[kwlug-disc] OT: Hotmail/Yahoo account breakins

[unsolicited]

On 13-02-16 12:20 PM, Paul Nijjar wrote:
> On Fri, Feb 15, 2013 at 07:38:01PM -0500, Khalid Baheyeldin wrote:
>> On Fri, Feb 15, 2013 at 12:53 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>
>>>> In theory, yes.
>>>>
>>>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>>>> allows it).
>>>>
>>>
>>> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list goes
>>> on.
>>
>
>> All of them have forwarding and POP/IMAP. But Gmail is the only one
>> to have these features free of charge.
>
> In my investigations, I found that yahoo.ca had POP servers available
> for free but that yahoo.com did not.

Thank you for that. I hadn't picked up on that nuance. I have always 
used yahoo.ca. (Forward yahoo.com equivalent to yahoo.ca, and go from 
there?)

> In looking through this thread I am trying to figure out good advice
> to give to (somewhat computer anxious) computer users. So far I have:
>
> - Use NoScript (which I probably will not give as advice)

Although not directly germane to the attack vectors, you might have some 
success suggesting AdBlock+ or equivalents, some of which will have 
domain blacklists. Might also be reasonable to see if you can dig up 
something that will block 'foreign ips'. e.g. If you only speak English, 
no point ever getting a page from Russia, Asia, etc.

Use NotScripts in Chrome.

Even noscript and notscript is accepted better than I expected. If they 
always allow (whereas 'we' would normally only temporarily allow) sites 
with names they recognize, like google.ca / google.com, and leave 
blocked / mark untrusted names they don't, like, 
illstealyourpassword.org or illsendyoulotsofspam.info, some vectors will 
never be opened, and they'll have a better browsing experience.

Avoid safari (or rekonq) if possible - they do not have the 'rich' addon 
environment present in chrome, or let alone firefox.

Opera has some ecosystem attractiveness to it, if you can get over it's 
weirdness / differences from traditional browsing.

You might check out userscripts.org. There are addons for a number of 
browsers for it.

Trick will be to automate it for them. e.g. As part of logging in, could 
you send down the latest blacklist to them?

peerblock (used to be peer guardian) in windows, ipblock in linux. 
Better rules on your ipcop / firewall - won't help when they're out of 
your control, may help limit internal spread of outside acquired infections.

Anti-virus / malware - especially if they have xss guards. (Not that I 
can recommend anything.) On linux, schedule nightly clamav scans? [Don't 
know what else can be suggested on Linux / many don't feel anything is 
necessary - yet all that you have talked about here are cross-platform, 
browser, issues, which presumably Linux is susceptible to. May keep the 
systems operable, but still leave a miserable user browsing experience / 
result.]

> - Open links in separate browsers

That largely will be hard to be successful in. Many windows users will 
still only internet explorer, apparently. I have had some success in 
suggesting Chrome (which gets you the process separation), explaining it 
works better with google things, like docs - e.g. right-click works in 
it as expected. You may have success explaining different browsers for 
different activities - much like opening Calc for spreadsheets, opera 
for reading e-mail, chrome for other stuff, firefox for <x>, safari for 
<y>. [I end up using different browsers just to keep google accounts 
separate - calendar in one / account, chrome has domain account, etc. 
Otherwise, suddenly I'll be in the calendar of the wrong account and 
have to switch accounts back - which gets old, quickly.]

> - Be wary of weird links and attachments (and check that the URL does
>    not secretly point to a malware site)

Some browsers have cookie settings to only automatically accept cookies 
from the same site. May even be a security restriction somewhere saying 
a site can only access it's own cookies?

Note that many browsers will show you where the link goes, when you 
hover over it, in the lower right corner. Peek at it before clicking, 
for, as you say.

> - Change your password after an attack

(And make it a hard one. Make suggestions as to how to think about them 
- e.g. One guy I knew used 'I8' in some, standing for 'I Hate') 
'1m at home' sort of thing.

> - Don't stay logged into your email?

- bears further investigation before recommendation, as you will have 
resistance. If the attack vectors show e-mail must be open on a page, vs 
just cookies merely present on the computer.

> - Use plain text email to stop link spoofing

Big advantage here is it's very explicit where a link is going - no 
hovering to see, etc.

> - Stop using email
>
> Anything else?

- Migrate to chrome over internet explorer

- migrate off yahoo to gmail (given apparent yahoo cookie vulnerability 
expressed earlier) [Forward yahoo to gmail, start using gmail, reply 
from gmail - over time the migration will become known / you can 
eventually stop using yahoo. Gmail looking to have better spam 
protection within it. In the mean time, with forwarding / gmail use 
only, some vectors will inherently cease to be effective.

- refresh / redirect blockers?

- if you could automate blacklist / ip blockers, I would guess that that 
would be your most successful one stop shopping effort. You're still 
vulnerable, but many (known) vectors would get shut down.

Biggest thing seems to be user education, which is hard to be effective 
with, and little cause / effect deterministic success.

>
> I am still looking for confirmed stories about how these vectors
> attack. We have lots of speculation (and it is telling that everybody
> has different theories) but not much evidence.

Sort of nature of the beast, I suppose. It it were well documented / 
known browsers would build in counters. e.g. redirects of redirects 
would counter much of the above.

All of this sounds very much like a kwlug.org post. Perhaps one, with 
links to 'Top 10 sites of how to protect yourself' for users, and 
another with a collection of the technical info you have collected for 
technical type readers.