Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at:
http://www.mail-archive.com/[EMAIL PROTECTED]/ <A HREF="">ctrl</A> ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om
--- Begin Message ---
-Caveat Lector-
In a message dated 10/30/2004 6:16:39 PM Eastern Standard Time, [EMAIL PROTECTED] writes:
Via NY Transfer News Collective * All the News that Doesn't Fit
sent by Bob Richards
NetLife (Israel) - Oct 29, 2004
http://net.nana.co.il/Article/?ArticleID=155025&sid=10
NetLife Exclusive:
Security hole found in Gmail
An Israeli hacker reveals a security hole in Gmail that allows the
compromise of users' email boxes -- without the need of a password
by Nitzan Weidenfeld, Nana NetLife Magazine
So you've got a Gmail mail account? Or maybe you've just received an
invitation? Well, we have some bad news for you: Your mail box is
exposed. A major security hole in Google's mail service allows full
access to user accounts, without the need of a password.
"Everything could get publicly exposed -- your received mails might be
readable, as well as all of your sent mail, and furthermore -- anyone
could send and receive mail under your name", thus reveals Nir
Goldshlagger, an Israeli hacker, in an exclusive interview with Nana
NetLife Magazine <http://net.nana.co.il/Category/?CategoryID=69&sid=10>.
"Even more alarming", he explains, "is the fact that the hack itself is
quite simple. All that is needed of the malicious hacker, besides
knowledge of the specific technique, is quite basic computer knowledge,
the victim's username - and that's it, he's inside".
When approached, Google admitted to the security flaw. Google also
assured us that this matter is being resolved, and that "the company
will go to any length to protect its users".
The flaw which was discovered by Goldshlagger and was tested many times
by Nana's editorial board had shown an alarming success rate. In order
not to further jeopardize mail boxes' owners, we will only disclose that
the process is based upon a security breach in the service's identity
authentication. It allows the hacker to "snatch" the victim's cookie file
(a file planted in the victim's computer used to identify him) using a
seemingly innocent link (which directs to Gmail's site itself). Once
stolen, this cookie file allows the hacker to identify himself as the
victim, without the need of a password. Even if the victim does change
his password afterwards, it will be to no avail. "The system
authenticates the hacker as the victim, using the stolen cookie file.
Thus no password is involved in the authentication process. The victim
can change his password as many times as he pleases, and it still won't
stop the hacker from using his box", explains Goldshlagger.
Whether hackers have already used this method to compromise users'
accounts is unclear at the moment.
Matters are several times worse when it comes to a service such as
Gmail. Besides the obvious blow to Google's seemingly spotless image,
we're looking here at a major threat to anyone who has turned to Gmail
as his major email box. "Because Gmail offers a gigabyte of storage,
several times bigger than most other web based mail services, users
hardly delete any old correspondence", says Goldshlagger. "The result is
a huge amount of mail accumulating in the users' boxes, which frequently
include bank notices, passwords, private documents and other files the
user wanted to back up. Whoever takes hold of this data could
literally take over the victim's life and identity".
Ofer Elzam, a security expert for "Aladdin <http://www.ealaddin.com/>",
who examined the security hole at Nana's Netlife request, explains:
"This is a major threat, for the following reasons: First the users
have no way of protecting themselves. Second it's quite easy to carry
out, and third it allows identity theft, which is nothing less than a
serious danger to the victim".
"On the bright side", he adds, "it's a good thing that this hole was
found now, before the service was officially announced and offered to
millions of users world-wide. I reckon it's just a matter of time before
an automatic tool is made, which would allow even the less
computer-savvy people to exploit this hack. The damage, needless to say,
could be huge".
Is there a way, after all, to protect ourselves in the face of this
danger? Elzam does not bear good news on the matter. "The only immediate
solution that comes to mind is not using Gmail to store any messages or
files that might be maliciously used. At least until Google attends to
this problem."
***
The Register - Oct 29, 2004
http://www.theregister.co.uk/2004/10/29/gmail_vuln/
Gmail accounts 'wide open to exploit' - report
By John Leyden
Google's high profile webmail service, Gmail, is vulnerable to a
security exploit that might allow hackers full access to a user's
email account simply by knowing the user name, according to reports.
The security flaw allows full access to users' accounts, with no need of a
password, Israeli news site Nana says. Using a hex-encoded XSS link, the
victim's cookie file can be stolen by a hacker, who can later use it to
identify himself to Gmail as the original owner of an email account,
regardless of whether or not the password is subsequently changed. Following
up a tip from an Israeli hacker, journos from the site confirmed the attack
and verified the exploit with local security firm Aladdin Knowledge Systems.
It's unclear whether the hole has been maliciously exploited. Google
has been notified of the issue and is reportedly working on a fix.
No-one from the company was available to update "The Register" on the
issue at time of going to press.
The Register - Oct 15, 2004
http://www.theregister.co.uk/2004/10/15/google_desktop_privacy/
Google Desktop privacy branded 'unacceptable'
By Andrew Orlowski
Google's Desktop represents a privacy disaster just waiting to happen,
a rival has warned. David Burns, Copernic CEO, says users should know
that the giant ad broker intends to mix public and private queries in
the future, leveraging its key moneyspinning product: contextual
advertising.
"If you lined people and said, 'Stick your hand up if you want Google
to know what pictures you have, and what MP3 files you have,' I don't
think many would." Burns had offered these capabilities to partners
before, but received some pushback.
"Major brands don't want to compromise their reputation. We've offered
this in the past to potential partners, and had a major PC hardware
company and major portals say 'No, we can't do this'", Burns told us.
With the subpoena-happy RIAA getting support from state law
enforcement in its war on copyright infringers, Google represents a
single point of compromise for millions of file traders.
Copernic offers a native Windows search application both as a free
download and as a branded offering to partners, and has toyed with
merging the two before. But it's realized personal archives are very
different to Google's snapshot of the web - and the queries are
different too.
"I don't deny desktop and web on the same page is attractive," he
added. "But we're not going to do it."
Burns was former US chief of FAST, which created the All The Web
search site before selling it to Overture. Yahoo! now owns both.
Google Desktop Search allows users to opt out of sending the company
back detailed usage data, but it isn't possible to firewall it
completely. Much more ominously, reckons Burns, Google's product
manager Marissa Mayer said she expected the private queries to
generate more hits for google.com. Most people, she believed, would
choose to combine personal and web searches resulting in more revenue
for Google's ad business.
"As a result, we will serve more Web results pages and more ads, and
those ads have more chances of getting clicked on. So there will be
incremental Web search revenue from this product," she told the
"Washington Post."
In January, Eric Schmidt said the company's goal was to create a
"Google that knows you". With the addition of personal information,
it's just taken a giant step towards that goal.
*
Search the NYTr Archives at:
http://olm.blythe-systems.com/pipermail/nytr/
To subscribe or unsubscribe or change your settings via the web, visit:
http://olm.blythe-systems.com/mailman/listinfo/nytr
=================================================================
NY Transfer News Collective * A Service of Blythe Systems
Since 1985 - Information for the Rest of Us
339 Lafayette St., New York, NY 10012
http://www.blythe.org e-mail: [EMAIL PROTECTED]
=================================================================
From: [EMAIL PROTECTED]
To: undisclosed-recipients
Subject: [NYTr] Very Nasty Security Hole Found in Google's Gmail
Date: Sat, 30 Oct 2004 12:58:57 -0500 (CDT)
--___________________________________________________________
www.ctrl.org DECLARATION & DISCLAIMER ========== CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance—not soap-boxing—please! These are sordid matters and 'conspiracy theory'—with its many half-truths, misdirections and outright frauds—is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credence to Holocaust denial and nazi's need not apply.
--- End Message ---
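
The forwarded reports say a copied session cookie kept working even after the account's password was changed. The sketch below is an added example, not part of the forwarded articles and not Google's code: it contrasts a cookie check that ignores password changes with one bound to a per-user credential version. `User`, `issue_cookie`, `validate_weak`, `validate_bound` and the cookie layout are hypothetical names chosen for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment MAC key

class User:
    def __init__(self, name, password):
        self.name = name               # assumed to contain no "|"
        self.cred_version = 0          # bumped on every password change
        self.set_password(password, bump=False)

    def set_password(self, password, bump=True):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        if bump:
            self.cred_version += 1     # revokes every cookie issued earlier

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user):
    """Value = name|cred_version|nonce|MAC; set it with Secure and HttpOnly
    so page script (for example injected via XSS) cannot read it."""
    payload = f"{user.name}|{user.cred_version}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"

def validate_weak(cookie, users):
    """Models the reported behaviour: any cookie we once issued stays valid."""
    payload, _, mac = cookie.rpartition("|")
    return hmac.compare_digest(mac, _sign(payload)) and payload.split("|")[0] in users

def validate_bound(cookie, users):
    """Hardened check: cookie must match the user's current credential version."""
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac, _sign(payload)):
        return False
    name, version, _nonce = payload.split("|")
    user = users.get(name)
    return user is not None and version == str(user.cred_version)

def demo():
    users = {"alice": User("alice", "old-password")}  # constructed sample account
    copied = issue_cookie(users["alice"])             # cookie copied by a third party
    users["alice"].set_password("new-password")       # owner changes the password
    fresh = issue_cookie(users["alice"])              # owner signs in again
    return (validate_weak(copied, users),             # True: copy still accepted
            validate_bound(copied, users),            # False: copy revoked
            validate_bound(fresh, users))             # True: new session works
```
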
