FoxNews is reporting that the attack code used in the Google hack last week has been published. Gmail accounts can be compromised through this attack, which is specific to Microsoft Internet Explorer.
DNSSEC would have made this attack very difficult if not impossible, as I pointed out in my post on this hack last week. DNSSEC provides the foundation for authentication for the internet, including email. Without DNSSEC you can't be certain who sent email or that you are on the correct web site. These weaknesses were key to the success of these attacks, which hit at least 34 major firms (see my post from 1/13/10).
The article is linked here: Google Hack Leaked to Internet; Security Experts Urge Vigilance:
The code that was used to hack Gmail accounts in China is now publicly available on the Internet, and security experts are urging computer users throughout the world to be highly vigilant until a patch can be developed.
The hack involves Internet Explorer 6, the browser that came with the Windows XP operating system that, while outdated, still powers millions of businesses and home computers and is now dangerously compromised.
On Thursday, the code that was used to hack Gmail accounts in China and led Google to threaten to close shop there was posted to malware-analysis Web site Wepawet. By Friday, security site Metasploit had posted a demonstration of just how easily the exploit can be used to gain complete control over a computer.
Metasploit is intended to let security professionals test out security threats.
"Normally these frameworks are designed for the good guys for our assessment. The problem is, it's open source and available to anyone," said Michael Gregg, head of Superior Solutions Inc., a Houston-based cybersecurity consultancy.
"And the scary thing about Metasploit is, anybody can pull this stuff down and anybody can launch it. It's not the skilled hacker working for the government, it's the kid next door."
George Kurtz, CTO of the security firm McAfee, agrees. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," he wrote late week. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."
If hackers can get into the heart of Google then the average bank or business has little chance of considering itself secure. It was only a matter of time before this surfaced. What concerns me even more is the response to this threat. The article continues:
Microsoft's next scheduled security update is Feb. 9 -- so unless the company expedites an "out of cycle" security patch, more than three weeks will elapse before this vulnerability is fixed. Without a patch in sight, security experts urge vigilance, and not just for government agencies and huge businesses like Google.
"This is something that affects businesses in the U.S. as well as individuals. The Internet knows no borders," Gregg warned.
Gregg said that years ago, software companies had months to solve a security flaw after it was uncovered. Today, it's hours. Protecting yourself and your business is substantially harder today than it was in years past, too, due both to the accelerated pace of these exploits and also to hackers' reliance on social engineering, where an individual is tricked into providing confidential information.
Gregg calls it spearphishing: "They target the user with an e-mail that would appeal to them, one that leads to a site that launches malicious code onto your system." And the IE 6 exploit makes it particularly easy to slip that code on your computer.
Staying on top of current security patches, using firewalls, updating Web browsers and running intrusion detection software is the first part of staying safe. But since most attacks rely upon spearphishing or some similar end-user exploit, Gregg suggests a training program that would warn users that if an e-mail link looks too good to be true, it probably is -- don't click on it.
Wouldn't it be nice if you could authenticate email so you would know the spearphish email was fake? And if you were careless and clicked on the email, wouldn't you like the site to be authenticated so you would have some idea that it was malicious? Then you understand why DNSSEC is so important: it could be used to do this for you.
You would not be entirely dependent upon your security administrator skills by ". . . using firewalls, updating web browsers and running intrusion detection software . . .", which, as he notes, are largely irrelevant anyway if you click on a spearphish email. Security needs to be on the net and not dependent solely on the user.