Enabling Secure Business Operations

Twitter May Be Used to Host Random Content

April 10th, 2009

Fact: Twitter uses Amazon’s S3 AWS to store user images.
Fact: Twitter apparently only checks the file extension to determine the file type of uploaded images, not an image library or a method that checks for binary image data.
Fact: This can be used (or abused) to obtain un-metered free hosting of files that are less than 800K in size.

How is it done? A user can rename any file with a ‘jpg’ ‘gif’ or ‘png’ extension and upload it as their background image on a dummy Twitter account.

Then they can simply grab the URI of the “image” from the inline CSS declarations. Since the file is believed to be an image, it is uploaded and stored with no changes. The URI will point to a file having an image extension, but non-image content.

A good application of this is using Twitter’s AWS account to host javascript files. Simply enter the URI as the “src” attribute in a script tag like so:

<script type="text/javascript" src="http://s3.amazonaws.com/twitter_production/profile_background_images/151911/my_javascript.jpg"></script>

For high-traffic websites that use large javascript files, this could save a considerable amount of bandwidth. Amazon’s S3 acts as a CDN as well, so this might also improve performance.

There are some ugly security implications of this, however. Many web-based exploits use unwitting third-party hosts to serve up malicious javascript files. This is particularly troubling since other types of files can be uploaded as well (exe, swf, mp3, etc). Unless they want their Amazon S3 storage account to become a free data repository for the bad guys, perhaps Twitter should be a bit more prudent with their user-submitted data.
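As an added illustration (not code from the original post), the extension-only check the post describes is shown beside a content-based check that sniffs the image magic bytes and enforces the size limit; the file names, sample bytes and function names are constructed for this example.

```python
import os

# Leading bytes ("magic numbers") of the three image formats the post mentions.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_UPLOAD = 800 * 1024  # the roughly 800K limit the post mentions


def declared_type(filename: str) -> str:
    """Normalised type claim taken from the file name only (jpeg -> jpg)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext


def extension_only_check(filename: str) -> bool:
    """The weak check the post describes: trusts the file name alone."""
    return declared_type(filename) in MAGIC


def sniff_image_type(data: bytes):
    """Type implied by the actual leading bytes, or None if not a known image."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def content_check(filename: str, data: bytes) -> bool:
    """Hardened check: size limit, allowed extension, and bytes that match it."""
    if len(data) > MAX_UPLOAD:
        return False
    declared = declared_type(filename)
    if declared not in MAGIC:
        return False
    # A renamed script fails here: its bytes do not start with an image signature.
    return sniff_image_type(data) == declared


# Constructed samples (not real uploads): a minimal PNG header, and a script
# renamed to .jpg in the way the post describes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JS_RENAMED = b"alert('served from an image URL');"

if __name__ == "__main__":
    print(extension_only_check("my_javascript.jpg"))       # True: name alone passes
    print(content_check("my_javascript.jpg", JS_RENAMED))  # False: bytes are not JPEG
    print(content_check("background.png", PNG_SAMPLE))     # True: name and bytes agree
```

Magic-byte sniffing alone still accepts files that are both a valid image and something else, so re-encoding every upload through an image library and serving it with a fixed image Content-Type is the stronger mitigation.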


Gmail S/MIME

April 9th, 2009

Gmail S/MIME is a pretty cool Firefox add-on that adds signing and encrypting capabilities to Gmail. The add-on integrates smoothly with the user interface so that you might think Google had added the feature themselves. It still needs some work (it’s currently at version 0.4) but has the potential to be a very useful tool for security-conscious users.


Simple CAPI

April 7th, 2009

Have you ever tried to open a digitally signed e-mail and been greeted with a message like this one:

Signature: Invalid

It doesn’t really tell you much about why Outlook doesn’t like the signature.  In almost all cases, this type of error is shown because of a problem with the signer’s digital certificate.  It can also occur if the message was tampered with, although this is a rare case.  But, it would be nice to know for sure why the signature isn’t valid.  Enter Simple CAPI, a free tool available from us nice folks at Gemini Security Solutions.  This tool can help you figure out just what is going wrong with that certificate.

Step 1:  Locate the certificate in the CAPI stores

Simple CAPI allows you to diagnose problems with certificates that are present in your Windows certificate store.  For secure e-mail, other users’ certificates will typically be located in the Other People container, with the store type set to User Store.  Select these options in the main Simple CAPI window, and find the user’s certificate in the list.

Simple CAPI certificate selection

With the certificate selected, press the Validate Certificate button at the bottom of the window.

Step 2: Specify Validation Parameters

The certificate validation screen presents some options for the validation process.  The default options should be selected, as these options are what programs like Outlook typically use when they validate certificates.  You can also disable revocation checking by selecting NoCheck from the Revocation Mode drop-down list, although this may lead to incomplete validation results.

Validate Certificate Dialog

Click the Build button to check the certificate path for errors.

Step 3: View Results

The certificate path building operation may take a few minutes, depending on the size of the revocation information that the application needs to download.  Once the certificate path is checked, the results of the validation operation are presented.  In this particular case, Simple CAPI has returned the error “A required certificate was not within its validity period when verifying against the current system clock or the timestamp in the signed file”.  This error appears under the user’s certificate – telling us that the e-mail signature was found to be invalid because the certificate was expired.

Signature Validation Results

If the Simple CAPI validation tool finds no errors with the certificate, then it’s possible that the data in the original message was changed or corrupted.  If you still need some help figuring out why a particular certificate is failing, though, contact us and maybe we can help!

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!


3 Security Reasons Why Desktop Email Will Survive

April 7th, 2009

The digital world is moving online and taking our email with it. While most home users have abandoned desktop email clients, most corporate computers are loaded with some desktop email client (almost always Microsoft Outlook), which will keep it alive. Lifehacker posed the question: are Thunderbird, and desktop email in general, going extinct?

Here are 3 reasons desktop email will continue to live and why corporate administrators won’t pull the plug.

  1. Digital Signatures - Online email simply does not handle digital signatures natively.
  2. Control - Carting your email out-of-house puts email in the control of another company completely and is a potential security risk. While I think that eventually you’ll begin to see larger and larger companies getting involved in cloud computing, it won’t kill desktop email.
  3. Archiving and Organization - Companies can set up specific folders for critical or legal emails and organize how messages are archived to best fit their environment.

It will be interesting to see when the major web-based email providers will make a real push for the corporate world. Until then, desktop email will continue to live on, in the office at least.

picture: larskflem


Test Web Applications With Grendel Scan

April 2nd, 2009

Grendel Scan is a powerful web application scanner that can help you identify potential security gaps across your websites. There are a number of web application scanners freely available (Tim reviewed w3af last week), but Grendel Scan has a number of features that make it a useful tool for administrators, in particular those who may not have much (or any) penetration testing experience but are looking to close potential vulnerabilities across their web applications.

  • Unlike w3af, Grendel Scan’s GUI interface is fully functional. You only need to identify a place to store the scan files and a URL to get started.
  • Grendel Scan works mostly in the background and doesn’t require much attention once the scan gets going.
  • The final report is generated in HTML so you can view it in a very readable format in any web browser. The specific vulnerabilities found, their risk ratings, and the recommended fixes are clearly organized in the report. You can also pause the scan and generate the report on the fly.
  • Works on Windows for administrators who are scared of Linux or Macs (you’d be surprised).

Although the final output from Grendel Scan is well organized, you’ll need some programming and security knowledge to decipher it. That’s when it’s time to call in the security guru to take a look for guidance. Grendel Scan is free for download and a useful tool for a wide range of experience levels.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!


Conficker Fizzles

April 1st, 2009

So far, nothing has happened today with Conficker except that it’s phoned home to get new instructions, which it has done before. I’ve been unable to find any reports of disaster, or even misuse of network resources anywhere I’ve looked. Has Conficker done anything to you or your organization (other than be an annoyance)? I’d like to hear reports in the comments. For me, my home network is all Unix systems, and no Windows, so nothing to report there. No one in our office picked it up, but some colleagues of mine (not security people) were infected and merely removed the infection and went on with their lives.
