[svlug] Highly Effective Gmail Phishing

Ivan Sergio Borgonovo mail at webthatworks.it
Fri Jan 13 13:10:35 PST 2017


On 01/13/2017 08:58 PM, Akkana Peck wrote:
> Such a lot of great advice in this thread ...
>
>> Rick Moen wrote:
>>> 4.  I deeply distrust Javascript.  Well-tuned NoScript is your friend
>
> Ivan Sergio Borgonovo writes:
>> Today you really have to put your browser in a VM and start over from a
>> fresh snapshot every day.
>> Even banks fill their websites with tons of external sources of JS.
> [ ... ]
>> Even when you've some experience selecting sources of JS to authorize a
>> list of 20+ external sources, some of which you just discover after
>> you've enabled some is becoming a pain.
>
> Often it takes five or six iterations: even if you enable all six of
> the javascript sites on the first page, when you hit reload, the
> javascript from those sites brings in four new ones, and if you
> enable those and reload, there will be still more ... all of them
> required before you see any content on the page. It's loony.

Greed. Probably bad programming is a side effect of greed.

> So I use a separate browser, ideally one that doesn't save any
> cookies, passwords or any other information. I have a little
> python-webkit browser I use for that purpose, which starts up very
> quickly and doesn't have any way to store cookies or other info;
> but you can also make a separate firefox profile and run it with
>     firefox --private-window -new-instance -P profilename
> when you need a safe window. Go ahead and let it set cookies and
> such, then clean out the profile regularly -- like Ivan's VM
> snapshot suggestion, but without the VM.

The problem is not just about privacy... it's about security.

Furthermore, while JS, cookies etc. make it cheaper to track you, they
are no longer required to track you. [1]

You could turn off JS, delete cookies, avoid saving history etc... and
as soon as you e.g. turn off your adblocker you'll notice they
serve ads based on your past surfing history.
And yeah... it is not to help you, otherwise the Google app on Android
wouldn't keep on showing me news from Singapore just because I have a
Singaporean SIM ;)

A lot of code is remotely hosted. This multiplies the attack surface.
And most of this stuff doesn't do anything useful.

> If you use a separate browser for heavy-JS sites, make sure it looks
> different from your normal browser (if they're different profiles for
> the same browser app, you can install different UI themes), so if
> anything starts asking you to log in, you immediately know it's bogus.

I'm using different profiles with different themes with ffox but just 
because some sites I need require more relaxed policies.

Once upon a time I was more indulgent and I temporarily enabled more JS;
now, after enabling 2 or 3 obvious sources, when content is still
unreadable my policy has become GTFO.
There is a general overlap between low quality content and abuse of
JS. Time saved.

>> The fact that you can't authorize e.g. akamai.net JS just when it is
>> required from XYZ.com doesn't help.

> I sure wish noscript offered that sort of granularity.

[1] https://panopticlick.eff.org

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it http://www.borgonovo.net



