Google’s April Fool’s prank inadvertently broke their security

As part of its traditional series of April Fool's day jokes, Google used its own .google gTLD to launch a backwards version of its home page from the domain com.google on 1st April.

However, this year's joke inadvertently undermined an important security feature on Google's real homepage, which made it vulnerable to user interface redressing attacks such as click-jacking. This vulnerability would have allowed a remote attacker to change a user's search settings, including turning off SafeSearch filters.

The backwards content displayed on com.google

The backwards content displayed on com.google on 1 April 2015

The issue stemmed from the way com.google used an iframe to display backwards content from google.com. This would not normally be possible, as google.com uses the X-Frame-Options HTTP response header to prevent other websites from displaying itself within an iframe. But for the purpose of the April Fool's joke, Google stepped around this problem by passing the parameter "igu=2" to google.com, which not only told it to display the content backwards, but also instructed the server to omit the X-Frame-Options header entirely.

com.google uses an iframe to display a backwards search page from google.com. Also not the reversed text in the HTML comment, revealing that it is an April Fool's day joke.

com.google used an iframe to display a backwards search page from google.com. Also note the reversed text in the HTML comment.

A remote attacker could also have leveraged this "feature" to display the Google Search Settings page in an iframe on an external domain, and trick his victims into unwittingly changing those settings. A carefully constructed clickjacking attack could have gone unnoticed by each victim until it was too late and the settings had already been changed.

To highlight the different responses, the following was an ordinary response from Google's Search Settings page at https://www.google.com/preferences?hl=en&fg=1. Note the presence of the X-Frame-Options header:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 35486
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:54:14 GMT
Expires: Wed, 01 Apr 2015 09:54:14 GMT
Server: gws
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15

Conversely, with the igu=2 parameter appended, the X-Frame-Options header was omitted from the response, allowing the page to be displayed in a frame on an attacker's own website:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 33936
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:58:30 GMT
Expires: Wed, 01 Apr 2015 09:58:30 GMT
Server: gws
Set-Cookie: [redacted]
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
Google's Search Settings being successfully displayed within an iframe on a Netcraft domain

Google's Search Settings being successfully displayed within an iframe on a Netcraft domain on 1 April 2015 (this content is not served backwards).

Changes made to the above settings via the iframe would persist across the user's session when they subsequently used google.com in a normal window. Netcraft reported this issue to Google and it has since been resolved — the method described in this article can no longer be used to display the settings page within an iframe on an external domain.

Critical Windows vulnerability affects at least 70 million websites

The race is on to patch nearly a million Windows web servers, following the publication of code that can identify the presence of a serious vulnerability announced by Microsoft on Tuesday.

The critical vulnerability lies within Microsoft's HTTP protocol stack, known as HTTP.sys. The maximum security impact, according to Microsoft Security Bulletin MS15-034, is remote code execution — by sending a specially crafted HTTP request to a vulnerable server, a remote attacker can execute arbitrary code on that server.

An ongoing scan for this vulnerability suggests that the test performed by the published code is inconclusive, as it might erroneously give the all-clear to a server that returns non-static content, even if it is in fact vulnerable.

However, Netcraft's latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.

The affected versions of Windows includes Windows Server 2008 R2, 2012 and 2012 R2. Windows 7, 8 and 8.1 are also vulnerable, but are not commonly used to host websites. Microsoft's security bulletin does not include Windows Server 2003 in the list of affected versions, so the 130 million sites that run IIS 6.0 on this older operating system would appear to be safe (at least from this particular issue).

Given the swift publication of code that could potentially be developed into a practical exploit, it is essential that all Windows server administrators apply the necessary security updates as a matter of urgency.

Microsoft has already released a security update for this vulnerability, so don't delay, apply today!

