
The timeline looks awesome:

  June 4th, 2016 – Emailed security@comodo.com and reached out on Twitter to @Comodo_SSL.
  July 25th, 2016 – Robin from Comodo confirms a fix has been put in place.
50+ days! Funny that the entity in question is the biggest CA.

That said, one should never click on links and buttons in emails. It's more comforting to be able to copy a link instead.

The part that makes this a real exploit is that the administrator of the target domain would only have to open the e-mail with a client that displays images in order to be exploited.

And that's true even if the client, like gmail, proxies the images: https://gmail.googleblog.com/2013/12/images-now-showing.html

I wouldn't even copy links. Too many unicode shenanigans and other URL display problems out there.

I made an exception for sites I was going to immediately use 1Password's autofill with, trusting its URL validation to save me from fakes. I hadn't considered that merely loading a malicious URL could cause trouble. I think I'll have to reconsider my policy on that.

I don't even open links from emails anymore, just login to the company's dashboard and find it instead. :/

That's how I handle phone calls, too. For example, if I get a call from a bank then as soon as they begin asking for personal information I inform them that I'll have to call them back. I do this even if I was _expecting_ a call from them.

I've never had a representative balk at this, but many times they'll give me a number and extension to call. But that would defeat the whole purpose. I tell them that I need a published number that I can independently confirm. Usually they just say it's fine to go ahead and use the number on their website.

None of this is foolproof. My confirmation of a phone number is usually rather cursory--a quick Google search comparing results with what I find on the company's website. But infosec crimes are becoming increasingly common and I'd rather not be the low-hanging fruit.

I heard of an attack that causes even calling back to fail. Because with some phone providers, when you hang up, it doesn't actually hang up. So you dial the new number thinking you are making a new call, but you are actually on the same call and they just play ringing sound effects for you, and have a new person "answer".

This only affects landlines, right? A smartphone tells you who you're connected to.

I'm not at all surprised. And at the end of the day I have no doubt that my social security number, driver's license number, bank account number, etc. are for sale on the black market.

But at least as of today I'm pretty sure those databases are still quite expensive as that information isn't as easily available. And even if it was more readily available, it's still advantageous for criminals to maximize their payout by being selective about the accounts they rob. Who knows what information is useful to them when determining risk and benefit. Credit card numbers are a dime a dozen, but the numbers of high net worth individuals (not me, obviously!) which see less scrutiny for high-dollar purchases are worth a heck of a lot more than the ones you dump after fraudulently charging $10. If I owned a Tesla and somebody called me up to ask questions about my Tesla, I'd neither confirm nor deny; I'd politely ask them their purpose, and if it seemed legit I'd call them back on a published line. (Obviously just telling them you'd call back is all they'd need to know to profitably classify your identity, so it's very much a judgment call.)

My rule is that if I haven't previously published the information, I'm not going to give it up easily unless I initiate the communication, even if I know the information is already public, such as birth date, place of birth, etc.

My goal is just to minimize my exposure to fraud; I can never eliminate it. And choosing not to divulge personal information unless I initiate the contact, whether by phone, e-mail, or whatever, is a relatively simple, convenient, and rote countermeasure I've employed for almost a decade now.

I don't care about the technical details, except in so far as it helps me to very roughly gauge relative risk. Criminals are specialists in their area and I'm not about to pretend I can keep up with the state of the art. At the same time, fraud enterprises, like porn, tend to be at the vanguard of technology. So if something is going mainstream it's a sure bet it's been underground for a while.

Can you provide more details? I haven't heard of this one and hope to educate myself better if it really is possible.

This is a potential concern with traditional analog POTS. There isn't an explicit signal to end the call on the analog side. Some switches take longer than others to detect when your phone goes on-hook and end the call. If yours takes a long time, then on the plus side, you can hang up one phone, walk to the other side of your house and pick up the other to continue a call, but on the minus side, an attacker could play a dial tone at you and trick you.

This can happen with connections between switches too, potentially; but modern (like 1980s modern) out-of-band signaling techniques on trunks generally prevent this type of thing.

Shortened URLs or extremely long ones are scary.
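The "unicode shenanigans" and shortened/overlong URLs mentioned in the comments above can be checked mechanically before a copied link is ever opened. The following is an added example, not code from the thread: it flags punycode hosts, mixed-script hostnames, userinfo-before-host tricks, known shortener hosts and very long URLs. The shortener list and the length threshold are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed assumptions: a small list of well-known shortener hosts and
# a length beyond which a URL is treated as suspiciously long.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
MAX_URL_LEN = 200


def script_of(ch: str) -> str:
    """Return the Unicode script family of a letter, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def url_warnings(url: str) -> list:
    """Return a list of human-readable warnings about how this URL may mislead a reader."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # "https://trusted.example@evil.example/" displays the trusted name first,
    # but the browser connects to whatever follows the '@'.
    if parts.username is not None:
        warnings.append("userinfo before host; real host is %r" % host)

    # Internationalised labels are encoded as xn--...; a reader sees the
    # decoded form, which may look like a familiar brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (IDN) host")

    # A host mixing Latin with Cyrillic or Greek letters is a classic
    # homograph trick (e.g. a Cyrillic 'a' inside an otherwise Latin name).
    scripts = {script_of(ch) for ch in host if ch.isalpha()}
    if len(scripts) > 1:
        warnings.append("mixed scripts in host: %s" % ", ".join(sorted(scripts)))

    # Compatibility characters (ligatures, full-width forms) that normalise
    # to something else are another way to disguise a hostname.
    if unicodedata.normalize("NFKC", host) != host:
        warnings.append("host changes under NFKC normalisation")

    if host in SHORTENER_HOSTS:
        warnings.append("shortener host hides the real destination")

    if len(url) > MAX_URL_LEN:
        warnings.append("very long URL (%d chars)" % len(url))

    return warnings
```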

Microsoft took almost a year to fix a bug I reported. A year after my initial disclosure, they finally issued an emergency patch for Exchange and gave me a bounty.
