Google Web History Vulnerable to Firesheep Hack

Google Web History Vulnerable to Firesheep Hack

Two researchers have shown how a modded version of the Firesheep Wi-Fi sniffing tool can be used to access most of a victim's Google Web History, a record of everything an individual has searched for.

The core weakness discovered by the proof-of-concept attack devised by Vincent Toubiana and Vincent Verdot lies with what is called a Session ID (SID) cookie, used to identify a user to each service they access while logged in to one of Google's services.

Every time the user accesses an application, the same SID cookie is sent in the clear, which the Firesheep captures from the data sent to and from a PC connected to a non-encrypted public Wi-Fi hotspot.
Because many of Google's services use HTTPS (Gmail for instance), the attacker has to find a way to get the user to resend this SID. The most direct method is to set up a rogue access point and then use an iFrame to direct the user to a Google service (such as Alerts) that doesn't use an encrypted channel.

The attack also requires that the user has Google Web History tracking turned on. This is the system that keeps tabs of a user's search history and many people are not even aware exists because it is set as during Google's account setup procedure.

Testing the technique against ten volunteers, the researchers were able to retrieve up to 82 percent of the links visited by them during the test period.

The only current defense against this attack is for users to remains signed out of Google while using a Wi-Fi hotspot or to set up a personal VPN. Users could also disable Google Web History or purge its contents.

However, note Toubiana and Verdot also note that, "some issues cannot be addressed by users and require a modification of Google's cookie policy," The major worry remains the expansion of Google's tracking to other types of data in its Google+ service. "As Google is taking steps to include social indicators in result personalization, user's social network could soon be exposed."

Firesheep is a browser-based plug-in published a year ago by security developer Eric Butler to highlight security vulnerabilities in the way cookies for sites such as Facebook and Twitter were being exchanged across open Wi-Fi links without HTTPS turned on. Although not a new issue, Firesheep showed how easy it was to turn the flaw into a simple tool that could be used by any attacker.

DDOS using google servers

Its true google helps everyone.Recently we had killapache dos now we have ddos + proxy with the help of google +
How does DDOS via google+ works?
The vulnerable pages are “/_/sharebox/linkpreview/“ and “gadgets/proxy?“
Is possible to request any file type, and G+ will download and show all the content. So, if you parallelize so many requests, is possible to DDoS any site with Google bandwidth. Is also possible to start the attack without be logged in G+.

Attack vectors:

The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs.
But beware: gadgets/proxy? will send your ip in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/




+DDoS source code download:

http://www.ihteam.net/advisories/_154785695367_+ddos.sh

source

EDIT - This vulnerability have been patched !

26,000 Porn Website Hacked and Password Exposed By LulzSec

Boom!!!!!Notorious LulzSec strikes again.This time the 26,000 users of an  porn website were in danger.The hackers compromised the database of the hardcore website (called "Pron"), exposing not only the email addresses and passwords of over 25,000 members but also the credentials of 55 administrators of other adult websites.

LulzSec drew particular attention to various government and military email addresses (.mil and .gov) that appeared to have accounts with the porn website..

To add insult to injury, the LulzSec group called on its many recent Twitter followers to exploit the situation, by logging into Facebook with the email/password combinations and tell the victim's Facebook friends and family about their porn habit.

It should go without saying that logging into someone else's account without their permission is against the law in most countries around the world.

My dear internet users you learned a lesson ?

importance of using different passwords for different websites,This story made you learned i think.The danger is that once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain or, in this case,  embarrassment.

If you believe there might be a chance that your username/password were/being exposed, or if you're simply in the habit of using the same password for multiple websites -My dear readers it is your time to change your habit :)

Problems understanding how to keep good or uncrackable or unguessable passwords ? please let me know i can help you or google it ;)

References 

Nakedsecurity
THN
127.0.0.1

Google to move out of Microsoft's IE7, Firefox 3.5 and Chrome 9

Google to move out of Microsoft's IE7, Firefox 3.5 and Chrome 9

Google will drop support for Microsoft's Internet Explorer 7 (IE7) and Mozilla's Firefox 3.5 browsers for its online apps, including Gmail and Docs.

"Beginning August 1, we'll support the current and prior major release of Chrome, Firefox, Internet Explorer and Safari on a rolling basis," said Venkat Panchapakesan, who heads Google's enterprise engineering team, in a company blog Wednesday. "Each time a new version is released, we'll begin supporting the update and stop supporting the third-oldest version."

By that scheme, Google will stop supporting IE7, Firefox 3.5, Apple's Safari 3 and its own Chrome 9, all which have released two newer versions.

IE7, for example, has been superseded by IE8 and IE9; the same goes for Firefox 3.5, which has been replaced by Firefox 3.6 and Firefox 4.

After Aug. 1, users running those browsers may have trouble with some features in Gmail, Google Calendar, Google Talk, Google Docs and Google Sites. At some point, those apps may stop working entirely.

