
Cisco and company, you’ve got approximately seven days before a security researcher rains down exploits on your web-based home router parade. Seismic’s Craig Heffner claims he’s got a tool that can hack “millions” of gateways using a new spin on the age-old DNS rebinding vulnerability, and plans to release it into the wild at the Black Hat 2010 conference next week. He’s already tested his hack on thirty different models, of which more than half were vulnerable, including two versions of the ubiquitous Linksys WRT54G and devices running certain DD-WRT and OpenWRT Linux-based firmware.
To combat the hack, the usual precautions apply — for the love of Mitnick, change your default password! — but Heffner believes the only real fix will come by prodding manufacturers into action.
More information [engadget]

In 2009, Chris Paget showed the world the vulnerabilities of RFID by downloading the contents of US passports from the safety of his automobile. This year, he’s doing the same for mobile phones. Demonstrating at DefCon 2010, the white hat hacker fooled 17 nearby GSM phones into believing his $1,500 kit (including a laptop and two RF antennas) was a legitimate cell phone base station, and proceeded to intercept and record audience calls. “As far as your cell phones are concerned, I’m now indistinguishable from AT&T,” he told the crowd. The purpose of the demonstration was to highlight a major flaw in the 2G GSM system, which directs phones to connect to the tower with the strongest signal regardless of origin — in this case, Paget’s phony tower.
The hacker did caveat that his system could only intercept outbound calls, and that caller ID could tip off the owner of a handset to what’s what, but he says professional IMSI catchers used by law enforcement don’t suffer from such flaws and amateur parity would only be a matter of time. “GSM is broken,” Paget said, “The primary solution is to turn it off altogether.” That’s a tall order for a world still very dependent on the technology for mobile connectivity, but we suppose AT&T and T-Mobile could show the way. Then again, we imagine much of that same world is still using WEP and WPA1 to “secure” their WiFi.
More information [engadget]

Google is adding support for multiple account sign-ins, so anyone with more than one Google account can log into one and quickly switch between accounts without special add-ons or other tricks.
We mentioned it might happen yesterday, but it looks like the new feature is rolling out for real, starting today. The feature won’t be enabled for everyone just yet, but when it is, you should be able to set it up here. Alternately, Google Operating System points out that you may also see a link to multiple sign-in setup on your Google Accounts page. (It’s starting to roll out today, and if it’s like most Google rollouts, you should see it within at least a few days.) What you need to know:
- You can sign into a maximum of three accounts at once.
- The first account you sign in with when you’re setting up multiple sign-in will be set to your default account.
- You can’t use Offline Gmail or Calendar with the multiple sign-in feature.
- Multiple sign-in only works with these Google apps: Google App Engine, Code, Calendar, Gmail, Reader, Sites, and Voice. Most notably, Google Docs isn’t yet supported, but it’s marked as coming soon.
More information [lifehacker]