Session hijacking
12 January 2012
Session hijacking – just point and click

Session hijacking (or sidejacking) is simply a way of taking over a web session by stealing the session ID (which is normally stored within a cookie) and masquerading as that user. Once the hacker has obtained the victim's session details he can do anything on that website that the legitimate user is entitled to do. Whilst the log-in pages of social media sites, for example, are usually secured with HTTPS, the sites usually revert to HTTP after log-in, making the session cookie available in clear text. Session hijacking can only take place on an unsecured public network – the type commonly found in coffee shops, hotels, airports etc.

Session hijacking is not a new phenomenon – it has been around for as long as web developers have been using session IDs to give us the seamless web experiences that we have come to expect. Tools like Hamster, Ferret and Cookie Monster have been exploiting this vulnerability since 2007. However, you needed a reasonable degree of hacking knowledge to use them effectively. In October 2010, Eric Butler, a web developer frustrated with this ongoing security vulnerability, released Firesheep, which packaged these techniques up into a neat Firefox extension with a point-and-click interface. Butler has stated that he developed Firesheep to "show that a core and widespread issue in website security is being ignored". Whilst Butler's intention may have been wholly altruistic, the result is that session hijacking is now within the reach of just about any motivated individual. With more than one million downloads of Firesheep to date, and with that number continuing to escalate, Butler perhaps underestimated the extent of that motivation.
FaceNiff – Firesheep goes mobile

FaceNiff is an Android application, released in June of this year, which allows hackers to intercept web session profiles over wireless networks and steal user credentials for Facebook, Twitter, YouTube and other social media sites. The developers have promised that a greater selection of sites will soon be available. FaceNiff is almost as easy to use as Firesheep and, perhaps most importantly, works on WPA-encrypted wireless networks. Given the relentless rise in smartphone ownership, FaceNiff may be even more dangerous than Firesheep.

We're in this together

Much of the publicity surrounding Firesheep and FaceNiff has centred on social media websites and, as a result, there has been a perception that this is not a problem that should concern business organisations. However, many business organisations use social media for sales, marketing, customer service and support functions. Furthermore, session hijacking can, in principle, be used to hijack any enterprise web or cloud application. The use of public networks by just about everyone, from corporate employees to students to middle-aged "silver surfers", has become entrenched in our web access patterns. Unfortunately, this trend has not been accompanied by a rise in awareness of the risks of public networks. The growing use of social media for commercial purposes is putting business organisations at greater risk from tools such as Firesheep and FaceNiff than they might realise. One particular issue with the commercial use of social media sites is that responsibility for maintaining a commercial presence usually falls to sales and/or marketing personnel. As you might expect, these employees are often not as well versed in security concerns as their colleagues in IT. These findings highlight the challenge facing those responsible for data security.
They may have overall responsibility for the security of customer data, but if we take the example of a salesperson using a social media website to communicate with a customer about a support issue, and using a public network to do so, we can see that programs such as Firesheep can pose a serious risk to corporate data security. This is not solely a consumer issue.

Mitigating the risks

As mentioned previously, there are only two ways that end users can protect themselves from a sidejacking attack, and each of these solutions is suitable for a different type of user. The solution most suited to mobile employees is to send all of your web traffic through a properly authenticated VPN tunnel. So, how do you keep your customers safe? If you run a transactional website that exchanges information with users, the only sure-fire way to ensure that session hijacking attacks cannot occur is to protect it with HTTPS all the time, extending the use of SSL beyond the log-in page.

Dangerous complacency

When we take the figures above and combine them with the finding that 71 percent of our respondents have not made, and are not planning to make, any changes to their mobile security policies in the light of the publicity generated by Firesheep, a worrying picture emerges. Despite the fact that many IT professionals use SSL as an indicator of website safety, it seems that many business organisations are not protecting their employees, and consequently their own corporate data or, most importantly of all, their customers, with the same technology. This picture mirrors the responses of websites such as Twitter and Facebook, which have (until relatively recently in the case of Facebook) known about this vulnerability for as long as it has been exploited and chosen to do nothing about it. Even the belated response of Facebook, which announced earlier this year that it now offers an option to browse the site over HTTPS by default, is dependent on the user enabling the relevant security options.
The fact is that business organisations have an obligation to protect their customer data. Government and industry regulations such as PCI DSS exist to ensure that organisations are aware of their responsibilities to protect customer data. They provide a framework of rules to comply with. The penalties for failing to comply vary from fines to, in the case of PCI DSS, a theoretical risk of being banned from processing card payments. Perhaps the biggest incentive is still the risk of public censure. The cases of Lush and Cotton Traders demonstrate the damage that a high-profile data breach can do to an organisation's brand and reputation.

Conclusion

Much of the analysis of Firesheep has focussed on the consumer end users of unsecured networks and websites. However, the Computing survey confirmed that social media is used increasingly for sales, marketing and support functions within business organisations, so analysis of Firesheep should not be confined to end users. Furthermore, these session-stealing attacks work equally effectively against enterprise web and cloud applications. Business organisations should look at their use of social media and public networks to ensure that key business application data is protected – especially customer data. Customers need to be protected against session-stealing attacks. Attacks will ultimately lead to dissatisfied customers and lost revenue, as well as breaches of data regulations and potential public censure. The purpose of Firesheep was to demonstrate that protecting only the web log-in with HTTPS is not enough. The entire session needs to be protected to the same level.
Business organisations should protect their customers and employees by means of the following:

• Consider extending HTTPS to your whole website
• Ensure all critical web applications use HTTPS
• Use a trusted CA with a well recognised trust mark such as VeriSign
• Advise your customers via your website that you use HTTPS and explain why
• Enforce the use of VPNs for all critical web applications
• Educate customers and colleagues about the dangers of sidejacking
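The following is an added example, not code from the original article or from any of the tools it names. It models the behaviour described in the "just point and click" section (an HTTPS log-in whose session cookie is later sent in clear text once the site drops back to HTTP) and the recommendation above to extend HTTPS to the whole site. The browser model, the hostname, the cookie name and value, and the choice of the Secure cookie attribute plus a Strict-Transport-Security (HSTS) header as the concrete way of keeping the session on HTTPS are all my assumptions; the article itself only says that the entire session must be protected with HTTPS.

```python
# Added example, not code from the original article: a small model of what a
# browser does with a session cookie after an HTTPS log-in, showing why a cookie
# set without the Secure attribute ends up in clear text once the site drops
# back to HTTP, and how marking it Secure plus keeping the whole site on HTTPS
# (here via an HSTS header, my choice of mechanism) removes that exposure.
# All hostnames, cookie names and values below are constructed.
from http.cookies import SimpleCookie
from urllib.parse import urlparse, urlunparse

# Constructed log-in responses. WEAK is the pattern the article describes:
# HTTPS log-in, but nothing stops the cookie travelling over plain HTTP later.
WEAK_LOGIN_RESPONSE = {
    "Set-Cookie": "sessionid=abc123; Path=/",
}
# HARDENED: cookie only ever sent over HTTPS, hidden from page script, and the
# browser is told to use HTTPS for every request to this host.
HARDENED_LOGIN_RESPONSE = {
    "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def parse_set_cookie(header_value):
    """Return (name, value, secure, httponly) for a single Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    # SimpleCookie stores flag attributes as True when present, "" otherwise.
    return name, morsel.value, bool(morsel["secure"]), bool(morsel["httponly"])


class BrowserModel:
    """Just the two browser behaviours that matter here: a cookie jar that
    honours the Secure attribute, and an HSTS list that rewrites http:// to
    https:// for hosts that sent Strict-Transport-Security."""

    def __init__(self):
        self.cookies = {}        # name -> (value, secure)
        self.hsts_hosts = set()

    def receive(self, host, headers):
        """Process the headers of a response received from `host`."""
        name, value, secure, _ = parse_set_cookie(headers["Set-Cookie"])
        self.cookies[name] = (value, secure)
        if "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(host)

    def request(self, url, session_cookie="sessionid"):
        """Decide which cookies would accompany a request to `url`."""
        parts = urlparse(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            parts = parts._replace(scheme="https")   # HSTS upgrade
        plaintext = parts.scheme == "http"
        sent = {n: v for n, (v, secure) in self.cookies.items()
                if not (secure and plaintext)}
        return {
            "url": urlunparse(parts),
            "cookies": sent,
            # True means anyone sniffing the network sees the session ID.
            "session_in_clear": plaintext and session_cookie in sent,
        }


def simulate(login_headers, host, later_url):
    """Log in over HTTPS at `host`, then follow a plain-HTTP link to the site."""
    browser = BrowserModel()
    browser.receive(host, login_headers)
    return browser.request(later_url)


def audit_login_response(headers):
    """Server-side checklist: what is missing from a log-in response."""
    findings = []
    _, _, secure, httponly = parse_set_cookie(headers["Set-Cookie"])
    if not secure:
        findings.append("session cookie lacks Secure: sent over plain HTTP")
    if not httponly:
        findings.append("session cookie lacks HttpOnly: readable by page script")
    if "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security: http:// links stay http")
    return findings


if __name__ == "__main__":
    later = "http://www.example.com/inbox"
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE),
                        ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, simulate(resp, "www.example.com", later))
        print(label, audit_login_response(resp))
```

With the weak response, the model sends the session cookie with the plain-HTTP request, which is exactly what a sniffer on an open network picks up. With the hardened response the request is upgraded to HTTPS before it leaves, so the cookie never appears in clear. A Secure cookie on its own (no HSTS) is an intermediate case worth noting: the cookie is withheld from the http:// request, so nothing leaks, but the user arrives at the page logged out unless the server redirects every http:// URL to HTTPS.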