"For Web applications to spring even farther ahead of traditional software, our teams need to make use of new capabilities available in modern browsers," said Panchapakesan. "Older browsers just don't have the chops to provide you with the same high-quality experience."

Panchapakesan didn't mention Opera Software's Opera browser in his blog, an omission that prompted many users to leave comments.

"Lack of support for a browser as standards-compliant as Opera is absurd," complained someone identified as "Isildur."

Opera accounts for approximately 2% of all browsers, according to Web measurement company Net Applications, less than one-sixth the share of Chrome and less than one-third that of Safari.

The numerous "where's Opera"-style comments prompted one wag to say, " Wow, every existing Opera user left a comment here."

By Net Applications' statistics, the browsers Google will retire represent a minority of those in use.

Last month, IE7 accounted for 7% of all the browsers used worldwide, said Net Applications on Tuesday. Firefox 3.5 owned an even-smaller share of 1.4%, while Safari 3 accounted for only 0.1%. Altogether, the browsers destined for the dustbin controlled less than 9% of the browser market.

This was not the first time that Google has warned customers and users to upgrade to a newer browser. In January 2010, the search giant said it was dumping Google Docs support for IE6, the Microsoft browser that still accounts for 10.4% of all browsers in use.

Many IE6 users, however, are in China, where the government blocks access to Google's online applications, and with which Google has a contentious relationship.

But while Google and others have stopped supporting the 10-year-old IE6, Google is one of the first online software vendors to drop 2006's IE7 from a support list. Microsoft, for instance, has committed to supporting IE7 on Windows XP until April 2014, and on Vista for three years longer.

Panchapakesan urged people running one of the browsers on Google's kill list to upgrade to a newer edition.

The end-of-support plan for Google Apps will not disrupt access to its search site using older browsers

Detecting Google hacking against your Website

Google or other search engines have been used for many purposes such as finding useful information, important websites and latest news on different topics, Google index a huge number of web pages that are growing daily. From the security prospective these indexed pages may contain different sensitive information.

Google hack involves using advance operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications.
GHH is a “Google Hack” honeypot. GHH is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources so it implements honeypot theory to provide additional security to your web presence.
To install the Google Honeypot on your website you follow the install instructions. This allows you to monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allows you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be-attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.

Detecting Google hacking against your Website

Google or other search engines have been used for many purposes such as finding useful information, important websites and latest news on different topics, Google index a huge number of web pages that are growing daily. From the security prospective these indexed pages may contain different sensitive information.

Google hack involves using advance operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications.
GHH is a “Google Hack” honeypot. GHH is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources so it implements honeypot theory to provide additional security to your web presence.
To install the Google Honeypot on your website you follow the install instructions. This allows you to monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allows you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be-attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.

Android Trojan Highlights Risks of Open Markets

Android enthusiasts have long championed Google’s “open” philosophy towards the smartphone platform. The recent appearance of a new Trojan horse in unofficial Android app venues, however, may cause users to think twice about how open they want the platform to be.

The app in question, Android.Walkinwat, appears to be a free, pirated version of another app, “Walk and Text.” The real version is available for purchase in Google’s official Android Market for a low price ($1.54).

If you download the fake app (from unofficial markets for Android apps) and install it, it redirects you to the actual app on the Android marketplace — but in the background, it sends the following embarrassing SMS message to your entire phone book:

Hey,just downlaoded [sic] a pirated app off the internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck. Dont steal like I did!

Egregious spelling and grammatical errors aside, the text message serves as a reminder of the risks to those willing to go outside of the official Market for apps.

“Someone downloaded the app, inserted their malware, and uploaded it onto other non-official marketplaces,” Symantec mobile team product manager John Engels told Wired.com in an interview.

In other words, if you go outside the official Market, things may not be what they seem, and there’s no guarantee that what you download is what you actually want.

Google maintains clear content policies on all apps that are uploaded to the official Android Market, and developers know well enough in advance what those policies are, and how not to break them. Whenever an app in clear violation of Google’s policies shows up in the Market — like, say, a piece of malware — Google’s Android engineers are often quick to quash it.

But if you’re not one for pesky rules and regulations and want to see what the non-Google-sanctioned markets have to offer, all it takes to access them on an Android device is for you to uncheck a box on a settings page, allowing your phone to install apps from “unknown sources.”

To a certain degree, this isn’t a huge issue for the novice user. Many outside applications are hosted on file sharing websites that users like your grandmother probably aren’t frequenting. And unless they’ve tried to install these outside applications by sideloading them, they’ve probably never unchecked the unknown source’s permissions box to begin with.

But last week’s debut of Amazon’s new App Store may have changed that. In order to install Amazon’s App Store on an Android device, you first must uncheck that permissions box. While there may be no immediate risks associated with downloading apps from Amazon’s App Store, it opens the door for users to allow other unofficial — and therefore riskier — apps to be installed on their devices, from other sources.

“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” security researcher Charlie Miller told Wired in a previous interview.

