Pages

Saturday, 27 October 2007

Wifi webmail etc security: sidejacking - protect yourself






You're at risk from sidejacking when you use the internet via a free, or even paid-for, unsecured public wi-fi or WLAN (wireless networking) hotspot. That could include just accessing your Hotmail or other webmail, or your Facebook or MySpace or other social networking account, your Amazon account, etc.

An attacker on the same wifi network could "sniff", steal and use login details and info of users of that open WLAN - such as "AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth."

This is old(ish) news and has been well publicised e.g. by the Register, Heise Security, and even the BBC, but I didn't blog it at the time and it's important enough to bear repeating, especially as more and more people use free public wifi - e.g. on 8 October 2007 McDonald's announced the rollout of free wireless internet access across all their UK restaurants, to be finished by the end of the year, hmm I might even develop a taste for McNuggets!

So, what's sidejacking? It's a clever wheeze. Many websites use what's called SSL to securely encrypt or scramble the data that's sent between them and your computer so that even if bad guys could intercept and copy it they shouldn't be able to make sense of it. That's why when you make payments over the Net, you ought to make sure the webpage starts with "https", with the "s" being a vital indicator of an encrypted page.

However, most sites don't encrypt every single page you go to after you log in to their site. They might make the initial login process secure, but after that the web pages you visit on that site (e.g. different folders in your email account) will not necessarily be secure. So bad hackers can therefore intercept the unencrypted information, particularly the "cookie" files saved with your browser and sent between it and the site - and which are often used to log you in.

At various cybersecurity conventions in the summer a security firm Errata Security demo'd free tools they'd produced to make the process very simple. With those tools it's now dead easy for bad hackers to sniff your public wifi internet traffic and "clone" and "replay" your cookies: Ferret steals cookies and other info, and Hamster lets their browser (Firefox) make use of those cookies.

Even more generally, all sorts of other unencrypted info can be intercepted and copied, and used to deduce details about you or your accounts which can then be used by the thief, which Errata call "seepage", and which I think of as the electronic rather than human equivalent of social engineering. As Errata put it: "Examples of data seepage are what happens when you power-on your computer. It will broadcast to the world the list of WiFi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to."

See Errata's very interesting and not too techie slides about data seepage (in PPT format - if you don't have Powerpoint try emailing them to yourself in Gmail and then view them from there via Google Docs). As they say at the end, the best solution is to be aware of the danger - everyone really doesn't need to work from a coffee shop.

Demo and how to launch a public wi fi attack

If you weren't worried enough already, you might be interested to see this video demo.

The article it goes with provides a pretty full step by step practical howto on Ferret/Hamster for would-be hackers, with a slideshow of the exact screens on the attacking computer, and list of hardware/software needed! Plus some tips.

How to protect yourself?

How do you protect your security when you're accessing the Net through a public wireless connection, then?

The main thing is that the site has to be secure on every page - which is under the control of the site owner, not us consumers, unfortunately.

Before you login to a website, at least make sure that the page where you enter your details, the one with the boxes for your login info before you hit Submit or OK, is a secure page - i.e. starts with "https". But that's not enough, it has to be SSL all the way.

Google sites

Google didn't use to redirect users who tried to go to a http page to the https one, but since this news they automatically do that with Gmail, good on them! (try going to http://mail.google.com and you'll get automatically forwarded to a different, secure page). But you should still make sure that you start with an https page, and use something like https://mail.google.com for your bookmark or favorites i.e. the "s" version.

Google come out smelling of roses here not just because they now redirect Gmail users to an SSL page, but because it seems every page on Gmail uses SSL (https), so your Gmail should be safe from this particular attack as long as you login via a secure page.

If you're really paranoid you could use tools like the Gmail Secure Greasemonkey script for Firefox (how to install Greasemonkey and scripts) to force secure connections all the way through just in case. However, there's an even better and easier tool, which I'll come to in a moment.

You should note that, as Errata point out, only Gmail (and Gmail Chat) is secure in this way currently. You may still be at risk if you login on other Google "properties" like Blogger, etc - and of course now that your Google Account, which you use to login to Blogger, is used not just for Gmail but also Blogger and other Google services, someone who steals your Blogger login could use it for your Gmail too. So it would be great if Google were to make all logins and pages SSL across all their services. The Register article said there were options for many Google properties to keep Google Calendar and some other Google services encrypted throughout the whole session.

At first I couldn't find any options in the settings, only instructions for Google Calendar (which require Gmail Secure), and I also worked out that if you login to it with https i.e. https://www.google.com/calendar/render it does seem to stay at https.

But the best solution is to use CustomizeGoogle, a free Firefox extension (how to install extensions). It will force secure connections not only for Gmail but also for Calendar, Docs and Reader (after installation in Fox go to Tools, CustomizeGoogle options, pick each one of them down the left and tick the "Secure" box in turn):


I did try https with Blogger but it throws me right back to http... I have a feeling Blogger isn't high up on Google's secure connection list, but as Google Account info is vulnerable through that (and Picasa, etc, which has a secure login page but not after that) and can be used for any other Google service, I hope Google will fix all this soon.

