Dangers of the internet (not this again!)

June 2, 2011

Hacking social networking accounts has become silly easy, with freely available software to rival that seen in blockbuster Hollywood movies like Mission Impossible or James Bond.

First we had Firesheep, an add-on for Mozilla Firefox that you run from a laptop. Now we have FaceNiff, which is available on rooted Android phones. Both are designed to allow amateurs to hack other people. I mention this to inform you of what dangers are out there, and not in any way, shape or form to encourage the use of such hacking tools.

So it goes something like this:

Joe Hacker spots a coffee shop with free wifi inside and sits down with his laptop, firing up Firesheep in the background. At that point he can carry on surfing the internet and look innocent enough. Eric enters the same location for coffee and free wifi. Eric logs on to his Facebook and Amazon, to check both for updates and promotions. Facebook and Amazon challenge him for user names and passwords, and upon successful authentication, issue him with a cookie for the remainder of their session, to avoid continuous challenging of credentials.

Joe now has Firesheep displaying profile pictures and social network information of both Sarah and Michelle, which means Firesheep has successfully captured the cookies sent to both Sarah and Michelle, so he can also use those sessions to browse around profiles as if he were either of them. At that point, he can capture all the information needed for identity fraud, including pictures for identification, and put it to a whole bunch of unsavory uses.

It gets worse: FaceNiff now enables Joe Hacker to compromise your accounts from the comfort of a rooted Android phone, so he never even has to pay for a coffee and sit down inside. This is particularly dangerous around holiday destinations in which a lobby is used to offer clients inclusive wifi. Video of it in action: http://youtu.be/3bgwVM7t_s4

The only way this can be fixed is by sending all traffic between the user and the social network over an SSL connection, much like shopping carts with online retailers. This encrypts the messages between both and makes the hacking much more of a mathematical challenge, rather than a matter of snooping cookies with the two tools mentioned above. Sadly this is all in the hands of the big social networks.
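As an added example (not part of the original post), here is a small Python check a site operator could run over their own login responses to see which cookies could still travel unencrypted. The sample responses and the hostnames `social.example` and `shop.example` are constructed for illustration.

```python
# Added example: which cookies in a login response can cross the network unencrypted?
# All responses and hostnames below are constructed sample data.
SAMPLE_RESPONSES = [
    ("http://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
    ]),
    ("https://shop.example/login", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "cart=789; Path=/"),
    ]),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """Return (cookie, problem) pairs for cookies a passive listener could read."""
    findings = []
    over_tls = url.lower().startswith("https://")
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not over_tls:
            # The cookie itself was delivered in the clear.
            findings.append((name, "issued over plaintext HTTP"))
        elif "secure" not in attrs:
            # Without Secure the browser also attaches it to http:// requests.
            findings.append((name, "no Secure attribute"))
    if over_tls and not hsts:
        # Without HSTS the browser may still make its first request over http://.
        findings.append(("*", "no Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES:
        print(url)
        for name, problem in audit_response(url, headers):
            print(f"  {name}: {problem}")
```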

Moral of the story: if you are going to use social networking sites, make sure you use them from trusted locations only, such as a secured home network. Or more simply put, if you are in a cafe, don’t share your cookies with strangers! (Had to shoehorn that one in, sorry.)

Posted by Kieran Donnelly