[kwlug-disc] OT: Hotmail/Yahoo account breakins
unsolicited at swiz.ca
Sat Feb 16 19:07:04 EST 2013
On 13-02-16 12:20 PM, Paul Nijjar wrote:
> On Fri, Feb 15, 2013 at 07:38:01PM -0500, Khalid Baheyeldin wrote:
>> On Fri, Feb 15, 2013 at 12:53 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>>> In theory, yes.
>>>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>>>> allows it).
>>> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list goes
>> All of them have forwarding and POP/IMAP. But Gmail is the only one
>> to have these features free of charge.
> In my investigations, I found that yahoo.ca had POP servers available
> for free but that yahoo.com did not.
Thank you for that. I hadn't picked up on that nuance. I have always
used yahoo.ca. (Forward yahoo.com equivalent to yahoo.ca, and go from
> In looking through this thread I am trying to figure out good advice
> to give to (somewhat computer anxious) computer users. So far I have:
> - Use NoScript (which I probably will not give as advice)
Although not directly germane to the attack vectors, you might have some
success suggesting AdBlock+ or equivalents, some of which will have
domain blacklists. Might also be reasonable to see if you can dig up
something that will block 'foreign IPs', e.g. if you only speak English,
there's no point ever getting a page from Russia, Asia, etc.
Use NotScripts in Chrome.
Even NoScript and NotScripts are accepted better than I expected. If they
always allow (whereas 'we' would normally only temporarily allow) sites
with names they recognize, like google.ca / google.com, and leave
blocked / mark untrusted names they don't, like
illstealyourpassword.org or illsendyoulotsofspam.info, some vectors will
never be opened, and they'll have a better browsing experience.
Avoid Safari (or rekonq) if possible - they do not have the 'rich' addon
environment present in Chrome, let alone Firefox.
Opera has some ecosystem attractiveness to it, if you can get over its
weirdness / differences from traditional browsing.
You might check out userscripts.org. There are addons for a number of
browsers for it.
The trick will be to automate it for them. e.g. As part of logging in, could
you send down the latest blacklist to them?
PeerBlock (used to be PeerGuardian) in Windows, ipblock in Linux.
Better rules on your ipcop / firewall - won't help when they're out of
your control, may help limit internal spread of outside acquired infections.
Anti-virus / malware - especially if they have XSS guards. (Not that I
can recommend anything.) On Linux, schedule nightly ClamAV scans? [Don't
know what else can be suggested on Linux / many don't feel anything is
necessary - yet all that you have talked about here are cross-platform,
browser, issues, which presumably Linux is susceptible to. May keep the
systems operable, but still leave a miserable user browsing experience /
> - Open links in separate browsers
That will largely be hard to be successful in. Many Windows users will
still only use Internet Explorer, apparently. I have had some success in
suggesting Chrome (which gets you the process separation), explaining it
works better with Google things, like Docs - e.g. right-click works in
it as expected. You may have success explaining different browsers for
different activities - much like opening Calc for spreadsheets, Opera
for reading e-mail, Chrome for other stuff, Firefox for <x>, Safari for
<y>. [I end up using different browsers just to keep Google accounts
separate - Calendar in one / account, Chrome has the domain account, etc.
Otherwise, suddenly I'll be in the calendar of the wrong account and
have to switch accounts back - which gets old, quickly.]
> - Be wary of weird links and attachments (and check that the URL does
> not secretly point to a malware site)
Some browsers have cookie settings to only automatically accept cookies
from the same site. May even be a security restriction somewhere saying
a site can only access its own cookies?
Note that many browsers will show you where the link goes, when you
hover over it, in the lower right corner. Peek at it before clicking,
as you say.
> - Change your password after an attack
(And make it a hard one. Make suggestions as to how to think about them
- e.g. one guy I knew used 'I8' in some, standing for 'I Hate'.)
'1m@home' sort of thing.
> - Don't stay logged into your email?
- Bears further investigation before recommendation, as you will have
resistance: whether the attack vectors show e-mail must be open on a page,
vs. just cookies merely present on the computer.
> - Use plain text email to stop link spoofing
Big advantage here is it's very explicit where a link is going - no
hovering to see, etc.
> - Stop using email
> Anything else?
- Migrate to Chrome over Internet Explorer
- Migrate off Yahoo to Gmail (given the apparent Yahoo cookie vulnerability
expressed earlier) [Forward Yahoo to Gmail, start using Gmail, reply
from Gmail - over time the migration will become known / you can
eventually stop using Yahoo. Gmail looks to have better spam
protection within it. In the mean time, with forwarding / Gmail use
only, some vectors will inherently cease to be effective.]
- Refresh / redirect blockers?
- If you could automate blacklist / IP blockers, I would guess that that
would be your most successful one stop shopping effort. You're still
vulnerable, but many (known) vectors would get shut down.
The biggest thing seems to be user education, which is hard to be effective
with, and has little cause / effect deterministic success.
> I am still looking for confirmed stories about how these vectors
> attack. We have lots of speculation (and it is telling that everybody
> has different theories) but not much evidence.
Sort of the nature of the beast, I suppose. If it were well documented /
known, browsers would build in counters. e.g. redirects of redirects
would counter much of the above.
All of this sounds very much like a kwlug.org post. Perhaps one, with
links to 'Top 10 sites of how to protect yourself' for users, and
another with a collection of the technical info you have collected for
technical type readers.