Google “gadgets” called gateways for hackers

Posted: August 19, 2008 in Articles

by Staff Writers
Las Vegas, Nevada (AFP) Aug 8, 2008
Hackers turned computer-security specialists accuse Google of setting users up for online disasters by letting them personalize home pages with applications that could be tainted.

Software that hackers can trick people into installing on “iGoogle” home pages can track users’ activities and control their machines, SecTheory chief executive Robert Hansen showed AFP on Friday.

“I could force you to download child porn or send subversive material to China,” Hansen said. “The exploitation is almost limitless. Google has to fix it.”

Google lets people customize iGoogle home pages with mini-software programs called “gadgets” such as to-do lists, news feeds, currency converters, and calendars.

Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs.

“It turns out a lot of people who develop these things aren’t good at security,” Hansen said, citing research he and Cenzic security analyst Tom Stracener presented at the annual DefCon hacker gathering in Las Vegas.

“We pretty much break into anything we try.”

One tactic is to lure people to websites that trick them into installing gadgets on their iGoogle home pages. A hacker can then remotely control the victim’s machine for as long as the iGoogle page stays open.

Gmail users face danger from the same security “hole,” according to Hansen, whose hacker handle is “RSnake.”

“We’ve been telling Google about these vulnerabilities for years and they have not made corrective actions,” Hansen said.

“They chose to open the doors and insomuch put a lot of consumers at risk.”

Google says it checks gadgets for malicious code, rarely finding any, and that it removes tainted programs.

Typos can bedevil online political campaigns
Las Vegas (AFP) Aug 7 – Typos can bedevil online political campaigns by letting evil software wizards or crafty king-makers turn misspellings into opportunities for sabotage or theft, a security specialist warned Thursday.

In a practice known as “typo-squatting,” people not connected to a campaign register Internet domain names that misspell a candidate’s name and use them to malign, mock or steal from the contender.

“You can guarantee that more of these will become common in future elections,” Oliver Friedrichs, director of emerging technologies at Symantec’s security response unit, said while detailing such attacks at the Black Hat conference in Las Vegas.

“More than likely the people who do this are the extremists or people who are in it for a profit. Campaigns need to become more aware of these kinds of attacks.”

For example, a Symantec check in February revealed that 47 out of 160 variations on “” were being “typo-squatted.”

Ironically, one squatter’s web page featured a legitimate Obama ad.

“Obama is paying for advertisements, through Google, on a site that is a typo-squatter on a domain name the Obama campaign should own in the first place,” Friedrichs said.

“Campaigns are spending a lot on online advertising and some of this money is really being misspent and going to typo-squatters.”

Some typo-squatters use the web pages to mock or deride candidates. A “” website poked fun at her and other candidates by depicting them as characters from “Star Trek” films and television shows.

“Typoed” web pages can be used to spread false announcements, such as a candidate withdrawing from a race, or tell stories of scandals that don’t exist.

A candidate who has dropped out of the US presidential race was accused of being an animal killer on a typo-squatted website.

Malicious software secretly planted in computers of people who visit squatted websites could reveal where they go online or even take control of machines.

“If I want to attack supporters of a particular campaign I can easily put malware on my site,” Friedrichs said of typo-squatters.

“You can target candidates, cause confusion, pop-up ads, or re-direct computers when they try to log on to a candidate’s website.”

Typo-squatters can create realistic looking campaign websites and take donations, keeping the cash and using credit card information for further fraud.

Online donations intended for one candidate could be routed to an opponent without donors knowing.

Once someone owns a domain based on a typo, they can also receive and redirect email misaddressed to it.

Campaign emails containing speech drafts, contribution records or strategy notes could be intercepted because of errant keystrokes while typing addresses, according to Friedrichs.

“This is a serious problem that spans not only campaigns but every company with email,” Friedrichs said.

“Even more scary, we went and looked at defense contractors and found a typoed domain routed to India and another routed to China.”
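As an added worked example (not code from the article, from Symantec, or from the conferences it reports on), the following Python enumerates the typo permutations an attacker would register against a campaign domain, the same kind of enumeration behind the “160 variations” check above, and then reports which of them are already registered and which of those accept mail, the email-interception case Friedrichs describes. The domain `smith.example`, the “registered” set and the MX set are constructed stand-ins so the script runs offline; a real check would replace them with WHOIS and DNS MX lookups for each candidate.

```python
# US QWERTY rows, used to derive "fat-finger" adjacent-key substitutions.
_QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
_VOWELS = "aeiou"


def _adjacent_keys(ch):
    """Keys immediately left/right of `ch` on the same QWERTY row."""
    for row in _QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []


def typo_variants(label):
    """Map each typo variant of a domain label to the kind of error that produces it.

    Covers the classic typo-squatting permutations: omission, repetition,
    transposition, adjacent-key substitution and vowel swap. The first kind
    to generate a given string wins, and the original label is never returned.
    """
    variants = {}
    n = len(label)
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        if n > 1:                                   # omission:      smith -> smth
            variants.setdefault(head + tail, "omission")
        variants.setdefault(head + ch + ch + tail, "repetition")   # smith -> ssmith
        if i + 1 < n and ch != label[i + 1]:        # transposition: smith -> smiht
            variants.setdefault(head + label[i + 1] + ch + label[i + 2:], "transposition")
        for k in _adjacent_keys(ch):                # adjacent key:  smith -> dmith
            variants.setdefault(head + k + tail, "adjacent-key")
        if ch in _VOWELS:                           # vowel swap:    smith -> smeth
            for v in _VOWELS:
                if v != ch:
                    variants.setdefault(head + v + tail, "vowel-swap")
    variants.pop(label, None)
    return variants


def squat_report(domain, registered, has_mx=frozenset()):
    """Enumerate typo domains for `domain` and report which are taken.

    `registered` and `has_mx` are constructed stand-ins for WHOIS and DNS MX
    lookups so the example runs offline; in practice resolve each candidate.
    A registered typo domain that accepts mail can receive any message whose
    address was mistyped, the interception case described in the article.
    """
    label, tld = domain.lower().rsplit(".", 1)
    candidates = {f"{v}.{tld}": kind for v, kind in typo_variants(label).items()}
    squatted = {d: kind for d, kind in candidates.items() if d in registered}
    mail_risk = sorted(d for d in squatted if d in has_mx)
    return {"checked": len(candidates), "squatted": squatted, "mail_interception": mail_risk}


if __name__ == "__main__":
    # Constructed data: a fictitious campaign domain and a fictitious WHOIS/MX snapshot.
    registered = {"smiht.example", "smth.example", "smith-campaign.example"}
    has_mx = {"smth.example"}
    report = squat_report("smith.example", registered, has_mx)
    print(f"checked {report['checked']} typo domains")
    for dom, kind in sorted(report["squatted"].items()):
        flag = " (accepts mail!)" if dom in report["mail_interception"] else ""
        print(f"  squatted: {dom} [{kind}]{flag}")
```

The generator deliberately keeps only single-edit variants, which is where most accidental typos land; a campaign auditing its own name would run the same enumeration on every domain it owns and register, or at least monitor, the variants that resolve or carry MX records.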
