Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack

Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …

COMMENTS

This topic is closed for new posts.
g e
Silver badge
FAIL

"change your password without re-typing the old one"

Ahhh Microsoft.

You're so mercifully free of the ravages of Best Practice

14
2
Silver badge

Re: "change your password without re-typing the old one"

Odd. Perhaps it's just Outlook, but the last time I tried to change a Microsoft account password, it wouldn't let me until I responded to the automated e-mail sent to another e-mail account.

2
0

So what should we do? Is logging out then trying to log in again and using the wrong password good enough?

0
0
Silver badge

Don't connect to wifi networks you don't know. Don't use a shared computer. Lock your work computer when leaving your desk. All of these should be standard procedure anyway.

These attacks seem pretty minor to me (apart from the e-voting case); the attacker needs physical access to the network and computer. If a hacker has physical access to your computer you're screwed anyway.

4
0
Anonymous Coward

"Don't connect to wifi networks you don't know. Don't use a shared computer"

So you go travelling to a few countries but have to take your own laptop with you and only use roaming data to connect?

Easier just to refresh the page after logging out (or press the back button) and see if you still have access.

I would guess always shutting down the browser afterwards will also work.

2
0
Silver badge

Not safe to use roaming data - they could spoof the cell.

If you go abroad it's safest to unspool your own fibre - and don't drink the water

1
0
Silver badge

VPN back to base before browsing?

0
0
Bronze badge
Childcatcher

Pretty Minor

...the attacker needs physical access to the network and computer.

That is not what was described. This is a man-in-the-middle attack which requires access to the network, not the computer. The point of using a "naughty" access point is to get a victim to attach to the wrong network, so advice to the effect of not connecting to networks you don't know is good in as much as the target notices the cloned name showing up is somehow different than expected.

As far as G-mail requiring that the old password be typed in before changing it, I wonder how difficult it would be to display a bogus page requesting the current password be input. Not everyone would bite, but this sort of thing is a numbers game: attack millions, but only affect thousands. It still adds up.

1
1
Bronze badge
Devil

...not forgetting to tie a few empty tin cans to your end, so you can detect if they're trying to cut the fibre for a literal man-in-the-middle attack.

0
0
Alert

ARP spoofing means you don't need to install/compromise a router

The article fails to mention that you don't actually need to install special man-in-the-middle hardware such as a rogue wifi AP or ethernet router. You can use ARP spoofing to perform man-in-the-middle attacks as long as you have access to the same subnet as the target.

http://en.wikipedia.org/wiki/ARP_Spoofing

2
0
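As an added illustration of the defender's side of the point above (this is example code, not something from the article or the commenter): a minimal ARP-spoofing detector that watches ARP replies on a subnet and flags any IP address claimed by more than one MAC, which is the symptom of a host answering for the gateway. The packet list is constructed sample data; the IP and MAC values are made up.

```python
# Added example: detect ARP spoofing on a local subnet by spotting an IP
# address that is claimed by more than one MAC address. All data below is
# constructed for illustration; nothing here comes from the article.
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac) pairs in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # an ordinary host
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, consistent
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # a second MAC claims the gateway IP
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_conflicts(replies):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC.

    MACs are recorded in the order first seen, so the first entry is the
    baseline mapping and any later entry is the conflicting claimant.
    """
    seen = defaultdict(list)
    for ip, mac in replies:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def gateway_is_spoofed(replies, gateway_ip, expected_mac):
    """True if any reply claims gateway_ip with a MAC other than expected_mac.

    Pinning the gateway's known MAC is the usual way to turn the generic
    conflict check into a high-confidence alert for the default route.
    """
    expected = expected_mac.lower()
    return any(ip == gateway_ip and mac.lower() != expected
               for ip, mac in replies)


if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP_REPLIES).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    print("gateway spoofed:",
          gateway_is_spoofed(SAMPLE_ARP_REPLIES, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

In practice the reply list would be fed from a packet capture or from periodic snapshots of the host's ARP cache; a static ARP entry for the gateway is the corresponding mitigation on the client side.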

I just tried to change my outlook password, and it DOES require me to enter the current one in order to set a new one...

0
0

What to do? Just close the browser.

1
0
Bronze badge

I have to ask this (I also know it will get a lot of down votes) but who in their right mind uses a browser for email? Maybe it has become the fashion now to use html in emails, again, why?

1
0
Silver badge

There are some cases where webmail is clearly the best solution, such as if you're traveling without your own device. But aside from that, I think most people are just more comfortable in a web browser. Traditional email programs feel rather clunky and require (minimal) technical knowhow to set up correctly.

0
0
Black Helicopters

But surely...

isn't it just easier to ask the NSA or GCHQ for copies of all the target's emails?

0
2
Bronze badge
Stop

Re: But surely...

Getting really old now.

0
0
Silver badge

One small flaw...

Man in the middle

It's hardly a surprise that as soon as you get near-physical contact to a victim's device then you'll get a lot of options to perform malicious attacks. One of the reasons why you should be careful with using your tablet or phone out in the open while you have no clue what (or if) wifi networks are being used.

Of course the majority doesn't care at all, as long as they can read their e-mails, tweets and do some online banking.

0
0

They can have mine.

I only talk about taking over the world on my blogs, never on email, so I'm probably safe.

0
0