hackers

How not to get your Gmail hacked

Alaska Miller · 08/20/08 01:40PM

Last time someone came out with a Gmail exploit, it was possible to completely hijack your account with just email filters. This time around, hackers found a way to break into your account via "session" cookies. Mike Perry — a reverse-engineering specialist in San Francisco — is debuting a tool at Defcon that can sniff out the browser's cookies during your session of email crunching. When you click on links from inside email messages, website operators can use that Gmail cookie and be able to find out your account information and password.

MIT students free to talk about bugs in Boston bus system

Paul Boutin · 08/19/08 05:00PM

Three MIT students who'd been blocked by a judge from presenting their findings on "vulnerabilities in Boston's transit fare payment system" at this month's Defcon security conference are free to speak starting Friday. A U.S. District Court judge refused to extend the 10-day gag order issued against Zack Anderson (pictured), RJ Ryan, and Alessandro Chiesa just before the conference. The Massachusetts Bay Transportation Authority had asked for a five-month restraining order to allow time to fix the vulnerabilities. San Francisco's Electronic Frontier Foundation represented the students. (Photo by Zack Anderson)

AOL phisher gets 7-year maximum jail sentence

Paul Boutin · 08/14/08 05:40PM

He's only 24 years old, but Michael Dolan of West Haven, Conn. has been slapped with the maximum sentence after pleading guilty to fraud and aggravated identity theft. Dolan and five accomplices spammed AOL users for four years with messages such as, "Due to a central server meltdown, your credit card information was lost." The prosecution claimed the scams had taken in at least $400,000 from 250 users who fell for it. Dolan's defense lawyer had argued that Dolan suffered mental illness, made worse by his father's suicide.

Microsoft acquires AOL, according to clever phishing scheme

Nicholas Carlson · 08/13/08 05:40PM

MSNBC.com did not report this morning that in a long-anticipated move, Microsoft has acquired AOL. But after finding the above "MSNBC Breaking News" alert in my inbox this morning, I thought they did for a minute there. I even started drafting a post on the news ("Last we heard about the deal in mid-July, AOL negotiators were …"). Then my boss yelled at me. I looked at the email again and saw it came from — obviously a phishing scammer. A clever one, though, who knows Valleywag editors are hungrier for news than for Angelina Jolie's lips. A tipster tells us there's a similar "Breaking News alert" email going around, declaring "Yang relinquishes control over Yahoo!" — don't believe that one, either.

British hacker gets temporary reprieve

Alaska Miller · 08/12/08 07:40PM

Gary McKinnon — crowned by the Pentagon as the biggest hacker of all time — will have to wait a bit longer before heading to the U.S. to face criminal charges. The European Court of Human Rights will now allow him to stay in Britain until August 28 to review his appeal against extradition. McKinnon has been pleading innocence throughout all this, claiming he was simply curious about what information the U.S. military and NASA had about UFOs. [News.com]

iPhone day 33: The most eye-pleasing phishing spam ever

Paul Boutin · 08/12/08 12:00PM

A Macworld reader sent in a screenshot of a charmingly credible HTML email that claims to be from Apple: "We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?" It's convincing not just because it's pretty, but because this sort of error from MobileMe at this point would seem like a minor hurdle — I'm still trying to figure out how my wife's name got onto my account in the conversion. That'll teach me to sneak her credit card.

How 15 minutes of shame can save your company

Tim the IT Guy · 08/11/08 03:00PM

The Wall of Sheep is a tradition at the annual Defcon computer-security conference. Hackers at the event post information that other attendees have accidentally placed unsecured onto the conference's network. Passwords and porn are the best examples. Organizers at last week's Black Hat conference set one up, too. It's a fun prank, but here's a serious idea: Why not run a Wall of Sheep at your own company? There are two good reasons: First, a company wall would remind employees daily that their private details are available to anyone on the network who's installed Kismet and Wireshark. It's not the whiz kids from Black Hat you should worry about. It's the coworker looking to sell a list of sales leads to pay off a gambling debt. A company Wall of Sheep would be run by one or two in-house sysadmins. They would use network-snooping tools to check for unprotected data on the network. They'd publish carefully redacted versions of anything they caught onto an in-house webpage. If you neglect to set the SSL options on your mail client, just the fact that you've sent 37 emails to Carolyne at the front desk will be the day's watercooler talk. What could be more motivational? Second, a Wall of Sheep forgives no one. Not the CEO, not the star salesman, not the hotshot in Professional Services. Showing up on the wall because you didn't follow company security rules is like showing up late for work: Everyone sees it, even if they don't dare call you on it. When it comes to changing human behavior, embarrassment is far more effective than an error message. (Photo by RobotSkirts)

MIT brats' free-bus scheme blocked by judge

Paul Boutin · 08/11/08 01:20PM

You can fill this blank in yourself: Three students from the Massachusetts Institute of Technology were scheduled to present an analysis of "vulnerabilities in Boston's transit fare payment system" at the Defcon security conference in Vegas. They were stopped at the last minute after the Massachusetts Bay Transit Authority sued them for allegedly violating the Computer Fraud and Abuse Act. The Electronic Frontier Foundation has chosen to represent the students. That's great news, if only because it involves the EFF standing up for something besides BitTorrent.

