Educause Security Discussion mailing list archives

Re: Firesheep/Cain& Able


From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 3 Nov 2010 13:20:32 -0700

  I remember, a few years back, taking a sysadmin to task for an email that
basically told users just "You should be afraid to use email."  I can't see
that "You should be afraid to use Web 2.0." is much of an improvement.
Threat warnings need to include some kind of useful advice, something
recipients can do to reduce their exposure.

We're going to experiment with WPA2; I expect we'll roll that out to our
production wireless networks soon.  And in the meantime, I've added "HTTPS
Everywhere" to the Firefox add-ons on all the machines I personally use or
administer.

David Gillett


-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Monday, November 01, 2010 11:23
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Firesheep/Cain& Able

On Mon, 01 Nov 2010 09:39:09 PDT, Isac Balder said:

Inform and educate users of sites that allow CSRF, XSS, etc.

"Dear Users: Most websites, including a lot that you'd expect better from,
are vulnerable to CSRF and XSS attacks. Be careful out there..."

Remember - "Web 2.0" isn't all that far from an *intentional* XSS attack. :)

Given that, I wonder what sane and useful advice you could actually give
users.

