Hacked Chrome web dev plugin maker: How those phishers tricked me The chap behind Chrome Web Developer, a popular third-party extension that was briefly hijacked to inject ads into browsers, today confirmed he was the victim of a phishing attack. Chris Pederick, a Brit living abroad in San Francisco, California, said he received an email on Tuesday claiming to be from Google warning that his …
And it is that it doesn't matter who you are or how much you know, its still painfully easy to get caught out by the criminals because we have built an infrastructure that's fundamentally insecure.
And this is why everyone who bleats about end users being the problem because they won't adopt super unique passwords, or whatever other precautions is themselves part of the problem. We have to get to an IT infrastructure where its easier to do it the right secure way than it is to do things the wrong way. The trouble is a lot of sacred cows will have to go by the wayside for that to happen.
"I seem to constantly be logged out of my Google account, so having to log in is not unusual"
This.
I've given up checking the cert on accounts.google.com or even checking that it isn't accounts.goggle.com; the stupid login page seems to pop up randomly at unexpected times. At first I found it suspicious, but it happens so often that now I just type in a password without checking.
Kudos to the guy for admitting it was his own fault and doing his very best to sort it out ASAP, given the piss-poor example set by PR agencies these days it's good to see there's still honest people about. As my Granny used to say, better to own up and face the music now than be found wanting later when it's far too late.
"that will be sure to generate an automated email to the owner which will alert them to the compromise"
I don't know about that - my phone pings me (and it even has a bloody persistent notification status icon all just for this, without me having installed anything FFS!) before I even raised my hands from typing the password logging in from a PC Google thinks it doesn't like; even having entered the correct (long!) password at the first try, even from the same geographic area as usual, with an IP that hasn't changed for literally decades, from which it saw me log in numerous times - my browser just don't have its latest and greatest cookie since I purge them at the end of session on this machine...
Somewhat ludicrously, I also get alerted by email, which I'm (as a suspected fraud) free to delete for a "real owner" never to see assuming "he" doesn't have a push-email receiving device and checks his mail the old fashioned way, periodically. So yeah, I'm not sure what if anything more doing stuff like changing a password would trigger, given I see the whole nuclear spectacle for simply logging in from anywhere but home, from the one browser I allow to keep cookies persistently...
Actually it's rather like Google rubber-stamping me on each login (the way some parties/clubs do once you enter) then slamming me against the wall and yelling "who are you and what did you do with the real DropBear?!?" each time I take a shower...
I am sure you can quickly read up on number of incidents when whole IP blocks have been announced by people other than their original owners.
Some like the Pakistan Telecom Youtube brouhaha have likely been fat finger/incompetence.
Other cases while portrayed as such (human error, etc.) have more likely been orchestrated by state players.
So - back to restricting access based on IP ... it works until somebody hijacks the BGP announcement.
access to accounts from only certain I.P. address help in such situations
Not really. Under quite a lot of situations (mobile access, use at work, etc etc) you can't really know what your IP address is going to be. And even if you do find out, those addresses won't be under your control and are subject to change without warning.
It might tighten up security a bit (subject to the limitations of other people also on the shared network with you will also have access) but the admin overhead would be too much.
Seriously, the miscreants gain total pwnage of a developer plugin with millions of users through clever social engineering but all they want is a tiny click through percentage. Something tells me that either we haven't heard the whole story yet or the developer should purchase some lottery tickets.
I have various customers where I've installed a program where the mail server disables links that are embedded in html. Works well apart from the occasional gripe that the link has to be copied, pasted and edited before it can be accessed.
It really is impossible these days to judge the bona fides of senders. For instance, would you associate zapiermail.com as being genuinely coming from Facebook? And, if you are used to that state of affairs, how would you know if it was spoofed to appear as if it was coming from Facebook?
A big moan I've mentioned in these columns before is BT's use of custhelp.com to offer help to their customers. Last time I looked custhelp.com was registered to Oracle, but if you're not an IT person that doesn't mean a thing.
It doesn't work with Exchange. I use Mdaemon which gives the flexibility to run an external program as part of its message processing routine, it takes the message filename as a command line parameter and you can then do whatever you want to the message so long as it's fast doing so, and doesn't crash. I use Delphi for anything like this.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
