Tuesday, August 12, 2008

New Tool to Automate Cookie Stealing from Gmail, Others

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).


When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).



The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.



As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need to do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.
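For site operators, the check that follows from this is whether every session cookie set after login carries the "secure" designation. The sketch below is an added example, not code from the researcher's tool or from Google; the cookie names, values and the mail.example.com domain are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for the missing "Secure" attribute.
# Cookie names, values and domain are constructed, not real Gmail cookies.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def sent_over_plain_http(attrs):
    """A cookie without Secure is attached to http:// requests as well."""
    return "secure" not in attrs


def audit(headers):
    """Return names of cookies a browser would send over unencrypted HTTP."""
    exposed = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_over_plain_http(attrs):
            exposed.append(name)
    return exposed


# Constructed response headers from an HTTPS login.
# Max-Age=1209600 is the two-week lifetime described above.
SAMPLE_HEADERS = [
    "SESSION_ID=abc123; Domain=mail.example.com; Path=/; Max-Age=1209600",
    "SESSION_ID_S=def456; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "PREFS=lang=en; Path=/; secure",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: missing Secure, will be sent over http://")
```

Any session cookie this reports is readable by someone recording traffic on the same network, no matter how the user originally logged in.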

US June machine tool demand up from year ago

Demand for the machine tools that shape metal for products, such as car engines and refrigerators, rose in June from a year ago, two groups said in a joint report on Sunday.

U.S. June machine tool demand rose 2 percent to $360.43 million from $353.40 million a year earlier in June 2007, the American Machine Tool Distributors' Association (AMTDA) and the Association for Manufacturing Technology (AMT) said in a joint report.

But June demand was virtually unchanged from an upwardly revised $360.30 million estimate for May. May demand was initially estimated at $341.21 million.

In the first six months of 2008, demand for machine tools, which gives a sense of the pace of manufacturing, stood at $2.318 billion, up 15.3 percent from $2.011 billion in the same 2007 period.

"I think everyone is excited that the underpinning for productivity in our economic growth -- manufacturing technology equipment -- continues to grow at double-digit rates through the second quarter," AMT President John Byrd said in a statement.