Full Discussion: In-Session Phishing
Post 302282489 by Linux Bot on Saturday 31st of January 2009 10:10:17 AM
In-Session Phishing

The in-session phishing attack is a game-changer. This attack exploits the trust of a trusted site (e.g. shopping, banking) by jumping in mid-session in the form of a pop-up. "Your session has timed out, please log on again" or "please reset your password" is what it might state. Since it appears to be originating from the trusted site, the victim complies, sending login credentials not to the trusted server but to the bad guys.

More information can be found here.

Consider the analogy that a trusted site is like your home. You protect your credentials like you do the keys to your front door, and once you've crossed the threshold of either, you feel safe and your guard is down. Anything that happens from that point forward is assumed safe. So when you see a pop-up during one of these trusted sessions, you are not suspicious. You do not consider that it could be like a stranger suddenly appearing in your living room.

We are still very focused on protecting the front door, but this is myopic because we don't consider that at some point your session could be compromised or hijacked.



We have to be, alas, more vigilant when using protected sites. We cannot assume that crossing the front door equates to a perpetually safe session until you log out. Web browsers need to start verifying the source of pop-ups, and allow users to check the validity of pop-ups. But pop-ups would be personally verified probably as often as SSL certificates are currently (i.e. rarely).

Unfortunately (going back to our analogy) this added vigilance is akin to checking every room and looking around corners even when you're home! And this could prove to be too much for the average user. Let's hope a technical solution arrives soon.
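The post asks browsers and sites to verify where a mid-session prompt comes from. The following is an added example, not part of the original post, showing why that check has to be an exact origin comparison: a page-side handler for a "session timed out" message accepts it only when the browser-supplied `event.origin` matches the site's own origin, and rejects lookalike origins. The trusted origin `https://bank.example` and the `session-timeout` message type are constructed placeholders.

```javascript
// Added example (not from the original post). Assumes the trusted site is
// https://bank.example (constructed placeholder) and that the prompt arrives
// as a postMessage whose event.origin is set by the browser, not the sender.
const TRUSTED_ORIGIN = 'https://bank.example';

// Normalize through the URL parser so default ports, trailing slashes and
// host case do not cause false rejections or, worse, false acceptances.
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin; // scheme + lower-cased host + non-default port
  } catch {
    return null; // unparsable input is never trusted
  }
}

// True only for an exact match. Substring or suffix checks are deliberately
// avoided: "bank.example.evil.test" and "https://bank.example@evil.test"
// both contain the trusted name but are different origins.
function isFromTrustedSite(eventOrigin) {
  const got = normalizeOrigin(eventOrigin);
  return got !== null && got === normalizeOrigin(TRUSTED_ORIGIN);
}

// Decide what to do with a prompt that asks for credentials mid-session.
function handleReauthPrompt(evt) {
  if (!isFromTrustedSite(evt.origin)) {
    return { action: 'block', reason: `untrusted origin ${evt.origin}` };
  }
  if (evt.data && evt.data.type === 'session-timeout') {
    return { action: 'show-reauth', reason: 'same-origin prompt' };
  }
  return { action: 'ignore', reason: 'unknown message type' };
}

// Constructed sample messages, shaped like a browser "message" event.
const samples = [
  { origin: 'https://bank.example', data: { type: 'session-timeout' } },
  { origin: 'https://bank.example:443/', data: { type: 'session-timeout' } },
  { origin: 'https://bank.example.evil.test', data: { type: 'session-timeout' } },
  { origin: 'http://bank.example', data: { type: 'session-timeout' } },
  { origin: 'https://bank.example@evil.test', data: { type: 'session-timeout' } },
];
for (const s of samples) {
  console.log(s.origin, '->', handleReauthPrompt(s).action);
}
```

In a real page the handler would be registered with `window.addEventListener('message', handleReauthPrompt)`, and a blocked result is worth logging server-side, since it is direct evidence of a third-party window trying to inject a prompt into the session.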


Catalyst::Plugin::Session::Store::DBIC::Delegate(3pm)	User Contributed Perl Documentation

NAME
    Catalyst::Plugin::Session::Store::DBIC::Delegate - Delegates between the session and flash rows

DESCRIPTION
    This class delegates between two rows in your sessions table for a given session (session and flash). This is done for compatibility with Catalyst::Plugin::Session::Store::DBI.

METHODS
    session
        Return the session row for this delegate.

    flash
        Return the flash row for this delegate.

    _load_row
        Load the specified session or flash row from the database. This is a wrapper around "find_or_create" in DBIx::Class::ResultSet to add support for transactions.

    expires
        Return the expires row for this delegate. As with Catalyst::Plugin::Session::Store::DBI, this maps to the "session" row.

    flush
        Update the session and flash data in the backend store.

    _clear_instance_data
        Remove any references held by the delegate.

AUTHOR
    Daniel Westermann-Clark <danieltwc@cpan.org>

COPYRIGHT
    Copyright 2006-2008 Daniel Westermann-Clark, all rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

perl v5.14.2	2010-11-29	Catalyst::Plugin::Session::Store::DBIC::Delegate(3pm)