***Googlemail users****warning****

#1
Just checked mine & they were'nt checked! 8O

If you use Gmail, you will want to doublecheck a setting in your account. Once you log in, go up to settings, and look to the bottom of the page...




is what you want to see. New tool unveiled at DefCon this weekend showed an automated way to steal your password if you don't have that security setting on.

Read more?
Washington Post

Spike
 
#4
nice on the heads up but i knew that one has been doing the rounds a bit, must try to post more things like that thanks for the reminder
 

ugly

LE
Moderator
#6
What happens if neither boxes are ticked?
 

ugly

LE
Moderator
#9
ugly said:
What happens if neither boxes are ticked?
Well please some advice lads?
 

Sixty

ADC
Moderator
Book Reviewer
#10
ugly said:
What happens if neither boxes are ticked?

Probably nothing but ticking it takes away a potential vulnerability if someone malicious fancied a go at hacking your account.
 
#11
Here you go Ugs.

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).


When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).



The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.



As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your
session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.



Not incidentally, there are multiple free tools that people can use to view all Internet traffic flowing across a wired or wireless network and arbitrarily inject images, links and other data into any Web traffic transmitted on the network. While this attack may be more typically executed on a wireless network, Dan Kaminsky's now-famous DNS bug could let attackers do this on a much, much larger scale, by corrupting an entire ISP's network.



To put this attack in perspective, consider the following scenario. You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment's network sees that you've requested a new Web page and appends a tiny image at htp://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.



If this weren't enough, Mike Perry, a reverse engineer for San Francisco based Riverbed Technologies, debuted a software tool at the Defcon hacker conference that automates this cookie-stealing method for Gmail, as well as a number of other Internet heavyweights that he says are similarly vulnerable.



"Web sites can say, 'Only transmit cookies for the https:// version of these image elements, but Gmail, Facebook, Amazon and a whole bunch of other sites just don't do this," Perry said.

I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled "Always Use https://". While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection ( https://mail.google.com) into their browser.



Without checking the new "Always Use https://" setting in Gmail, users remain vulnerable to this attack.



"Google did not explain why using this new feature was so important," Perry said. "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not."



Perry said he is currently investigating whether more sensitive targets, such as online banking sites, also may be vulnerable to this kind of attack.



If you're wondering how to best protect yourself when visiting online sites that may or may not force secure cookies, the best advice is to use the "logout" button when you are done using the site, as this will kill the cookie planted by the site.

I'm guessing many sites do not set the secure bit on their session cookies because it saves them money. It will be interesting to see how many sites change their practices within the next couple of weeks. Perry said he plans to publicly release his automated cookie-stealing tool in about two weeks.
 

ugly

LE
Moderator
#12
Mine has neither currently ticked is that a problem and what should I do, also will it feck up all my surfing for porn and online inflatable sheep purchases?
 

Sixty

ADC
Moderator
Book Reviewer
#13
ugly said:
Mine has neither currently ticked is that a problem and what should I do, also will it feck up all my surfing for porn and online inflatable sheep purchases?
Mine was like that too. I just ticked it as it'll have no detrimental effect.

Won't affect either your 'art' surfing or your shopping as it only has relevance to your email program, not your browser.
 

ugly

LE
Moderator
#18
Good thats now done and hopefully all will be as normal. I do resist most changes with tinternet thingy as they usually feck things up beyond belief!
 
#19
Is this a problem for all other webmail platforms or is googlemail particularly vulnerable?
 

Sixty

ADC
Moderator
Book Reviewer
#20
It's just Gmail. The attack is specific to the way the Google cookie arrangment works. Everything else wil be fine.
 

Latest Threads