Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Page 2 of 2 < 1 2
Topic Options
#339224 - 08/11/2010 01:10 Re: So, I'm rethinking this gmail hack [Re: tfabris]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
There is another interface to Gmail as well and that is whatever protocol that the official Gmail application uses to talk to their servers.

The Gmail application on my Android phone can access my Gmail account even with IMAP and POP3 disabled. There doesn't appear to be any mechanism to disable access via the Gmail application.

Top
#339235 - 08/11/2010 10:27 Re: So, I'm rethinking this gmail hack [Re: hybrid8]
Tim
veteran

Registered: 25/04/2000
Posts: 1529
Loc: Arizona
Originally Posted By: hybrid8
Use 1Password (to store your passwords and other secure info and to spit back the password on the appropriate web site) - which should now be available for Windows as well. It will not enter the password unless you are on the real site. And since you're not typing the password yourself, it makes keyloggers useless for recording your passwords.

I was told that some keyloggers just read what is transmitted in the fields and doesn't actually log your keystrokes. How true that is, I have no idea.

Top
#339236 - 08/11/2010 10:58 Re: So, I'm rethinking this gmail hack [Re: Tim]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I'm not sure how it will read what gets transmitted on a secure connection though.
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

Top
#339245 - 08/11/2010 13:03 Re: So, I'm rethinking this gmail hack [Re: hybrid8]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
Without knowing exactly what the attackers did, it's hard to know. Maybe they found a cross-site scripting vulnerability or browser hack and were able to get JavaScript into your Gmail client to extract your login credentials. Hard to say. Unsurprisingly, Google is quite proactive at dealing with these sorts of attacks.

If you're using Google with your own domain, you can sign up for two-factor authentication. I've been using it for a while now and I'm quite happy with it. I'm running the Google Authenticator app on my Android phone, such that if I need to log in from a new machine, I have to type in the additional number alongside my password. Also interesting, Google effectively invalidated my password for IMAP and the like. They instead use a web form that generates separate one-time passwords for each place you'd normally use a password (home machine IMAP, work machine IMAP, PicasaWeb plugin for Adobe Lightroom, Android phone, etc.).

Needless to say, it's a bit bumpy getting it set up, but after that it's remarkably painless and potentially more resistant to these sorts of account hijacking attacks. Example: even if somebody could steal the credentials inside your browser, and thus work around the need to have a new one-time-password, I'll bet that the new IP address disagrees with the credentials so account access fails. I already feel sorry for the poor Google engineer who had to make all of this work with variable IP addresses behind NATs.

Top
Page 2 of 2 < 1 2