Windows Secrets Newsletter • Issue 195 • 2009-04-23 • Circulation: over 400,000

   
   
Table of contents
TOP STORY: Gmail accounts hacked via unpatched hole
WACKY WEB WEEK: "Not by the hair on my chinny chin chin!"
LANGALIST PLUS: What to do when Chkdsk won't finish the job
BEST SOFTWARE: Simple way to disable or reassign keyboard keys
WOODY'S WINDOWS: Knock out problematic autostart programs

   
       
   
TOP STORY

Gmail accounts hacked via unpatched hole

By Scott Spanbauer

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they're not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won't solve the Gmail problem until Google fixes the software.

The weakness that researchers say afflicts Gmail, a free e-mail service hosted by Google, belongs to a class of attacks known as cross-site request forgery (CSRF, pronounced "sea surf").

Besides Gmail, CSRF holes affecting YouTube, Netflix, and NYTimes.com have also been found and repaired in the past. A CSRF attack doesn't intercept anything. It exploits the fact that your browser automatically attaches a site's cookies to every request it sends to that site, whichever page triggered the request. A malicious page you happen to be viewing can therefore make your browser submit a request to a site you're signed in to (to change a setting, say), and the site accepts it as if you had made the request yourself, because the session cookie that arrives with it is genuine.

The first report of the Gmail problem within security circles was written by Vicente Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next day, ISA issued an alert and included a proof of concept illustrating how the exploit could be used to change a Gmail account password.

After more than a year during which, according to ISA, Google was repeatedly contacted privately about the problem, the researchers publicly released a detailed description of the exploit on March 3, 2009, according to a Secure Computing article.

The magazine quoted an unnamed Google spokesman as saying, "We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site."

Considering that an attacker's page can fire off forged requests automatically, testing thousands of password guesses in a matter of seconds, you might not be very reassured by Google's position. Many PC users select weak passwords that consist of common names or dictionary words, leaving them susceptible to brute-force discovery. And the general release of the CSRF technique makes it easy for hackers to write opportunistic code, if actual exploits aren't already in the wild.

The March 3 public disclosure should not be confused with an earlier Gmail CSRF flaw that was first reported on Jan. 1, 2007. Google repaired that problem by the following day, according to a blog post by software consultant Hari Gottipati.

CSRF attacks, which are also referred to as session riding, are different from the more widely known cross-site scripting (XSS) exploits. An XSS hole lets an attacker inject JavaScript into a vulnerable site's own pages, typically through input the site fails to sanitize, such as a URL parameter or the body of a message. Because the injected script runs in your browser as if the site had sent it, it can read that site's cookies, page contents, and form fields, including private data and passwords, and transmit them to the attacker's server. CSRF, by contrast, lets the attacker send requests in your name but not read the site's responses, which is why the Gmail attack has to guess your password rather than steal it.

XSS vulnerabilities have recently been discovered and patched in many browsers and on many sites, including Yahoo Mail and Hotmail as well as Gmail.

Provide some protection for webmail with https

Google, Yahoo, and other Internet services cover themselves by stating that you use the services at your own risk. A major threat of using any webmail service is that a hacker could swipe or guess your password and take over your account.

If your Google account includes such personal information as stored credit card numbers (for Google Shopping, for instance), a contact list, photos, and business or financial documents, having your account hacked could be more than just an inconvenience.

One way for an attacker to steal passwords — especially given the ubiquity of open, unencrypted Wi-Fi networks — is to use software that "sniffs" Internet traffic. If you enter your username and password on a Web page without encryption, your inputs are transmitted as plain text, not just over a Wi-Fi connection but also through every router that happens to be located between you and the service's machine.

Fortunately, the Big Three webmail services (Gmail, Yahoo Mail, and Hotmail) and many other Web sites protect their sign-in pages with Secure Sockets Layer (SSL) encryption. With SSL, the browser encrypts your sign-in data before sending it, so the Wi-Fi networks and routers it passes through on its way across the Internet see only scrambled text.

To determine whether a site encrypts its sign-in procedure, look in your browser's address bar. The page's URL should begin with https (Hypertext Transfer Protocol over SSL), as shown in Figure 1. Unencrypted pages use the http protocol.

Figure 1. Secure https connection to Gmail. Look for the https protocol in a browser's address bar, which indicates an encrypted connection.

Seeing the https protocol or the well-known "lock" icon in a browser's status bar is no guarantee that a particular site is legitimate, of course. The Anti-Phishing Working Group offers information on how these indicators can be spoofed by hackers as well as some tips to help you avoid scams.

If a sign-in page uses the https protocol, however, it's unlikely that your password will be sent as plain text across the Internet.

Gmail's sea-surf hole can't be closed by SSL

Some reports on the Web, such as an article at Softpedia.com, say using https during your Gmail sessions blocks CSRF attacks on the service.

