Green Web Design Project Blog

A blog written by, for, and about the clients, partners, family, and friends of Green Web Design


22 Aug

Apple’s MobileMe plays into hands of spammers

Posted by Green Web Design  Published in Internet Safety, Privacy, Public Awareness, Tech News


Address harvesting all too easy

By John Leyden, 22nd August 2008 11:46 GMT

Apple has inadvertently made it easy for spammers to create a database of MobileMe email addresses.

The issue points to a future of more junk mail for Mac heads. They are already being targeted by MobileMe phishing scams.

The email harvesting issue arises because every MobileMe user gets a public iDisk file-sharing site. These sites have an address tied into a user’s email username. A user can’t hide or delete their public folder and there’s no way to choose what the name will be.

As a result, spammers only need to map the iDisk domain using web crawler tools to extract the entire MobileMe user name list. Taking this username list and simply adding either @me.com or @mac.com will give an email list, TechCrunch reports.

Apple doesn’t see a problem with its system, essentially because it hasn’t received any complaints – yet.

Apple tech support said: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”

The consumer electronics giant’s response smacks of complacency, especially as it comes little over a week after the emergence of a phishing scam targeting MobileMe users. Personal data belonging to hundreds of punters with @mac.com email addresses is being traded in underground forums, credit card protection service CardCops reported. Punters were tricked into handing over these details for phishing emails whose plausibility was increased by earlier problems with the MobileMe service.

MobileMe has ploughed through a field of snafus since its launch on 9 July. Users were blocked from accessing email accounts for more than a week at the end of July and there have been syncing and billing problems, with some European users charged before their trial came to an end, forcing Apple to issue refunds.

Apple responded to these problems by adding 60 days onto the end of every MobileMe subscription.

MobileMe provides an online synchronisation service which includes a bundle of storage, calendar, mail and photo services. It adds support for Outlook and push email to the iPhone to Apple’s previous .Mac services. ®


Tags: Apple, MobileMe, Privacy, Spam


5 Mar

Networks left open to SNMP scans

Posted by Green Web Design  Published in Business News, Internet Safety, Public Awareness, Tech News


By John Leyden, 5 Mar 2008 14:27

Minority of networks leave out welcome mat for hackers

Some sysadmins are leaving their networks open to hacking attack by allowing Simple Network Management Protocol (SNMP) configurations to be read across the internet.

Using SNMP scans, a range of devices including Windows servers, BT Voyager 2000 routers, and HP JetDirect printers might be prompted to cough up username credentials and passwords, according to Adrian Pastor of GNUCitizen.

SNMP is a core component of the internet management architecture and is used in tools such as HP OpenView and CiscoWorks. The protocol is unsecured, but defending against attacks is a simple matter of blocking external SNMP requests at the firewall.

However, a scan of 2.5 million random IP addresses by GNUCitizen revealed that 5,320 (about one in 500) responded to the submitted SNMP requests. Read access to SNMP configuration lets hackers spy on targeted networks.

The security weakness might easily enable hackers to change device configurations using a spoofed IP address – if a valid write community string is identified or cracked. This invasive hacking attack was not tested by the GNUCitizen scan.

Read-only access might be bad news, Pastor notes. “Even if a cracker only gained read access to a device or server via a SNMP community string, sometimes it would be possible to extract sensitive information such as user names and passwords which would eventually lead to a compromise of the targeted systems.” ®
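As an added example (not part of the original article), here is one way to confirm from firewall logs that no outside host is reaching SNMP on UDP port 161, which is the exposure the firewall block is meant to close. The log format, interface names and addresses are constructed for illustration, and the internal ranges are assumed to be the RFC 1918 networks.

```python
import ipaddress
import re

# Constructed sample lines in iptables-LOG-style key=value form.
# Addresses are documentation and RFC 1918 ranges, not real observations.
SAMPLE_LOG = """\
Mar  5 14:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=40112 DPT=161
Mar  5 14:01:03 gw kernel: IN=eth1 OUT= SRC=10.0.0.15 DST=10.0.0.1 PROTO=UDP SPT=51000 DPT=161
Mar  5 14:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=UDP SPT=40113 DPT=161
Mar  5 14:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=44321 DPT=443
Mar  5 14:01:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=UDP SPT=44400 DPT=53
Mar  5 14:01:12 gw kernel: IN=eth0 OUT= SRC=truncated
"""

SNMP_PORT = 161  # SNMP agents answer requests on UDP 161
# Assumption: everything outside these ranges counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"(\w+)=(\S*)")


def is_internal(addr):
    """True if addr is inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk input
    return any(ip in net for net in INTERNAL_NETS)


def external_snmp_sources(log_text):
    """Map each external source IP to the set of hosts it sent SNMP requests to."""
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            if fields["PROTO"] != "UDP" or int(fields["DPT"]) != SNMP_PORT:
                continue
            if is_internal(fields["SRC"]):
                continue  # management traffic from inside the network
            hits.setdefault(fields["SRC"], set()).add(fields["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line: skip it
    return hits


if __name__ == "__main__":
    for src, dsts in sorted(external_snmp_sources(SAMPLE_LOG).items()):
        print(f"{src} reached SNMP on {len(dsts)} host(s): {', '.join(sorted(dsts))}")
```

Any source this reports means the firewall is passing external SNMP requests and the rule set needs tightening.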


Tags: business, Networks, news, security


15 Jan

Most home routers ‘vulnerable to remote take-over’

Posted by Green Web Design  Published in Internet Safety, Public Awareness, Tech News


By Dan Goodin in San Francisco, 15 Jan 2008 04:13

Universal plug and prey

Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless of the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed.

“This is a huge problem,” Adrian Pastor, of the prolific hacking organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to most routers used for home networks so machines running games, instant messaging programs and other applications will work seamlessly with the devices. By exposing an end user to a malicious Flash file lurking on a website, attackers can use UPnP, as the technology is usually called, to make significant modifications to the router.

The most serious change that’s possible is changing the server that PCs connected to the router use to access websites. That might cause a victim trying to access eBay or Bank of America to see spoofed pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim’s router. That would be useful in turning a router into what would amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigateToURL function and URLRequest object specified in Flash, isn’t a security flaw within Flash, the researchers say. Rather, it stems from design flaws in UPnP, which doesn’t use authentication. PCs using virtually any platform and browser will change router settings, as long as they run version 8 or higher of Flash.

Routers made by Linksys, D-Link and SpeedTouch have been confirmed to be vulnerable, and other manufacturers’ products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices.

The vulnerability, which was also discovered by Petko D. Petkov, is explained further here. A FAQ is here. ®


Tags: Internet Safety, news, routers, security
