[Offtopic] Wi-Fi hotspot .. access accounts via VPN or SSL

stephen at melbpc.org.au stephen at melbpc.org.au
Thu Aug 2 04:33:21 EST 2007


Hi all,

Quoted: "never use a Wi-Fi hotspot unless you are using VPN (virtual 
private networking) or SSL (secure sockets layer) to access accounts"

--
Researchers: Web apps over Wi-Fi put data at risk 

Security experts warn that packet sniffers can collect cookie information 
while a user is accessing rich Web apps over Wi-Fi

By Jeremy Kirk, IDG News Service August 01, 2007
<http://www.infoworld.com/article/07/08/01/Web-apps-over-Wi-Fi-put-data-at-risk_1.html?source=NLC-TB&cgd=2007-08-01>

Users who access Google's Gmail or the Facebook social-networking site 
over Wi-Fi could put their accounts at risk of being hijacked, according 
to research from Errata Security, a computer security company.

It's not just those sites but any rich Web applications that exchange 
account information with users, including blogging sites such as 
Blogspot .. wrote Errata CEO (et al.) in a paper. 

Most Web sites use encryption when passwords are entered, but because of 
the expense, the rest of the information exchanged between a browser and a 
Web site is not encrypted, they wrote in a paper presented at the Black 
Hat 2007 security conference in Las Vegas this week. 

Using a packet sniffer, which can pick up data transferred between a 
wireless router and a computer, it's possible to collect cookie 
information while a user is accessing one of those sites over Wi-Fi. 

Cookies consist of bits of data sent to a browser by a Web site to 
remember certain information about users, such as when they last logged 
in. 

Included in the cookie can be a "session identifier," which is another bit 
of unique information generated when people log into their accounts. 

By collecting cookie information and the session identifier with the 
packet sniffer and importing it into another Web browser, the hacker can 
get inside a person's account. The attacker may not, however, be able to 
change a person's password, since many Web 2.0 applications require a 
second log-in to change account information. 

Nonetheless, it could allow a hacker to create blog postings, read e-mail, 
or do other malicious activity. Meanwhile, the victim is directed to a 
version of the Web page they intended to visit, which Errata 
calls "sidejacking." 

There is a remedy, however. "The consequence of this is that users should 
never use a Wi-Fi hotspot unless they are using VPN (virtual private 
networking) or SSL (secure sockets layer) to access their accounts," they 
wrote. 
--

Cheers people
Stephen Loosley
Victoria, Australia
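
The remedy quoted above comes down to one property of the session cookie: it must only ever travel inside SSL. The check below is an added example, not code from the article or from Errata's paper, that audits Set-Cookie headers for exactly that weakness. A session-looking cookie issued without the Secure attribute is re-sent by the browser on any plain-HTTP request to the same site, which is what lets it be read off the air even when the login form itself was served over HTTPS. The cookie names, domain and values are constructed for the example; the session-name heuristic and the finding texts are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_HEADERS = [
    # Session id set during an HTTPS login but without Secure: the browser
    # will also attach it to plain-HTTP requests, so it can be sniffed.
    "SID=constructed-session-id-1; Path=/; Domain=.example.test; HttpOnly",
    # Hardened variant: only ever sent inside SSL, not readable by scripts.
    "SID=constructed-session-id-2; Path=/; Domain=.example.test; Secure; HttpOnly",
    # A preference cookie; exposing it over the air is low risk.
    "lang=en; Path=/; Expires=Wed, 01 Aug 2008 00:00:00 GMT",
]

# Heuristic: cookie names that usually carry a login session.
SESSION_NAME_HINT = re.compile(r"(sess|sid|token|auth|login)", re.I)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    persistent: bool
    looks_like_session: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value}).

    Attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Flag a session-like cookie that could be captured or replayed."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    persistent = "expires" in attrs or "max-age" in attrs
    session_like = bool(SESSION_NAME_HINT.search(name))
    result = CookieAudit(name, secure, httponly, persistent, session_like)
    if session_like and not secure:
        result.findings.append(
            "session cookie without Secure: browser sends it over plain HTTP "
            "(sidejacking exposure)")
    if session_like and not httponly:
        result.findings.append(
            "session cookie without HttpOnly: readable by page scripts")
    if session_like and persistent:
        result.findings.append(
            "session cookie is persistent: a captured value stays valid "
            "after the browser is closed")
    return result


def audit_headers(headers):
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for r in audit_headers(SAMPLE_HEADERS):
        status = "WEAK" if r.findings else "OK  "
        print(f"[{status}] {r.name}")
        for finding in r.findings:
            print("       -", finding)
```

Run against a real site by pasting its Set-Cookie headers into the list; the first sample cookie is the configuration the article describes (login encrypted, session cookie not), the second is the fix the quoted advice amounts to on the server side.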

Message sent using MelbPC WebMail Server