61 Comments
- underburn, on 10/10/2007, -4/+26You mean some hacker could potentially hijack my Digg session and digg stories I bury?! OH NOEZ!
- inactive, on 10/10/2007, -0/+15use WPA with strong passwords.. if you don't know what you are doing, you are bound to get *****.. it's not just a technology thing you see..
- trghpy, on 10/10/2007, -0/+13Hello Onion Router!
I prefer to ssl or ssh into my home server and surf from there.
What ever happened to Google's VPN host project for this sort of thing? It would let you VPN into Google and thus encrypt into and out of Google's network.
- Scheissenegger, on 10/10/2007, -2/+14Nice article, but geeks wanna know how to do it....
how to perform MITM attack: http://coolblog.profit42.com/2006/08/14/so-you-thought-ssl-was-safe/
simple sniffing with Wireshark: http://coolblog.profit42.com/2006/07/26/how-to-get-someones-e-mail-usernamepassword-the-danger-of-wep-cracking-part-1/
and since you are busy with hacking anyway:
WEP crack: http://coolblog.profit42.com/2006/08/02/92/
WPA crack: http://coolblog.profit42.com/2006/08/20/cracking-wpa/
- mojo31979, on 10/10/2007, -0/+9True, have you ever tried to bake a pie??
- useful, on 10/10/2007, -0/+8i remember doing this in 2001 and it was old news then
next 802.11xxxx2231ultra will come out and they will release ANOTHER story saying that you can get your ***** stolen because someone told the gateway to pipe your port 80 traffic over their custom proxy server
- tzonic, on 10/10/2007, -3/+9This is going to inspire a new generation of script kiddies. Heaven help us.
- trghpy, on 10/10/2007, -3/+8@rabidstrike
Not effective on public WiFi.
- alok0, on 10/10/2007, -0/+5http://dyndns.com or http://freedns.afraid.org/ could help you :D
- Homunculiheaded, on 10/10/2007, -0/+5I have a dumb question and will probably be dugg into oblivion, but how do you get a static ip so that you can connect to your home remotely? Or is there something obvious that I'm missing?
- Otto, on 10/10/2007, -1/+6So? Don't access critical services over public wifi without using a VPN connection to a secure site.
- stupergenius, on 10/10/2007, -0/+5You pay your ISP some dollars more per month or use something like http://www.dyndns.com/services/dns/dyndns/.
- Scheissenegger, on 10/10/2007, -0/+5ONLY THE WPA ONE IS DICT ATTACK, THE WEP WORKS WITH ALL POSSIBLE COMBINATIONS.
cracking time of WEP depends on CPU speed and data flow, approx about 10 minutes.
- Error601, on 10/10/2007, -0/+3That's what it's talking about. The login is secure but the rest of the session is not so a middleman system would only have to snag your clear text browser cookie for google to think it's authorized.
- randomgeek, on 10/10/2007, -0/+3Worked fine here. Maybe he's not the idiot?
- baldr, on 10/10/2007, -0/+3Google decided to make it usable only at their free wifi locations, info here:
http://wifi.google.com/download.html
- brklynmark, on 10/10/2007, -0/+3If you knew what you were doing, this article is getting you over the biggest hurdle in doing whatever you want to your masturbatory fantasies' computer. I mean your neighbor's computer, your 17 year old female neighbor's computer.
- rootchino, on 10/10/2007, -1/+3How about an article on how to do this, my neighbor has
these two 17 year old daughters that are annoying as all *****...
i'd love to be able to set their profile background to 'tubgirl'
at a moment's notice.
- chrisbtig, on 10/10/2007, -0/+2I was going to say that too... who would be dumb enough to access their financial services on the free WiFi at Starbucks? But I can understand logging into sites like Gmail, Facebook or eBay on a public WiFi.
- xtlosx, on 10/10/2007, -0/+2yes, error is absolutely correct, you might want to read the article next time before you comment... He mentioned wanting persistent https connections instead of just the login, but the overhead for a couple of thousand people logging into the gmail cluster might become high..... Just use VPN's back to your home, much simpler, then tunnel through your Proxy server, which is what I do... try and sniff that :)
- cricoste90, on 10/10/2007, -1/+3Just use WPA2 with a 63 character key that's got some odd characters in it.
Make hurdles for the "hacker" by enabling MAC filtering, disabling DHCP, disabling networking and only allowing the use of a guest password for all wireless computers, etc.
- PRlME, on 10/10/2007, -0/+2Cause of Diggs evil commenting system about 1000 will not see this conversation -=(
- SanTe, on 10/10/2007, -0/+2Yes to WPA2 with a long, non-dictionary passphrase. No to MAC filtering and disabling DHCP, which don't help in any way except to make your network less user friendly and convenient for yourself.
Very helpful:
The six dumbest ways to secure a wireless LAN
http://blogs.zdnet.com/Ou/index.php?p=43&tag=nl.e539
- Kyan, on 10/10/2007, -0/+2Umm, no. It takes practice as does anything worthwhile learning. In the kitchen, making a fruit pie is about the easiest thing you can do from scratch. And back when the term was invented, scratch was the only way to make anything.
I mean I guess in line with this thread you could say baking an apple pie "is as easy as a dictionary attack". I guess it depends on what you've had practice doing.
- smurf22, on 10/10/2007, -0/+2Get my myspace account?! They could potentially ruin my non existent social life!
- sjbdallas, on 10/10/2007, -0/+2Using instant pudding, a graham cracker crust, and tub of cool whip is easy.
Making dough, rolling out the right thickness, getting into a pie crust w/out tearing, chopping up the fruit to the right size, measuring out the right amount of sugar and spices, figuring out what kind of top to have (fully covered or lattice), getting that put on right, then trying to bake it so the edges don't burn but the inside cooks? Huge pain in the butt.
- aallaann, on 10/10/2007, -0/+2If you use PSK then any authorized user can sniff packets from any other authorized user. So the same attack is possible, but only those who have the pre-shared key can launch the attack. Still you probably wouldn't want your kid breaking into your online accounts.
- miakeru, on 10/10/2007, -0/+2VPN is not an authentication method. Instead it basically tunnels your internet connection, encrypting it before transmitting it and preventing anyone else on the WiFi network from peeking in. More information in the Wikipedia: http://en.wikipedia.org/wiki/Virtual_Private_Network
- randomgeek, on 10/10/2007, -1/+3Yes, because everyone has a VPN to a secure site.
- habbofresh, on 10/10/2007, -0/+1and alienate your 12000 friends!!!! ONOES!
- richardiscool, on 10/10/2007, -0/+1WEP can be cracked without a dictionary attack.
- iapx, on 10/10/2007, -0/+1The reason why the session is not entirely protected is that it consumes a massive amount of CPU computing-power!
That's so simple!
- mythandros, on 10/10/2007, -1/+2Even funnier is the fact that the first two attacks only work if you've already got access to the network which you can't do with the second two attacks unless your target has selected a dictionary word as a password. Furthermore, SSL is safe because the traffic is encrypted. You'd be sniffing out an encrypted username/password combo which is pretty useless.
- richardiscool, on 10/10/2007, -0/+1Err... yeah, unless they're using a DECT phone, which 99% of cordless phones are.
- Otto, on 10/10/2007, -1/+2Use good wireless encryption. ***** duh...
- math0ne, on 10/10/2007, -2/+3Easy as pie?? I think that is a slight exaggeration of the situation.
- Error601, on 10/10/2007, -0/+1Step away from the bong.
- LordofShadows, on 10/10/2007, -0/+1Digg ate my newlines after making one little correction...
The http protocol is stateless, it doesn't remember if you are logged in or not. Cookies were added to provide state to http protocol. A cookie is pretty much a plain text line in the http request that you can set to whatever you want, it provides state by sending whatever you want to remember to the server every time you request a page. A sessionid is a cookie that the server uses to identify you when you are logged in. (It uses a unique id to identify you instead of sending the actual persistent data)
Webpages like gmail use a secure connection so people with packet sniffers don't get to see your username and password sent in plaintext. (literally user=bob&pass=bobisgod) which is good. But then they leave the secured mode and send out your sessionid in plain text. Which, if found out by someone else, while you are logged in, would allow someone to be logged in as you. -- They won't know your password, but it doesn't matter much cause they are already logged in.
Example http request with php style session id: (that number is the only thing separating your logged in state from someone else's)
GET / HTTP/1.1
Host: www.digg.com
Cookie: PHPSESSID=123456b0bf8a8f2fd46f43925b4c47b1;
- SanTe, on 10/10/2007, -0/+1"SSL is safe because the traffic is encrypted."
SSL certificates can be forged, so don't put blind faith into SSL. It's better than nothing, but not bulletproof.
- ScionX, on 10/10/2007, -0/+1Breaking News: Fire is hot!!!!
- LordofShadows, on 10/10/2007, -0/+1The http protocol is stateless, it doesn't remember if you are logged in or not. Cookies were added to provide state to http protocol. A cookie is pretty much a plain text line in the http request that you can set to whatever you want, it provides state by sending whatever you want to remember to the server every time you request a page. A sessionid is a cookie that the server uses to identify you when you are logged in. (It uses a unique id to identify you instead of sending the actual persistent data) Webpages like gmail use a secure connection so people with packet sniffers don't get to see your username and password sent in plaintext. (literally user=bob&pass=bobisgod) which is good. But then they leave the secured mode and send out your sessionid in plain text. Which, if found out by someone else, while you are logged in, would allow someone to be logged in as you. -- They won't know your password, but it doesn't matter much cause they are already logged in. Example http request with php style session id: (that number is the only thing separating your logged in state from someone else's) GET / HTTP/1.1 Host: www.digg.com Cookie: PHPSESSID=123456b0bf8a8f2fd46f43925b4c47b1;
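Added example, not part of the thread or of LordofShadows' comment: a defender-side check for the exposure that comment describes. It parses Set-Cookie response headers and reports session cookies issued without the Secure attribute (which a browser will also send over plain http://) or without HttpOnly. The sample headers and the session-name hints are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for session cookies that a browser
# would also send over plain http:// after an https:// login.

# Constructed sample header values (not captured traffic). The PHPSESSID value
# is the one quoted in the comment; the other names/values are made up.
SAMPLE_HEADERS = [
    "PHPSESSID=123456b0bf8a8f2fd46f43925b4c47b1; path=/",
    "SID=constructed-value; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
    "sessionid=constructed-value-2; Path=/; HttpOnly",
]

# Assumption: substrings that usually mark a login-session cookie name.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    """Heuristic match on the cookie name (see SESSION_NAME_HINTS)."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(headers):
    """Return (cookie name, missing flags) for each weakly protected session cookie."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

A cookie reported as missing `secure` is the case from the comment: the login may be encrypted, but the session identifier still travels in cleartext on every later http:// request.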
- inactive, on 10/10/2007, -0/+1true or you could just bookmark the secure page
- Error601, on 10/10/2007, -0/+1What session ID are you talking about? At the application layer?
- PRlME, on 10/10/2007, -1/+1KeyLogger dude KeyLogger, sure "us geeks" don't fall for it, but man are mySpace people stupid.
Even Clone SignIn pages that clearly say 110mb.com in the URL work. And before some idiot says something like oh you be doing it huh. No, I just went into an AOL chat one day and got spammed by some wannabe hackers. funny stuff.
- Error601, on 10/10/2007, -1/+1Side effect of posting on musician forums.
- habbofresh, on 10/10/2007, -1/+1need /b/lackup
- HalFTW, on 10/10/2007, -1/+1For those who won't remember to type https:// each time, customize google add-on can do it for you (as well as other stuff). https://addons.mozilla.org/en-US/firefox/addon/743
- jason469, on 10/10/2007, -3/+3"says one security firm."
Ha lol, I wonder why. Maybe if you're still running WEP, but most people use WPA now.
Using WEP is like using a pad lock on your back door (pun intended).
- madstringer, on 10/10/2007, -1/+1If you know anything about security, you know that session IDs (these days) are generated randomly, with each new packet receiving a newly-generated session ID before being sent. An attacker can't just spoof the next session ID in sequence (123997; 123998; 123999, etc); he/she must figure out how they are being randomly generated and correctly randomly generate the next session ID in order for the recipient to accept the packet. While this can be brute-forced, it isn't as easy as this article makes it out to be....
Anyone can sniff a wireless network, but most people will get lost on what to do with the data...
minus 1 for sensationalism...
Just *****' WPA/2 encrypt your wireless network already!