75 Comments
- jamangold, on 01/14/2009, -1/+37
FTA: "Punch the yeti! Win a free Llama!"
I found my new email signature.

- logicslayer, on 01/13/2009, -1/+37
Really? Same old phishing... I don't really see this as a threat to myself. Sure, a lot of n00bs are going to fall for it, but that's all it takes for them to keep doing this.

- inactive, on 01/14/2009, -0/+30
You can have my social security number, I don't give a *****
457-55-5462
Go to town.

- bingostud722, on 01/14/2009, -0/+25
How about not putting your sensitive info into a pop-up? No website is going to time out and have you resume using a pop-up (and when I say pop-up, I mean an actual separate, small browser window, not an in-application pop-up).
Digg uses a sort of "pop-up" to have users log in initially, but it does not open a separate window, plus you have to prompt it to do that.

- vtnerd, on 01/14/2009, -0/+20
By not leaving yourself logged into finance-related websites while you're doing other things.
Need to check your balance? Log in, check it and then log off (close the tab/window if it helps you). If you are then prompted to log back on, you'll know that couldn't possibly be right and you'll ignore it.

- ChoiceMad, on 01/14/2009, -0/+17
I agree. It's just stupid to leave your bank (or similar professional agency that deals with vital information) login open and go surf the kind of crapsites that are prone to using ad pop-ups. People who haphazardly use the web like that almost deserve to be crapped on, to hopefully learn important life lessons.

- Fhwqhgads, on 01/14/2009, -3/+19
Wouldn't it suck for these phishers if there were NoScript and AdBlock add-ons for Firefox?
Experienced and security-conscious people use both.
This "threat" would still only affect noobs and dumbasses.
Title of the article is inaccurate.

- myxyplik, on 01/13/2009, -2/+18
Well, one way would be to clear your cache or close your browser right after you log off. Pretty simple, really.

- inactive, on 01/14/2009, -0/+10
Pop-up? What browser still allows pop-ups? Even IE has a pop-up filter now.

- Squidwalk, on 01/14/2009, -0/+10
Well, the article did mention Blizzard. Leaving your WoW client in windowed mode so you can check websites at the same time is pretty common. But you'd still have to be pretty dumb to think you have to log in again while your client is running. I could see how this sort of attack can seem more authentic. If people are falling for phishing that doesn't seem authentic at all, this sort of attack will be much more successful.

- ThatGeek, on 01/14/2009, -0/+10
You might want to go take a nap... it helps when I'm cranky.

- Mujokan, on 01/14/2009, -0/+10
"Dilbert" must be popular in your office.

- gamebittk, on 01/13/2009, -1/+10
Except this targets users during an open session.

- katzeyes, on 01/13/2009, -6/+14
Well, crap! I mean seriously, how do you protect yourself from that, aside from ceasing internet activities altogether?

- gowjo18, on 01/14/2009, -3/+10
No, it targets users who leave an open session while opening another browser. Anyone with cyber common sense would do their thing and close the browser immediately.

- matthewinDRO, on 01/14/2009, -0/+7
All your secure is now socially belong to me

- sepelester, on 01/14/2009, -0/+6
It could just as well target a less vital site you're a member of and not as likely to be as careful with, and steal your user credentials. Since most of us use the same password for several sites, they can easily get your email account, and then you're pretty much ***** if you own a domain name.
(Just an example; I'm sure people would give quite a ransom to get their Facebook account back after some serious abuse.)

- JackSchittt, on 01/14/2009, -1/+7
According to our official company policies, we're still supposed to be on IE6, and ONLY IE6. They plan on "approving" IE7 for official use sometime in 2010 (no, that's not a typo). Firefox is not allowed at all.
Despite the company being largely unable to get computers with XP installed on them anymore (due to contract issues), Vista isn't scheduled for approval until sometime in late 2010, either, after "internal testing and approval" are completed. This of course leaves the question of "What are people who need new computers supposed to do?" wide open. I'm still pressuring them for an answer on that one, with no luck so far.
Fortunately, 98% of the people I work with ignore such policies. Most upgraded to IE7 a long time ago, and I've even been able to convince a few of them to switch to Firefox. And I'm typing this from my work computer... with both Vista and Firefox installed.

- noumuon, on 01/14/2009, -0/+6
Mr. Davis? Is that you?

- inactive, on 01/15/2009, -0/+6
Mr. Anderson...

- charliwag, on 01/14/2009, -0/+5
/fail.
Read his name, it's not the real babyman.

- DickyT83, on 01/14/2009, -3/+8
I gotta say, that is a pretty badass idea.

- ahhell, on 01/14/2009, -3/+8
Phishing article posted by a Digg spammer. Interesting.
- Petronious, on 01/14/2009, -0/+5
The attack makes use of cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_fo ...
It's an issue for any authenticated session in a browser, particularly in browsers with JavaScript enabled.
Any HTTP or HTTPS request sent from a browser during an authenticated session will pass the authentication credentials along with it, even if the request originated from JavaScript or an image file on a different (malicious) website.
CSRF can be prevented by passing the session ID (or any authentication variable) along with all POST requests that could potentially alter sensitive or important information. No sensitive data should be modified via GET requests.
Unfortunately, the most difficult challenge may be stopping people from entering their passwords in pop-ups or prompts.
Bottom line: log out when you're done, homeskillet.

- subgeniusd, on 01/14/2009, -0/+5
Our Regional IT Morons say Firefox is a "security risk" due to lack of automatic security upgrades.
In the meantime, many of our computers still run IE6 because the on-site admin is too lazy to upgrade them.
Ask long-term computer users which browser they prefer and you get a blank stare... browser? Oh, you mean that Explorer thingy?
This planet is loaded with so much "low-hanging fruit" that anyone with a bit of sense and experience is safe from the cracker mafia.

- celotil, on 01/14/2009, -0/+4
I read about this, or something very much like it, a couple of years ago.
Although I hadn't had a prior habit of surfing casually while doing my online banking, I always start a fresh browser before any banking and close it completely afterwards, and these days I also use privacy mode as well to prevent any caching of my banking details.

- inactive, on 01/14/2009, -4/+8
MrBabyMan?!
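Petronious's comment above describes the server-side CSRF defence: tie every state-changing POST to the authenticated session and never change state on GET. The following Python is an added illustration written for this thread, not code from the Ars article or from Digg; it uses the standard synchronizer-token form of that idea (a random per-session token rather than the session ID itself) and assumes a constructed in-memory session and account store.

```python
"""Synchronizer-token CSRF check (added example, not from the article).

Model: the browser attaches the session cookie to every request, including a
forged one triggered by another site. The forged request cannot include the
per-session token, which only the bank's own pages carry, so it is refused.
Reads are GET and never mutate; mutations are POST and must carry the token.
"""
import hmac
import secrets

SESSIONS = {}                      # constructed store: session id -> session data
ACCOUNTS = {"alice": {"balance": 100}}   # constructed sample account


def login(user):
    """Create a session and mint a fresh random anti-CSRF token for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the site embeds in its own forms (what a cross-site page lacks)."""
    return SESSIONS[sid]["csrf_token"]


def handle_request(method, path, cookies, form):
    """Return (status, body). Only POST /transfer with a valid token mutates."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if path == "/balance" and method == "GET":
        return 200, ACCOUNTS[session["user"]]["balance"]
    if path == "/transfer":
        if method != "POST":
            return 405, "state changes require POST"   # GET never mutates
        token = form.get("csrf_token", "")
        # Constant-time compare so the token check does not leak by timing.
        if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
            return 403, "missing or wrong CSRF token"
        acct = ACCOUNTS[session["user"]]
        acct["balance"] -= int(form["amount"])
        return 200, acct["balance"]
    return 404, "no such route"
```

A request forged from another site arrives with the cookie but an empty form token and gets 403; the site's own form, which carries `csrf_token_for(sid)`, succeeds.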
- unluckier, on 01/15/2009, -0/+4
1) Consider locking down your web browser:
http://www.cert.org/blogs/vuls/2009/01/reference_i ...
Basically, use (and properly configure) NoScript if you're running Firefox. If you're using IE, you've got your work cut out for you.
and/or
Less obtrusively:
2) Use a different web browser for online banking. Seriously. It's trivial to do, and the protection against this sort of attack is huge.

- Thomasaka, on 01/15/2009, -1/+5
Nope, still sounds like it only affects morons to me. Anyone who logs in a second time from a pop-up window is indeed a moron.

- Squidwalk, on 01/14/2009, -0/+3
Some people have to use old browsers with limited features due to work mandates. I know NBC employees who have to use IE6 for some reason beyond comprehension. If they don't have SP2 installed on IE6, they still have pop-ups.

- Remelox, on 01/15/2009, -0/+3
Not a moron. Someone ignorant. I could see my dad falling for this. He is not a moron, nor is he exactly ignorant of tech; he shows military personnel how to use their computer systems. However, he is a bit ignorant of the internet and home computers. I could see him seeing the pop-up, thinking, "Well, this is new and annoying," and answering it. He knows enough about the internet to know people keep doing new things to their websites, often in the name of "Web 2.0".

- kimbja98, on 01/14/2009, -1/+4
Web browsers should run each tab in a sandbox (like a VM). No tab can communicate with another. Of course, this brings in the problem of having many tabs open for the same site, which is probably why they don't do this. Also, the large memory requirements could put people off, but perhaps this would work on a "per site" basis. I know IE already sandboxes, so if it dies, it won't take down the OS. Perhaps that principle could be extended to prevent these attacks?

- reddikilowatt, on 01/15/2009, -0/+3
So do what you have to do at the online bank and get out.
Who keeps their bank's web page open all day? I don't even keep my brokerage account open if I'm not trading.

- Awspire, on 01/14/2009, -0/+3
Probably the best defense against phishing sites is having your account secured with a security key token, like the protection offered by PayPal. Unfortunately, there's only a handful of banks that offer this protection. Hopefully people will start demanding this type of security from their banks or simply move over to those that do.
If you do have a PayPal account, I highly recommend adding their security key protection to your account, which can also be used to protect your PayPal account.
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Mark ...

- sepelester, on 01/14/2009, -1/+4
Click-generated pop-ups (target=_new, for example) are not suppressed. A pop-up could stem from a page you're currently surfing and hide behind a window without much notice. It's still a long shot, but even a tiny fraction would make it profitable (less than one hit in a million still makes spam profitable).

- Remelox, on 01/15/2009, -0/+3
So there is no Java on other operating systems? Doesn't that kind of ruin the point of Java?

- stuffradio, on 01/15/2009, -1/+4
Please reply to this message with your home address and credit card information.
Disclaimer: I need to check to see if the credit card is legitimate by spending an undisclosed amount!
Note: This is not any sort of "pop-up", so you can be sure it's legit!

- Nerys, on 01/15/2009, -0/+3
This is EASY.
NO WEBSITE. NOT ONE SINGLE FINANCIAL WEBSITE THAT I AM AWARE OF
will "pop" a login prompt on timing out.
NONE. So the moment you see one you should be suspicious, i.e. it still takes a moron to be fooled by this.

- inactive, on 01/15/2009, -0/+3
3 on front page right now.
Did he pinch them?

- jcaino, on 01/15/2009, -0/+3
But who's going to protect the children? Oh noes!

- Remelox, on 01/15/2009, -0/+3
Buried for inaccurate: this social security number does not belong to a Mister Moose Onthe Loose.

- mechfluff, on 01/15/2009, -0/+3
/facepalm
On one level, I can't believe people still fall for this *****, but then I remember all of the idiots I've seen who will fall for the simplest phishing schemes.

- Fhwqhgads, on 01/14/2009, -1/+3
>>> Need to check your balance? Log in, check it and then log off (close the tab/window if it helps you).
And wipe out the cookies and browser cache. I only keep cookies from a few sites I use all the time and that don't accept sensitive data. The rest get wiped.

- inactive, on 01/15/2009, -0/+2
@stuffradio
Okay, follow the URL below...
http://tinyurl.com/a7fgyn

- sexybobo, on 01/14/2009, -3/+5
Have Firefox remember your username and info. It autofills it only on legit sites; if it doesn't fill in your username, you know something is up. You can even just have it remember your username with no password if you are worried.

- PowerInside, on 01/15/2009, -0/+2
Mr Kerry

- Axed33, on 01/15/2009, -0/+2
I like Ars, but this smacks of sensationalism a bit.
Title: "New in-session phishing attack could fool experienced users"
Conclusion: "Between currently available solutions and inevitable patches, I think in-session phishing is going to find its nets mostly empty."

- mongqui, on 01/15/2009, -1/+3
Meh. I've got Windows Antivirus 2009. I can't be fooled.

- happyhamburgers, on 01/15/2009, -0/+2
I still think more people will be fooled by Nigerians with a massive inheritance.

- britoca, on 01/15/2009, -0/+2
Never say never, smart ass.