NEWS - October 25, 2012
by Carol~ - 10/25/12 11:33 AM
How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole
It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.
"You obviously have a passion for Linux and programming," the e-mail from the Google recruiter read. "I wanted to see if you are open to confidentially exploring opportunities with Google?"
Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn't seem the likeliest candidate for the job Google was pitching.
So he wondered if the e-mail might have been spoofed - something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail's header information, it all seemed legitimate.
Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.
Continued : http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/all/
Google, Microsoft and Yahoo fix serious email vulnerability
Mathematician exposes weak DKIM keys
CERT Issues Warning After Mathematician Discovers DKIM Flaw
Mathematician Impersonates Google Founder to Point Out DKIM Flaw