Posts Tagged ‘Gmail’

Wi-fi Hacking and Grabbing Your Cookies

Things just get worse and worse for mobile users who take advantage of cheap or free wireless hotspots. This attack involves the cookies that websites use to keep users' information so they don't have to log in every time they visit; Gmail is a great example and the one they used to demonstrate how easy it really is.

Prior to the demonstration, which involved the live hijacking of a Google mail account (GMail), many sites were thought to be safe because they encrypted the data swapped back and forth when people login.

However, Mr. Graham carried out his attack on the unencrypted cookies, tiny text files, many sites use to identify people that regularly return.

The tools created by Mr. Graham, called “Hamster” and “Ferret”, watch the traffic flowing in and out of public wi-fi hotspots and let attackers grab cookies as they are passed back to people logging in to their webmail or social network account.

Using the cookie an attacker could pose as a victim and enjoy almost the same level of access to an account as its rightful owner. Source: Warning of webmail wi-fi hijack

I will check out the tools myself and see how easy it is to do; I doubt they are available anywhere yet, but I have not searched for them. Hopefully, most sites that use cookies in this way will at least ask for a password should the hacker try to change your information, such as your password, etc. If you have a VPN for your work, you should definitely connect to it before using any wireless hotspot or any unsecured wireless network, as that will encrypt the data flowing and keep the hackers from being able to use it. When using Gmail, some extra protection can be had by starting at https://www.gmail.com as that is a secure connection; I'm not 100% sure if it will completely block it as of yet, opinions are definitely varied.
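As an added example (not code from the post or from the Hamster/Ferret tools), here is the check a site operator or auditor can run: parse the Set-Cookie headers a server returns and flag session cookies that lack the Secure attribute, since a browser will send such a cookie on any plain http:// request to the domain, where a hotspot sniffer can read it even when the login itself went over HTTPS. The sample headers and cookie names are constructed, not real Gmail cookies.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers (not real Gmail cookies). The first is
# the kind of session cookie a hotspot sniffer can capture; the second is hardened.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Aug 2007 00:00:00 GMT",
    "SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Domain=.example.com; Path=/",
]

# Name fragments that usually mark a login session cookie (heuristic, assumed).
SESSION_NAME_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lowercase attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return cookie


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per weak cookie; an empty list means nothing to report."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        is_session = bool(SESSION_NAME_HINT.search(c["name"]))
        kind = "session" if is_session else "non-session"
        if "secure" not in c:
            # Without Secure the browser sends the cookie over plain HTTP too, so an
            # unencrypted hotspot exposes it regardless of an HTTPS login page.
            findings.append(f"{c['name']}: missing Secure ({kind} cookie)")
        if is_session and "httponly" not in c:
            findings.append(f"{c['name']}: session cookie readable by script (missing HttpOnly)")
    return findings


if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_HEADERS):
        print(line)
```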

Posted by Jimmy Daniels - August 3, 2007 at 7:00 pm

Categories: Security, Wireless

Security Roundup

Some interesting security related stories.

U.S. Database Exposes Social Security Numbers

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Google draws privacy complaint to FTC

“Google’s proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world,” the complaint reads. “Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects.”

This one could potentially be big. Consider the data that Google collects from the browsing habits of people using their toolbar, the information they gather from people searching their site(s), the data they collect from their ads on a major portion of the internet, the data they collect from their online programs like Gmail, Google Docs & Spreadsheets, etc., the data they collect from people using Google Checkout, and the data they collect from YouTube and all of the embedded videos: if this data is used by people working for Google or by someone who is able to access it from the outside, the amount of information they could compile and use on people is, I am sure, staggering.

A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

Depends on your definition, I guess. Sitting there with nothing running, no one could get into them; on the second day, they sent contestants URLs via email and one hacker was able to exploit a vulnerability in Safari and open a back door that gave him access to everything. While they did not crack the OS itself, they did crack a tool that many people use on such a system; it’s the same as all of the IE vulnerabilities that get exploited, though they certainly have the better track record over Windows. Here is more from ZDNet.

MacBook Pro hijacked with Safari zero-day

Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful’s belief that the machines are impenetrable. Dai Zovi, a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.

Seeing through walls

Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.

ISP Kicks Out User Who Exposed Vulnerability; Doesn’t Fix Vulnerability

Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven’t bothered to fix the vulnerability — despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can’t find any evidence that anyone ever used the vulnerability, he must have discovered it by “illegal” means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he’s not allowed to talk about its legal threat to him — which isn’t actually legally binding. It’s not clear if the ISP doesn’t understand what it’s done or simply doesn’t want to fix the vulnerability.

Interact with the security community

CanSecWest, the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.

1 comment - Posted by Jimmy Daniels - April 21, 2007 at 4:39 am

Categories: Security

Is Google TV for Real?

Google TV
I’ve just been reading about this whole Google TV thing that has been going on, where this guy named Mark Erickson, in a video from Infinite Solutions, shows you how to get an invite to the next big beta from Google, Google TV. It’s a pretty good hoax for lots of reasons: Google bought YouTube, Google wants to own all forms of advertising so they will get to TV sooner or later, and as more quality content is created online they will be able to translate that over to TV, and soon we will be watching TV on the Internet and the Internet on TV. Both videos that were created by them are high quality, especially the second video, as it actually looks like he is accessing a Google TV site. Both videos are below. Is it real? Probably in some other form, but this is one well done hoax and should get an A for effort at least.

Now watch the second video here; it looks to me like they created a movie and he is operating the mouse and keyboard as if he is controlling the computer. Notice how they don’t show his hands and the movie at the same time, and they even went as far as to show him entering the wrong password once because he is nervous. He even grabs the monitor once and moves it around and says there is no way he can fake this; he’s not ILM, Industrial Light & Magic.

It would be very easy to fake the address in the IE address bar, and as people noted at TechCrunch, there are no DNS entries for tv.google.com. They have another video of a guy who says he copied every link and emailed all of them to himself and it worked for him on the 114th try, hehe. This is starting to sound like a poor man’s DoS attack: by getting thousands of people emailing themselves multiple times and logging in and out many, many times, it overloads their servers. Several times tonight I have received errors because Gmail was unable to perform an operation.

This just gets better and better. New video found via CenterNetworks “confirming” the accuracy of the hoax. This guy says he got it to work on his 114th login, after copying numerous links on the Gmail settings page. Source: Google TV – An Elaborate Hoax

Google Blogoscoped has got the official word from Google, just in case you had some doubts left in your mind.

Alas, Mark’s “Google TV beta” is simply a figment of his fertile imagination. But great entertainment for all of us here at the Googleplex. Source: Google TV (Hoax)

I admit I tried it and logged into Gmail probably 30 times just to make sure before I posted, so I was part of the problem as well. Erik even has another “great video” called How to Increase Your Wi-Fi Signal where he tells us to wrap an Ethernet cable around a cell phone and plug the other end into your computer and it will boost your wifi signal, and, he adds, you can coat a salad bowl with aluminum foil to get an even better signal, two whole bars better, hehe. That Erik, he sure is funny.

Posted by Jimmy Daniels - January 30, 2007 at 5:18 am

Categories: Google, YouTube