WARNING: that 13-year-old with a laptop in Starbucks just hijacked your bank account.

Note: I'm writing this up for my less tech-savvy friends ... some of you knew how to do this before it was easy ... but now it is just stupid simple and anyone anywhere can do it. For another blog on this subject (showing how someone might actually use this attack to help educate people), see this page.

You see that 13-year old kid with a laptop over there? Or that 50-something? Doesn't matter where you are ... airport, Starbucks, next door neighbor's house, hospital lobby ... if you ever log in to a web service over an insecure session (more on that in a second) someone can hijack your web accounts if you aren't careful.

How? Well here's the surprise. You see when you log in to a website like Facebook or Yahoo mail you log in once to establish your identity. And if you log in over an insecure public network (pretty much any network like those at Starbucks, McDonald's, hotels, airports would qualify) and do not use a secure web service (ie, the web site starts with "HTTPS" ... "S" being the important letter) then someone else on that same network can intercept your password in real time.

That's been known for awhile, but I bet you didn't know that someone can intercept your session even after you have logged in. Why is this important? Because many sites will direct you to a HTTPS (secure) login page ... but once you've logged in they default to normal HTTP (insecure). But that's been known for a long time ...

Even worse? This is the part that this post is about ... once you log in securely if you are dropped to an insecure web server then someone can "sniff" the network you are on and get your "cookie". A cookie is what the site sends you when you first log in. It is a string of characters that you send back to the web site whenever you view a page that says "hey, I already logged in once, just use this instead of making me enter my password for every page".

Now what this means is that someone can, while at that Starbucks/hotel/etc, scan the network and once you appear on the network and load any information from a page like Facebook (and your browser will constantly do this even if you never touch that Facebook tab again). They can take your cookie and it will tell them not only what your name is on that service but it will let them click on it to immediately get into the site as you.

Now that might not seem too bad, right? They don't actually have your password. But wait ... what if one of those services is a web mail service? If they can access your email AND they happen to know anything about your other accounts then they might be able to go to that other service and use the "I lost my password, email it to me" option. What if they know where you bank? Well if they got your real name from your Facebook session ... they can also get your credit report in the matter of a minute or two.

How is this done? Well, the ability to do this was always out there. People with enough skill could use tools to read all of the data going across that open network. So this is really nothing new to the determined criminal. But now with the release of a software package called "Firesheep" -anyone- can do it inside the Firefox web browser. This software does all of the hard work for them. All they have to do is install it (takes less than a minute) and start up Firefox. Then they just watch until your name pops up on the screen. Once they do that they can click on your name and see anything you have access to on that service.

So ... what can you do to protect yourself? (Caps below for emphasis ... I'm not yelling at you :)

1) NEVER log in to ANY site you that has ANYTHING sensitive (and plenty of people consider the ability to post their Facebook status "sensitive") on an insecure WiFi network unless that site is using SECURE HTTP (HTTPS). That was basic "public networking 101" since WiFi came out and you probably already knew that.

2) Make sure that any site you access that you don't want others to access (like ... again ... Facebook or your email) not only let you log in over HTTPS but ALSO let you browse over HTTPS.

EXAMPLE: If you log in to Facebook right now it will go over HTTPS (although they're pretty bad about letting you realize this since it doesn't show up in their login page). However once you do that you will be put onto their unsecured HTTP site. At this point, if you had been on a public network, someone could have snatched your cookie. It would only have been safe if after you logged in you had been sent directly to a HTTPS address.

... In a case like the example above, you can sometimes force the site to let you browse securely by just changing the "HTTP" to "HTTPS". However it is important to re-state the face that if you had done this after logging in while on a public network it would have still broadcast your "cookie" that one time.

4) So if you wanted to be safe in the example above you would have needed to have logged in from a private network FIRST and then continued your browsing on the public network only after having changed it to "https".


Every link and image on that page, even after you changed it to HTTPS, is using standard HTTP (at least in the case of Facebook). That means you're still not safe. It is up to you to make sure ... before you use it on an open network ... that you can safely browse on HTTPS the entire time.

If the site you need to use simple won't let you secure your session you have 2 further options:

a) You can browse over a VPN ("virtual private network"). Those will encrypt your traffic but unless you get one from work or you have a very friendly networking guru in your life you will have to pay for this service. Even an extremely simple SSL VPN or Windows-based VPN will suffice.

b) Don't browse your site from that network.


I highly encourage you to encourage your favorite sites to work on this problem. They've known about it for years and years. But now they can't just ignore it. Or rather you shouldn't let them keep ignoring it.

PS. I used Facebook alot in my examples. It was easy. Hopefully at some point after this writing Facebook will have fixed their security issues ... but even if they do that (and I'll try to remember to update this if they do so) it won't stop OTHER sites from having the same problem. I know that in the past Yahoo mail did similar stuff with secure sessions and cookies. This is because running data over HTTPS requires more processing overhead and a little more cost than open web traffic. But in these days of open networks everywhere ... it is worth that expense.

No comments:

Post a Comment