Spear phishing with Slackbot for fun and profit – Eric Bailey
Sneaky social engineering in Slack.
Link tags: phishing
14
Security Checklist
Exactly what it sounds like: a checklist of measures you can take to protect yourself.
Most of these require a certain level of tech-savviness, which is a real shame. On the other hand, some of them are entirely about awareness.
Google AMP - A 70% drop in our conversion rate. - Rockstar Coders
Google hijacking and hosting your AMP pages (in order to pre-render them) is pretty terrible for user experience and security:
I’m trying to establish my company as a legitimate business that can be trusted by a stranger to build software for them. Having google.com reeks of a phishing scam or fly by night operation that couldn’t afford their own domain.
We need more phishing sites on HTTPS!
All the books, Montag.
If we want a 100% encrypted web then we need to encrypt all sites, despite whether or not you agree with what they do/say/sell/etc… 100% is 100% and it includes the ‘bad guys’ too.
Extended Validation is Broken
How a certificate with extended validation makes it easier to phish. But I think the title could be amended—here’s what’s really broken:
On Safari, the URL is completely hidden! This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.
Phishing with Unicode Domains - Xudong Zheng
Domains registered with punycode names (and then given TLS certificates) are worryingly indistinguishable from their ASCII counterparts.
Can you spot the difference between the URLs https://adactio.com and https://аdаctіо.com?
PushCrew Push Notifications for HTTP websites
A nasty service that Harry noticed in his role as chronicler of dark patterns—this exploits the way that browser permissions are presented below the line of death.
Certified Malice – text/plain
Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.
The Line of Death – text/plain
A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.
Twitter Status - Phishing scam
And this, boys and girls, is why the password anti-pattern is bad, m'kay?
Maybe the effort we go to as we think about the... · Ben Ward's Scattered Mind
"Facebook has rolled out an identity system — Facebook Connect — with a slick UI that trains a gazillion tech-naïve users to slap their identity credentials into any old website."
FatBusinessman.com : On Authentication
David has written an excellent comparison of the two differing mindsets when approaching online authentication. In no uncertain terms, OAuth (or an OAuth style authentication) is right and the password anti-pattern is wrong, wrong, wrong.
bunnyhero dev » Scaring people with fullScreen
Fullscreen mode for Flash movies could be used to totally freak people out. Here's how.
disambiguity - » Design Ethics - Encouraging responsible behaviour
Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?