Claim: Russian hackers behind spam crime ring took over Georgia's national websites

Nicholas Carlson · 08/11/08 11:20AM

Before the Russian army pushed past the borders of breakaway republic South Ossetia and invaded Georgia's interior, Russian hackers took over Georgian government websites last Friday, taking control over a central government site as well as the homepages for the ministries of foreign affairs and defense. Researcher Jart Armin told Britain's Daily Telegraph he blames the attacks on an organization called the Russian Business Network, which the Telegraph describes as "a network of criminal hackers with close links to the Russian mafia and government." That's an understatement. The Russian Business Network is infamous for operating botnets, distributing malware, and stealing private information. But its usual targets are businesses, not nation-states. A year ago, Brian Krebs wrote in the Washington Post about RBN's exploits, which included an attack on the Bank of India. The Estonian government blamed the RBN for three days of attacks on its Web sites in April. Armin, the security researcher, says Georgia's hacked sites are now routed through servers in Russia and Turkey that are "well known to be under the control of Russian Business Network and influenced by the Russian Government." The Ministry of Foreign Affairs of Georgia has moved its website to Google's Blogger — itself a notorious hotbed of spam, but at least one that's hosted on a theoretically more secure network.

Vista security completely end-run by hack

Tim the IT Guy · 08/08/08 05:20PM

Today at the Black Hat conference in Las Vegas, two security experts showed off a new Web-based break-in that completely bypasses all of the hardware memory protection built into Windows Vista. Once inside, a program can then load any content at all from the Internet via your browser. The best tech writeup is at Electronista: "The malicious code not only negates the effectiveness of Vista's Address Space Layout Randomization and Data Execution Prevention technologies, but specifically abuses their behavior to ensure an attack gets through." What does this mean for you? It's not the end of the world. But stand by for one very important Security Update.

Reporters who hacked hackers at Black Hat get jacked

Paul Boutin · 08/08/08 12:00PM

Three French reporters for Global Security Magazine attending this week's Black Hat Security Conference in Las Vegas were booted, after they "allegedly" (that's reporter-speak for "they won't admit it") sniffed the private network set up for the press. The private network is meant to be a sort of chill room for journalists, so they can file a few articles without getting pwned by conferencegoers every five minutes. Note to the French: We'll be more impressed if you hack Rachel Marsden's Facebook page.

Watch network engineers save the world, one server at a time

Alaska Miller · 08/07/08 02:20PM

Last week we learned from Dan Kaminsky that DNS servers — computers that translate domain names into the numerical IP addresses machines use to locate each other on the Internet — had a security issue, all around the world, that made them vulnerable to hackers. In fact, HD Moore, the man who wrote an exploit for the bug, got hacked himself. Here's a time-lapse video showing the progression of network engineers working overtime to apply software patches to servers.

A picture may be worth a thousand logins

Alaska Miller · 08/04/08 04:40PM

Hackers will reveal a new way to steal user accounts with pictures later this week, at the Black Hat security conference in Las Vegas. The method uses hybrid files that are read as photos by some programs and as code by others. These hybrid files can have code, such as Java, embedded in them, and then be uploaded to websites such as Facebook, MySpace, or eBay where they can skirt security measures to do harm.

Security flaw threatens to flood Internet with NYT scare stories

Tim the IT Guy · 07/31/08 10:40AM

The smart way to read the New York Times report on the latest Domain Name System vulnerability — "A rush to patch the Web" — is to start from the end and read backwards. That way, Bruce Schneier opens with the statement that there's no reason to worry. In layman's math, the odds that you'll be redirected to another site by a hacker are extremely low, and the worst that can happen to you is you'll fall for a fake site that prompts for your credit card number. You'll next notice the Times couldn't find anyone who'd been bitten by the bug. But keep reading, because the rest of the article is a huge media opportunity for security famewhore Dan Kaminsky. Actual quote: "I play this game to protect people."

The biggest military hacker of all times did his work over 56k modem

Alaska Miller · 07/30/08 05:40PM

Gary McKinnon, a British computer expert, claims he's just fascinated with UFOs. Using his home computer and a modem — how WarGames! — he infiltrated military networks and accessed thousands of computers trying to find evidence of alien contact. Now caught and having lost an appeal with the British courts, he's awaiting extradition to the United States to stand trial, accused of the "biggest military hack of all time." The full list of his computer-exploiting prowess:

DNS hack author gets DNS hacked

Paul Boutin · 07/30/08 11:40AM

HD Moore is the guy behind the Metasploit Project. In general, Metasploit helps sysadmins find security holes in their networks. Last week, Moore published an exploit for a weakness in the domain name server (DNS) software used to route Web surfers to the correct machine for, say, www.valleywag.com. On Tuesday, some of the traffic to Moore's employer, BreakingPoint, was rerouted to a fake Google page operated by a scammer running a click fraud racket. The cause? An AT&T DNS server for the Austin, Texas area that had been compromised using ... you guessed it. Moore emailed us, "There is no way to verify now that it has been fixed, but my impression is that it was actually a different exploit."

Stoner Hackers to Comcast: We Tried to Warn You

Sheila · 05/30/08 02:18PM

Whoa: Wired interviews the stoner hackers, "Defiant" and "EBK," who "took down Comcast's homepage and webmail service for more than five hours Thursday." Apparently they're pretty psyched about what they did but also scared: "I wish I was a minor right now because this is going to be really bad," says 19-year-old Defiant (pictured). Here's how they did it:

Hackers own Comcast homepage

Jackson West · 05/29/08 05:40PM

Internet service provider Comcast had the comcast.net domain name server redirected to a server in Germany after hackers got control of the site's DNS entry with Network Solutions. For a portion of yesterday evening, the homepage read: