How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/

By Kim Zetter
Threat Level
Wired.com
10.24.12

It was a strange e-mail, coming from a job recruiter at Google, asking 
Zachary Harris if he was interested in a position as a site-reliability 
engineer.

“You obviously have a passion for Linux and programming,” the e-mail 
from the Google recruiter read. “I wanted to see if you are open to 
confidentially exploring opportunities with Google?”

Harris was intrigued, but skeptical. The e-mail had come to him last 
December completely out of the blue, and as a mathematician, he didn’t 
seem the likeliest candidate for the job Google was pitching.

So he wondered if the e-mail might have been spoofed – something sent 
from a scammer to appear to come from the search giant. But when Harris 
examined the e-mail’s header information, it all seemed legitimate.

Then he noticed something strange. Google was using a weak cryptographic 
key to certify to recipients that its correspondence came from a 
legitimate Google corporate domain. Anyone who cracked the key could use 
it to impersonate an e-mail sender from Google, including Google 
founders Sergey Brin and Larry Page.

The problem lay with the DKIM key (DomainKeys Identified Mail) Google 
used for its google.com e-mails. DKIM involves a cryptographic key that 
domains use to sign e-mail originating from them – or passing through 
them – to validate to a recipient that the domain in the header 
information on an e-mail is correct and that the correspondence indeed 
came from the stated domain. When e-mail arrives at its destination, the 
receiving server can look up the public key through the sender’s DNS 
records and verify the validity of the signature.

[...]

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org