I'd Like a Double Espresso and Your Password, Please
One of the perennial questions I get from readers is whether it is safe to log into personal e-mail accounts at the local coffeehouse or even via a neighbor's wireless network.
My answer remains the same: If you do not control the network, it is difficult to be sure that no one is eavesdropping on your Web surfing or e-mail reading.
Diehard members of the Web surfing café society remain skeptical. A tip of the digital beret to you, but I'd like to highlight a free tool released this year called "Don'tSteal My Wifi."
This program makes it easy for a novice user to set up a wireless network for the sole purpose of snooping on the Web mail accounts of anyone who has accessed that user's network. The program's maker, Altra Software, advertises the tool as a way to help wireless network owners learn the identity of people who have hacked a poorly secured wireless network or are using an open wireless network without permission.
The technology appears to capitalize on the way that many free Web mail providers implement log-in processes. Services such as Hotmail and Yahoo use a technology called secure sockets layer when users initially enter a user name and password. SSL encrypts the credentials sent from the user's machine to the Web mail service so that anyone who is lurking on the network -- or "sniffing" the traffic -- cannot capture and view those credentials in plain text. A browser is engaged in an SSL connection if a little padlock icon appears to the right edge of the browser's address bar, and the Internet address of the site you're visiting starts with "https://" instead of "http://".
But there's trouble afoot. In some cases, once you've logged into these accounts, the connection to the Web mail server is no longer encrypted with SSL. Rather, those Web mail providers track your connection to the e-mail server by placing a "session cookie" on your computer. The cookies are small text files containing some kind of random, unique identifier. These text files let the Web mail provider know that you -- as the possessor of this cookie -- recently logged into an account with credentials the Web mail server recognizes. These cookies typically will become worthless after a pre-determined period of time, usually measured in minutes of inactivity or a few hours. Once the cookie has expired, the user is required to log in again with complete user name and password information.
Don'tSteal My Wifi grabs the session cookies and uses them to interactively log into the wireless interloper's account. The software is designed to download a locally browsable copy of all of the uninvited guest's e-mail messages stored in that person's Web mail account.
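The weakness described above can be checked from the defender's side by looking at which cookies a log-in response sets and where it sends the browser next. The following is an added example, not code from this post or from any tool it mentions; the host names, cookie names and values in `SAMPLE` are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie header."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def in_scope(host, domain):
    """True if a cookie scoped to `domain` would be sent to `host`."""
    domain = domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def audit(exchanges):
    """exchanges: ordered list of (request URL, [(response header, value), ...])."""
    findings = []
    exposed = []  # (name, domain) of cookies that were set without Secure
    for url, headers in exchanges:
        parts = urlsplit(url)
        # A plain-HTTP request carries every in-scope cookie that lacks Secure,
        # so anyone sniffing the network can read it.
        if parts.scheme == "http":
            for name, domain in exposed:
                if in_scope(parts.hostname, domain):
                    findings.append(("cookie-sent-in-clear", name, url))
        for header, value in headers:
            header = header.lower()
            if header == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if "secure" not in attrs:
                    exposed.append((name, attrs.get("domain") or parts.hostname))
            elif (header == "location" and parts.scheme == "https"
                  and value.lower().startswith("http://")):
                findings.append(("https-to-http-redirect", value, url))
    return findings

# Constructed sample: SSL log-in page that hands the browser back to plain HTTP.
SAMPLE = [
    ("https://login.mail.example/signin", [
        ("Set-Cookie", "SID=constructed-session-id; Domain=mail.example; Path=/"),
        ("Set-Cookie", "CSRF=constructed-token; Domain=mail.example; Path=/; Secure"),
        ("Location", "http://www.mail.example/inbox"),
    ]),
    ("http://www.mail.example/inbox", []),
]
```

A service that keeps the whole session on `https://` and marks its session cookie `Secure` produces no findings.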
I am not promoting any "hacking tools;" the techniques employed by this software are widely available in point-and-click tools. Take a look at the very slick BackTrack 2, which makes it fairly easy for someone to route all traffic on a wireless network through their own machine, inject images, forge Web site security certificates, or redirect traffic destined for one Web site to another. It is also not terribly difficult to use tools like this to read wireless users' e-mails when they log into Web mail accounts like Yahoo and Hotmail over wireless networks. The bad guys already widely use these tools and don't need my help to find them.
Google seems to be fortified against this snooping software. I could not get Don'tSteal My Wifi to hijack my messages when I logged into my Gmail account. Perhaps Gmail implements its session cookies differently. If anyone finds differently, please comment at the end of this post.
It is almost certainly illegal to use this software to access e-mail messages that belong to someone else, even if that someone is filching your wireless connection.
If you are concerned about someone using your wireless network without permission, take advantage of the security features on your wireless router. Anyone operating a wireless router should change the default password to something difficult to guess, specifically a pass phrase that is at least eight characters and includes uppercase and lowercase letters and numerals.
Your wireless router also will include WEP encryption, which is hackable but better than nothing. If your wireless router has the stronger WPA or WPA2 standards built in, use those. If you use WEP and suspect that someone has hacked your password, consider upgrading to a newer router that supports WPA.
Instructions for changing the default passwords and deploying WEP/WPA encryption are available in a series of videos produced by a coalition of Internet security companies called GetNetWise. It offers tutorials for some of the most widely used wireless routers, including those made by Apple, D-Link, Linksys and Netgear.
April 9, 2007; 1:30 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips