[kwlug-disc] OT: Hotmail/Yahoo account breakins
bjonkman at sobac.com
Sat Feb 16 13:43:31 EST 2013
* Delete cookies after logging out (from e-mail, banking, Facebook, &c.)
* Set cookies to delete when closing browser
* Set cookies to not accept cookies from third-party sites
* Use a different browser for truly sensitive stuff, eg. banking. Use
that browser ONLY for banking. Use another different browser for e-mail.
* Remove the Java plugin from all browsers
* Remove the Flash plugin from the banking browser (and the e-mail
browser, unless you like those dancing baby videos)
* If you *do* allow Flash, delete your Flash cookies too.
* Disallow "Offline Web Content and User Data" storage
*the* one most effective form of protection. I'm surprised (and
dismayed) that you're not going to recommend NoScript.
On my browser (which I don't use for banking or e-mail) I have these
plugins to provide protection:
* Adblock Plus - Blocks ads, and cross-site vulnerabilities from
* Cookie Culler - Deletes cookies, but allows me to set certain
"protected" cookies to be persistent (eg. to my own servers)
* Ghostery - Blocks third-party content, eg. Web bugs, "Like" buttons, &c.
* HackTheWeb - Allows me to remove selected content from a page
* RefControl - Lets me customize the "Referer" header per Web site
* UserAgentSwitcher - Lets me customize the browser's UserAgent string
(sadly, not on a per-site basis). Mine is set to "Go Stuff Yourself",
* HTTPS-Everywhere - Forces sites to use https where possible
And the most interesting:
* RequestPolicy - Selects which sites are allowed to make cross-site
requests to selected third-party sites
I find it amazing how many sites are set up deliberately to use multiple
domains. For example, Google sites need to access google.com, google.ca,
gstatic.com, googleusercontent.com, and want to access
google-analytics.com and doubleclick.net as well.
Also, I have automatic browser re-direction turned off. It's amazing how
many sites require you to hop through several third-party sites before
finally showing you any content. And, of course, each hop is tracking
your browsing behaviour...
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Phone: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cell: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
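Editor's added example (not code from the post or from any of the plugins named in it): the two browser behaviours Bob describes, a RequestPolicy-style per-site allow list for cross-site requests and a walk along a redirect chain so each third-party hop becomes visible, written as a small Python script over constructed data. The ALLOW table, the sample request list and the redirect table are assumptions built for the example; the stand-in for the public-suffix list is deliberately tiny and a real tool would use the full list.

```python
# Added example: RequestPolicy-style cross-site request filter and a
# redirect-chain walker, run over constructed sample data (not from the post).
from urllib.parse import urlparse

# Constructed stand-in for the public-suffix list: only the multi-label
# suffixes this example needs. A real tool would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "on.ca"}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain, e.g. www.google.ca -> google.ca."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def site_of(url):
    """Registrable domain of a URL; raises if the URL carries no host."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return registrable_domain(host)


# Per-origin allow list in the RequestPolicy style: origin site -> destination
# sites it may contact. The google.com entry mirrors the post's observation;
# the exact set is an assumption for the example.
ALLOW = {
    "google.com": {"google.ca", "gstatic.com", "googleusercontent.com"},
}


def classify_requests(page_url, request_urls, allow=ALLOW):
    """Sort each sub-request into same-site, allowed cross-site, or blocked."""
    origin = site_of(page_url)
    verdicts = {"same-site": [], "allowed": [], "blocked": []}
    for url in request_urls:
        dest = site_of(url)
        if dest == origin:
            verdicts["same-site"].append(dest)
        elif dest in allow.get(origin, set()):
            verdicts["allowed"].append(dest)
        else:
            verdicts["blocked"].append(dest)
    return verdicts


# Constructed sample: sub-requests a google.com page might make.
SAMPLE_REQUESTS = [
    "https://www.google.com/xjs/main.js",
    "https://www.gstatic.com/images/logo.png",
    "https://lh3.googleusercontent.com/avatar.jpg",
    "https://www.google-analytics.com/ga.js",
    "https://ad.doubleclick.net/ddm/adj",
    "https://www.google.ca/complete/search",
]


def walk_redirects(start_url, responses, max_hops=10):
    """Follow Location headers through a table of (status, location) responses
    and return the list of sites visited, so every tracking hop is visible.
    Stops at the first non-redirect; raises on a loop or an over-long chain."""
    chain = [site_of(start_url)]
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = location
        chain.append(site_of(url))
    raise RuntimeError("redirect loop or chain too long")


# Constructed redirect chain: a link that hops through two trackers first.
SAMPLE_RESPONSES = {
    "http://link.example.com/abc": (302, "http://t.tracker-one.example/r?u=1"),
    "http://t.tracker-one.example/r?u=1": (302, "http://go.tracker-two.example/x"),
    "http://go.tracker-two.example/x": (301, "https://www.destination.example/article"),
    "https://www.destination.example/article": (200, None),
}

if __name__ == "__main__":
    print(classify_requests("https://www.google.com/search?q=kwlug", SAMPLE_REQUESTS))
    print(walk_redirects("http://link.example.com/abc", SAMPLE_RESPONSES))
```

Run as-is it prints the verdicts for the sample page (google-analytics.com and doubleclick.net end up blocked, the three Google-owned domains allowed) and the four-site chain the sample link passes through before any content is shown; the walker refuses to spin forever on a chain that loops.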
On 13-02-16 12:20 PM, Paul Nijjar wrote:
> On Fri, Feb 15, 2013 at 07:38:01PM -0500, Khalid Baheyeldin wrote:
>> On Fri, Feb 15, 2013 at 12:53 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>>> In theory, yes.
>>>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>>>> allows it).
>>> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list goes
>> All of them have forwarding and POP/IMAP. But Gmail is the only one
>> to have these features free of charge.
> In my investigations, I found that yahoo.ca had POP servers available
> for free but that yahoo.com did not.
> In looking through this thread I am trying to figure out good advice
> to give to (somewhat computer anxious) computer users. So far I have:
> - Use NoScript (which I probably will not give as advice)
> - Open links in separate browsers
> - Be wary of weird links and attachments (and check that the URL does
> not secretly point to a malware site)
> - Change your password after an attack
> - Don't stay logged into your email?
> - Use plain text email to stop link spoofing
> - Stop using email
> Anything else?
> I am still looking for confirmed stories about how these vectors
> attack. We have lots of speculation (and it is telling that everybody
> has different theories) but not much evidence.
> - Paul