December 07, 2009

If you give a hacker a cookie, he'll ask for a session ID.

Most clients I talk to have a basic understanding that a wireless network should be "secure". They do what they can to make their home and office wireless networks have some semblance of security. However, no one seems to have an issue checking their Facebook account from the local bookstore or pulling up some sensitive company emails at the airport. People make the assumption that since they have no sensitive information on their hard drive and they are running a really good anti-whatever, safety is assured.

I can promise you, it is not. And seeing what you are searching for is not the worst thing that a hacker can do. Let me explain:

You walk into your local bookstore and pop out your laptop. You find the wireless signal with the best strength, connect, and off you go to check your Yahoo! or Hotmail account. SuperAntiEverything 2009 tells you that you are secure, have no viruses, and no hacker in the world can access your computer. That's no problem for the hacker sitting in his car with a laptop and $5 worth of parts, because he doesn't want to get into your computer. He wants to become your computer.

When you logged into your email account, you typed in your password and sent it to Yahoo. This was probably an encrypted transaction (most sites will use SSL to encrypt your login), so a prying hacker would not be able to see this information. The site verifies the information and provides you with a session cookie. This bit of information is what prevents you from having to log in constantly as you move from page to page. It contains an ID of sorts that is meaningless by itself (it doesn't contain a username or password), but uniquely identifies you to the website until you log out.

As you navigate from the inbox to your address book, this session ID is passed to the server, which replies with the page you requested. The information is not secured like the login page was, and since this is an unsecured network at the bookstore, all of this information is unencrypted as it travels the airwaves.

The hacker sitting in his car picks up this signal on his laptop and uses a packet sniffing utility to view the contents of the information you are sending, including the cookie information you just passed. Now all he has to do is take the session cookie and inject it into his own browser. He can now surf around the site you are on as if he were you, without having to steal your username or password. Even after you have closed your browser and gone home, the hacker can take this session ID (provided you did not log out properly, which no one does unfortunately) and search every corner of your account with it. Post status updates. Send messages. Delete emails. Change your password. Worst of all, your firewall/antivirus/antispyware/browser/etc. won't protect you because the information is not being stolen until after it leaves your mobile device. It is a completely passive attack, nearly undetectable, and the tools to do it are easily found on the internet.

So how do you protect against this attack (known as "Sidejacking", a form of session hijacking)? The three most important things to remember are:

  1. Ensure when you are browsing to a site that associates you to an account, the session is encrypted with TLS/SSL. This means looking for "https" at the beginning of every page, not just the login page.
  2. Get your wireless network encrypted using strong protocols (WPA2) with strong passphrases and strictly control access to it. Avoid open networks for any work that is even remotely sensitive. 
  3. Properly log out of websites when you are done using them. This usually clears the session and renders any stolen cookies invalid. Look for the "logout" option, don't just close the window.
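
For anyone who runs a website rather than just visits one, here is the same problem from the server's side, as an added example that is not part of the original post. It replays a constructed browsing trace (HTTPS login, then plain-HTTP pages) and reports every request on which a session cookie set without the `Secure` attribute would cross the network unencrypted. The host name, cookie names and name heuristic are assumptions, and cookies are matched by exact host only, ignoring `Path`, `Domain` and expiry.

```python
from urllib.parse import urlsplit

# Constructed trace (not captured traffic): each entry is a URL the browser
# requested and the Set-Cookie headers the server returned for it.
TRACE = [
    ("https://mail.example.com/login", ["SESSIONID=8f3c2a9e; Path=/; HttpOnly",
                                        "CSRF_TOKEN=77aa01bc; Path=/; Secure"]),
    ("http://mail.example.com/inbox", []),
    ("http://mail.example.com/addressbook", ["theme=dark; Path=/"]),
    ("https://mail.example.com/settings", []),
]

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumption: name heuristic


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def find_cleartext_exposure(trace):
    """List (url, cookie) pairs where a session cookie travels over plain HTTP."""
    jar = {}      # host -> {cookie name: has Secure attribute}
    exposed = []
    for url, set_cookies in trace:
        parts = urlsplit(url)
        host = parts.hostname
        # Cookies already stored for this host go out with the request;
        # browsers withhold Secure cookies from http:// requests.
        if parts.scheme == "http":
            for name, secure in jar.get(host, {}).items():
                if not secure and any(h in name.lower() for h in SESSION_HINTS):
                    exposed.append((url, name))
        # Store cookies from the response for later requests to this host.
        for header in set_cookies:
            name, attrs = parse_set_cookie(header)
            jar.setdefault(host, {})[name] = "secure" in attrs
    return exposed


if __name__ == "__main__":
    for url, name in find_cleartext_exposure(TRACE):
        print(f"{name} sent unencrypted to {url}")
```

An empty result for a real site's trace means every session cookie was marked `Secure` or no page was served over plain HTTP, which is the condition item 1 asks you to look for.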

Got questions about sidejacking or wireless security? Respond below.