Most Reliable Hosting Company Sites in March 2015

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Bigstep Linux 0:00:00 0.000 0.113 0.063 0.127 0.128
2 Netcetera Windows Server 2012 0:00:00 0.000 0.056 0.084 0.168 0.168
3 Datapipe Linux 0:00:00 0.004 0.090 0.012 0.024 0.032
4 Qube Managed Services Linux 0:00:00 0.004 0.096 0.038 0.077 0.077
5 EveryCity SmartOS 0:00:00 0.004 0.082 0.066 0.133 0.133
6 Codero Citrix Netscaler 0:00:00 0.004 0.157 0.095 0.228 0.423
7 Swishmail FreeBSD 0:00:00 0.009 0.117 0.063 0.126 0.160
8 XILO Communications Ltd. Linux 0:00:00 0.009 0.190 0.067 0.135 0.135
9 iWeb Linux 0:00:00 0.009 0.125 0.072 0.143 0.143
10 SingleHop Linux 0:00:00 0.009 0.208 0.075 0.152 0.152

See full table

Bigstep had the most reliable hosting company website in March, responding to all of our requests. This is the 13th time that Bigstep has appeared in the top 10 since Netcraft began monitoring its website in March 2013, and the first time it has topped the ranking. Bigstep offers "full metal" cloud services from data centres in the UK and Germany, providing bare metal hosting with the flexibility of the cloud.

Netcetera's website also responded to all of our requests in March, placing second due to a slightly slower average connect time. Netcetera run a carbon neutral data centre on the Isle of Man and offers shared, dedicated and cloud hosting services.

Four websites responded to all but one request in March, Datapipe, Qube Managed Services, EveryCity and Codero. Datapipe is ranked in third place based on its shorter average connect time, having taken one of the top three spots in four of the past five months. Datapipe boasts a 100% Network Uptime Guarantee, and has kept this promise on its own site, with 100% uptime for the past 9 years.

Linux remains the most popular operating system in the top 10 with six of the hosting companies choosing to use the OS for their websites. The four other websites all use different operating systems: Windows Server 2012, SmartOS, Citrix Netscaler and FreeBSD.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

March 2015 Web Server Survey

In the March 2015 survey we received responses from 878,346,052 sites and 5,192,428 web-facing computers. Although the total number of websites fell by 5 million this month, the number of web-facing computers has grown by more than 57,000.

All major web server vendors suffered a loss of hostnames in March, with Microsoft losing the most (8.0 million), while Apache lost 5.3 million and nginx lost 2.9 million. Each also suffered a small loss in market share as a result of an increase in sites with missing server banners, and an unknown vendor, GSHD. However, many of these sites could still be using IIS, as they have previously been seen running IIS/6.0, and are still using Windows Server 2003 this month.

In terms of web-facing computers, all major server vendors showed absolute gains this month. Microsoft experienced the largest gain of 23,000 computers, breaking its recent declining trend with a small increase in market share to just over 30%. Apache and nginx experienced gains of 16,000 and 13,000 respectively. Apache's gain was not enough to increase its market share, however, which fell by 0.22 percentage points; nevertheless, it is still the most commonly installed web server, used on nearly 47% of all web-facing computers in the world.

More than 500 new generic top-level domains have been delegated since 2013, and many of these have shown promising growth. With so many new top-level domains to choose from, there are now more opportunities than ever for fraudsters to register deceptive domain names. Some phishing attacks have already made good use of the new gTLDs by hosting their fraudulent content on domains such as battlelogin.xyz and appleitunesprofile.club.

.xyz was the most commonly used new gTLD for phishing attacks during the previous month. In total, Netcraft blocked 239 phishing attacks across 39 distinct .xyz domains. Judging by their names, and the lack of legitimate content anywhere else on these sites, most of these domains appear to have been registered specifically for the purpose of fraud, rather than belonging to existing sites that had been compromised.

ICANN requires gTLD registries to agree to deal only with registrars that prohibit end-users from carrying out nefarious activities such as phishing, malware distribution and copyright infringement. However, each registry maintains its own safeguards, meaning that some are better than others at proactively defending against fraud.

