How Easy It Is To “Hack” Your Identity Online (a.k.a. Why You Should Be Wary of Using Public Wi-fi)
This post is pretty long, but I assure you, it is well worth the read.
Wi-fi access points have finally been gaining a significant amount of ground here in the Philippines over the past years; it’s already not a big surprise to discover a wi-fi access point in various commercial establishments nowadays, to the point that it’s already somewhat expected to be there in the first place. Exactly how safe are you while surfing the internet, however?
Everyone worth their salt surfing the internet knows that their security while mingling online is of topmost concern. What most people don’t realize is just how easy it is exactly to gain access to their online accounts, just because of accessing the internet in public places.
How I’d impersonate you online
Jeff Atwood, the creator of Stack Overflow (and its related network sites), recently touched on this topic in a blog post he wrote some weeks back.
The first thing you should realize about the internet is that the Internet™ is basically just a bunch of computers talking together. You could think of the whole experience as something along the lines of:
- I tell my browser to go to Google.
- My computer uses my internet connection to talk to Google’s server (another computer), telling it that I want to go to the Google home page.
- Google’s server says, “Hey bro, wassup,” and tosses the Google home page (it’s really just a file) back to my computer.
- My computer closes with a “Thanks dude,” and loads the Google home page file in my browser.
Of course, there are some technical complexities here and there, but all in all, that’s just it. The Internet™ in four bullet points.
Here’s where the crap comes in.
Do you know why sometimes when you go to a website, it automatically logs you in, as if it already recognized you right off the bat? (Think Facebook.)
When your computer and a website’s server talk over the internet, sometimes the web server would use a small file called a cookie to identify you immediately. This way, it skips the usual login process, because you’re already “authenticated”, as far as the website goes.
How that works isn’t exactly rocket science. When your computer “starts talking” to the website server, it attaches some identification text in the request based on the cookie.
    GET / HTTP/1.1
    Host: diy.stackexchange.com
    Connection: keep-alive
    User-Agent: Chrome/7.0.517.44
    Accept-Language: en-US,en;q=0.8
    Cookie: diyuser=t=ZlQOG4kege&s=8VO9gjG7tU12s
    If-Modified-Since: Tue, 09 Nov 2010 04:41:12 GMT
The text above is the set of HTTP headers included in the request your computer sends to a web server. It contains a bit of information, including the site you are contacting, the browser (and version) you’re using, and most importantly, your identification text based on your cookie (see the line marked Cookie: on line 6).
While the cookie text doesn’t exactly identify you (i.e. it won’t tell you that my name is Richard Neil Ilagan, and that I’m a programmer), I can use that to impersonate you.
How’s that? It’s pretty simple.
- When I talk to a website server, it normally tries to identify me using my cookie.
- If it recognizes my cookie, then I get logged in immediately.
So simply put, all I have to do is just copy someone else’s cookie, and modify my own HTTP headers so that I’m surfing the internet while pretending to be someone else. If I manage to copy, for example, someone else’s cookie for Facebook, I can automatically log in to Facebook as that user. Scary?
That sounds complicated.
That’s just because the explanation above took around 500 or more words. In reality, doing that is actually pretty easy.
In fact, a new Firefox plugin called Firesheep does that for you automatically. For free. As in beer and hassle-free.
At this point, the next logical question would probably be, “How can anyone copy my cookies / HTTP headers?”. Simply put, this is where public networks come in.
You see, when you connect using a public network (such as the one in McDonald’s or Coffee Bean & Tea Leaf), what you probably don’t realize is that you’re also “connecting” your computer to everyone that’s using the same network. After all, it makes sense: if you’re using an internet connection, and someone else is using the same connection, there must be a way to get to your computer from the other computer.
And that’s why you’re vulnerable.
Since, in the same network, my computer can “see” your computer, I can “see” your communications to whatever websites you’re trying to contact, and thus, I can copy your data (i.e. your HTTP headers). And then I can log into your Facebook and try to wreak havoc (to say the least).
Some points:
- It doesn’t matter if you have a strong password that’s 200 characters long for your websites. As long as I have your cookie identification, the website wouldn’t care, because it thinks I’m you.
- It doesn’t matter if your computer is password-protected either. The data you send over the internet is not protected by your computer’s password. It’s basically in the public domain.
- And no, it doesn’t matter that you have two firewalls, three anti-spyware tools and ten anti-virus programs updated frequently. Like I said, public domain. Your tools can’t control what has already been sent out into the open.
So what can be done?
First and foremost, be wary when you’re surfing on public wi-fi networks. Try to make sure that the wi-fi connection is encrypted. When you try to connect via an unencrypted wi-fi network, Windows normally notifies you (at least in Windows 7), telling you that your network traffic may be visible to others. (I’m glaring at you, McDonald’s Katipunan.)
If you’re on unencrypted wi-fi, try not to log in to sensitive sites (better yet, don’t log in at all). Remember that some websites (like Facebook) automatically log you in when you visit them. These also count.
If a website supports HTTPS (a much more secure form of the HTTP communications we talked about earlier), it should generally be safe to use over a public connection, as HTTPS adds some more layers of security above the usual vanilla cookie identification. If HTTPS is available, use it! (Even when you’re not on public wi-fi.)
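An added example, not part of the original post: the Cookie line in the request shown earlier only stays private under HTTPS if the browser never sends it over plain HTTP. This Python sketch goes a step beyond the post and audits a site's response headers for the two settings that control that, the `Secure` cookie attribute and the `Strict-Transport-Security` header; the sample headers are constructed and the function names are hypothetical.

```python
# Constructed sample response headers (not captured from any real site).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "diyuser=t=EXAMPLE&s=EXAMPLE; Path=/; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "diyuser=t=EXAMPLE&s=EXAMPLE; Path=/; Secure; HttpOnly"),
]


def cookie_attrs(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = set_cookie_value.split(";")
    # The value itself may contain '=', so only the first '=' ends the name.
    name = first.partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p.strip()}
    return name, attrs


def audit(headers):
    """List reasons a cookie from this response could travel unencrypted."""
    findings = []
    header_names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in header_names:
        findings.append(
            "no HSTS header: browser may still make plain http:// requests")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:
            findings.append(
                f"cookie {name!r} lacks Secure: it is attached to "
                "http:// requests too")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(headers) or "ok")
```

Note that `HttpOnly` alone does not help here: it hides the cookie from page scripts, not from someone watching the network.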
Lastly, make sure your wireless network at home is also password-protected and encrypted. The stuff above applies to all internet connections that are shared, so if someone can get into your wireless network, you’re pretty much vulnerable as well.