“The threat will persist so long as people continue to download pirated software from peer-to-peer networks,” Webroot threat research analysts Armando Orozco and Andrew Brandt told Wired.com.

They say sticking to the Android Market is your safest bet, but if you’re still compelled to go outside the official box for your apps, whether it be to Amazon’s App Store or another unofficial market, you should “scrutinize the permissions the App requests, and don’t install it if it wants access to certain functions (like the ability to send SMS messages) that the app shouldn’t need to access.”

But doesn’t staying within the confines of the Android Market defeat the purpose of choosing a platform with such an “open” philosophy? If you want a stricter, closed system with stringent regulation on its apps via a review process, you might as well buy an iPhone.

“Android users enabling sideloading doesn’t necessarily lead to piracy or installation of apps from unsafe sources,” says Alicia diVittorio, a spokewoman for Lookout Mobile Security. “In fact, it’s great to have another source for consumers to download apps from a reputable brand like Amazon.”

Indeed, Amazon’s Appstore isn’t a great deal different from Apple’s App Store: Both companies require an intense review and approval process before making any developer’s submitted applications available for purchase.

Essentially, there’s an inherent risk that comes with downloading apps for a device with an attitude of openness like the Android. Even the official Market is susceptible to infiltration by malware, as evidenced by the swath of malicious apps pulled from the store earlier this month.

But in a relatively free and open domain such as Android’s, the risk remains the price of admission.

Android Trojan Highlights Risks of Open Markets

Android enthusiasts have long championed Google’s “open” philosophy towards the smartphone platform. The recent appearance of a new Trojan horse in unofficial Android app venues, however, may cause users to think twice about how open they want the platform to be.

The app in question, Android.Walkinwat, appears to be a free, pirated version of another app, “Walk and Text.” The real version is available for purchase in Google’s official Android Market for a low price ($1.54).

If you download the fake app (from unofficial markets for Android apps) and install it, it redirects you to the actual app on the Android marketplace — but in the background, it sends the following embarrassing SMS message to your entire phone book:

Hey,just downlaoded [sic] a pirated app off the internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck. Dont steal like I did!

Egregious spelling and grammatical errors aside, the text message serves as a reminder of the risks to those willing to go outside of the official Market for apps.

“Someone downloaded the app, inserted their malware, and uploaded it onto other non-official marketplaces,” Symantec mobile team product manager John Engels told Wired.com in an interview.

In other words, if you go outside the official Market, things may not be what they seem, and there’s no guarantee that what you download is what you actually want.

Google maintains clear content policies on all apps that are uploaded to the official Android Market, and developers know well enough in advance what those policies are, and how not to break them. Whenever an app in clear violation of Google’s policies shows up in the Market — like, say, a piece of malware — Google’s Android engineers are often quick to quash it.

But if you’re not one for pesky rules and regulations and want to see what the non-Google-sanctioned markets have to offer, all it takes to access them on an Android device is for you to uncheck a box on a settings page, allowing your phone to install apps from “unknown sources.”

To a certain degree, this isn’t a huge issue for the novice user. Many outside applications are hosted on file sharing websites that users like your grandmother probably aren’t frequenting. And unless they’ve tried to install these outside applications by sideloading them, they’ve probably never unchecked the unknown source’s permissions box to begin with.

But last week’s debut of Amazon’s new App Store may have changed that. In order to install Amazon’s App Store on an Android device, you first must uncheck that permissions box. While there may be no immediate risks associated with downloading apps from Amazon’s App Store, it opens the door for users to allow other unofficial — and therefore riskier — apps to be installed on their devices, from other sources.

“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” security researcher Charlie Miller told Wired in a previous interview.

“The threat will persist so long as people continue to download pirated software from peer-to-peer networks,” Webroot threat research analysts Armando Orozco and Andrew Brandt told Wired.com.

They say sticking to the Android Market is your safest bet, but if you’re still compelled to go outside the official box for your apps, whether it be to Amazon’s App Store or another unofficial market, you should “scrutinize the permissions the App requests, and don’t install it if it wants access to certain functions (like the ability to send SMS messages) that the app shouldn’t need to access.”

But doesn’t staying within the confines of the Android Market defeat the purpose of choosing a platform with such an “open” philosophy? If you want a stricter, closed system with stringent regulation on its apps via a review process, you might as well buy an iPhone.

“Android users enabling sideloading doesn’t necessarily lead to piracy or installation of apps from unsafe sources,” says Alicia diVittorio, a spokewoman for Lookout Mobile Security. “In fact, it’s great to have another source for consumers to download apps from a reputable brand like Amazon.”

Indeed, Amazon’s Appstore isn’t a great deal different from Apple’s App Store: Both companies require an intense review and approval process before making any developer’s submitted applications available for purchase.

Essentially, there’s an inherent risk that comes with downloading apps for a device with an attitude of openness like the Android. Even the official Market is susceptible to infiltration by malware, as evidenced by the swath of malicious apps pulled from the store earlier this month.

But in a relatively free and open domain such as Android’s, the risk remains the price of admission.