In-Session Phishing
Post 302282489 by Linux Bot on Saturday 31st of January 2009 10:10:17 AM

The in-session phishing attack is a game-changer. This attack exploits the trust of a trusted site (e.g. shopping, banking) by jumping in mid-session in the form of a pop-up. "Your session has timed out, please log on again" or "please reset your password" is what it might state. Since it appears to be originating from the trusted site, the victim complies, sending login credentials not to the trusted server but to the bad guys.

More information can be found here.

Consider the analogy that a trusted site is like your home. You protect your credentials like you do the keys to your front door, and once you've crossed the threshold of either, you feel safe and your guard is down. Anything that happens from that point forward is assumed safe. So when you see a pop-up during one of these trusted sessions, you are not suspicious. You do not consider that it could be like a stranger suddenly appearing in your living room.

We are still very focused on protecting the front door, but this is myopic because we don't consider that at some point your session could be compromised or hijacked.



We have to be, alas, more vigilant when using protected sites. We cannot assume that crossing the front door equates to a perpetually safe session until you log out. Web browsers need to start verifying the source of pop-ups, and allow users to check the validity of pop-ups. But pop-ups would be personally verified probably as often as SSL certificates are currently (i.e. rarely.)

Unfortunately (going back to our analogy) this added vigilance is akin to checking every room and looking around corners even when you're home! And this could prove to be too much for the average user. Let's hope a technical solution arrives soon.
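
The source check the post asks for, sketched as an added example that is not part of the original post: it compares where a mid-session login prompt is rendered, and where its form would submit, against the origin of the trusted session. The function names, reason strings and all URLs are hypothetical, and the sample prompts are constructed.

```javascript
// Added example (hypothetical names, constructed data).
// Decide whether a login prompt shown mid-session would send credentials
// to the site the user actually logged in to.
function checkCredentialTarget(sessionOrigin, documentUrl, formAction) {
  const trusted = new URL(sessionOrigin);
  let doc, target;
  try {
    doc = new URL(documentUrl);
    // An empty action submits back to the rendering document itself;
    // relative and protocol-relative actions resolve against it.
    target = new URL(formAction || documentUrl, documentUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable-url" };
  }
  // 1. The prompt must be rendered by the trusted origin (scheme+host+port).
  //    Lookalike hosts such as bank.example.com.login.test fail here.
  if (doc.origin !== trusted.origin) {
    return { ok: false, reason: "prompt-from-foreign-origin" };
  }
  // 2. Credentials must not be downgraded to cleartext.
  if (target.protocol !== "https:") {
    return { ok: false, reason: "non-https-target" };
  }
  // 3. The form must post back to the trusted origin, not a third party.
  if (target.origin !== trusted.origin) {
    return { ok: false, reason: "credentials-leave-trusted-origin" };
  }
  return { ok: true, reason: "same-origin" };
}

// Constructed sample prompts: [document URL, form action].
const SESSION_ORIGIN = "https://bank.example.com";
const SAMPLE_PROMPTS = [
  ["https://bank.example.com/account", "/session/renew"],
  ["https://bank.example.com/account", "//collector.test/submit"],
  ["https://bank.example.com.login.test/relogin", ""],
  ["https://bank.example.com/account", "http://bank.example.com/login"],
];

// Returns one reason string per sample prompt, in order.
function reviewPrompts() {
  return SAMPLE_PROMPTS.map(
    ([doc, action]) => checkCredentialTarget(SESSION_ORIGIN, doc, action).reason
  );
}

console.log(reviewPrompts());
```
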