Total number of websites

Web server market share

DeveloperFebruary 2015PercentMarch 2015PercentChange
Apache342,480,92038.77%337,175,53638.39%-0.38
Microsoft253,484,22128.69%245,496,53327.95%-0.74
nginx130,093,89914.73%127,191,69614.48%-0.25
Google20,238,0572.29%20,097,7022.29%-0.00
Continue reading

Web security company inadvertently aids HMRC phishing attack

Web security company M86 Security Labs, which is now part of TrustWave SpiderLabs, is inadvertently helping fraudsters to carry out phishing attacks against HM Revenue & Customs.

The text within this HMRC phishing email is actually represented by a PNG image, which is loaded directly from the M86 Security Labs website.

The text within this HMRC phishing email is actually represented by a PNG image, which is loaded directly from the M86 Security Labs website.

The spoof emails involved in the ongoing attack look practically the same as many previous HMRC phishing emails — and that's because the content within the email body is being served directly from the M86 Security Labs website. The emails simply display a PNG screenshot of an email that was featured in a 2010 blog post by M86 Security Labs, which warned potential victims about an HMRC phishing attack.

Ironically, the screenshot featured in that blog post is now being used as a key component of the current attacks against taxpayers.

The HTML source of the email body.

The HTML source of the email body, which displays the 24kb image from the M86 blog post.

The image as it was intended to be shown on the M86 Security Labs blog.

The image as it was intended to be shown on the M86 Security Labs blog.

Clicking anywhere on the image in the phishing email takes the victim to an HMRC phishing site hosted in Turkey. This initially prompts the victim to enter their email address, full name and date of birth, before a subsequent page asks for even more information, including the victim's postal address and card details.

hmrc-phishingsite

Fake HMRC tax refunds remain a popular ruse. Netcraft blocked 1,150 HMRC phishing sites last month alone, and notably discovered one hosted under the trusted gov.uk domain in 2009.

Most Reliable Hosting Company Sites in February 2015

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Datapipe Linux 0:00:00 0.009 0.092 0.012 0.025 0.033
2 EveryCity SmartOS 0:00:00 0.009 0.079 0.068 0.135 0.135
3 Qube Managed Services Linux 0:00:00 0.019 0.099 0.038 0.077 0.077
4 Host Europe Linux 0:00:00 0.019 0.145 0.075 0.175 0.175
5 XILO Communications Ltd. Linux 0:00:00 0.023 0.201 0.075 0.144 0.144
6 Netcetera Windows Server 2012 0:00:00 0.028 0.060 0.091 0.177 0.177
7 CWCS Linux 0:15:18 0.074 0.196 0.106 0.192 0.193
8 Hivelocity Hosting Linux 0:00:00 0.098 0.129 0.099 0.196 0.196
9 Anexia Linux 0:00:00 0.102 0.398 0.097 0.191 0.191
10 Aruba Windows Server 2012 0:19:23 0.121 0.146 0.088 0.206 0.207

See full table

Datapipe had the most reliable hosting company site in February, with just two failed requests. Datapipe recently acquired cloud hosting company GoGrid, claiming that GoGrid's technology will allow its customers to quickly and easily deploy big data services, such as NoSQL databases. The acquisition also gives Datapipe three new data centres located in Amsterdam, North Virginia and San Francisco, bringing the total number of data centre locations to ten.

EveryCity followed closely in second place, with the same number of failed requests as Datapipe but with a slightly longer average connection time. EveryCity's managed hosting customers receive its "elite" service as standard, which guarantees 100% uptime and round the clock support. Netcraft has not observed any outages of EveryCity's site since monitoring began in April 2014, and it has previously been featured in the top ten on six occasions.

In third place, Qube Managed Services had four failed requests. Qube offers a managed private cloud hosting service that provides a secure virtual hosting environment dedicated to individual businesses. This provides the ability to quickly scale capacity up and down according to demand, whilst also ensuring that data is physically segregated between different organisations.

Linux remains the most popular choice of operating system, with seven of the top ten hosting company sites using the OS this month. Netcetera's and Aruba's sites are both served from Windows Server 2012 machines. EveryCity uses SmartOS, an open-source operating system based on OpenSolaris.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.