[svlug] Highly Effective Gmail Phishing

Ivan Sergio Borgonovo mail at webthatworks.it
Fri Jan 13 03:35:59 PST 2017


On 01/13/2017 03:22 AM, Rick Moen wrote:

> 1.  I never share credentials (e.g., passwords) across multiple places,
> e.g., Web sites.  Every one of them gets a unique credential.  I store
> them all in 3DES-encrypted storage in my offline PDA.  To date, this has
> been a PalmOS PDA with the open source Keyring app
> (http://gnukeyring.sourceforge.net).  PalmOS PDAs are now so antique that
> I'm looking to find equivalent code for my Cyanogenmod tablet, instead.
> But the critical thing is to use a carefully sparse, _offline_ device.
>
> Every time I mention this category of credential storage, some people
> tout their 'password wallets' as if those were the same, but IMO they
> very much are not -- because they are online.  IMO, the same security
> attack that compromises your desktop/laptop having the ability to snoop
> on everything in your password wallet is A Very Bad Thing.
> (Disadvantage of Keyring:  Being offline, it doesn't permit
> copy-and-paste to my login session.  But IMO, the PDA's airgapping's
> advantages outweigh that inconvenience.)

My approach to the password problem has been:
- I'm not paid to remember and type passwords. If I have to remember more
than 5 there is something wrong with what I'm doing
- Educate myself to know what's important, what I can trust, and don't
rely on and trust what I cannot.

With that in mind I can happily live with software wallets.
OTP helps. Stuff like https://www.themooltipass.com/ even if not
air-gapped is interesting, but I don't think my Google password is
worth $170. Simply because I don't rely on any Google service for
anything important.

After all, if they have compromised any of my boxes, and I don't trust
too many boxes, an air-gapped wallet won't make too much difference.

And I'm not Hillary Clinton (or Renzi or Draghi... [1]).

> 2.  I never enter credentials for a security-sensitive thing (banking,
> medical, e-commerce) except in a context and manner initiated and
> operated by me.  So, using example of the phishing attack discussed at

This is gold. I'm just waiting for a bug in the URL bar.

> 3.  I distrust other people's recursive DNS nameservers.  Personally,
> I trust only my own, and think it's elementary caution to use (say) an
> instance of Unbound via 127.0.0.1 on one's laptop and eschew what DHCP
> provides -- except where it's your dhcpd and your recursive nameserver.

This should be strongly mitigated by https in most circumstances.

It is something I'm planning to implement as soon as I have a router
with enough memory to run a full-fledged DNS.
In April I may switch to a 1Gbit connection... and well... a SOHO router
won't be able to handle it. So I was thinking to set up something on this:
http://www.wispmax.com/pc-engines-apu2b4-system-board.html
or something by Ubiquiti (but I don't like to rely on one company for
firmware and I don't have a perfectly clear idea of what's running inside).

> 4.  I deeply distrust Javascript.  Well-tuned NoScript is your friend

Today you really have to put your browser in a VM and start over from a
fresh snapshot every day.
Even banks fill their websites with tons of external sources of JS.
I won't be surprised to find banks that make *external* sources of JS
*required* to use their site (it would be time to change bank).
So it happens more and more frequently that to be able to use the
content of a website you have to authorize far more *external* sources of
JS than you would like.

Even when you have some experience selecting sources of JS to authorize,
a list of 20+ external sources, some of which you only discover after
you've enabled some, is becoming a pain.

The fact that you can't authorize e.g. akamai.net JS just when it is
required from XYZ.com doesn't help.

And this is not an unavoidable consequence of progress; it is greed and
bad programming [2].

Still NoScript is an indispensable tool.
BTW, contribute to the Italian economy: https://noscript.net/
I've been told by friends from Palermo that Maone has a family ;)

> 5.  I deeply distrust webmail.  The more I hear about HTML-mail security
> and other complications, the more I love mutt.

And if you don't use mutt, you can still avoid rendering HTML and block
scripts in Thunderbird or, I hope, any decent graphical email client.

> 6.  I try to never rely overmuch on other people's routers and networks.
> Strong crypto helps, though with same-origin problems (helped by the
> HTTPS Everywhere extension) you may have non-https streams alongside
> your https ones.  Always remember that strong crypto's security is only
> as good as the security of each endpoint and that of the transport.
>
> But what I wanted to mention here is a browser extension so modestly
> simple it does an important job well:  CertWatch
> (https://certwatch.simos.info/).  What it does, and _all_ it does, is

Interesting. The coincidence of "they screwed the DNS I'm using" and
"they have been able to get a signed certificate" is unlikely but... not
so much [3].


[1]
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/

[2]
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/

[3] https://en.wikipedia.org/wiki/DigiNotar

> [2] More recently, though, they've most often attached 'skimmer'
> overlays to the real ATMs styled to look like part of the base unit,

Here it seems far more popular than in the US. Fortunately I use an ATM
once every 3 to 4 years.


-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it http://www.borgonovo.net
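The CertWatch idea in point 6 (remember the certificate a site presented last time, and shout when it changes) as an added example; this is not CertWatch's code nor anything from this thread, and the DER bytes in the test are constructed stand-ins, not real certificates:

```python
"""Trust-on-first-use certificate watcher, CertWatch-style (added example).

A DNS hijack (point 3) plus a rogue CA-issued certificate (DigiNotar, [3])
leaves the browser happy; what still gives it away is that the leaf cert
you see today differs from the one you pinned earlier.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a live server presents (network; not exercised by the test)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(store: dict, host: str, der_cert: bytes) -> str:
    """Compare the presented cert with the pin; returns 'new', 'unchanged' or 'changed'.

    On 'changed' the old pin is deliberately kept: a renewal and a hijack look
    identical here, so a human decides before accept() replaces the pin.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "unchanged" if pinned == fp else "changed"


def accept(store: dict, host: str, der_cert: bytes) -> str:
    """Explicitly re-pin after a reviewed change; returns the new fingerprint."""
    store[host] = fingerprint(der_cert)
    return store[host]


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))
```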
