29 comments:
Again, using the internet is a public activity with no expectation of privacy. Somebody alert Brett Favre.
I gave up sitting in cafes when they all jacked up the volume of their ambient music (to discourage people hanging out?).
I've noticed that the Sequoya branch wi-fi is encrypted now, and I wonder if this is why.
Hey, the unexamined life is not worth living. Why deny yourself the pleasure of wifi over coffee and banana bread?
Cookie stealing has been around for a while. All this guy did was encapsulate it into a Firefox extension. I've used packet sniffers in my neighborhood when I did some wardriving and it's unbelievable how many open networks and WEP-encrypted networks there are. WEP can be cracked instantly now, but WPA, WPA2 with TKIP encryption should keep you solid for a long time to come.
wv = godasm = Is this how intelligent design started?
I'm glad this is getting publicity. Too many people engage in secure activities over unsecured wi-fi. Maybe this will serve as a wake-up call.
traditionalguy, this particular exploit raises a very different issue. It's not that somebody unauthorized can potentially read your FB status message that you posted, but that somebody sharing your WiFi connection can easily pretend to BE you and post a phony status message on your behalf. That's a very legitimate and serious issue.
B4 the Internet the idea of going to a cafe or a bar was just so one could "hack" or "get hacked"..
Now.. I don't know what the hell is going on.
PatHMV...Thanks! There is a lot to learn.
Just stay off of public, unencrypted Wi-Fi and don't send sensitive information through insecure http connections, meaning when you're about to "sign in" or otherwise submit information through a website, make sure the URL you're visiting begins with "https" rather than plain "http", before you hit the "submit" button. Better yet, most modern browsers, such as Firefox and Safari, have additional indications that you're on a secure website. Firefox puts a blue tag around the beginning of the URL bar which will give you security information about the site you're visiting if you click on it.
Here are my recommendations:
1. Be extremely judicious about sending any sensitive information through the internet. Don't give anyone information of any kind unless you have to, and only then once you've weighed the risks carefully.
2. UPDATE YOUR SOFTWARE FREQUENTLY! Make sure you frequently check for updates to your web browser software and your computer operating system. Most software has an "automatically check for updates" feature. Use it! Old software, especially of the Windows variety, is extraordinarily vulnerable because it's already had a million holes punched in it.
3. Use a firewall. Most operating systems have a built-in firewall. Enable it!
4. Don't click on links to sites where you'll then sign in. Always type the address, such as www.citibank.com, in the URL bar yourself. And, in general, be careful about any links you click, as you don't need to do anything except click on the wrong thing to be compromised. As a rule, I never click on any link ending in .ru or .cn (Russia and China's extensions).
5. If you have a home Wi-Fi network, SECURE IT! DO NOT RUN AN OPEN, UNSECURED WI-FI NETWORK. You're asking for trouble. My Wi-Fi network uses WPA2 security protocol with a completely random 20-character key which I change frequently.
6. Change your important passwords frequently.
Maybe some don't want the protection.. call it "going commando" ;)
It's public while private.. no it's private while in public.. it's navigating publicly in private.. I think.
That's a new one... I posted a long comment and it appeared in the thread but now it's gone. If anyone has a copy of this comment could you send it to me?
Is the expectation of privacy while using an open wifi different from using a cell phone in public, say a public transit bus?
Granted, one only hears half the cell call.. (not missing much, most cell calls are bs anyways)
wv - blyme
If anyone has a copy of this comment could you send it to me?
sorry I missed it.
"Hey, the unexamined life is not worth living. Why deny yourself the pleasure of wifi over coffee and banana bread?"
That answer is easy for me. The money I could have spent for a laptop, and free café wifi, has instead gone to pay for my daily Starbucks coffee and banana nut loaf. Shamefully, this little ritual costs $30 a week, and over $1500 a year.
Never did the math before! Help! In need of new ritual!
Lem, as Pat noted, this doesn't just expose your data, it allows others to masquerade as you.
A year or two ago, I developed a system to mitigate this effect. For the technically minded, it uses digest authentication enabled by JavaScript and HTML5 local storage to generate a unique key for each page load, so it is not susceptible to playback attacks. Unfortunately, local storage is not widely enough supported by browsers to make this desirable to site owners.
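A minimal sketch of the kind of per-request proof the comment above describes, added here as an illustration and not the commenter's actual system. It assumes a per-session secret agreed at login and kept client-side (localStorage in a browser) plus a request counter; `signRequest`, `SessionVerifier` and the sample paths are hypothetical.

```javascript
// Added illustration: signRequest and SessionVerifier are hypothetical names.
const crypto = require('crypto');

// HMAC over everything that identifies this one request.
function mac(secret, sessionId, counter, method, path) {
  return crypto.createHmac('sha256', secret)
    .update([sessionId, counter, method, path].join('\n'))
    .digest('hex');
}

// Client: in a browser, secret and counter would live in localStorage;
// a plain object stands in for it here. The secret itself is never sent.
function signRequest(store, method, path) {
  store.counter += 1;
  const { sessionId, secret, counter } = store;
  return { sessionId, counter, method, path,
           proof: mac(secret, sessionId, counter, method, path) };
}

// Server: remembers the highest counter accepted for each session.
class SessionVerifier {
  constructor() { this.sessions = new Map(); }
  open(sessionId, secret) { this.sessions.set(sessionId, { secret, last: 0 }); }
  verify(req) {
    const s = this.sessions.get(req.sessionId);
    if (!s) return 'unknown-session';
    const want = Buffer.from(mac(s.secret, req.sessionId, req.counter, req.method, req.path), 'hex');
    const got = Buffer.from(String(req.proof), 'hex');
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return 'bad-proof';
    if (!Number.isInteger(req.counter) || req.counter <= s.last) return 'replayed';
    s.last = req.counter;
    return 'ok';
  }
}

function demo() {
  const secret = crypto.randomBytes(32); // constructed sample secret
  const server = new SessionVerifier();
  server.open('sess-1', secret);
  const client = { sessionId: 'sess-1', secret, counter: 0 };
  const sniffed = signRequest(client, 'POST', '/status'); // what a listener sees
  return {
    legit: server.verify(sniffed),                        // first use is accepted
    replay: server.verify({ ...sniffed }),                // same bytes sent again
    retarget: server.verify({ ...sniffed, counter: 2, path: '/settings' }),
    next: server.verify(signRequest(client, 'GET', '/feed')),
  };
}
console.log(demo());
```

This only stops a passive listener from replaying or retargeting what was captured; request and response bodies are still readable on the wire, and anyone able to alter the page's script in transit can read the secret.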
There are many things in the IT world that are the IT equivalent of building a dump truck on a Volkswagen chassis.
Complex web applications using HTTP is one of them.
If HTTP actually had "sessions" and wasn't a stateless protocol, this sort of hacking would be much more difficult.
Folks who secure website applications for a living lose much sleep over issues just like this, thanks to our dear buddy, HTTP.
Lem, as Pat noted, this doesn't just expose your data, it allows others to masquerade as you.
And here I was thinking I was boring ;)
Note how this and the post about Mee seem to dovetail. A great reason to stay away from those places.
Ann Althouse said...
I'd kind of already given up my once-raging habit of hanging out in cafés on café WiFi.
Being married, especially happily married, does that to one.
WV "unshum" When shumming becomes a bad idea.
Young Hegelian, I love your analogy. As you noted, cookies are a weak attempt at adding state (memory) to HTTP. HTML5 allows somewhat more secure state to be maintained. In a few years, when browser support is more universal, I think it may be an acceptable free alternative to SSL.
Use the WiFi link to open an encrypted VPN tunnel from your smartphone or laptop to your home DD-WRT router's PPTP server via a DDNS lookup.
Set the VPN tunnel as your default route and surf in privacy anywhere: hotel, cafe, airport, etc.
Suckers!
A guy writes a virus, calls it a proof-of-concept, and gets everyone hysterical.
Next up, logging in to a computer as administrator lets you corrupt the system.
Palladian said...
That's a new one... I posted a long comment and it appeared in the thread but now it's gone. If anyone has a copy of this comment could you send it to me?
You aren't the only one. It's been happening to me as well.
YoungHegelian said...
There are many things in the IT world that are the IT equivalent of building a dump truck on a Volkswagen chassis.
Complex web applications using HTTP is one of them.
If HTTP actually had "sessions" and wasn't a stateless protocol, this sort of hacking would be much more difficult.
Folks who secure website applications for a living lose much sleep over issues just like this, thanks to our dear buddy, HTTP.
HTTPS would solve that issue pretty darned quick I think.
There is so much stuff out there about everyone already because we were so naive in the beginning. I think there should be a giant reset button that wipes the entire web, but alas I dream.
Now when I hang at the cafes I don't use their free wifi. I use an aircard from my cell phone company. Free would be nicer because this device certainly is like the opposite of free.
Three words: "Virtual Private Network"
Joe: This isn't a virus, or a proof of concept.
It's a packet analyzer with built-in support for getting session identity for various popular services, and a large number of people have used it in the wild.