Poisoned by the Venom: Silicon Snake Oil:Vol 1 BigString

People often ask me what it is that ErrataSec does. Outsourced security research doesn’t seem descriptive enough for most people. Well basically companies like ISS, eEye, and iDefense have research teams. These are groups of people that can take a product apart and then detail the problems of them. This doesn’t mean just finding buffer overflows; sometimes it means there are simple things like architecture problems. We are basically a research team for hire.

I have the perfect example of what we do. It’s a rather simplistic example and I assure you more examples are forthcoming in a new blog series called “Poisoned by the Venom: Silicon Snake Oil”. This will be a monthly series where we will attempt to impart some wisdom to our readers about how to logically analyze a vendor claim and evaluate a product. This series is starting off rather simply with me starting my day with my trusty RSS reader. I came across an article on Gizmodo that catches my eye.

http://gizmodo.com/gadgets/software/bigstring-recallable-email-send-naked-vidmail-to-the-boss-with-confidence-228926.php

It’s a service that claims email that is recallable or that it can be forced to expire. Knowing what I do about how email works it doesn't mean the message that gets delivered will be deleted, that would mean that a 3rd party source can delete emails on an arbitrary server. That’s not how email servers work. So before looking at the service at all I have a feeling that what will happen is the contents of your email will be stored on their webserver and when it’s recalled or expired the content is just removed. This would mean that the message you receive on your email server is really nothing more than an HTML message that links back to the hosted content that contains your message. This is already a problem for people that don’t receive html email or don’t have html enabled email clients.

So I went to the site and signed up for an account. The first clue that this really isn’t a security oriented service is that using a typical password for me that contain uppercase, lowercase, and alphanumeric characters I get a message that my password is to long. If I were worried about security this would worry me because it would be easy for someone to bruteforce my account.

After creating a few emails my initial thoughts were correct. When you send an email that is “recallable” all that happens is that your text is turned into an image. This in theory would help with the problem of people copying or forwarding your email because they can’t just cut and paste your text. On top of that the image is hosted on the Bigstring servers. When I click to “recall the email" all that happens is the image of my text is replaced with a blank image. This has the same problem that most DRM stuff has, the simple problem that has been overlooked. Most audio DRM can be defeated by just plugging the headphone jack of one machine to the input jack on another.

To defeat the “recallable” option all someone needs to do is press print screen before the message is expired. This isn't really an ingenious or sneaky trick, it should be common sense. Below are before and after pics of the same message; there really isn’t much a company can do about disabling the print screen button so the “recallable” feature of the email service really isn’t useful.

The next edition will target two factor auth systems that claim to stop ID theft.