Yesterday we brought you news that Gmail is open to a filter-insertion technique that can allow attackers to forward mail with attachments to other addresses. Google confirmed that flaw yesterday.

But it looks like Petko Petkov isn’t the only researcher out there looking into Google flaws.

On Wednesday, Billy (BK) Rios posted on his blog that Google may be putting its own servers at risk because of a cross-domain exposure flaw associated with Google Documents.

Here’s a snippet:

“Google Documents basically allows you to upload your documents (a.k.a. content) to a Google server. Once you’ve uploaded the document, Google has essentially “taken ownership” of the document (content). There are ways to minimize the risks associated with taking ownership of content, and it seems that Google has taken some measures to sanitize for XSS… but it seems that their focus on XSS may have caused them to miss a different type of cross domain exposure.”

Rios’ blog also features proof-of-concept code.

Remember Fujacks?

Fujacks was just one name for the worm that affected a varying number of computer users in China early this year. Some Chinese media reports put the number of victimized computers in the millions, but Western analysts complained at the time that those figures weren’t accurate.

The malware created images of a panda bear juggling sticks as it spread from computer to computer.

So call it Fujacks or the Panda worm or the Panda burning incense worm, but it’s creator has received four years in jail – and a number of job offers, according to his lawyer.

Haowei Ren and Vu Nguyen of McAfee Avert Labs said it will be interesting to see where Li Jun ends up in a few years.

“During the trial, Li Jun’s lawyer attempts to show his value to Chinese society showing an offer letter from a networking company in Hangzhou that is interested in making Li Jun their CTO. His attorney goes on to say that he has received over 10 offers from different companies that are willing to pay Li Jun over 1 million China Yuan per year.

In his closing remarks, Li Jun’s lawyer was quoted as saying ‘A rare talent who is now regretful of his deeds and hopes to utilize his talents to contribute to society.’”

-Haowei Ren, Vu Nguyen, McAvert Labs Blog, Sept. 25, “W32/Fujacks author faces prison: Justice served or a slap on the wrist?”

Graham Cluley, senior technology consultant and chief spokesman at Sophos, noted that businesses could be sending the wrong message when hiring former hackers and attackers.

“It’s important that the IT community does not send out a message that writing viruses or worms is cool, or a fast track into employment,” Cluley said in a news release this week.

Something to keep an eye on later this week: Microsoft’s BlueHat v6 blog.

Set to take place in Redmond this Thursday and Friday, BlueHat v6 will feature Microsoft brass meeting with outside security experts on topics like virtualization, process isolation, Windows Mobile and automated exploit creation.

Here are two goals of the conference as described by Andrew Cushman, Microsoft director of security outreach.

- “To expose senior product leaders and front-line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of, ‘I understand what a buffer overflow is,’ to ‘OMG that’s what it’s like.’ BlueHat connects with execs and engineers at a visceral level and *really* brings the message home…

- To expose security researchers (and the security community) to Microsoft engineers and business leaders… BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.”

Of course, it’s Microsoft’s conference and it’s closed - so don’t expect breaking news to appear on the BlueHat blog, but it’s still worth keeping tabs on.

From email attachments to gift cards to announcements about the beginning of the NFL season to online games – that’s what we’ve seen the Storm Worm do lately, switching email-lure tactics.

Both F-Secure and McAfee Avert Labs have screenshots worth checking out.

So, what’s next?

Everyone who has known me for more than a half-hour has realized that I’m one of those people who takes watching football seriously.

There are a lot of these people. If you walk past a sports bar on a Sunday afternoon, you’ll see a few hundred of them. There are probably also support groups for this sort of thing.

So I was immediately interested in Bruce Schneier’s take on the New England Patriots’ “Recording Gate” scandal.

If your ESPN has been down for the past week, a Pats official was removed from the sidelines on Sunday during a game against the New York Jets for recording hand-signals given by the opposing defensive coordinator.

Schneier contends that football teams could use radio technology used by quarterbacks and coaches to their advantage, with a little old-school hacking:

“A smart team could not only eavesdrop on the other team, but selectively jam the signal when it would be most critical. The rules said that if one team’s radio link didn’t work, the other team had to turn its off, but that’s a minor consideration if you know it’s coming.”

Of course, that team wouldn’t look too smart once they were caught and fines and penalties were handed out.

I’m willing to bet that most people who read headlines today about the hacking of the U.S. Consulate General in St. Petersburg, Russian pinned it on Chinese hackers or the group that broke down much of Estonia’s online infrastructure a few months back.

Well, to the disappointment of war-mongers and conspiracy theorists everywhere, that might not be the case.

It looks like the consulate’s server was caught by hackers targeting, for the most part, other smaller websites.

But the door is open that hackers may have been on an information-gathering mission, because the trojan used in the attack is designed to gather data.

Sophos, at the time of this blog’s writing, had the only in-depth analysis of the attack available, and a good write-up of their research on a company blog.

It must be the season for website relaunches.

Last week, we introduced readers to the new SCMagazineUS.com. We hope readers find it easier to use as both a resource and information source.

We’ve made it easier to find podcasts, blogs, the buyers guide, group tests and product reviews. You name it, and it should be easily found from our homepage – which has the new URL http://www.scmagazineus.com/.

Enjoy!

And while I’m on the subject, my compliments go out to the folks at US-CERT, who have a brand new website of their own. Click here to take a look for yourself.