[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Sat Feb 16 13:43:31 EST 2013


Additional advice:
 * Delete cookies after logging out (from e-mail, banking, Facebook, &c.)
 * Set cookies to delete when closing browser
 * Set cookies to not accept cookies from third-party sites
 * Use a different browser for truly sensitive stuff, eg. banking. Use
that browser ONLY for banking. Use another different browser for e-mail.
 * Remove the Java plugin from all browsers
 * Remove the Flash plugin from the banking browser (and the e-mail
browser, unless you like those dancing baby videos)
 * If you *do* allow Flash, delete your Flash cookies too.
 * Disallow "Offline Web Content and User Data" storage


Using the NoScript plugin to block Javascript, XSS and CSRF is probably
*the* one most effective form of protection. I'm surprised (and
dismayed) that you're not going to recommend NoScript.

On my browser (which I don't use for banking or e-mail) I have these
plugins to provide protection:

* NoScript - Disables Javascript, blocks XSS and CSRF
* Adblock Plus - Blocks ads, and cross-site vulnerabilities from
third-party content
* Cookie Culler - Deletes cookies, but allows me to set certain
"protected" cookies to be persistent (eg. to my own servers)
* Ghostery - Blocks third-party content, eg. Web bugs, "Like" buttons, &c.
* HackTheWeb - Allows me to remove selected content from a page
* RefControl - Lets me customize the "Referer" header per Web site
* UserAgentSwitcher - Lets me customize the browser's UserAgent string
(sadly, not on a per-site basis). Mine is set to "Go Stuff Yourself",
per http://boingboing.net/2012/10/10/more-trouble-for-proposed.html
* HTTPS-Everywhere - Forces sites to use https where possible

And the most interesting:
* RequestPolicy - Selects which sites are allowed to make cross-site
requests to selected third-party sites
 
I find it amazing how many sites are set up deliberately to use multiple
domains. For example, Google sites need to access google.com, google.ca,
gstatic.com, googleusercontent.com, and want to access
google-analytics.com and doubleclick.net as well.

Also, I have automatic browser re-direction turned off. It's amazing how
many sites require you to hop through several third-party sites before
finally showing you any content. And, of course, each hop is tracking
your browsing behaviour...

--Bob.

Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Phone: +1-519-669-0388
6 James Street, Elmira ON Canada  N3B 1L5  Cell: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting 


On 13-02-16 12:20 PM, Paul Nijjar wrote:
> On Fri, Feb 15, 2013 at 07:38:01PM -0500, Khalid Baheyeldin wrote:
>> On Fri, Feb 15, 2013 at 12:53 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>
>>>> In theory, yes.
>>>>
>>>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>>>> allows it).
>>>>
>>> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list goes
>>> on.
>>
>> All of them have forwarding and POP/IMAP. But Gmail is the only one
>> to have these features free of charge.
> In my investigations, I found that yahoo.ca had POP servers available
> for free but that yahoo.com did not.
>
> In looking through this thread I am trying to figure out good advice
> to give to (somewhat computer anxious) computer users. So far I have:
>
> - Use NoScript (which I probably will not give as advice)
> - Open links in separate browsers
> - Be wary of weird links and attachments (and check that the URL does
>   not secretly point to a malware site)
> - Change your password after an attack
> - Don't stay logged into your email?
> - Use plain text email to stop link spoofing
> - Stop using email 
>
> Anything else?
>
> I am still looking for confirmed stories about how these vectors
> attack. We have lots of speculation (and it is telling that everybody
> has different theories) but not much evidence.
>
>
> - Paul
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
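
Paul's list above includes checking that a link does not secretly point
somewhere other than where its text claims, and the cookie/CSRF advice
earlier in this message is about the same class of trick. The script
below is an added example for this thread, not code from either poster:
it walks the anchors of an HTML message and flags the usual spoofing
patterns (visible text naming one site while the href goes to another,
an "@" in the URL so the real host is hidden after a fake one, and a raw
IP address as the target). The sample message is constructed for the
demonstration; the .example hostnames and the 203.0.113.7 address are
reserved documentation values, not real sites. The two-label "site"
heuristic is an assumption that works for hotmail.com-style names; a
public suffix list would be needed for domains like co.uk.

```python
"""Flag spoofed links in an HTML e-mail: the visible text names one host,
the href points somewhere else.  Added example for this thread, not code
from the original post; the message below is constructed for the demo."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host the link *claims* to go to, if the visible text looks like a
    URL or domain name ('Reset password' -> None, 'mail.yahoo.com' -> host)."""
    text = text.strip()
    if not text or any(c.isspace() for c in text) or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def site_of(host):
    """Registrable-domain approximation (assumption): last two labels.
    Fine for hotmail.com-style names; co.uk etc. need a public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def find_spoofed_links(html):
    """Return (visible_text, href, reason) for every suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        target = (parts.hostname or "").lower()
        if not target:
            continue  # mailto:, relative links, etc.: nothing to compare
        if parts.username is not None:
            # http://www.yahoo.com@evil.example/ really connects to evil.example
            findings.append((text, href, "credentials before '@' hide the real host"))
        try:
            ipaddress.ip_address(target)
            findings.append((text, href, "raw IP address instead of a hostname"))
        except ValueError:
            pass  # a normal hostname
        claimed = displayed_host(text)
        if claimed and site_of(claimed) != site_of(target):
            findings.append((text, href, "text names %s but link goes to %s"
                             % (site_of(claimed), site_of(target))))
    return findings


# Constructed sample message: .example hosts and 203.0.113.7 are reserved
# documentation values, not real phishing infrastructure.
SAMPLE_MAIL = """
<p>Dear user, verify your account now:</p>
<a href="http://login.hotmail.com.account-verify.example/">https://login.live.com/</a>
<a href="http://203.0.113.7/reset">Reset password</a>
<a href="http://www.yahoo.com@mail-check.example/login">mail.yahoo.com</a>
<a href="https://kwlug.org/">https://kwlug.org/</a>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">kwlug-disc mailing list</a>
"""

if __name__ == "__main__":
    for text, href, reason in find_spoofed_links(SAMPLE_MAIL):
        print("SUSPICIOUS: %r -> %s (%s)" % (text, href, reason))
```

Links whose text is an ordinary phrase ("Reset password") cannot be
compared against anything, so only the host-level checks apply to them;
that is exactly why the plain-text-mail advice in the quoted list helps,
since plain text shows the raw URL and leaves nothing to spoof.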

