[kwlug-disc] OT: Hotmail/Yahoo account breakins

unsolicited unsolicited at swiz.ca
Fri Feb 15 00:53:27 EST 2013



On 13-02-14 09:44 PM, Khalid Baheyeldin wrote:
> On Thu, Feb 14, 2013 at 9:32 PM, unsolicited <unsolicited at swiz.ca> wrote:
>
>> Worth forwarding all accounts to your trusted / preferred server, where
>> you can use your (sandboxed?) trusted e-mail client / browser/e-mail combo?
>> (Isn't gmail supposed to have some pretty good malware detection behind it?)
>>
>
> In theory, yes.
>
> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
> allows it).

MANY do, including hotmail and yahoo. Live, gmail, rogers, the list goes on.

> Furthermore, I used Gmail for its features, like spam protection,
> threading, good compose features, ...etc.

Which you would be gaining for all these other accounts as well.

> And I don't want to run my own POP/IMAP server.

Which is fine, I wasn't suggesting you should.

> And the attack vector was not Gmail. It was definitely Chromium and Yahoo
> Mail.

> So all of that does not solve anything in this case.

Which is my POINT. If you were reading Yahoo in Gmail, taking advantage 
of the features you like, that attack vector is closed for you - you are 
never in Yahoo to be exposed to those holes.

> Something else not mentioned thus far: only read e-mail in plain text.
>> Switching to non-plain text on a per message, judicious, basis.

I didn't say it does. It's just another element of the various other 
steps that can be taken.

> If someone sends you a URL, and you have plain text email in your client,
> and you copy and paste it, then it is the same as clicking it from HTML.

Not necessarily so.

First, a URL in plain text is just as clickable as in non-plain text.

Second, that presumes you're reading the message in a browser not an 
e-mail client.

Regardless of where you click it, if the result is in, say, Firefox with 
NoScript, then you are leveraging the precautions you have taken there 
that might not be present in a standalone client.

If you're in Firefox / NoScript and webmail reading, then you're 
protected from this anyways, as you said, by those same precautions.

And from many of the nefarious html scripting and nonsense fiddly bits 
that come along in various other ways - that are not active script in 
plain text reading. Such as calls to invisible graphics from tracking 
sites - the very fetch request of which tells them that you got it, 
where you're from, and so on and so forth.
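
The point above about invisible tracking graphics, as an added example that is not part of the original post: a Python sketch that lists what displaying each part of a two-part message would fetch without any click. The sample message, its hostnames, and the `RemoteLoads` and `audit` names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the thread): one message, plain and HTML alternatives.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, see http://example.com/page for details.

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, see <a href="http://example.com/page">details</a>.</p>
<img src="http://tracker.example.net/o.gif?id=reader42" width="1" height="1">
<img src="cid:logo123" width="120" height="40">
<script src="https://cdn.example.net/x.js"></script>
</body></html>
--b1--
"""

class RemoteLoads(HTMLParser):
    """Collect resources an HTML renderer would request on display, no click needed."""
    AUTO = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get(self.AUTO.get(tag, "")) or "").strip()
        if url.lower().startswith(("http://", "https://", "//")):  # cid:/data: stay local
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.found.append((tag, url, tag == "img" and tiny))

def audit(raw):
    """Map each text part's content type to what displaying it would auto-fetch."""
    report = {}
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_maintype() != "text":
            continue
        scanner = RemoteLoads()
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
        report[part.get_content_type()] = scanner.found  # text/plain: always []
    return report
```

The link to `http://example.com/page` appears in both parts and is reported in neither, since it is only requested when the reader follows it.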


