Thursday, April 21, 2011

Insecure Mail Server Offers Chinese Government Accounts To The Masses

Via Threatpost.com -

A security researcher who identified holes in SCADA software used by utilities in China has issued a new warning to that country's CERT about insecure Web infrastructure, including an e-mail server that allows any Web user to create their own Chinese government mail account.

Dillon Beresford, a security researcher at NSS Labs, notified China's Computer Emergency Response Team (CERT) on Wednesday about a hole in the mail server for Guizhou Province that allows any user to create a new mail account and log in to the Provincial government's mail server. The critical hole is just one example of what Beresford said is a public sector Web infrastructure that is rife with vulnerable and insecure applications, despite China's popular reputation as an aggressor in the arena of cyber espionage and cyber warfare.

The vulnerable e-mail server doesn't require users to authenticate to it with a user name and password and lacks proper access controls, Beresford wrote in the e-mail, which was shared with Threatpost. Threatpost verified that the script allows unauthenticated users to create e-mail accounts for the Internet domain for Guizhou Province, which is located in southwestern China, one of the country's coal producing regions.

"The ramifications behind the security hole are extremely serious," he said in an e-mail addressed to China's CERT and official e-mail addresses for the province. "An attacker could represent themselves as an official from the Chinese Government and use the accounts to socially engineer and attack other Government workers in the People's Republic of China," Beresford wrote.

A moderately sophisticated user could also leverage access to the Webmail server to escalate their privileges. Beresford confirmed that the server in question was vulnerable to SQL injection attacks that could give a hacker access to other e-mail accounts, as well.
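As an added illustration (not code from the article, and not the Guizhou server's own code, which Threatpost did not publish), the following Python sketch puts the two failure modes described above side by side: an account-creation script that performs no authentication or access control and builds its SQL from user input, next to a hardened version that requires an authenticated administrator, validates the username against a strict pattern, and uses a parameterized statement. The table schema, the session model, and every name here are assumptions made for the example.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed toy schema standing in for a webmail account table; not the
# Guizhou server's real code, which the article does not show.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{2,31}")


@dataclass
class Session:
    """Who is calling the account-creation endpoint (assumed session model)."""
    user: Optional[str]
    role: Optional[str]


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES ('postmaster', 'admin')")
    conn.commit()
    return conn


def create_account_insecure(conn: sqlite3.Connection, username: str) -> None:
    """The pattern the article describes: no authentication, no access
    control, and SQL assembled by string formatting (the injection surface)."""
    conn.execute(
        f"INSERT INTO accounts (username, role) VALUES ('{username}', 'user')"
    )
    conn.commit()


def create_account_hardened(conn: sqlite3.Connection, session: Session, username: str) -> None:
    """Hardened form: authenticated administrator only, strict input
    validation, and a parameterized statement so input is never parsed as SQL."""
    if session.user is None:
        raise PermissionError("authentication required")
    if session.role != "admin":
        raise PermissionError("only administrators may create accounts")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    conn.execute(
        "INSERT INTO accounts (username, role) VALUES (?, 'user')", (username,)
    )
    conn.commit()


def list_accounts(conn: sqlite3.Connection) -> list:
    return sorted(conn.execute("SELECT username, role FROM accounts").fetchall())


def demo() -> dict:
    """Exercise both endpoints with the same callers and inputs; report outcomes."""
    results = {}
    anon = Session(user=None, role=None)
    admin = Session(user="postmaster", role="admin")
    conn = new_db()

    # 1. Anonymous caller: the insecure endpoint creates the account unconditionally.
    create_account_insecure(conn, "anyone")
    results["insecure_anon_created"] = ("anyone", "user") in list_accounts(conn)

    # 2. Same anonymous caller against the hardened endpoint: refused before any SQL.
    try:
        create_account_hardened(conn, anon, "anyone2")
        results["hardened_anon_refused"] = False
    except PermissionError:
        results["hardened_anon_refused"] = True

    # 3. An apostrophe in the name: string-built SQL fails to parse (sqlite3
    #    raises), the visible symptom of an injection surface. The hardened
    #    endpoint rejects the value at validation instead.
    try:
        create_account_insecure(conn, "o'brien")
        results["insecure_quote_error"] = False
    except sqlite3.OperationalError:
        results["insecure_quote_error"] = True
    try:
        create_account_hardened(conn, admin, "o'brien")
        results["hardened_quote_rejected"] = False
    except ValueError:
        results["hardened_quote_rejected"] = True

    # 4. A legitimate administrator request succeeds on the hardened endpoint.
    create_account_hardened(conn, admin, "clerk.01")
    results["hardened_admin_created"] = ("clerk.01", "user") in list_accounts(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering of the checks in `create_account_hardened` is deliberate: authentication, then authorization, then input validation, then a parameterized write. An unauthenticated request never reaches the database, and even a valid administrator cannot cause user-supplied text to be interpreted as SQL.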
