2013-01-07

Gmail account (not mine) potentially 0wned

A household security announcement:

2013-01-07 21:00 GMT Potential security breach of a home gmail account.
At or around 02:00 last night (GMT) at least five people, including myself were sent a URL by my wife.
  • As she's been in London, I've only just got access to this laptop
  • A curl of the link shows it has a javascript malware page; I haven't looked at what the contents are, but it's clearly trying to 0wn the browser.
  • It's too late to use the google account activity log to see what's up -it only goes back 12 hours.  I should have known about that feature this morning. For that reason we aren't sure what happened.
  • Her password was Bristol street name (not ours) + a number: weak entropy; it may have been brute-forced. Alternatively, it may not have come from her account at all, as not many people seem to have got it. I will look through my deleted items list and the headers.
  • Firefox and Chrome are up to date.
  • Thunderbird is up to date and not used for gmail
  • No bounce mail came into the gmail account. For that reason we believe that the message was not sent  to all addresses in the contact list. It may not have been compromised, though something did know that the five of us (at least) knew each other. This could be from some other email that is in the inbox of someone else who has been compromised.
  • There is no email in her mailbox that contains everyone's email address.
  • There's no obvious sign of contamination of gmail, such a filter to hide bounce responses that spamming everyone would inevitably generate.
  • even though flash is set to auto update, it hasn't picked up the most recent release, as the interval between emergency out of band flash updates is much less than the check rate of the flash updater. Whoever wrote it was optimistic and assumed that you'd update flash to get new features, not to stop it being one of the key attack routes for clients.
  • Java 1.6 is installed, though I disabled it on both browsers some time last year.
  • Acrobat pro is the default viewer of PDF files for firefox and thunderbird
  • the default app for  microsoft apps is the MS office suite
  • although MS word is set to check for updates weekly, it does not have the Nov 13 2012 critical update. The implication here is that MS Office automated update checking is broken.
  • we have adblock and flashblock to keep adverts out and flash pages from strangers away. Everyone should do this.
I have 3 theories.
  1. the password was gained through some brute force attack
  2. some malware gained access to the system via flash, acroread, MS office or, possibly though unlikely, Java. If this is the case, the Mac laptop has to be considered compromised.
  3. someone generated some spoofed emails.
Immediate Actions
  1. The password has been changed to a pass phrase.
  2. We have switched to 2 way authentication on google; a text is sent to the phone when logging in on a browser without the cookies, and you get device specific logins for IMAP clients. You can also generate sets of ready-to-use auth keys for use when travelling without a phone -which is enough to make me switch too.
  3. I've verified that neither gmail or google docs contains any of our credit card numbers. Apart from the last four digits of my number from an itunes receipt, all is well. Yes, I know about apple icloud's vulnerability to hacking with those digits [ http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ ], but there's little that can be done there -it's apple's side. If any card no was in a file visible from gmail I'd have had to revoke it via the bank.
  4. Updating the AV software, rebooting.
  5. Updating flash, acrobat, MS office.
  6. Update Java and make sure that java1.6 isn't on the box (you need to install the full JDK for this)
  7. Making Apple Preview the default PDF viewer for firefox and thunderbird
  8. maybe: installing Apache Office and making that the default viewer of MS Office apps from browsers. I suspect some end-user resistance there.
  9. Forcing proper pass phrases across all of Bina's accounts -her login password was compromised by a ten year old in 2012 so as to get extra time on the home computer. I do not consider the replacement to be much better.
If I see any signs of the laptop being compromised, it's rebuild time. The only reason I'm not doing it now is that I don't know how to do this on a mac -yet.

22:09 Update
  • Be aware that Installing Java7 re-enables java plugins, even if disabled. Turn it off in the (new) Java control panel, and then verify in the browser
  • Thunderbird picks up the whole set of installed plugins -including any newly re-enabled Java7 plugin, and flash. This is very serious, as it makes recipients vulnerable to targeted flash or Java attachs.
  • AV scanners are happy.
  • The headers show that the messages came from a different domain but were routed via gmail.
  • I didn't think google mail would do that to unauthenticated accounts -which makes me suspect it was a brute force attack
I'm concluding that the gmail login was guessed by brute force. The 2-way auth and new password should prevent this happening again, though we have to consider the contacts list and (personal) emails compromised.
Posted by at
Labels:

No comments:

Post a Comment

Comments are usually moderated -sorry.

Subscribe to: Post Comments (Atom)