
Posts tagged ‘phishing’

26 Mar

Safari, Mac OS X and Fraudulent SSL Certificates (Comodo)

Following the recent compromise of Comodo, a certificate authority that issues SSL certificates, users of the following domains are at a higher risk of phishing and man-in-the-middle (sniffing) attacks:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Attackers were able to obtain SSL certificates for these domains, essentially allowing them to pose as those websites. The certificates have since been revoked by Comodo, but revocation only protects you if the browser actually checks for it: either by downloading Comodo’s Certificate Revocation List (CRL) or by querying the Online Certificate Status Protocol (OCSP) responder. Firefox and Chrome were updated last week to block the fraudulent certs outright, but Safari doesn’t do CRL or OCSP checking by default.
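To make the revocation point concrete, here is an added example (not from the original post, and not Comodo’s or Apple’s code) that builds a throwaway CA with openssl, issues a certificate for a hypothetical host, revokes it, and then shows that the revoked certificate still verifies cleanly unless the verifier is explicitly told to consult the CRL. The CA name, the host name (login.example.com) and the config layout are all made up for the demo.

```shell
#!/bin/sh
# Added example: a revoked certificate is only "revoked" for clients that check.
# Everything here (CA name, host name, config) is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) configuration, written inline so the demo is self-contained.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_pol
[ any_pol ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
touch index.txt
echo 01 > serial

# Throwaway CA (hypothetical "Demo CA"), plus a leaf cert for a hypothetical host.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=login.example.com" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null

# The CA now "discovers" the cert was mis-issued: revoke it and publish a CRL.
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# A client that never looks at the CRL (Safari's default in the post): chain is valid, so it accepts.
verify_no_crl() {
  openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
}

# A client that does consult the CRL: the same cert is rejected as revoked.
verify_with_crl() {
  cat ca.pem crl.pem > ca_and_crl.pem
  openssl verify -crl_check -CAfile ca_and_crl.pem leaf.pem >/dev/null 2>&1
}

if verify_no_crl; then
  echo "without CRL check: revoked cert ACCEPTED"
fi
if ! verify_with_crl; then
  echo "with -crl_check:   revoked cert rejected"
fi
```

The first verify succeeds and the second fails with "certificate revoked"; the certificate itself is identical in both runs, only the client’s willingness to check changed. OCSP is the other channel for the same information (an online per-certificate status query rather than a downloaded list) and is not exercised here.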

Hit the jump for how to enable these checks in OS X and Safari.

12 Oct

Inform your Friends about their Hacked Accounts

Every so often I receive an email from someone I know; it talks about something completely random, and almost always includes a link at the end. The same thing sometimes happens on MSN and I get a message like this:

(12:02:36 PM) Friend: Hey! My cat had a spastic fit, and then coughed up a hairball! Check it out!

Now, whether that link goes to a malware site or just to someplace selling viagra is not the point. You don’t click on suspicious-looking links… do you?

In some cases they may have simply fallen for a phishing attack and typed their credentials where they shouldn’t have. They may even have been hacked due to weak secret questions. More often than not, however (and you see this a lot with Hotmail/MSN users), what’s happened is that they logged into their email or MSN on an infected computer, which recorded their credentials. In either of these scenarios the stolen info is sent back to the attacker’s HQ, where it starts being used to send out spam/viruses/porn/more porn/you name it.

The best solution is simply to change the password (and secret questions) for the account in question, and to do it from a machine that isn’t the infected one, since a keylogger will just capture the new password too. Be a friend, and tell them that they’ve been 0wned.

[Updated 19/01/2011]

13 Sep

XKCD: Password Reuse

Today’s XKCD is amusing, but it still makes a very valid point. After choosing ultra-stupid passwords such as “password”, “123456” and “abc123”, password reuse is the second biggest threat to the security of your accounts: one breached site hands the attacker a working login for every other site where you used the same password.

[XKCD: Password Reuse] Google and Mr. Black Hat think alike!
