield: Whipping up a batch of effective communications
- 9 to 5 Mac: Paypal denies Safari-blocking reports
- Mark Sigal: The Social Map Is All About Me
- Michael Hugos: Five Inspirations for Turning Data into Information
- Jack Schofield: Forbes talks to Psystar boss while CNet has paid for its Macalike PC
Other Computerworld bloggers:
- Don Tennant: Here's to humor
- Scot Finnie: Eating My Words on the MacBook Air
- Preston Gralla: Ballmer: Vista is a "work in progress"
- David DeJean: Would you pay forever for Office?
- Michael R. Farnum: Security Assessment / Audit Terms
- David Ramel: GPS strikes again
- Mark Hall: Saving Cobol
- Mike Elgan: Why are Americans neo-Luddites about cell phones?
- Douglas Schweitzer: Gone Phishing...again
- Shark Tank: Feel the pain
- Shark Bait: Warehouse troubles
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. You too can pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.