Friday, August 03, 2007

Automated password hijacking

Brian Krebs' Security Watch blog describes a hacking tool for stealing users' passwords from webmail sites.

This again shows the risks of connecting to the net through unsecured or public wireless networks, which I mentioned a few weeks back.

If you regularly use other people's networks, particularly wireless networks, you need to use Secure Sockets Layer (SSL) encryption. That means using webmail addresses that start with https:// rather than http://, and, if you use a mail program instead of a browser, mail servers that support SSL.

Brian's article notes that Gmail has a secure version: type https:// in front of the address instead of the plain http:// or www address.

I tried this with my Internet providers, Pacific Internet and Bigpond, and found they support these protocols on their logins.

Interestingly, Bigpond's webmail reverts to standard http:// once you've logged in. I'm not sure this is a good thing and that's going to need a little more research.
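What dropping back to http:// after login means in practice: once you've logged in, your browser holds a session cookie, and unless the site marked that cookie Secure the browser sends it with every plain http:// page view, where anyone on the same wireless network can read it and take over the session without ever seeing your password. The script below is an added example for this post, not code from the original article or from either provider; the host name, cookie names and response headers are constructed to stand in for a login that stays on https and one that reverts to http.

```python
"""Check whether a webmail session stays on https and whether its session
cookies are marked Secure.

Added example, not from the original post. The host, cookie names and
Set-Cookie headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def is_https(url: str) -> bool:
    """True if the address starts with https:// (case-insensitive)."""
    return urlparse(url).scheme.lower() == "https"


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute.

    A cookie without Secure is sent by the browser on plain http:// requests
    to the same host, so anyone sniffing the wireless network can copy it.
    """
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            if not morsel["secure"]:  # "" when the flag is absent, True when present
                names.append(name)
    return names


def audit_session(trace):
    """Walk a browsing trace of (url, set_cookie_headers) in visit order.

    Returns (http_urls, leaked_cookie_names): every page fetched over plain
    http://, and every cookie that was set without Secure and then carried
    along on a later http:// request to the same host. Simplification: the
    cookie Domain/Path attributes are ignored and only the exact host is
    matched.
    """
    http_urls = []
    unprotected = {}  # host -> cookie names set without Secure
    leaked = set()
    for url, headers in trace:
        host = urlparse(url).hostname
        if not is_https(url):
            http_urls.append(url)
            # anything already set without Secure for this host now goes in the clear
            leaked |= unprotected.get(host, set())
        for name in insecure_cookies(headers):
            unprotected.setdefault(host, set()).add(name)
    return http_urls, sorted(leaked)


# Constructed traces (hypothetical host and cookie names).
# Case 1: login and inbox both over https, cookie marked Secure.
STAYS_ON_HTTPS = [
    ("https://webmail.example.net/login",
     ["SESSION=abc123; Path=/; Secure; HttpOnly"]),
    ("https://webmail.example.net/inbox", []),
]

# Case 2: login over https, but the site reverts to http:// once logged in
# and never marked the session cookie Secure.
REVERTS_TO_HTTP = [
    ("https://webmail.example.net/login",
     ["SESSION=abc123; Path=/; HttpOnly"]),
    ("http://webmail.example.net/inbox", []),
]


if __name__ == "__main__":
    for label, trace in (("stays on https", STAYS_ON_HTTPS),
                         ("reverts to http", REVERTS_TO_HTTP)):
        http_urls, leaked = audit_session(trace)
        print(f"{label}: plain-http pages={http_urls} cookies exposed={leaked}")
```

Run it and the second case reports the inbox page fetched over http:// and the SESSION cookie exposed; the first case reports nothing. To try it against a real site, record the addresses and Set-Cookie headers your browser sees after logging in and feed them to audit_session in the same shape.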

I'm going to get into the habit of using https for all my webmail accounts. Naturally, you should always make sure financial websites use https before you log on.

Stealing passwords is a big and lucrative business for the bad guys. Using secure websites reduces your chances of being a victim.