Unfortunately, that's not the case for this Gmail hole, according to ISA's Aguilera. In an e-mail interview conducted in Aguilera's native Spanish, he said the flaw allows a hacker to take advantage of an encrypted session (the following is my translation from the original language):
  • "In this vulnerability, the attacker causes the victim to generate, invisible to the victim, a request to the server (in which request the victim's authenticated session cookie is also transmitted).

    "When the server receives the request, it sees that it comes from an authenticated session (the victim's), and thus is unable to detect that, in reality, the request was instigated by the attacker.

    "In other words, it's as if the victim/user actually created the request to the server, and the fact that the communication is encrypted is unrelated and doesn't prevent the attack."
Using https does prevent traffic sniffing and, provided your browser validates the server's certificate rather than clicking through a warning, so-called man-in-the-middle attacks, so you should enable it regardless of whether Gmail's CSRF hole is ever patched.

To benefit from encryption when accessing Gmail, you should configure the service to use SSL by default. To do so, click Settings in the top-right corner of the main Gmail window, select Always use https in the "Browser connection" section at the bottom of the General tab, and click Save Changes.

Using encryption will slow Gmail's performance slightly, but this small price is worth it. The https protocol will encrypt not just your sign-in sessions but also the contents of your e-mails when they're sent between your browser and Google's servers.

POP3 and IMAP protect Gmail, Hotmail, Yahoo Mail

Sadly, Yahoo Mail and Hotmail don't provide a similar Always use https setting. But you can protect these two services' data, and sidestep Gmail's CSRF hole as well, by using a PC-based e-mail reader and retrieving your messages via the long-established POP3 or IMAP protocols. The CSRF attack rides on the session cookie your browser holds while you're signed in to the Gmail site, so a mail client that talks to the server directly gives a malicious Web page nothing to ride on, as long as you don't also leave a signed-in Gmail tab open in your browser.

When you use a PC-based client like Mozilla Thunderbird to read and send webmail, enabling SSL for the POP3, IMAP, and SMTP connections prevents eavesdropping on the link between your PC and the mail server. Using IMAP or POP3 also gives you the option to delete sensitive messages that would otherwise remain on the remote server. (I rated Thunderbird and other free e-mail clients in a July 31, 2008, comparative review.)

IMAP and POP3 are supported by the free versions of both Gmail and Hotmail. Yahoo supports POP3, but only in the paid version of Yahoo Mail (U.S. $20 per year).

For instructions on using a PC-based client to retrieve messages from a webmail service, using Hotmail as an example, there's a step-by-step article on the subject at About.com.

Using https when signing in — and encryption when processing your webmail — makes it less likely your password or other personal information will be sniffed. This makes your webmail safer, no matter how long it may take before Google fixes the CSRF hole that has security researchers in a huff.

Scott Spanbauer writes frequently for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of Jim Aspinwall's PC Hacks.


   
   
BONUS DOWNLOAD

Stealing the Network excerpt
All subscribers can get the Final Chapter — free

In the middle of May, the hardcover book Stealing the Network: The Complete Series Collector's Edition will be released, including the long-awaited Final Chapter. But all Windows Secrets subscribers can get the Final Chapter today — plus one other chapter from the forthcoming new edition — free of charge.

Our exclusive 24-page PDF excerpt is available only until May 13. The co-authors of the Stealing the Network series, a gripping work of fiction based on real-life security issues, include Timothy Mullen, Johnny Long, and Windows Secrets contributing editor Ryan Russell. To download your copy, simply visit your preferences page and save your updated information. A download link will appear. Thanks! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

   
   
WACKY WEB WEEK

'Not by the hair on my chinny chin chin!'

By Katy Abby

We all know the story of the Three Little Pigs who outsmart the Big, Bad Wolf. Their tale of survival in a time before building codes has been passed down from generation to generation for more than 150 years.

Of course, such a popular yarn has inspired many adaptations, but none is as imaginative as this remarkable stop-motion short by artist Takeuchi Taijin. You'll be amazed by the creativity and simple beauty of this film. Like the original fable, it's a classic that you just may return to time and again. Play the video


   
   
   
   
PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/090423

Free content posted on April 23, 2009:

 
You get all of the following in our paid content:

Get our paid content by making any contribution

12 months of paid content

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by May 6, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.
 
Heidy Joseline in Guatemala

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in April are helping us to sponsor Heidy Joseline, a 3-year-old girl who lives with her family in Guatemala. Children International channels development aid from donors to Heidy Joseline and her community. We also sponsor kids through Plan USA and other respected agencies. More info

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!

   
   


   
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Research Director: Katy Abby. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Mark Joseph Edwards, Michael Lasky, Woody Leonhard, Ryan Russell, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. See our privacy policy.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
Copyright © 2009 by WindowsSecrets.com LLC. All rights reserved.
