Get Ready For Google Gadget Malware

“Gmalware” may be coming soon to your iGoogle page.

In two weeks, at the Black Hat Conference on Wednesday, Aug. 6, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as “RSnake,” plan to demonstrate a zero-day vulnerability that affects Google Gadgets.

“At the core of the talk is the concept of Gmalware, which is basically a malicious gadget,” said Stracener. “The idea is that gadgets are supported by the gmodule domain and security architecture. And with the current security architecture, it doesn’t protect individuals from malicious gadgets very well. Nor does it protect gadgets from one another.”

Google Gadgets, said Stracener, are vulnerable to information theft, deceptive practices, content spoofing, and authentication issues.

A Google Gadget, for example, can log you into an account without your knowledge and monitor your Google Search queries, Stracener explained. It can also be made to attack another Google Gadget and steal information.

No malicious Google Gadgets have been spotted in the wild yet. Once details about the vulnerabilities emerge, however, that may change.

Source:
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=209601064

Posted in Internet, Privacy, Security | No Comments

A Safer Gmail With Https

Google added a new feature to Gmail to always use a secure (https) connection. Switch to the settings/ general tab and scroll down to “Browser connection” to see if you got it already (if not, it may still be rolled out for you). While safer, Google in their blog announcement of this also notes it may slow down your Gmail a bit.

Source:
http://blogoscoped.com/archive/2008-07-25-n17.html

Posted in Internet, Privacy, Security | No Comments

Web Form Spam Alive and Kicking

Spammers have never balked at using Web forms as a way of sending out spam messages–anything to expose their wares. Basically they will look for a public Web server that allows them to provide feedback or information to a certain company. These Web forms require them to fill up certain fields with information such as names, phone numbers, email addresses, and–wait for it–even spam messages. Even worse, spammers can also send image spam and/or infected files if the Web form contains a field that will allow them to attach such files. If they have finished filling up the form and submitted it to the Web server, recipients of the Web form will now receive the spam.

Source:
http://blog.trendmicro.com/web-form-spam-alive-and-kicking/

Posted in Internet, Privacy, Security | No Comments

Metasploit Releases DNS Explot Code

Metasploit, the information security research and hack tool kit, created by HD Moore, has released exploit code targeting the DNS Cache Poisoning Flaw, recently revealed by Dan Kaminsky, of DoxPara Research.

Evidently, reported at Wired’s ThreatLevel blog, the code can not be utilized to overwrite the domain name server cache data, however, it will reveal dates of expiry on any pre-cached data, then, according to the blog, idle for a specified time frame prior to completing the exploit.

Source:
http://infosecurity.us/?p=352

Posted in Internet, Networking, Privacy, Security | No Comments

MoocherHunter – Detect & Track Rogue Wifi Users

MoocherHunter™ is a mobile tracking software tool for the real-time on-the-fly geo-location of wireless moochers and hackers. It’s included as part of the OSWA Assistant LiveCD we mentioned quite recently.’

I wanted to mention this tool separately as I think it’s very cool!

MoocherHunter™ identifies the location of an 802.11-based wireless moocher or hacker by the traffic they send across the network. If they want to mooch from you or use your wireless network for illegal purposes (e.g. warez downloading or illegal filesharing), then they have no choice but to reveal themselves by sending traffic across in order to accomplish their objectives. MoocherHunter™ enables the owner of the wireless network to detect traffic from this unauthorized wireless client (using either MoocherHunter™’s Passive or Active mode) and enables the owner, armed with a laptop and directional antenna, to isolate and track down the source.

Because it is not based on fixed or statically-positioned hardware, MoocherHunter™ allows the user to move freely and walk towards the actual geographical location of the moocher/hacker. In residential and commercial multi-tenant building field trials held in Singapore in March 2008, MoocherHunter™ allowed a single trained operator to geo-locate a wireless moocher with a geographical positional accuracy of as little as 2 meters within an average of 30 minutes.

Source:
http://www.darknet.org.uk/2008/07/moocherhunter-detect-track-rogue-wifi-users/

Posted in Hardware, Internet, Networking, Privacy, Security | No Comments