[Cialug] Time to change your passwords.

Josh More morej at alliancetechnologies.net
Wed Oct 7 09:24:28 CDT 2009


In the past, the password-saving features in browsers have had
significant flaws.  Things are much better today, but I still question
the wisdom of tracking your passwords in a piece of software that is at
the outermost layer of attacks.  This solution also doesn't work well if
you use more than one primary system.

However, it would count as good advice for the non-technical.

It's also worth noting that many of these attacks are leveraging cross
site scripting flaws (which could access your password repo) and
overlays (which capture the human-entered UN/PW), so it's a complex
attack surface.  Mozilla is working on some interesting server-side
whitelisting technology, but we have quite some time before it gets
universally adopted (and even then, there is a DNS weakness).



-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> Matthew Nuzum <newz at bearfruit.org> 10/07/09 8:36 AM >>>
On Tue, Oct 6, 2009 at 6:04 PM, kristau <kristau at gmail.com> wrote:
>
> If
> so, then always logging in to your gmail, hotmail, yahoo, et al
> accounts by first typing the URL in the address bar should protect you
> against such an attack.

Maybe this theory is flawed, or only as secure as the browser vendor
(which if it isn't secure then what security do you have?), but
relying on the browser's username and password keeping feature could
help you avoid falling prey to a phishing attack.

If you have set ebay to remember your username and password and you
click a link for an interesting item and it doesn't remember your
username and password and you have to type it then alarm bells should
be going off.


-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug


