Bad Blogger.com Security Model

Security: Hey user auth systems! If you’re going to require me to sign in, and publish my login as a signature to prove that I’m ‘me’, please do me a favour — don’t delete the account if it’s been ‘inactive’, and allow anyone to re-register that name without my knowledge!

I just tried to leave a comment on a Blogger.com weblog, to find that my user account at Blogger had been deleted. Re-creating a new account with the same name wasn’t a problem – the previous account data had been simply deleted outright. (Presumably they don’t do this to people with a Blogger.com weblog — I hope.)

The risks of this are pretty clear; given that I’d already established an identity (at least in comments on certain Blogger weblogs) as ‘justinmason23’, if an attacker were to have re-registered that identity before I did, they could impersonate me.
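The fix the post is asking for, as an added example (my code, not Blogger's or the post's own): a registry that keeps a tombstone for every deactivated login name, so the name can only be reclaimed by someone who can prove they held the original account. The recovery-secret mechanism, the class and method names, and the sample names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class NameReuseError(Exception):
    """Raised when a login name is taken or reserved for a deactivated account."""


class AccountRegistry:
    """Illustrative registry (not Blogger's real design).

    Deactivating an account moves its name into `tombstones` instead of
    deleting it outright, so re-registration requires the old recovery secret.
    """

    ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the example runs quickly

    def __init__(self):
        self.active = {}      # name -> (salt, hash of recovery secret)
        self.tombstones = {}  # name -> (salt, hash) kept after deactivation

    @classmethod
    def _digest(cls, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.ITERATIONS)

    def register(self, name, recovery_secret, reclaim_secret=None):
        """Create `name`. A tombstoned name needs the matching `reclaim_secret`."""
        if name in self.active:
            raise NameReuseError(f"{name!r} is in use")
        if name in self.tombstones:
            salt, expected = self.tombstones[name]
            if reclaim_secret is None or not hmac.compare_digest(
                expected, self._digest(reclaim_secret, salt)
            ):
                # This is the check Blogger skipped: anyone could take the name.
                raise NameReuseError(f"{name!r} belongs to a deactivated account")
            del self.tombstones[name]
        salt = secrets.token_bytes(16)
        self.active[name] = (salt, self._digest(recovery_secret, salt))
        return True

    def deactivate(self, name):
        """Retire an 'inactive' account but keep its name reserved."""
        self.tombstones[name] = self.active.pop(name)

    def is_reserved(self, name):
        return name in self.active or name in self.tombstones


if __name__ == "__main__":
    reg = AccountRegistry()
    reg.register("justinmason23", "owner-recovery-secret")
    reg.deactivate("justinmason23")
    try:
        reg.register("justinmason23", "attacker-secret")
    except NameReuseError as e:
        print("rejected:", e)
    print("owner reclaimed:", reg.register("justinmason23", "new-secret",
                                           reclaim_secret="owner-recovery-secret"))
```

The tombstone never expires here; a real service would decide a retention policy, but the safe default is that a name used as a public signature is never handed to a stranger.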

Yahoo! release DomainKeys

Spam: Yahoo!’s DomainKeys proposal for sender auth.

I’m in the UK this week, so commenting in detail isn’t too easy right now. But briefly, the big problem I foresee for DK is dealing with mailing lists and forwarders.

I did spot this oddity in the patent license, though:

Yahoo! will grant a royalty-free, worldwide, non-exclusive license under any Yahoo! patent claims that are essential to implement or use any Implementations so that licensees can make, use, sell, offer for sale, import, or yodel Implementations; provided that the licensee agrees not to assert against Yahoo!, or any other Yahoo! licensees of Implementations, any patent claims of licensee that are essential to implement or use any Implementations.

My emphasis. “Yodel”? ;)

But seriously — patents will make implementation of this tricky for open-source projects, unless those terms are extended to allow the license to be transferable and usable indefinitely.

Patents: argh. That’s all I can say for now. :(

Spammers Now Relaying via SMTP AUTH

Spam: A nasty new development — spammers are now exploiting closed relays to send spam, by brute-force attacking their SMTP AUTH interfaces. SMTP AUTH is a system used to allow legitimate mail server users to send outgoing mail securely, by authenticating them first. (Sample documentation here.)

This ROKSO file indicates one spammer’s modus operandi:

These relays were abused using SMTP AUTH. That is, the spammer supplied a valid username/password pair to the server, was authenticated, and therefore granted permission to send mail anywhere. Such attacks are therefore successful only when weak passwords are used. This spamhaus constantly scans the net to find abusable servers to use in subsequent spam runs. All brands of servers (sendmail, exchange, mdaemon, rockcliffe, etc) are equally targeted, as long as they support SMTP AUTH. The attacker tries several username/password pairs - such as with ‘admin/admin’ - following a certain pattern and hoping to find a combination that lets him in.

An analysis done in July 2003 has shown that a total of 276 combinations are attempted (of course new ones may have been added in the meantime): Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc, each with the following passwords: username, username12, username123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&*, as well as with a blank password.

MDaemon users beware! The account creation tool of recent versions of MDaemon defaults the password to the account name. If the default is accepted, the account will be open to be exploited by this spamhaus.

Incredible. There’s no way at the SMTP/IP level to tell that this relay was compromised; blacklisting will definitely cause collateral damage in response; so content analysis is pretty much necessary, as far as I can see.

And in another worrying development: it turns out that the latest Outlook worm, W32.Swen, doesn’t bother trying to randomly generate usernames etc. or send via SMTP directly. Instead, it asks the user for their username, password and SMTP server!
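The sweep quoted above, as an added example (my code, not the post's or the ROKSO record's): it expands the published 12 usernames and 23 password patterns into the 276 concrete attempts, shows what one attempt looks like on the wire as an AUTH PLAIN token (the RFC 4616 base64 of NUL, user, NUL, password), audits a set of accounts against the list (including the MDaemon password-equals-username default), and counts SASL failures per client IP in mail-server logs. The recipient of the spam can't see that the relay was compromised, as the post says, but the relay operator's own logs do show the guessing; the log lines below are constructed in a Postfix-like shape, not captured from a real server, and the account data is made up.

```python
import base64
import re
from collections import Counter

# Lists as given in the ROKSO record quoted above: 12 usernames x 23 patterns = 276.
USERNAMES = [
    "webmaster", "admin", "root", "test", "master", "web", "www",
    "administrator", "backup", "server", "data", "abc",
]
PASSWORD_PATTERNS = [
    "username", "username12", "username123", "1", "111", "123", "1234",
    "12345", "123456", "1234567", "12345678", "654321", "54321", "00000000",
    "88888888", "admin", "root", "pass", "passwd", "password", "super",
    "!@#$%^&*", "",  # "" is the blank-password attempt
]


def candidate_pairs():
    """Expand the pattern into concrete (username, password) attempts.

    The three "username..." patterns are templates keyed on the login name.
    A few pairs (admin/admin, root/root) occur twice, as in the 276 count.
    """
    return [(user, pattern.replace("username", user))
            for user in USERNAMES for pattern in PASSWORD_PATTERNS]


def auth_plain_token(user, password):
    """One attempt as sent after 'AUTH PLAIN': base64(NUL user NUL password),
    RFC 4616 form with an empty authorization identity."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def audit_accounts(accounts):
    """Flag accounts this sweep would open. `accounts` maps login -> password
    (constructed test data; real systems should check hashes, never plaintext).
    Returns {user: reason}."""
    sweep = set(candidate_pairs())
    flagged = {}
    for user, password in accounts.items():
        if (user, password) in sweep:
            flagged[user] = "in published sweep list"
        elif password == user:
            # The MDaemon default the post warns about: password == account name.
            flagged[user] = "password equals username"
    return flagged


# Constructed, Postfix-like smtpd lines (assumed format, not a real capture).
SAMPLE_LOG = """\
Oct  1 12:00:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:00:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:00:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Oct  1 12:00:04 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:00:05 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:00:06 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:05:00 mx postfix/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Oct  1 12:06:00 mx postfix/smtpd[1241]: client=laptop.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
"""

# Client IP in brackets, then the SASL mechanism, then the failure text.
AUTH_FAIL = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL [\w-]+ authentication failed")


def detect_auth_bruteforce(log_text, threshold=5):
    """Count SASL auth failures per client IP; return {ip: count} at or over threshold."""
    counts = Counter(
        m.group(1) for m in (AUTH_FAIL.search(line) for line in log_text.splitlines()) if m
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    pairs = candidate_pairs()
    print(len(pairs), "attempts; first on the wire: AUTH PLAIN", auth_plain_token(*pairs[0]))
    print(audit_accounts({"admin": "admin", "bob": "bob", "alice": "correct horse battery staple"}))
    print(detect_auth_bruteforce(SAMPLE_LOG))
```

The threshold and window are deliberately simple; in production you would key on failures per source over a sliding time window and feed the result to a rate limiter or firewall rather than just reporting it.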