Other sites?

Yahoo and Microsoft don't automatically redirect users to secure pages, sadly. Yahoo say they submit login details using SSL, but when I've tried Yahoo Mail there's not an "s" in sight throughout the login process or afterwards. In other words, I very much doubt you're secure on Yahoo! Mail. Unless it was a hiccup the times I tried...

With Microsoft Live Hotmail, you could click the "Use enhanced security" link then sign in. But the point is, after that, it's back to a http page - not https. So really you're not secure there either.

Why don't all providers and web services use SSL all the way? Because it's more expensive for them, of course, and they don't want to pay for it unless they're forced to.

So what do you do if you have Yahoo or Microsoft webmail, apart from switching to Gmail (which anyone can now do, for free)? You could try to see if the wifi network you're using has encryption, and if so turn it on. But if it's an open network... well you could lobby Yahoo etc to use SSL throughout their sites, but short of that, if you're using public wifi, you either have to live with the risk, or:
  • Don't use your browser, instead use suitable email software - encrypt the connection between your email program and the mail server (you need to use something like Outlook which has this feature of course, here's how) and access your Hotmail via POP (only available to paying customers so far but to be rolled out more generally in time; for free accounts I've found this option for POP but it does not allow SSL, so don't use it for wifi security). This works also for your ISP email too, or

  • Use your mobile phone instead of wi-fi - as Errata say, "you can often access the Internet by "tethering" your mobile phone, or get one of the new notebooks with built-in adapters." It's slower than wifi yes, but maybe that's the price you pay for the greater security. (Some smartphones have wifi. If you try to browse using your cellphone over a public wifi connection rather than GPRS, EDGE, HSDPA, etc, I suspect the risks will be the same as if you used a laptop.)
What about accessing other sites, like your del.icio.us bookmarks, Facebook account etc? It looks like mobile broadband is the only easy way if you want to be more secure.

The geeky way

There are other ways, but they depend on other people or ISPs, or they require more geekiness than I can muster currently, e.g. "setup a box at home and VPN to it, and harden the wifi adapter so that none of your normal system applications (e.g. NetBIOS) are bound to it." Eeeeek, I say! If VPN is too much to face, there's also SSH tunneling, which again takes time and patience and a server to go through to, like on your home computer (but there are some tutorials on tutorials on VPN - step by step for XP Pro and XP on your laptop - and on SSH tunneling, just three examples.)

At least there seem to be providers out there which for a fee can provide a server you can tunnel through to for more secure access, which might be slightly easier to use if still not the easiest, e.g. Guardster (again I've not tried it, just come across it, but it does seem to be known). Investigating all this is on my very long to do list... Does anyone know if your cookies etc are safe provided you use Tor? If so, then phew I'm sorted.

If there's enough demand for it I'll roll up my sleeves and have a go with the VPN etc stuff, and write my own tutorial if necessary. Let me know!

And finally, a few other wifi security tips:

4 comments:

Anonymous said...

It turns out the attack is actually much more serious than Errata Security was aware of. For many https sites (yes, httpS, not a typo) including gmail and amazon.com, an attacker can still retrieve your cookies even if you are not visiting that site at the time. I describe this problem in greater detail in my bugtraq post: http://seclists.org/bugtraq/2007/Aug/0070.html

I also work on the development version of the Torbutton extension (http://torbutton.torproject.org/dev) - its defaults do protect you to some extent from this attack via Tor exit nodes - your Tor-originating cookies are cleared every time you toggle Tor, and your Non-tor cookies are kept in an isolated jar while you use Tor.

However, if you use Tor for an extended period of time, or change the Torbutton cookie settings to keep your Tor cookies around, you run the risk of exit nodes injecting iframe/refresh elements and grabbing your Tor-acquired cookies. Moral: Keep a clean cookie slate while using Tor. Log out of services as soon as you are done using them, or at least use a cookie management extension to verify that the cookies you do keep can be transmitted over encrypted sessions only.

Of course, the same MITM "active sidejacking" problem is present on wifi networks, shared ethernet networks, and even cable modem and DSL networks (with a little bit of work to hack up a custom modem). For some reason major websites dismiss these concerns. Check your banks, check your merchants. Many of them are broken. No one seems to care :)

Improbulus said...

Many thanks for your very helpful comment Mike.

I guess it'll take the banks losing a lot of money out of their own pockets before they take notice..

Anonymous said...

In my opinion the using VPN tunnels is the best way to protect wireless against illegal access and unauthorized downloading by your net. I use the http://strongvpn.com/ service. Think it’s one of the best services.

Steven Dale said...

Excellent site! Came across by accident and impressed by the detail and depth of information. keep up the good work.

Steven