Hamster plus Hotspot equals Web 2.0 meltdown!


Summary: Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today.


Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone's Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot, and his Gmail account just popped up on the large projection screen for 500 or so audience members to see. Of course, had the poor chap read my blog about email security last week, he might have avoided this embarrassment. But the vast majority of people using Gmail or any other browser-based or "Web 2.0" application are just a bunch of sheep waiting to be jacked by Graham's latest exploit.

I caught up with Graham after the show and we went over more of the details of this Web hijacking exploit. First he captures the Wi-Fi signals using his laptop and a tool called Ferret, which he wrote earlier this year. The tool grabs the Cookies and Session IDs that your Web Browser sends over the air and stores them.

Next, Graham fires up his new tool called Hamster (which he will post within the next week), which processes those Session IDs and Cookies so that they're ready to clone.

Captured Session IDs and Cookies

Hamster hosts a local proxy server that allows point-n-click hijacking

The attacker can then go to his local Hamster proxy server to clone other people's Web identities and hijack their Web accounts.

Once the identity is cloned, the attacker is able to jump onto online services like Gmail masquerading as the victim, with full access to read and send email on behalf of the victim. Furthermore, the attacker can go to maps.google.com and find the victim's personal information, such as a home address, if it's saved into Google Maps.

I volunteered to set up an account on Gmail called "GetMeHacked" and allowed Graham to perform the attack. I then got a test email to Humphrey Cheung (Sr. Editor TGDaily) who was also watching the attack. Cheung posted his story here.

Before I knew it, I got hijacked and Graham sent an email on my behalf.

What makes this even scarier is that Graham can go back into my Gmail account for at least several more days using the same hijacked Session ID and Cookies. In fact, he doesn't even need to perform the hijacking immediately, because he can record all the Wi-Fi Hotspot data and process it with Hamster at any time before the Cookies expire. In one fell swoop the attacker can steal the identities of every Wi-Fi Hotspot user within a few hundred feet, or a lot more if a larger antenna is used.

If you weren't already scared of using public Wi-Fi Hotspots before, this should drive the point home. Graham even mentioned the dangers of Municipal Wi-Fi and the use of Anonymous Secure Hotspots to solve this problem, which I wrote about a few weeks ago. For the time being, however, there isn't much that can be done on the vast majority of Web 2.0 services. Gmail fortunately allows the user to manually force SSL mode, which would solve this problem, but unfortunately they don't turn it on automatically for all users, so the vast majority of users are wide open to session hijacking. For now, a user's only effective solution is to use some sort of VPN gateway to encrypt all of their data, but most people won't do that. Tools like Hamster and Ferret will hopefully raise awareness and get the public to demand more secure Hotspots and SSL-enabled online services.
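The two properties that make the attack above work are spelled out in the last few paragraphs: the session cookie travels over plaintext HTTP where anyone on the hotspot can copy it, and it stays valid for days, so the copy can be replayed later. The following added example (not part of the original post and not Graham's tools) takes the defender's side of that: it audits a service's own Set-Cookie headers, reports which cookies a browser would transmit in the clear over an http:// request, and how long each one remains replayable. The header samples, hostnames and token values are constructed for the example; the Secure attribute and Max-Age/Expires are standard cookie attributes.

```python
"""Audit Set-Cookie headers for exposure to passive capture on an open hotspot.

Added example, not code from the original post or from Hamster/Ferret. A
cookie without the Secure attribute is sent on plaintext HTTP and can be
copied off the air; a long Expires/Max-Age keeps the copy usable for that long.
All sample values below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lowercase attributes."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        if not part.strip():
            continue
        key, _, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime(cookie, now):
    """Seconds the cookie stays valid after `now`; None for a browser-session cookie."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:  # treat a naive timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def sent_over_plaintext(cookie, issuer_host, request_url):
    """True if a browser would attach this cookie to the given http:// request.

    Matching is simplified: the cookie Domain (default: the issuing host) must
    cover the request host, Path must prefix the request path, and a Secure
    cookie is never sent on a non-https scheme.
    """
    url = urlparse(request_url)
    attrs = cookie["attrs"]
    if url.scheme != "http" or "secure" in attrs:
        return False
    domain = attrs.get("domain", issuer_host).lstrip(".")
    host = url.hostname or ""
    if not (host == domain or host.endswith("." + domain)):
        return False
    return (url.path or "/").startswith(attrs.get("path", "/"))


def audit(set_cookie_headers, issuer_host, now, max_days=1):
    """One finding per cookie: capturable in the clear, and replayable for how long."""
    findings = []
    for hdr in set_cookie_headers:
        c = parse_set_cookie(hdr)
        ttl = lifetime(c, now)
        findings.append({
            "name": c["name"],
            "capturable": sent_over_plaintext(c, issuer_host, f"http://{issuer_host}/"),
            "replayable_seconds": ttl,
            "long_lived": ttl is not None and ttl > max_days * 86400,
        })
    return findings


# Constructed sample: the day of the demo, and three headers a webmail host might issue.
NOW = datetime(2007, 8, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    # 2007-style session cookie: no Secure flag, valid for two weeks
    "SID=constructed_token_1; Domain=.mail.example.test; Path=/; "
    "Expires=Thu, 16 Aug 2007 12:00:00 GMT",
    # hardened form: only ever sent over https, expires after an hour
    "SID=constructed_token_2; Domain=.mail.example.test; Path=/; Secure; HttpOnly; Max-Age=3600",
    # browser-session cookie without Secure: gone on browser exit, still capturable meanwhile
    "PREF=ui-prefs; Path=/",
]


def demo():
    return audit(SAMPLE_HEADERS, "mail.example.test", NOW)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it and the first SID is reported as capturable and replayable for 1209600 seconds (14 days), which is the situation the article describes; the Secure variant is not capturable at all, and the session-only PREF cookie is capturable but dies with the browser. Forcing SSL mode, as Gmail lets users do manually, is what makes the Secure attribute meaningful: a cookie marked Secure on a site that still serves pages over http:// simply is not sent, so the page breaks rather than leaking the session.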

Topics: Wi-Fi, Browser, Collaboration, Google


Talkback

71 comments
  • This is why Windows sucks

    Your account was hijacked because Windows is a single user system: everyone is an Administrator. With OSX's awesome *nix kernel, everyone logs in with restricted rights and this type of an attack is impossible. If you were to access GMail from Safari on OSX, no one could steal your identity thanks to OSX's *nix security mechanisms.

    Don't laugh... I bet you $10 that there are people who think that way.
    NonZealot
    • Do you have a brain?

      Web 2.0 as it is commonly found right now, is the problem.

      Same deal with email (there was another interesting blog a couple days ago about email security needing to be WAY easier than it is right now).

      Save your Linux rant. One could even argue that open source Linux, with its ability to be infinitely modified, is the problem because it provides a better platform to make hacker tools.. hehe, I could play devil's advocate too :)

      In any event, I will agree that on principle, Linux is more secure. Toss in this Web 2.0 crap... all bets are off.
      croberts
      • He forgot his sarcasm symbol

        He forgot his sarcasm symbol. Read his message in the context of sarcasm.
        georgeou
      • Huh?

        [i]"Web 2.0 as it is commonly found right now, is the problem."[/i]

        Web 2.0 is a very misleading name for something which actually is not about new technology but about new ways for people to interact and communicate.

        While I agree that Linux is a vastly superior alternative to windoze, I think in this case it's mostly the Wifi protocols, unencrypted, that are to blame.
        Mikael_z
        • That's why I used quotes for Web 2.0

          That's why I used quotes for Web 2.0 and I refer to it as "Web 2.0". It's a marketing name that's deliberately nebulous and not a single person on the planet can define what it is. These kinds of words pop up in the world of IT every few years and they're great marketing tools because they can define it as whatever suits what they're trying to sell. Heck, Cisco's Chambers recently defined it as "collaboration" and video conferencing.
          georgeou
          • You mean "Web 2.00" (as in "Oh-Oh!")

            Unfortunately, there is no bulletproof solution -- and even the good ones are in the legitimate users' way more than in the hackers' way.

            Maybe it's time for a resurgence in PGP use. No, it won't keep Freddy the Feddie from getting his jollies looking at your archived porn, but it will keep the hacker from spoofing you during the several days before the cookies die.

            Of course, it will only help until some moron from the FBI loses his laptop with 50,000,000 users' account info on it . . .
            critic-at-arms
          • buzzwords

            [i]These kinds of words pop up in the world of IT every few years and they're great marketing tools because they can define it as whatever suits what they're trying to sell. [/i]

            "Intranet" was another one, in the 90's.
            JetJaguar
    • Buwahahaha.. you made my day.

      Thanks for the laugh. I think you forgot your sarcasm smiley, or were you really serious?

      While we're at it, how about we all dump our PC's and move to VAX/VMS machines? They're the most secure systems I've ever used. Your gmail session will never, [i]evar[/i], be stolen. :o
      kraterz
      • Already ahead of you on that one

        Although we are moving to AS/400s with Wireless terminals. We connect using Port 23. We protect our APs by turning off all of our broadcast APs and use 40 bit WEP. We also use an exclusive MAC Address list that we manage centrally on an anonymous access ftp so that the co-workers can add any new MACs that might be needed on our secure network.

        I would just like to see someone try and exploit our network.
        nucrash
        • You need to read one of George Ou's earlier posts

          On securing wireless networks. From what he reported, it would take a hacker less time than it takes you to log in to break your current security. He recommends WPA 2 encryption. Well, read the article; I'm sure it's in the ZDNet archives.
          maldain
          • Thanks for that bit of information

            But I feel that my methodology is fool proof and can not be cracked. After all, we don't use those puny Windows systems. We use AS/400 clients with Telnet access.

            You should read about telnet as well:
            http://blogs.zdnet.com/Ou/?p=424

            We have had a secure network for a number of years. We use a Linksys router to block all outside traffic.

            Go ahead and hack me, my IP is 127.53.214.8
            nucrash
        • You're kidding right?

          You must be. WEP has been proven to be almost worthless as is using MAC lists because they can be spoofed.

          If you're serious I hope for your sake no hacker worth his salt comes near enough to your "secure" network to get a signal.

          Also giving out your IP and asking to be hacked is just silly bravado considering that the "security" you talk about secures the wireless portion of your network.
          Furiousrog
          • Just noticed the IP

            LOL, I just noticed the IP address you posted. I didn't actually read it the first time. Got it! :)

            Ignore my previous post.
            Furiousrog
          • I could have been a little more obvious

            But I wanted someone to actually try and hack me first.

            I thought the Telnet would give it away, or the link that I mentioned on the Telnet.
            nucrash
        • RE: Already ahead of you on that one

          ...I would just like to see some one try and exploit our network...

          Ain't a horse that can't be rode, ain't a cowboy that can't be throwed.
          joe6pack_z
          • If you can exploit me at that IP

            You have bigger problems than I do.
            nucrash
        • What's the...

          IP of your "anon ftp" site?
          zach.winchester
      • re: Buwahahaha.. you made my day.

        You should at least be using Integrity/OpenVMS nodes, you can buy them new w/current O/S release :-)

        http://h20341.www2.hp.com/integrity/cache/332341-0-0-0-121.html
        rregier@...
    • How dare you force me to spit out my coffee

      I cracked up when I first read this post. Knowing you and your usual banter, I couldn't help but know something was up.

      Still pretty good though. I would say you could give Mike Cox a run for his money.
      nucrash
    • LOL, nice straw man, ZealotBoy

      I wonder if anyone has ever seen you and Ou in the same room. ;-)

      Maynor got his at the Pwnies for letting his emotions overrule his better sense...maybe you guys will get an award for stereotyping all users of a platform some day....get your acceptance speech ready!
      RealNonZealot