25 replies to this topic

[CyberPunkGunner]

There is a tool being released by a reverse engineer in two weeks that
steals your authentication data from unencrypted gmail sessions. Go
into your options and turn on "Always use https" to keep your google
account safe.

http://it.slashdot.o...433206&from=rss

excerpt:
A tool that automatically steals IDs of non-encrypted sessions and
breaks into Google Mail accounts has been presented at the Defcon
hackers' conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users
to permanently switch on SSL and use it for every action involving
Gmail, and not only, authentication. Users who did not turn it on now
have a serious reason to do so as Mike Perry, the reverse engineer
from San Francisco who developed the tool is planning to release it in
two weeks.


To change this go to the "Settings" page and go to the bottom and check the "Always use Http" option.

[Spartan 117]

GEEEZ thank you for sharing!!. I use gmail, wait so this tool will let people hack into your account and read your emails or something?

[g-force]

GEEEZ thank you for sharing!!. I use gmail, wait so this tool will let people hack into your account and read your emails or something?

No probably more like send out bad messages and use your account to spam people.

[NerfCrazy]

GEEEZ thank you for sharing!!. I use gmail, wait so this tool will let people hack into your account and read your emails or something?

No probably more like send out bad messages and use your account to spam people.

That and steal personal information such as an address some one emailed you.

[Galaxy613]

Thanks for sharing, I just changed my bookmark and changed that setting.

[Aimless]

Thanks for the heads up.

[Blacksunshine]

Great info. Good looking out. But I thought as soon as you logged in it automatically put you in HTTPS mode. I will have to look more closely when I next log in. But yes to those that are wondering if someone has access to your email they can send your passwords from your online banking and Ebay and paypal and other important sites and have full access to your important data. And possibly access to your financial accounts.

[VACC]

NOT MY G-LIFE!!!!!!

Thanks for the heads up. It's very much appreciated.

[Talio]

Done. Thank you sir.

Talio.

[nerfsharpie6]

Thanks for the heads-up.

The whole point of and encrypted or "secure" server is to provide basic security for people who don't want an open area connection to be eavesdropped on (port listening). They can be cracked, hacked and broken down by people who know what they are doing. Its just to provide temporary security for temporary connections to their secure network or server. I personally encrypt all files in and out of my computer to prevent a third party from snagging information.

Blacksunshine: It does put you into HTTPS mode only until you enter your inbox. If you didn't turn it off you get a message asking if you would like to show all insecure items on the page (adverts,scams,spam pics.)

[Blacksunshine]

Blacksunshine: It does put you into HTTPS mode only until you enter your inbox. If you didn't turn it off you get a message asking if you would like to show all insecure items on the page (adverts,scams,spam pics.)

Just logged in and noticed that.
And changed settings so that it always uses HTTPS.

[One Man Clan]

Not to highjack the thread, but has anyone else who uses Google for everything and Firefox for browsing seen the Google Redesign add-on for Firefox?

It can be found here: https://addons.mozil...efox/addon/8434

Check it out. It makes gmail and google calendar look much cooler. Just thought I'd mention it here. Also, change your https setting like CPGunner pointed out.

[keef]

Thanks for this, I use google for everything, can't have that get messed up...

OMC- I like the addon, thanks!

[Thom]

I'm meh on the redesign. It doesn't seem to improve the interface in a significant way. Nothing wrong with plain skins, though.

[serpent sniper]

Thanks for the heads up with the security issues.

OMC, awesome addon. The theme is very similar to my firefox skin, and my IM client's skin. Everything is nice and unified.

More google related thread hijacking:

Anyone else use digsby? It's a cool IM client that can do a lot of stuff. It combines all of your IM services, and can alert you if you get emails or messages on a social networking site. I use it and like it a lot. It keeps me from compulsively checking my gmail accounts and facebook.

It has a couple downsides though, no AIM chatroom support (yet at least) and doesn't work with just any email address. So far they support Gmail, AOL, IMAP, and POP accounts. I can't make it check my campus email (which opens in a web version of outlook), but I'm no email expert.

Just thought I'd share.

[Rambo]

There is a tool being released by a reverse engineer in two weeks that
steals your authentication data from unencrypted gmail sessions. Go
into your options and turn on "Always use https" to keep your google
account safe. To change this go to the "Settings" page and go to the bottom and check the "Always use Http" option.

Thanks for the heads up.

Not to highjack the thread, but has anyone else who uses Google for everything and Firefox for browsing seen the Google Redesign add-on for Firefox?

