Archive for the ‘Wi-Fi’ Category

Facebook Session Hijack Video

Friday, July 2nd, 2010

We discovered a major security hole in Facebook almost by accident. The exploit is so trivial I can’t justify calling it hacking. Any time you are on an open WiFi and accessing Facebook, anyone else on the same network can easily grab your credential and access Facebook as you with full access to your account.

We have posted a video demonstrating this to YouTube as well as putting it in the Anonymizer Labs section of our website.

Posted in Announcements, Anonymizer, Computer Security, Internet, Online Privacy, Security Breaches, Wi-Fi
PermaLink | 3 Comments » | Email to a Friend
Digg this Add to del.icio.us Add Redit

Sidejacking

Saturday, August 4th, 2007


Report: “Sidejacking” session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk.
This issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites are also insecure. With the popularity of insecure WiFi networks, capturing those cookies has become very easy. Once an attacker has the cookie, he can act as you for all purposes on those websites.

The simplest solutions are: enable SSL on the website (if possible), only use WPA secured WiFi, use a VPN, or use Anonymizer with the encrypted surfing option enabled (which effectively makes all websites SSL protected).

Posted in Internet, Online Privacy, Personal Privacy, Security Breaches, Wi-Fi
PermaLink | No Comments » | Email to a Friend
Digg this Add to del.icio.us Add Redit

More news on Wireless Insecurity

Thursday, April 5th, 2007

I was just sent a link to an improved attack on WEP for WiFi. WEP (Wired Equivalent Privacy) is no such thing. Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the technical university Darmstadt in Germany have a paper and proof of concept implementation of an improved attack on WEP. This attack should be able to compromise WEP security in under a minute under normal conditions with an inexpensive laptop.

In reality over half of deployed wireless nodes have no security enabled at all, so WEP is certainly an improvement on that. A much better solution exists called WPA. It is available on almost all WiFi devices, and should be used wherever possible. While WPA is not perfect, there are no efficient attacks against WPA, however experts are still not confident in its security. If you have a high security application, stick with a wire, and/or use a strong VPN within the WiFI connection. I am a belt and suspenders kind of guy, so I like to use multiple layers of security whenever possible.

Posted in Security Breaches, Wi-Fi
PermaLink | 2 Comments » | Email to a Friend
Digg this Add to del.icio.us Add Redit