Can your wireless network be sidejacked?

Well-known security researchers Robert Graham and David Maynor, founders of Errata Security, wrote an interesting paper for the Black Hat 2007 security conference being held this week. Their claim is that many Web applications are vulnerable after the initial logon takes place. Gmail and Facebook are two examples mentioned in the Network World article. The password exchange itself is encrypted with SSL, but after that the traffic between the browser and the Web server is sent unencrypted for the remainder of the session. Why? Simply put, encrypting the entire session costs more in bandwidth and server processing.

OK, so traffic isn't encrypted for the entire session. If the password is secure, why is that a concern? It comes down to the infamous cookie and the session ID it carries. After you log in, the server sets a cookie holding a session ID, and the browser sends that cookie with every subsequent request to prove it is you; the password is never sent again. If those requests travel in the clear, anyone who can see the traffic can read the session ID. According to Graham and Maynor, that value can be imported into another Web browser, which then presents itself to the Web server as the original user and gets the same access to the Web application, with no password required. This is called sidejacking, and it is obviously not a good thing.

Sidejacking can occur on any network where an attacker can see your traffic, but it is easiest on a wireless network, since the packet analyzer used to sniff the traffic doesn't have to be physically attached to the network; being within radio range is enough. If the wireless network is open (unencrypted), all the better for the attacker, since every frame is readable as it is.

So how do you prevent it? Here are some simple but, for the most part, inconvenient steps you can take to protect your data.

  • If possible, avoid using public or open wireless networks.
  • If you need to use a public wireless network, do not access Web sites that require personal information.
  • If you need to use a public wireless network and require access to a Web application that handles personal information, use a VPN or SSL proxy to reach the site, so the session cookie crosses the wireless link inside an encrypted tunnel.
  • Where a site offers it, use the https:// address for the whole session, not just for the login page; the sniffer then sees only encrypted traffic.

The real fix belongs on the server: serve the entire session over SSL and set the Secure attribute on the session cookie, so the browser never sends it over a plain HTTP connection even if a link or redirect drops back to http://. Until the sites you use do that, the steps above are what you have.

As I mentioned, these aren't very convenient, but they are much less of a hassle than trying to rectify the loss and misuse of your personal information.
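The mechanism described above, as an added example that is not part of the original article and is not Errata Security's Hamster or Ferret code: a few lines of Python that parse constructed plaintext HTTP requests as they would appear on an open Wi-Fi network, pull out the session cookie, build the request a sidejacker would replay, and then run the server-side check that defeats the attack (a session cookie without the Secure attribute is one the browser will also send over plain HTTP). The host name webmail.example.test, the cookie name SID and the request contents are all made up for the illustration; only the Python standard library is used.

```python
"""Added example (not from the article or from Errata Security's tools).

Walks through what sidejacking actually needs: plaintext HTTP requests
captured on an open network, the session cookie inside them, and the
replay request that reuses it. The last function is the server-side
check that closes the hole: a session cookie without the Secure
attribute will be sent by the browser over plain HTTP.

Host names, cookie names and request contents are constructed for
illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample capture: the login happened over HTTPS and cannot
# be seen, but the site then redirected to plain HTTP, so every later
# request (and its Cookie header) is visible on the wire.
CAPTURED_REQUESTS = [
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"Cookie: SID=deadbeef1234; lang=en\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n\r\n",
]

# Cookie names treated as session identifiers (site-specific; assumed).
SESSION_COOKIE_NAMES = ("SID",)


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers}


def harvest_session_cookies(raw_requests, session_names=SESSION_COOKIE_NAMES):
    """What a sniffer gets: {host: {cookie_name: value}} for session
    cookies that crossed the network in the clear."""
    found = {}
    for raw in raw_requests:
        req = parse_request(raw)
        cookie_header = req["headers"].get("cookie")
        if not cookie_header:
            continue  # e.g. static-asset requests carry no cookie
        jar = SimpleCookie()
        jar.load(cookie_header)
        host = req["headers"].get("host", "")
        for name, morsel in jar.items():
            if name in session_names:
                found.setdefault(host, {})[name] = morsel.value
    return found


def build_replay_request(host, path, cookies):
    """The request the sidejacker's browser sends: the victim's cookie,
    the attacker's client. No password is involved at any point."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    ).encode()


def sidejackable_cookies(set_cookie_header):
    """Server-side check on a Set-Cookie header value: a cookie without
    the Secure attribute is one the browser will also send over plain
    HTTP. Returns {cookie_name: True if exposed}."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: not morsel["secure"] for name, morsel in jar.items()}


if __name__ == "__main__":
    stolen = harvest_session_cookies(CAPTURED_REQUESTS)
    print("harvested:", stolen)
    for host, cookies in stolen.items():
        print(build_replay_request(host, "/mail/inbox", cookies).decode())
    print(sidejackable_cookies("SID=deadbeef1234; Path=/; HttpOnly"))
    print(sidejackable_cookies("SID=deadbeef1234; Path=/; Secure; HttpOnly"))
```

The harvest step is the whole attack: nothing is cracked, the cookie is simply copied out of a request that should never have been sent in the clear. The last two calls show the difference a single cookie attribute makes, which is why the Secure flag (together with serving the whole session over SSL) is the check to look for when reviewing a site's Set-Cookie headers.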

23 comments
csf1998

I have a few questions... 1) Without using the AirPcap drivers on Windows, I'm reading you need to use promiscuous mode (I use Atheros or Broadcom); neither works, nor do the AiroPeek drivers. Curious how people have gotten this to work with Atheros? Standard sniffing or associated mode doesn't yield the hamster.txt... 2) Will it work under WEP/WPA if you know the key? Easy way to test on a home network. Thank you!

jiggybewithit

That is not good, but can sidejacking be accessed if you have a secure wireless network?

adria.richards

Michael, I read the Network World article, but no one mentions the ability to continue the SSL session through the use of a nifty Firefox extension called GmailSecure (Digg link: http://digg.com/mods/Force_Gmail_to_use_secure_connection_(Just_for_FireFox)). And this article on Hackzine.com, "HOWTO: secure Gmail to prevent session hijacking", shows that simply adding an extra "s" to the http will put you back into a secure SSL mode. I've been using the GreaseMonkey script for months with no problem. There are many other cool scripts from GreaseMonkey contributors that tweak signatures, drag and drop of files and photos into Gmail messages and much more!

dawgit

Good write, Michael. I read George Ou's blog on this very event; I'm glad to hear a different perspective on it. I don't see anything new or spectacular about it, though. Why is it news? Has everyone in the US gotten dumber? Or just forgotten the basics? I don't get it. It seems like all grandstanding on what should be the obvious. There's nothing really new at all, just a simple 'Man-in-the-Middle Attack' with a few tricks. What galls me, as I pointed out in my thread to George, is the use of the 'Hamster' program. Not that I used it, but with what George's blog says, they're claiming it. tsk-tsk. "The (Java-) Hamster-Model has been taught in almost all the Java programming classes since at least '98 (I would say even earlier, probably even as early as '97, but who knows). Originally copyrighted (yes, a copyright, even) by Jürgen Haible and Thomas G. Liesner (who give each other credit) and many others. It has been released (to be used) as 'Freeware' by the owners (under their own licence), but... That doesn't mean that someone can claim it as 'theirs'. Some links: [ http://home.arcor.de/tgl70/ ] (the main site of Hamster from Thomas G. Liesner.) [ http://www.tglsoft.de/ ] (Thomas G. Liesner's main site; has links to the 'Hamster' under 'Freeware'.) [ http://de.wikipedia.org/wiki/Hamster_%28Software%29 ] (the Wikipedia site for 'Hamster'; sorry, I think it's only in German.) [ http://www.elbiah.de/hamster/ ] (the site of Jürgen Haible.) and from his site: "Hamster Playground is a free newsserver and mailserver software, which allows to collect news and mails from different servers. Collected messages are then available for any newsreader or mailclient on your local computer or on any computer in your family or company network. Hamster runs under all Windows versions (95, 98, ME), under Windows NT, 2000, XP and 2003 it can additionally be installed as a system service."
Point is, not only is Robert Graham breaking the law (OK, allowed here in that it could be considered a 'demonstration', POC) by hacking into people's on-line accounts, but he seems to be 'claiming' other people's work as his own. He does NOT get to go past 'GO', he does NOT collect $200, he goes straight to JAIL. (or at the least Programmers' Purgatory)" OK, that was a rant, but... I know that the point is to be more careful. That can't be repeated enough, it seems. But public, and therefore open, Wi-Fi is a part of the territory now, and we should be stressing the 'how-to's', and I don't see that done enough. -d (edited to put the ü's back in. hummmm)

Bill Detwiler

This is definitely a serious concern for the vast majority of business travelers who use public Wi-Fi hotspots. If you support a public hotspot and want to offer better security, check out this download (http://downloads.techrepublic.com.com/abstract.aspx?docid=305181). George Ou explains how you can set up a secure wireless LAN hotspot for an anonymous user using a single generic and common username and password that anyone can remember.

Nodisalsi

When assigning a SessionID (cookie or URL-encoded key=value pair), I've only ever used it to locate the user's persistent data in the server's TEMP folder. I've never trusted this as authentication. The persistent state data (user's login name, IP and last requested URL) can be string-concatenated and used as seeds to a hash function. The result of this hash function can then be *used as a key for every single request.* Then if another user tries to spoof from a different IP number, or even if the authorised user tries to spoof another URL, the authentication function should be able to catch it and respond appropriately. Now the connection method and protocol are totally transparent and we are secure again.

Michael Kassner

I agree with Dawgit as to the vulnerability of initially logging in. There are other security issues you may want to know about as well. Even SSL is not secure to a determined adversary in that they can mount a Man in the Middle attack that virtually takes over your connection and you are not remotely aware of it. This link describes in detail the attack process. I have attempted this in the lab over a Wi-Fi connection and timing is everything, that is why I mentioned it requires a very committed person to pull it off. http://www.sans.org/reading_room/whitepapers/threats/480.php

dawgit

The point, or moment, of vulnerability is the signing in to the network, and how that is accomplished. It has been that way since we started networking. (It was the primary way that crackers got into the banking system, by way of the teller machines, on dial-up, over an open, public telephone line.) There must be at least some openness for the network to even 'see' the legit computer wanting to sign in. It's all a matter of trade-offs as to how much you want 'convenience' over security. -d

Michael Kassner

My intent was to hopefully shed light on the fact that people have to make sure their supposedly secure sessions are indeed encrypted for the entire session. In researching this topic, I asked numerous power users what they understood about this topic. All of them were under the impression that their entire session was secure and they became alarmed when I mentioned that may not be the case.

wdewey@cityofsalem.net

I looked at George's article and I am not sure I completely understand how this works. Has anyone ever set this up in a production environment and used it? Bill

Michael Kassner

Thank you for mentioning that approach. If I understand it correctly that would eliminate the problem. The next step would be getting everyone to use that methodology.

csf1998

Yes, I'm trying to get Hamster and Ferret working to see how these tools work. I've used madwifi-ng for Linux; it works great, alongside the aircrack-ng toolset, and BackTrack as well. But under Windows, without AirPcap, I don't know how to get Atheros etc. working in promiscuous mode for these tools. Thanks

dawgit

on location. I mean in that not only which country you could be in, but also the actual location in that country or territory of the world. What type of connection do we talk about here? A type at the local coffee shop? At McDonald's? The airport? A hotel? They might all have different requirements for signing in to 'their' Wi-Fi (mostly due to payments, but not always). Not all connections will allow an encrypted 'Hello', but once that is done there is no reason (or excuse) not to be using some security scheme (even Yahoo has that available). The problem here is that gap between the user's computer (laptop) and the connection (as in the actual Wi-Fi antenna). It's not the last-mile problem, but the last feet (or meters). In that realm is where the most danger from a 'Man-in-the-Middle' attack occurs (which is why it is illegal almost everywhere). In that zone, even with a 'secure' VPN or SSL, is the most vulnerable. It gets worse for international travelers, since it is actually illegal for the most part to import/export encryption schemes/programs from one world area (or country) to another (example: from the US to Japan, to the EU, to Russia, or even China, or any combination of those trips or vice versa). That also is a nightmare in the international banking and finance branch. It (security) is 'required' by various laws and at the same time 'illegal'. You have the right idea, though, in making people aware of the problem (as I had hoped we all do), and you should be thanked for that. (George Ou too; he's always been on the soapbox on this.) My problem with these guys described here (or maybe their methods): they don't appear to have a solution, just an illustration of a 'known' problem (and, it sounds like, by also ripping off other people's work). Again, a thanks to you, Michael. -d (edited due to 'un-secure' spelling. ;\ )

Michael Kassner

I would like to try and help if possible. What areas do you have questions about? The approach suggested by George is pretty much the same approach that is used when you are sent to an SSL website (i.e., Internet banking). The wireless link is encrypted even before you enter your username/password combination. This creates user-to-user anonymity as well as traffic encryption even though you are using the same username and password. The real-world problem with this is that it requires a more complicated wireless network to be used. Not something most businesses want, as the ROI on a hot spot is somewhat nebulous to begin with.

Michael Kassner

I feel your frustration, as the developers most enthusiastic about Wi-Fi drivers are working in Linux. I hope some other members have found or even developed drivers for that chipset series. I have an older version of AirPcap and it worked to a certain extent, but not being able to deal with encrypted traffic was a huge negative. I am not sure if the newer versions are intelligent enough to decrypt WPA2. I personally have been using OmniPeek Personal for most situations and it works quite well.

dawgit

While that is certainly the case in our "I want it now" spoiled society, your concept of "Security will always be the inverse of convenience." I don't believe it must be that way. The same could also be said of "Thinking" or just plain old "Common Sense" these days. Or so it seems. Mega- or gigabytes of sensitive data left unattended in someone's car, or even house, has nothing to do with "Convenience"; it's just plain Stupid.!.. -d

Michael Kassner

You have focused on a basic premise that relates to more than just IT. Security will always be the inverse of convenience.

wdewey@cityofsalem.net

The main emphasis here is on a large convention. Important people tend to be at these functions and they tend to have a lot of important data. Why weed through thousands of accounts to get one good account when you can scrape the cream off the top? In the "olden days" things didn't happen as fast as they do now. A delayed response can cost lots of money in some cases, so that means people may not have a choice about how they connect and do business. Bill

lesko

While it's nice to have a fully encrypted session from beginning to end, it isn't always practical for massive-scale deployment. A server that can support, say, 10,000 non-encrypted webmail sessions can most likely only support 100 encrypted sessions. It gets very expensive, very quickly, especially if you are getting mail for free from Gmail or the like. One of the posts mentioned that the real insecurity lies in the last feet or meters; I tend to disagree. If a person with truly malicious intent wants to gather information to be used for profit, they would not be gleaning information at the source; you would try to get it as close to the destination as possible so as to be able to gather as many accounts, as much credit card info, etc. The person sidejacking you at the source is probably just playing around, or if they have malicious intent, while the threat is there, it is not as big a threat as those guys listening near the destination. Why don't we just treat mail and web like we did in the olden days... assume that everything is sent in the clear and there really is no security. The mantra given to all the techs was "email is like a postcard; everything can be read by anyone". As far as solutions go, there are plenty, and a lot of them are proven; SSL and IPsec are just a couple of examples.

thinker999

I thought that Yahoo only encrypted the initial password exchange, and the rest of the session was 'in the clear.'

Michael Kassner

That is how I see it working. It is a good idea and requires little client participation.

wdewey@cityofsalem.net

I didn't read through the RADIUS portion before. I think I understand now. The access point gets a profile from the RADIUS server that forces the connection to use the certificate to encrypt the connection at the specified encryption strength. Correct? Then access is allowed when the login is complete. Bill