Friday, August 10, 2007

* How to hack unencrypted wireless session

Recently, I came across the information about unsecured WiFi connections. I am sure you are familiar with this scenario when you turn your laptop on in some of the buildings or neighborhoods, and your wireless card can find at least 2-3 unsecured wireless connections. Unfortunately, most of them are the result of the default configurations of the wireless router being pre-configured by the manufacturers and used by inexperienced consumers. While I can understand why they do it this way (for non-IT customers), it leads to a wide-open gate for hackers and this is not news, what is interesting is how easily Web app sessions can be hijacked on these networks.

Infamous Robert Graham, the CEO of Errata Security (I have the links to his web site in our Information Security Index), described the “man in the middle” attack. Robert hijacked a GMail session of a volunteer and showed how easily he could grab cookies and IP addresses and take over a session.

The attack is actually quite simple. First Robert needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement.

1. To ran the “Ferret” utility to copy all the cookies flying through the air

2. To clone the cookies into a browser with a home-grown tool called “Hamster”.

3. The attack can hijack sessions in almost any cookie-based web application (ex: Google’s Gmail, Microsoft’s Hotmail and Yahoo Mail).

4. Since those programs just uses cookies, getting the IP addresses and user names and passwords are not required.

How to protect your session? Hey, just use the SSL from the beginning instead of a pure HTTP session: instead of the http equivalent will be a good remedy.