I'd Like a Double Espresso and Your Password, Please

One of the perennial questions I get from readers is whether it is safe to log into personal e-mail accounts at the local coffeehouse or even via a neighbor's wireless network.

My answer remains the same: If you do not control the network, it is difficult to be sure that no one is eavesdropping on your Web surfing or e-mail reading.

Diehard members of the Web surfing café society remain skeptical. A tip of the digital beret to you, but I'd like to highlight a free tool released this year called "Don'tSteal My Wifi."

This program makes it easy for a novice user to set up a wireless network for the sole purpose of snooping on the Web mail accounts of anyone who has accessed that user's network. The program's maker, Altra Software, advertises the tool as a way to help wireless network owners learn the identity of people who have hacked a poorly secured wireless network or are using an open wireless network without permission.

The technology appears to capitalize on the way that many free Web mail providers implement their log-in processes. Services such as Hotmail and Yahoo use a technology called secure sockets layer (SSL) when users initially enter a user name and password. SSL encrypts the credentials sent from the user's machine to the Web mail service so that anyone who is lurking on the network -- or "sniffing" the traffic -- cannot capture and view those credentials in plain text. A browser is engaged in an SSL connection if a little padlock icon appears at the right edge of the browser's address bar and the Internet address of the site you're visiting starts with "https://" instead of "http://".

But there's trouble afoot. In some cases, once you've logged into these accounts, the SSL connection to the Web mail server is no longer encrypted. Rather, those Web mail providers track your connection to the e-mail server by placing a "session cookie" on your computer. The cookies are small text files containing some kind of random, unique identifier. These text files let the Web mail provider know that you -- as the possessor of this cookie -- recently logged into an account with credentials the Web mail server recognizes. These cookies typically will become worthless after a pre-determined period of time, usually measured in minutes of inactivity or a few hours. Once the cookie has expired, the user is required to log in again with complete user name and password information.

Don'tSteal My Wifi grabs the session cookies and uses them to interactively log into the wireless interloper's account. The software is designed to download a locally browsable copy of all of the e-mail messages stored in the uninvited guest's Web mail account.
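The weakness described above comes down to a browser rule: a cookie set during the HTTPS log-in is attached to every later request for the same site, plain http:// included, unless the provider marks it with the Secure attribute. The following is an added example, not code from the article or from Altra Software; it models that scheme rule and audits a constructed Set-Cookie header in its weak and hardened forms (domain and path matching are assumed to succeed and are left out).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel

def browser_would_send(morsel, url):
    """Model the browser's scheme rule: a Secure cookie is attached only to
    https:// requests; any other cookie also goes out on plain http://.
    Domain/path matching is deliberately omitted (assumed to match)."""
    if morsel["secure"] and urlsplit(url).scheme != "https":
        return False
    return True

def audit_session_cookie(header):
    """Flag the attributes whose absence lets a sniffed session cookie be replayed."""
    name, m = parse_set_cookie(header)
    findings = []
    if not m["secure"]:
        findings.append("no Secure: browser sends it over plain http://, "
                        "where anyone on the wireless network can read it")
    if not m["httponly"]:
        findings.append("no HttpOnly: cookie is readable by page scripts")
    return name, findings

# Constructed sample headers (not captured from any real provider):
WEAK = "SESSIONID=c0ffee1234; Path=/"                     # what the article describes
FIXED = "SESSIONID=c0ffee1234; Path=/; Secure; HttpOnly"  # hardened form

def demo():
    """Compare both cookies against an http:// and an https:// inbox URL."""
    report = {}
    for label, header in (("weak", WEAK), ("fixed", FIXED)):
        _, m = parse_set_cookie(header)
        report[label] = {
            "sent_over_http": browser_would_send(m, "http://mail.example.test/inbox"),
            "sent_over_https": browser_would_send(m, "https://mail.example.test/inbox"),
            "findings": audit_session_cookie(header)[1],
        }
    return report

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The weak cookie is sent over http:// and is therefore readable on an open wireless network; the fixed one is only ever sent inside SSL, which is also why the "https" at all times that later commenters recommend matters.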

I am not promoting any "hacking tools"; the techniques employed by this software are widely available in point-and-click tools. Take a look at the very slick BackTrack 2, which makes it fairly easy for someone to route all traffic on a wireless network through their own machine, inject images, forge Web site security certificates, or redirect traffic destined for one Web site to another. It is also not terribly difficult to use tools like this to read wireless users' e-mails when they log into Web mail accounts like Yahoo and Hotmail over wireless networks. The bad guys already widely use these tools and don't need my help to find them.

Google seems to be fortified against this snooping software. I could not get Don'tSteal My Wifi to hijack my messages when I logged into my Gmail account. Perhaps Gmail implements its session cookies differently. If anyone finds differently, please comment at the end of this post.

It is almost certainly illegal to use this software to access e-mail messages that belong to someone else, even if that someone is filching your wireless connection.

If you are concerned about someone using your wireless network without permission, take advantage of the security features on your wireless router. Anyone operating a wireless router should change the default password to something difficult to guess, specifically a pass phrase that is at least eight characters and includes uppercase and lowercase letters and numerals.

Your wireless router also will include WEP encryption, which is hackable but better than nothing. If your wireless router has the stronger WPA or WPA2 standards built in, use those. If you use WEP and suspect that someone has hacked your password, consider upgrading to a newer router that supports WPA.

Instructions for changing the default passwords and deploying WEP/WPA encryption are available in a series of videos produced by a coalition of Internet security companies called GetNetWise. It offers tutorials for some of the most widely used wireless routers, including those made by Apple, D-Link, Linksys and Netgear.

By Brian Krebs  |  April 9, 2007; 1:30 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

SSL permits a null cipher suite, which means an SSL session can be unencrypted. Typically, null encryption is used for the handshake protocol that SSL uses to negotiate the encryption parameters and other aspects of the data exchange, and all user data sent over the SSL connection is encrypted. But SSL can be used to send unencrypted user data if the server implementor chooses to do so.

So if I understand you correctly, Brian, some web mail providers are doing just that, with the result being that anyone who has access to the network traffic can easily exploit the unencrypted SSL session. Wireless network interlopers are therefore vulnerable.

This raises in my mind three questions that I hope you may be able to address.

1. How vulnerable are guests of wireless networks, as opposed to interlopers? For example, suppose I go to my local Starbucks and use their WiFi network, and for whatever reason I'm confident that the administrator of the network is not sniffing packets and harvesting e-mail traffic. Could any user of the same WiFi network exploit the traffic as you described, or is only the network administrator able to do so?

2. Do web mail providers advertise for their users whether the entire SSL session is encrypted? I'm assuming that you'll still see the padlock icon in the browser status bar and https in the URL, even if the SSL session is using null encryption.

3. Shouldn't the browser notify the user when null encryption was negotiated with the server? Shouldn't the browser be able to be configured to not accept a connection with a server (or to drop an existing one) when null encryption is offered as the only option by the server? If this is not possible, are browser vendors (or open source projects) considering such features?

Posted by: Mark | April 9, 2007 4:02 PM | Report abuse

Brian, with respect to Google, I believe there are two issues which are relevant.

First, unlike HotMail and Yahoo, Gmail uses Ajax, so state information is not maintained with cookies.

Second, and more significant, if you employ the Gmail URL with an "https" prefix (i.e. https://mail.google.com), you will be connected to Google's servers using SSL and your entire session will be encrypted, not just the sign on. This allows one to use Gmail in public without fear of snooping.

Posted by: Mike Wyman | April 9, 2007 4:20 PM | Report abuse

Mark-
The null SSL session is interesting, but I think what Brian was talking about was the scenario where login pages are encrypted (i.e., https: yellow bar and padlock), but subsequent pages are not. I've seen this at several sites, but it is clear that your actual email browsing is not encrypted, only the login process.

And yes, you do not need to be an administrator on a wireless network to view or tamper with existing traffic. This tool may or may not work, but wireless traffic is easily readable if unencrypted, and can potentially be tampered with too.

Posted by: James | April 9, 2007 4:30 PM | Report abuse

Some session cookies are associated with your IP address so that attempts to use a session cookie from a different host will be rejected. This is generally a Bad Thing because people's addresses can change legitimately for various reasons outside their control--e.g. DHCP address reassignment, NAT pool rotation, etc.--but it does provide some protection in this sort of attack.

Posted by: antibozo | April 9, 2007 4:30 PM | Report abuse

Never felt comfortable using wireless or webmail for that matter. Both leave too many avenues to exploit. Especially webmail as any active content in an e-mail can run inside the browser.

A secure alternative to webmail is to use a solid e-mail client (ex. Outlook 2003 or newer) with the option to view all mail as plain text turned on while also using an encrypted (SSL) POP3 connection. Most ISPs (ex. Comcast), even GMail, allow such a setup. Typically, the encrypted connection uses port 995 (incoming mail POP3) and port 465 (outgoing mail SMTP).

http://mail.google.com/support/bin/answer.py?answer=13278&topic=1556

http://www.comcast.net/help/faq/index.jsp?faq=EmailOutlook17809

Of course, such a setup is not as convenient as accessing e-mail via a web browser on any Internet connection. But, it is a classic case of security over convenience!

Posted by: TJ | April 9, 2007 7:24 PM | Report abuse

James:
Thanks for the clarification. I wasn't sure if Brian was saying that the unencrypted traffic was still part of the HTTPS session or a follow-on HTTP session. At least in the latter case a knowledgeable user will know the e-mail session is exploitable to anyone who can sniff the traffic. If anyone is doing what I thought Brian was saying is happening, it would be inexcusable, since they can achieve the same thing (reduced server processing) without misleading the client.

I only use public WiFi networks occasionally. Are there some that offer encryption with a different key for each user? That would address much of the concern discussed here, if you trust the WiFi network provider.

Posted by: Mark | April 9, 2007 8:38 PM | Report abuse

I re-read the article, and here is the statement that led me to believe that some e-mail providers are implementing SSL sessions with null encryption.

"In some cases, once you've logged into these accounts, the SSL connection to the Web mail server is no longer encrypted."

I read this as an assertion that the SSL session continues in an unencrypted mode. Perhaps Brian meant to say "HTTP" rather than "SSL", in which case the problem is not as insidious or outrageous as I thought.

Posted by: Mark | April 9, 2007 8:45 PM | Report abuse

I don't use WEP or WPA but I only allow specific MAC Addresses to connect to my wireless network. Is that better or worse than using WEP/WPA?

Posted by: William | April 9, 2007 8:47 PM | Report abuse

William, encryption is a *far* better way to protect your network than a MAC address filter list. After sniffing some packets on your unencrypted network, a hacker can easily spoof the MAC address of an allowed wireless card and then enter your network. WPA or WPA2 encryption would be immeasurably better than leaving your network unencrypted with only a MAC list for protection.

More info can be found at
http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html

Posted by: PK | April 9, 2007 9:48 PM | Report abuse

Thank you Mr. Krebs for this! We downloaded the data leakage program yesterday [dontstealmydata] from this site and are very happy!

I may be mistaken, but I believe any web server is vulnerable to this (downloading of all data from an account, during the period while a session is active) unless the entire session is encrypted. This means that there really is no security to any account unless you see the 'https' in your web browser at all times.

Another related story is that many important systems do not expire the cookie on the server. This means that even after you log out, someone can access your account using only the unencrypted portion of your session. This may even be full access to the account for several days, with the only restriction that the accessor cannot change the password to the account (i.e. requires a re-sign in).

Shalom!

Posted by: Oded | April 10, 2007 6:50 AM | Report abuse
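Three server-side controls come up in this thread: the idle expiry the post describes, antibozo's binding of a session to the client address (with the DHCP/NAT caveat), and Oded's point that a session should die on logout rather than only in the browser. Below is an added example modeling all three in one small session store; it is not code from the article, from Altra Software, or from any commenter, and the user name and addresses are constructed.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity after which the cookie is worthless

class SessionStore:
    def __init__(self, bind_to_address=False, clock=time.time):
        self._sessions = {}               # token -> {"user", "addr", "last_seen"}
        self.bind_to_address = bind_to_address
        self.clock = clock                # injectable so the demo is deterministic

    def login(self, user, client_addr):
        """Issue a fresh, unguessable token after a password-authenticated login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "addr": client_addr,
                                 "last_seen": self.clock()}
        return token

    def lookup(self, token, client_addr):
        """Return the user for a presented cookie, or None if it must be rejected."""
        s = self._sessions.get(token)
        if s is None:
            return None                   # unknown token, or already logged out
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]     # idle too long: force a full re-login
            return None
        if self.bind_to_address and s["addr"] != client_addr:
            return None                   # presented from a different host (see caveat)
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Delete the session server-side, not just the cookie in the browser."""
        self._sessions.pop(token, None)

def demo(bind_to_address):
    """Replay a captured token from a second host: while live, after logout, after idle."""
    now = [1_000_000.0]
    store = SessionStore(bind_to_address, clock=lambda: now[0])
    tok = store.login("alice", "10.0.0.5")           # constructed user and addresses
    replay_live = store.lookup(tok, "10.0.0.9")
    store.logout(tok)
    replay_after_logout = store.lookup(tok, "10.0.0.9")
    tok2 = store.login("alice", "10.0.0.5")
    now[0] += IDLE_TIMEOUT + 1
    replay_after_idle = store.lookup(tok2, "10.0.0.5")
    return replay_live, replay_after_logout, replay_after_idle
```

Without address binding the replay succeeds while the session is live, which is exactly the window the article describes; with it the replay fails, at the cost of also logging out a legitimate user whose address changes under DHCP or NAT.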

I'm not worried/don't care about somebody reading my email. Why, you ask? Because when it is being sent, it can be intercepted and read. An email is like a postcard in the mail.

Anything that you need to protect while surfing either is or should be on a secure site (banking, brokerage, etc). If you keep passwords, usernames, etc in your Yahoo address book or Yahoo email, you are asking for trouble.

Posted by: Anonymous | April 10, 2007 8:39 AM | Report abuse

Yes, it's fairly easy to hijack session cookies even on a LAN for a gmail account.
As for a comment by another user (Oded), he says he doesn't care about his emails being read. Sir, may I also remind you that social interactive sites like orkut.com also use a similar thing. If a hacker with a bad intention logs in to your account, then all I can say is that it's not going to be good for you.

Posted by: Ishaan Prasad@IIITA | April 10, 2007 8:46 AM | Report abuse

Does using a subscription to a commercial VPN provider such as Jiwire eliminate the problems of snooping and data loss at insecure hotspots?

Posted by: BB | April 10, 2007 11:38 AM | Report abuse

BB -- If you're using a VPN to read your e-mail, you'll be fine. That is, of course, as long as you don't have some kind of malware on your system, then all bets are off.

Posted by: Bk | April 10, 2007 5:20 PM | Report abuse

"Sir, may I also remind you that social interactive sites like orkut.com also use a similar thing. If a hacker with a bad intention logs in to your account, then all I can say is that it's not going to be good for you."

And orkut.com is what?

Posted by: Anonymous | April 11, 2007 7:17 AM | Report abuse

Everyone here is working under the assumption that if they see a secure connection for a web page (such as that for a webmail system asking for a userid/password) that data entered into this web page is encrypted.

This is not necessarily true.

You can enter data into a secure web page and have that data be transmitted in plain text. In fact, both IE and Firefox have options to warn you when sending unencrypted data out of your computer.

For a detailed explanation of this see
http://michaelhorowitz.com/securesubmit.html

Posted by: Michael Horowitz | April 13, 2007 4:15 PM | Report abuse

Gmail works fine on this program. When someone logs into my wireless network with gmail this program gives me their email address, and if I double click on the address it takes me into their account. From there I can read any message (or send a message, including a message to them warning them to desist).

Computer trespassers do not have to be provided with privacy. If someone taps into my wireless network, any resulting data pulled out of my system is mine, and I can use it to identify that person and use as I see fit (including providing this information to authorities). If the trespasser wants privacy, she should use her own network, not mine.

Posted by: Liz | May 2, 2007 10:18 AM | Report abuse

© 2010 The Washington Post Company