When I saw that I was reminded of Blackle. I figured they put it out, but I don't see any tie to them.

Anyone else use digsby? It's a cool IM client that can do a lot of stuff. It combines all of your IM services, and can alert you if you get emails or messages on a social networking site. I use it and like it a lot. It keeps me from compulsively checking my gmail accounts and facebook.

Aside from social networking messages and emails, I think Trillian Astra will be eons ahead of digsby once it's finally released. Plus, I've tried to install digsby on four machines and it was only successful on one of them.

[Dr Rockzo]

I use gmail, and this is interesting. This reminds me of when Miley Cyrus's gmail account got hacked haha.

[digitalkid]

Ahh, DefCon. A hacker's heaven. Thanks for the heads-up. Now I want to check out that tool, just for curiosity.

Even though I don't use Google for everything, just search and Gmail, it's not gonna bother me if I turn on https for Gmail. Might as well.

Thanks for posting this!

[Killzor]

Thanks dude. I probably never would've noticed that without you pointing it out.

[AssassinNF]

There is a tool being released by a reverse engineer in two weeks that
steals your authentication data from unencrypted gmail sessions. Go
into your options and turn on "Always use https" to keep your google
account safe.

http://it.slashdot.o...433206&from=rss

excerpt:
A tool that automatically steals IDs of non-encrypted sessions and
breaks into Google Mail accounts has been presented at the Defcon
hackers' conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users
to permanently switch on SSL and use it for every action involving
Gmail, and not only, authentication. Users who did not turn it on now
have a serious reason to do so as Mike Perry, the reverse engineer
from San Francisco who developed the tool is planning to release it in
two weeks.


To change this go to the "Settings" page and go to the bottom and check the "Always use Http" option.

Am I missing something? This guy created a tool that hackers can use to hack into peoples e-mail, steal personal information, and possibly even use it for identity theft. We know his name and where he lives, and he's not being arrested/sued/etc? Is there really no law that can stop people like him?

I'm definitely no expert on the legal system, but I just think it seems strange that hackers can get away with this shit.

Thanks for the heads-up.

[Aimless]

As long as he claims that it was just an experiment and not for doing illegal things he'll be fine.

Edited by Aimless, 31 August 2008 - 11:03 PM.

[nerfsharpie6]

Hacking by any sense of the word is not illegal. Its when the hacker steals personal information for unlawful gains does it then become illegal. Conventions like defcon, are legal gatherings of like minded people to discuss their hobby, or even job. The media has slandered, and dirtied the word, to twist it to their meaning to scare people. The real definition of a "hacker" is a person who believes in the free trade of all media. Its only when some one steals something from a computer do they become the bad guy.

[boisie]

Am I missing something? This guy created a tool that hackers can use to hack into peoples e-mail, steal personal information, and possibly even use it for identity theft. We know his name and where he lives, and he's not being arrested/sued/etc? Is there really no law that can stop people like him?

I'm definitely no expert on the legal system, but I just think it seems strange that hackers can get away with this shit.

Thanks for the heads-up.

Are you a retard? Hacking is in no means illegal. Until you steal information, you are on legal turf. People even get paid to hack into networks, for security measures. I'm now going to refer you to HackaDay.com and have your search for Defcon. Also, check out Hackthissite.org. Very fun little site.

Also, the creator is not the one to arrest. The skiddies are.

Edited by boisie, 01 September 2008 - 04:22 PM.

[AssassinNF]

Am I missing something? This guy created a tool that hackers can use to hack into peoples e-mail, steal personal information, and possibly even use it for identity theft. We know his name and where he lives, and he's not being arrested/sued/etc? Is there really no law that can stop people like him?

I'm definitely no expert on the legal system, but I just think it seems strange that hackers can get away with this shit.

Thanks for the heads-up.

Hacking is in no means illegal. Until you steal information, you are on legal turf. People even get paid to hack into networks, for security measures. I'm now going to refer you to HackaDay.com and have your search for Defcon. Also, check out Hackthissite.org. Very fun little site.

Also, the creator is not the one to arrest. The skiddies are.

He's created something specifically for the purpose of stealing information. I know he can't really be arrested or anything, but I still think it's bullshit.

I never said hacking was illegal. I said hacking specifically for the purpose of allowing others to steal information should be illegal.

[analogkid]

By releasing this tool, not only is he allowing internet criminals steal your stuff, he is allowing people to use the tool to come up with a fix. You can't fix something until you know how its broke.