Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …
" change your password without re-typing the old one"
You're so mercifully free of the ravages of Best Practice
Re: " change your password without re-typing the old one"
Odd. Perhaps it's just Outlook, but the last time I tried to change a Microsoft account password, it wouldn't let me until I responded to the automated e-mail sent to another e-mail account.
So what should we do? Is logging out then trying to log in again and using the wrong password good enough?
Don't connect to wifi networks you don't know. Don't use a shared computer. Lock your work computer when leaving your desk. All of these should be standard procedure anyway.
These attacks seem pretty minor to me (apart from the e-voting case), the attacker needs physical access to the network and computer. If a hacker has physical access to your computer you're screwed anyway.
"Don't connect to wifi networks you don't know. Don't use a shared computer"
So you go travelling to a few countries but have to take your own laptop with you and only use roaming data to connect?
Easier just to refresh the page after logging out (or press the back button) and see if you still have access.
I would guess always shutting down the browser afterwards will also work.
Not safe to use roaming data - they could spoof the cell.
If you go abroad it's safest to unspool your own fibre - and don't drink the water
VPN back to base before browsing?
...the attacker needs physical access to the network and computer.
That is not what was described. This is a man-in-the-middle attack which requires access to the network, not the computer. The point of using a "naughty" access point is to get a victim to attach to the wrong network, so advice to the effect of not connecting to networks you don't know is good in as much as the target notices the cloned name showing up is somehow different than expected.
As far as Gmail requiring that the old password be typed in before changing it, I wonder how difficult it would be to display a bogus page requesting the current password be input. Not everyone would bite, but this sort of thing is a numbers game: attack millions, but only affect thousands. It still adds up.
...not forgetting to tie a few empty tin cans to your end, so you can detect if they're trying to cut the fibre for a literal man-in-the-middle attack.
ARP spoofing means you don't need to install/compromise a router
The article fails to mention that you don't actually need to install special man-in-the-middle hardware such as a rogue wifi AP or ethernet router. You can use ARP spoofing to perform man-in-the-middle attacks as long as you have access to the same subnet as the target.
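As an added illustration of the detection side of this comment's point (example code, not from the article or the commenter): a small monitor that reads ARP reply lines in the shape of `tcpdump -n arp` output (the sample lines below are constructed, not a real capture) and flags the two signatures of ARP poisoning, an IP whose advertised MAC changes (especially the gateway's) and a single MAC that claims several IPs.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output (not a real capture).
# The first two replies are the legitimate gateway and a client; from 10:00:05 a
# third MAC starts claiming both of their addresses.
SAMPLE_ARP_LOG = """\
10:00:01.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:01.200 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb, length 28
10:00:05.300 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.310 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
10:00:07.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip=None):
    """Return a list of alert dicts. A changed IP->MAC binding is reported once per
    change (HIGH when it is the gateway), and a MAC claiming a second IP is reported
    once per new IP, since a poisoner typically impersonates gateway and victim."""
    last_mac = {}                   # ip -> most recent MAC that claimed it
    ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed so far
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "kind": "mac-change", "ip": ip, "old": prev,
                           "new": mac,
                           "severity": "HIGH" if ip == gateway_ip else "MEDIUM"})
        last_mac[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append({"ts": ts, "kind": "multi-ip", "mac": mac,
                               "ips": sorted(ips_by_mac[mac]), "severity": "HIGH"})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, gateway_ip="192.168.1.1"):
        print(alert)
```

The same check can be run on a live feed by piping `tcpdump -n -l arp` into the parser; legitimate IP aliases on one host will also trip the multi-ip rule, so treat that one as a prompt to verify rather than proof.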
I just tried to change my outlook password, and it DOES require me to enter the current one in order to set a new one...
What to do? Just close the browser.
I have to ask this (I also know it will get a lot of down votes) but who in their right mind uses a browser for email? Maybe it has become the fashion now to use html in emails, again, why?
There are some cases where webmail is clearly the best solution, such as if you're traveling without your own device. But aside from that, I think most people are just more comfortable in a web browser. Traditional email programs feel rather clunky and require (minimal) technical knowhow to set up correctly.
Isn't it just easier to ask the NSA or GCHQ for copies of all the target's emails?
Re: But surely...
Getting really old now.
One small flaw...
Man in the middle
It's hardly a surprise that as soon as you get near-physical contact to a victim's device then you'll get a lot of options to perform malicious attacks. One of the reasons why you should be careful with using your tablet or phone out in the open while you have no clue what (or if) wifi networks are being used.
Of course the majority doesn't care at all, as long as they can read their e-mails, tweets and do some online banking.
They can have mine.
I only talk about taking over the world on my blogs, never on email, so I'm probably safe.