
I'm the IT/programmer guy at a small translation company. I just sent out emails to our translators around the world with a unique URL for them to come into our site and update their password, e.g.: http://mysite.com/update/080F9326-491D-11E0-B806-D028DFD72085

The unique URL gives anyone who captures it full access; so I've PGP encrypted all the emails (we have a public key in our database for each translator).

Here's the weird bit:

  • 5 min after I sent out the emails exceptions started coming in
  • There was a bug in my code causing the exceptions (d'oh!)
  • Looking through the IIS logs, 1 IP address visited ALL the unique URLs - maxmind.com says the IP is in Columbus, Ohio

The links were hit too fast for it to be the intended recipients; I know for a fact a translator friend in Lebanon had not RECEIVED the email when his link was hit.

Has anyone seen anything similar?

  • Did they also visit any non-existent URLs of the same format? Maybe they received one of your URLs and decided to start scanning for more? – Steven Mar 08 '11 at 17:00
  • They only visited the URLs I emailed - and they are GUIDs, so they would be pretty hard to guess! – KiteTranslator Mar 09 '11 at 09:59
  • It's easy to guess GUIDs (and take forever to guess them all), but impossible to guess without hitting wrong ones. But if the links were properly encrypted with PGP, perhaps someone broke into your app. – Steven Mar 09 '11 at 17:54
  • Maybe some fancy av software is checking links for malware from a secure location. Those email addresses are from your company domain? – odk Mar 08 '11 at 11:40
  • I'd drop a WHOIS on the IP to see who, if anyone, is scanning it. – Jacob Mar 08 '11 at 11:44
  • Could be anything at the users end - like a google toolbar! – Coops Mar 08 '11 at 11:53
  • I did a network-tools.com check on the IP address; registered to a hosting company in Arlington, Virginia I've never heard of. – KiteTranslator Mar 09 '11 at 10:00
  • Has IIS logged a user-agent when that IP accessed those URLs? That might give you some clues. – Bryan May 31 '11 at 19:34


This is what I'd do and check:

(all of this is dependent on how paranoid you are and how confidential the data really is; translations for the next ueber-web-facebook-flash-game aren't quite as confidential as, say, translations for legal parties that are planning to have some international drug raid and need to pass information around)

  • First and foremost: Invalidate all URLs that have been sent out
  • Password protect everything but don't tell anyone the password

Things under your control

  • was the message really encrypted (maybe just signed)
  • check the machine that did the encryption for malware (was it some gateway that is publicly reachable, was it "real end-to-end encryption")
  • someone got access to the private key without using malware:
    • repeat the process and check logs
    • repeat the process with a new key and check the logs - tell recipients about the new key
    • repeat the process with a new key and check the logs - don't distribute the new key

Things not under your control

  • malware on any of the recipients machines

Find out who's the bad guy

  • send a unique so called secure URL to every person in question unencrypted
  • send a unique so called secure URL to every person in question encrypted -- this is actually optional

(sorry but sending out an unprotected URL by GPG is just about the same as sending out a protected URL in plaintext -- script kiddies will find that stuff -- also protecting on the server side is in my experience more valuable for a business since you have more control)

Finally

I had a friend very proud of consistently using PGP for all his mail conversations. That is, until he found out that he had accidentally exported his private key and kept sending that around all the time instead of the public key -- funny at the time, but you never know what hits you (now, it wasn't me; I'm by far too lazy to encrypt my mails with PGP and explain it to customers, I usually use some encrypted ZIP-file or something else that is usable by non-tech people without explanation)

Implement one-time-passwords for your translators. Send them the new stuff by snail-mail.

Also, I assume you have a written consent about not giving stuff away and you are absolutely sure that it wasn't by coincidence someone with some technical background that scripted receiving encrypted mails and automagically does some other stuff.

Also (again), any possibility that any of the recipients have subcontractors that do the actual work and the mail got forwarded (possibly with the key needed to decrypt it)?

Last but not least: There's this thing called mobile access, did you give everyone a call to make sure it wasn't valid access from somewhere you haven't expected?

serverhorror
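The check the question and Bryan's comment describe (one client IP hitting many distinct one-time URLs in seconds, plus its user-agent) can be pulled straight out of IIS W3C logs. This is an added example, not code from the original thread; the log lines, GUID tokens, IP addresses and user-agents are constructed, and the `/update/` prefix is assumed from the question's URL format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IIS W3C log lines (not from the original post). The
# tokens are made-up GUIDs; 203.0.113.7 plays the single "scanner" IP.
# IIS replaces spaces inside the user-agent with '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2011-03-08 10:00:01 GET /update/11111111-1111-1111-1111-111111111111 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2011-03-08 10:00:02 GET /update/22222222-2222-2222-2222-222222222222 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2011-03-08 10:00:02 GET /update/33333333-3333-3333-3333-333333333333 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 500
2011-03-08 10:00:03 GET /update/44444444-4444-4444-4444-444444444444 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 500
2011-03-08 10:07:45 GET /update/22222222-2222-2222-2222-222222222222 198.51.100.23 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1) 200
2011-03-08 10:09:12 GET /index.html 198.51.100.23 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1) 200
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_token_scanners(text, path_prefix="/update/", min_tokens=3, window_seconds=60):
    """Return {ip: (distinct_tokens, seconds_spanned, user_agents)} for every IP
    whose hits on one-time URLs cover at least min_tokens distinct tokens and
    all fall within window_seconds (first hit to last hit)."""
    per_ip = defaultdict(lambda: {"tokens": set(), "times": [], "agents": set()})
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].startswith(path_prefix):
            continue
        entry = per_ip[rec["c-ip"]]
        entry["tokens"].add(rec["cs-uri-stem"][len(path_prefix):])
        entry["times"].append(datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"))
        entry["agents"].add(rec["cs(User-Agent)"])
    flagged = {}
    for ip, e in per_ip.items():
        span = (max(e["times"]) - min(e["times"])).total_seconds()
        if len(e["tokens"]) >= min_tokens and span <= window_seconds:
            flagged[ip] = (len(e["tokens"]), span, sorted(e["agents"]))
    return flagged

if __name__ == "__main__":
    for ip, (n, span, agents) in find_token_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct tokens in {span:.0f}s, user-agent(s): {agents}")
```

A legitimate recipient normally hits exactly one token, so any IP that clears the threshold is worth the WHOIS and user-agent look the comments suggest, and its tokens should be invalidated as the answer's first step recommends.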