Report: "Sidejacking" session information over WiFi easy as pie
By Jacqui Cheng | Published: August 01, 2007 - 02:30PM CT

Users may think that their personal data is safe when they use a secure login page online, but that's quite far from the truth. In fact, everything from the contents of your e-mail, who your friends and acquaintances are, and almost anything else you can think of could be easily exposed by hackers if browsed via a WiFi network, security firm Errata Security pointed out in a recent paper presented at this year's Black Hat 2007 and seen by Ars Technica.

The method by which this data could become exposed is nothing new, but it is simpler than most "man-in-the-middle" attacks, says Errata. Many web services, such as Gmail, BlogSpot, Facebook, MySpace, LinkedIn, and Google Adsense, use cookies to identify session information after the user has already logged in. Using a basic packet sniffer over a WiFi network and a proxy server to pass the information through, a determined hacker can easily "sidejack" the session information as his own by stealing session IDs straight out of the WiFi signal. He could then use that session ID to represent himself as the original user, says Errata, which would allow him to do things like make blog posts, unfriend all of your Facebook friends (*gasp*), and read or send e-mails.

Even though some sites, such as Gmail, offer secure, SSL-based login pages, things aren't quite so secure post-login. Unlike many bank web sites that offer a secure browsing experience for the entire duration of the session, most sites dump the user right back out into unsecured territory after logging in, thus exposing their personal data to anyone who wants to get at it. The report provides several examples of session data pulled directly from Facebook, MySpace, Yahoo Mail, and BlogSpot sessions.

These concerns raise questions as to why some of these sites simply don't secure the entire session. In fact, some Gmail users have been asking for years now why encrypted sessions are not the default setting (or at least an option that one can turn on in the preferences), but those requests appear to have fallen on deaf ears thus far. Errata says that most of today's Web 2.0 sites don't use SSL throughout the session because of the costs involved. That doesn't answer the question as to why some sites don't offer it by default, however, even though such an option is already available. For example, Gmail sessions are not secured by default, but users can change the URL prefix to "https" while using Gmail in order to secure all of their data. However, Errata counters by pointing out that by the time users manually enter "https," they have already sent a session ID across the wire at least once.

Of course, there are several easy—if not inconvenient, at times—solutions to protect your data. The obvious answer would be to stick to secured WiFi networks that you know and trust (such as your home network) that would not have any strangers on them running packet sniffers. But if you do need to use public access points, avoid accessing web pages that might transmit personal information. Those who want to be extremely careful, however, will want to follow Errata's proposed solution: "[U]sers should never use a Wi-Fi hotspot unless they are using VPN (virtual private networking) or SSL (secure sockets layer) to access their accounts," the company says.

Filed under: security, packets, WiFi, SSL, more...
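The "session ID already sent across the wire at least once" problem above is exactly what the cookie Secure attribute exists to prevent: a session cookie set without it is attached to every request to the site, including plain-http ones that anyone sniffing the WiFi can read, while the same cookie marked Secure is only ever attached to https requests. The following is an added illustration using only the Python standard library's cookie jar (not code from the article or from Errata); the host name, paths and session ID are constructed, and no network traffic is sent, since we only ask the jar which Cookie header it would add.

```python
from http.client import HTTPMessage
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = HTTPMessage()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # HTTPMessage keeps repeated headers

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie_value):
    """Simulate an SSL login at `login_url` whose reply sets one session cookie."""
    jar = CookieJar()
    jar.extract_cookies(_SetCookieResponse([set_cookie_value]), Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`, or None."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the default policy, incl. the Secure check
    return req.get_header("Cookie")


def leaked_session_ids(set_cookie_value, plaintext_urls):
    """List the plain-http URLs on which the session cookie would travel in the clear."""
    jar = jar_after_login("https://mail.example.test/login", set_cookie_value)
    return [u for u in plaintext_urls if cookie_header_for(jar, u) is not None]


# Constructed values: a fictional webmail host and a fictional session ID.
WEAK_COOKIE = "SID=c0ns7ruc73d; Path=/"              # sent on http and https alike
HARDENED_COOKIE = "SID=c0ns7ruc73d; Path=/; Secure"  # only ever sent over https
PLAINTEXT_VISITS = ["http://mail.example.test/inbox",
                    "http://mail.example.test/contacts"]

if __name__ == "__main__":
    for label, value in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "cookie leaks on:", leaked_session_ids(value, PLAINTEXT_VISITS))
```

The hardened cookie still reaches the site over https, so the fix costs the user nothing; it only works, of course, if the site serves the post-login pages over SSL in the first place.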