DroidSheep – One-click session hijacking using your android smartphone or tablet computer.

DroidSheep makes it easy to use for everybody. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That’s it.

What do you need to run DroidSheep?
– You need an android-powered device, running at least version 2.1 of Android
– You need Root-Access on your phone (link)
– You need DroidSheep

Which websites does DroidSheep support?
– amazon.de
– facebook.com
– flickr.com
– twitter.com
– linkedin.com
– yahoo.com
– live.com
– google.de (only the non-encrypted services like “maps”)

Download: droidsheep-current.apk

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider.

Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service.

Attackers could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials.

Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked.

Details of the certificate were posted on Pastebin last Saturday.

The SSL certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA.

It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.

Given their ties to the government and financial sectors it’s extremely important to find out the scope of the breach as quickly as possible. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.

Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.

A week after 70 law enforcement agencies were defaced and attacked in what was known as Fuck FBI Friday, Anonymous and LulzSec have released another massive amount of confidential data, this time targeted at US police officers in what they’re now calling Shooting Sherrifs Saturday.

Over 10GBs of information has been leaked including hundreds of private emails, password information, address and social security numbers, credit card numbers, informant details, police training files and more.

The group claims to be acting in solidarity with Topiary, a member of LulzSec who was apparently found to be in posession of 750,000 login credentials when arrested last week as well as with the Anonymous PayPal LOIC defendants whom Anonymous faithful claim should be considered as ‘political prisoners’. From the release ‘notes’:

“We stand in support of all those who struggle against the injustices of the state and capitalism using whatever tactics are most effective, even if that means breaking their laws in order to expose their corruption. You may bust a few of us, but we greatly outnumber you, and you can never stop us from continuing to destroy your systems and leak your data.”

“We have no sympathy for any of the officers or informants who may be endangered by the release of their personal information. For too long they have been using and abusing our personal information, spying on us, arresting us, beating us, and thinking that they can get away with oppressing us in secrecy. Well it’s retribution time: we want them to experience just a taste of the kind of misery and suffering they inflict upon us on an everyday basis. Let this serve as a warning to would-be snitches and pigs that your leaders can no longer protect you: give up and turn on your masters now before it’s too late.”

Source: Shooting Sheriffs Saturday | Official Release Statement

If you have Wi-Fi turned on, the previous whereabouts of your computer or mobile device may be visible on the Web for anyone to see.

Google publishes the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections, a practice that represents the latest twist in a series of revelations this year about wireless devices and privacy, CNET has learned.

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company’s effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster than they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they’re tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you–even if you never intended it to become public.

Tests performed over the last week by CNET and security researcher Ashkan Soltani showed that approximately 10 percent of laptops and mobile phones using Wi-Fi appear to be listed by Google as corresponding to street addresses. Skyhook Wireless’ list of matches appears to be closer to 5 percent.

Source: CNET News

Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network, US computer security firm Symantec says.

Symantec discovered that certain Facebook applications leaked tokens that act essentially as “spare keys” for accessing profiles, reading messages, posting to walls or other actions.

Facebook applications are web software programs that are integrated onto the leading online social network’s platform. Symantec said that 20 million Facebook applications such as games are installed every day.

The tokens were being leaked to third-party applications including advertisers and analytics platforms allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.

“Fortunately, these third-parties may not have realized their ability to access this information,” Doshi said in a blog post.

“We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.”

Symantec estimated that as of April, nearly 100,000 applications were giving away keys to Facebook profiles.

“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

Facebook confirmed the problem, which was discovered by Doshi and Symantec colleague Candid Wueest, according to the computer security firm.

There was no reliable estimate of how many tokens have been leaked since the release of Facebook applications in 2007.

Despite whatever fix Facebook has put in place, token data may still be stored in files on third-party computers, Symantec warned.

“Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens,” Doshi said.

“Changing the password invalidates these tokens and is equivalent to ‘changing the lock’ on your Facebook profile.”