Wednesday, August 11, 2010

How many clicks does it take?

To takeover someone's life?

Not many. If you look at a number of recent high profile hacks (Sarah Palin, Twitter) you'll notice that the key vector of attack is via email. Email is the Achilles' heel of all our virtual lives. If you can control someone's email, you can control a large part of their life. And since email has moved from a single computer to the cloud, email attacks are easier than before.

If it's not obvious why, consider the following uses of email:

1. Private communications - email is used where letters used to be and for scheduling. If you could access someone's email you'd have a lot of information about where they'd be at what time. Also, if they are having an affair it is quite likely that it'll leave a trace in their email.

2. Social network - the contact information in the person's email gives you who they communicate with. This is vital information for social engineering attacks against the person. It's also useful information for spear-phishing since you could fake a mail from a trusted person.

3. Passwords - Many (most?) companies provide password reset by sending an email to the user. If you control the person's email you can reset their password on almost any other service and obtain access to those services.

4. Financial Services, Utilities - Most companies that used to mail you paper statements are now offering electronic versions. With access to their statements you have a lot of information to mess with them in real life.

So, how credible is an email takeover?

I recently discovered an interesting attack vector for GMail and Google Apps for Your Domain. Google has a feature that allows a user to link their Google accounts together for single sign in. This feature works with GMail and Google Apps for Your Domain.

If a user has a personal GMail account and a company Google Apps account and opts for single sign in they create a vulnerability where a malicious sysadmin could take over their personal account. Sysadmins are able to control the passwords of users in Google Apps. A sysadmin could change the password of any user they wish to target through the Google Apps control panel.

Clearly, they'd need a pretext, but I'm sure they could find one (such as 'company policy' that passwords be changed every n-weeks).

Once changed they can log in as the user. This will arouse little suspicion because Google Apps will report a log in from the same IP as the user normally logs in. Google would only say in the footer that they were logged in more than once from the same IP (and only during the attack).

From the corporate account the evil sysadmin can jump to the personal account. Clearly, resetting this password will raise suspicion so the attacker sets up an automatic forward of all mail to an email address they control (such as another GMail account). This can be done using a filter (say forwarding all mail containing the word 'the'):

Or using the Forwarding feature:

Conveniently, forwarding doesn't leave a trace in the user's Sent Items. Only when manually forwarding is a record kept that is visible to the attacked user: when manually forwarding, a copy of the forwarded message is attached to the original in a standard GMail thread. But automatic forwarding does nothing. Unless the user examined their settings carefully this attack would likely go unnoticed for a long time.

The attacker is then free to read the attacked person's mail through the account it is forwarded to, or even forward it on again to create a chain that frustrates any attempt to figure out who set up the attack.
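The user-side check this attack relies on nobody doing, as an added example that is not part of the original post: it parses the XML that Gmail's filter export produces (an Atom feed whose rules are `apps:property` elements) and reports every filter that forwards mail, flagging forwards to a domain the owner does not control, catch-all criteria like the 'the' trick above, and filters that also archive or trash the original. The export below is a constructed sample and `example.com` is assumed to be the owner's own domain.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample of a Gmail filter export (mailFilters.xml): one ordinary
# labelling filter and one catch-all forwarding filter like the post describes.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='the'/>
    <apps:property name='forwardTo' value='drop.box@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

# Match criteria a filter can carry; a forward with none, or with only a
# near-universal word, copies essentially every message the account receives.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
CATCH_ALL_WORDS = {"the", "a", "an", "and", "to", "of", "i"}

def audit_filters(xml_text, own_domains):
    """Return one finding per forwarding filter in a Gmail filter export;
    own_domains is the set of domains the account owner controls."""
    findings = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.iter(APPS + "property")}
        target = props.get("forwardTo")
        if not target:
            continue  # no forwarding action: not what we are hunting
        criteria = {k: v for k, v in props.items() if k in CRITERIA}
        word = props.get("hasTheWord", "").strip().lower()
        findings.append({
            "forward_to": target,
            "external": target.rsplit("@", 1)[-1].lower() not in own_domains,
            "catch_all": not criteria or (criteria.keys() == {"hasTheWord"}
                                          and word in CATCH_ALL_WORDS),
            "hidden": "true" in (props.get("shouldArchive"), props.get("shouldTrash")),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_EXPORT, {"example.com"}):
        print(finding)
```

Run it against your own export rather than the sample; the separate Forwarding setting the post also mentions is not in this file and has to be checked in the settings page itself.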

My take: protect your email with your life (almost). Get a really good password and do not link your accounts. If your email is vulnerable, so are you.

UPDATE: A number of people have told me that this problem (the Google issue) isn't real because they can't reproduce it. I originally saw this happen before the recent introduction of the new single sign in from Google, so perhaps it has been addressed and I am incorrect about the specific details.

UPDATE: Now verified why this was happening. The user had explicitly used their Google Apps account and added GMail to it from that account. That caused the new GMail account to be logged in when going to Google Apps. Thus it's incorrect to say that this is caused by the linking feature. Apologies.
