Temporary & Disposable Email / SMS List

Sometimes it is very useful to have a temporary email address which you will be only using briefly. I admit it, I personally use these disposable email providers because I need to download for example a free whitepaper or register to an online form that I know I won't be using again in the future for a very long time and I don't want to get bombarded with advertising material afterwards (or have my email shared with undisclosed third-parties).

Before I move on telling you about the temporary/disposable email addresses, let me point out another interesting online service that sometimes might come in handy. These are temporary mobile numbers to receive actual text messages (aka SMS). There are websites which allow you to receive an SMS online and won't parse or modify the content. (Yes, this means you can do XSS if you manage to fit your JavaScript code within one SMS.) Basically, the only thing you need to do is to look for the country you want the SMS to be sent to, and pick an available number from the list. 

I am surprised to see that major companies in the information security community don't maintain a black-list of these temporary emails and public phone numbers for SMS messages, at least the same way Google does. Google knows these temporary/disposable email addresses and publicly accessible phone numbers for SMS, and won't allow you to use them when registering for a new gmail account. 

So, I have done the hard work for you. Instead of listing the websites where you can go get a temporary/disposable email (for example, see here or use a search engine), I am listing all the domains being used by these websites that offer temporary/disposable email addresses. (its too much work to list all the phone numbers as well and by the way, these are modified/change too often to put them in a static list similar to the temporary/disposable email domains).

This information is fully up-to-date today (19/Jan/2016) and I will try to update it again as often as it is possible. Of course, if you find any domain used for such purpose which is not on my list, feel free to contact me and I will be happy to update the list. I believe this list is good to be shared among the infosec community, so anyone who might have a domain or domains to add, will be able to do so. 

You can find all these hundreds of domain names in this PDF File. Follow me on Twitter (@drgfragkos) and let me know if you found this list useful. 

A serious bug with SSH that requires immediate action

Two issues have been identified in OpenSSH (CVE-2016-0777 and CVE-2016-0778). Theo de Raadt in a mailing list posting gave us a heads up earlier today. 

More or less, you will need to add the option UseRoaming no to your /etc/ssh/ssh_config (or your user's ~/.ssh/config) file, or start your SSH client with -oUseRoaming=no included on the command line. Adding the option to the config file can be done with a single command:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

This is a basically a workaround until you are able to patch all affected systems. 

First Patch Tuesday for 2016

The new year brought a set of new patches for the vulnerabilities identified in the Microsoft product family. I know there is no point saying it once more but for those who need to hear it, make sure you patch your systems as soon as possible! :

See here: https://technet.microsoft.com/en-us/library/security/mt637763.aspx

MS16-010	Security Update in Microsoft Exchange Server to Address Spoofing (3125573)	Microsoft Exchange
MS16-008	Security Update for Windows Kernel to Address Elevation of Privilege (3124605)	Microsoft Windows
MS16-007	Security Update for Microsoft Windows to Address Remote Code Execution (3124901)	Microsoft Windows
MS16-006	Security Update for Silverlight to Address Remote Code Execution (3126036)	Microsoft Developer Tools & Software
MS16-005	Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584)	Microsoft Windows
MS16-004	Security Update for Microsoft Office to Address Remote Code Execution (3124585)	Microsoft Office
MS16-003	Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540)	Microsoft Windows
MS16-002	Cumulative Security Update for Microsoft Edge (3124904)	Microsoft Edge & Microsoft Windows
MS16-001	Cumulative Security Update for Internet Explorer (3116180)	Internet Explorer & Microsoft Windows

SSH vulnerability in Fortinet Fortigate products

It was stated that an SSH "backdoor" was identified in Fortinet Fortigate products and the proof-of-concept source code was posted on the Full Disclosure mailing list. 

See here: http://seclists.org/fulldisclosure/2016/Jan/26

Fortinet released a brief statement regarding the issues found with FortiOS on January 12, 2016. The brief statement says that the issue that was recently disclosed publicly was resolved and a patch was made available in July 2014. 

Fortinet stated that: "This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

Have you heard of "Cyber Insurance"?

The Cyber Liability Insurance Cover (CLIC) or otherwise referred to as cyber insurance, is a market that grew significantly in 2015. One of the main factors that contributed significantly to this growth is the constant increase of threats in the cyber space and more specifically the high profile data breaches that took place during the past years. Due to these data breaches companies were taken to court and were forced not only to cover the losses, but to take upon the extra costs for the data breaches as well. In most cases, these additional costs included crisis management, legal costs, reputational damages, engaging in identity theft resolution, credit and fraud monitoring and further technical costs as well.

Under the potential threat of a breach and the inevitable consequences, this has established not only a need but also a demand for a cyber insurance market. This has also been highlighted by a cyber survey conducted by RIMS. The survey showed that 74 percent of the companies without Cyber insurance will be purchasing one within the next two years. Likewise, by 2025 the total annual premiums for stand-alone cyber insurance are projected to grow to $20 billion.