Gmail hacked over WiFi HotSpot - Printable Version
-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Gmail hacked over WiFi HotSpot (/showthread.php?tid=76664)
Gmail hacked over WiFi HotSpot by albert on 08-09-2007 at 11:19 PM
Well, to shorten up the story :
quote:
Originally posted by Zdnet Blog
Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone’s Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot and his Gmail account just popped on the large projection screen for 500 or so audience members to see. Of course had the poor chap read my blog about email security last week he might have avoided this embarrassment. But for the vast majority of people using Gmail or any other browser or “Web 2.0″ application, they’re all just a bunch of sheep waiting to be jacked by Graham’s latest exploit.
Full stories and how-to :
http://blogs.zdnet.com/Ou/?p=651
By the way, what do you guys think of this?
It seems that it isn't only Gmail, but online applications with cookies? Is that correct?
RE: Gmail hacked over WiFi HotSpot by ShawnZ on 08-09-2007 at 11:27 PM
this is literally the entire reason people secure their wifi. this type of attack is so well known, its not even a "neat trick" -- its just how its done.
RE: Gmail hacked over WiFi HotSpot by albert on 08-09-2007 at 11:34 PM
quote:
Originally posted by ShawnZ
so well known, its not even a "neat trick" -- its just how its done.
I secure mine with a WEP 10 characters key, is that enough?
RE: Gmail hacked over WiFi HotSpot by ShawnZ on 08-09-2007 at 11:37 PM
quote:
Originally posted by albert
quote:
Originally posted by ShawnZ
so well known, its not even a "neat trick" -- its just how its done.
I secure mine with a WEP 10 characters key, is that enough?
no
in fact, you shouldn't be using WEP at all
RE: Gmail hacked over WiFi HotSpot by Supersonicdarky on 08-10-2007 at 01:04 AM
* Supersonicdarky will have fun next time he is stealing wifi 
RE: Gmail hacked over WiFi HotSpot by Verte on 08-10-2007 at 10:18 AM
I bet it's possible to secure yourself by encrypting all your IP traffic, though you will need a way to decrypt it at the server end. And you know, I bet TOR would work most of the time.
RE: Gmail hacked over WiFi HotSpot by M73A on 08-10-2007 at 10:54 AM
i have WEP and MAc filtering... is that okay? just my ds only takes wep 
RE: Gmail hacked over WiFi HotSpot by andrewdodd13 on 08-10-2007 at 11:11 AM
MAC filtering just means they can't steal your connection, but they can decrypt the signal if they're up for it, which means they can do the hack described in the topic.
I can't really be bothered reading this atm, but doesn't G-Mail use SSL?
Edit: Okay, so I went and read it. Cookie snatching is pretty evul.
RE: Gmail hacked over WiFi HotSpot by Steven on 08-10-2007 at 01:00 PM
If there serious about trying to hack into your gmail account, i bet they wouldnt stop when they see WEP. If they would go through that to go into someones account, then why not try to crack WEP? So WEP probably isnt the smartest choice.
RE: Gmail hacked over WiFi HotSpot by ShawnZ on 08-10-2007 at 01:28 PM
quote:
Originally posted by andrewdodd13
I can't really be bothered reading this atm, but doesn't G-Mail use SSL?
gmail has ssl capability (if you go to https://gmail.com it'll be ssl) but by default only the logon page uses ssl
RE: Gmail hacked over WiFi HotSpot by Tochjo on 08-10-2007 at 02:26 PM
It is not allowed to discuss how to use hacking tools. It is, of course, perfectly fine to discuss the article and the security of wireless networking.
RE: Gmail hacked over WiFi HotSpot by Adeptus on 08-10-2007 at 03:02 PM
quote:Yes. We call that a "VPN"
Originally posted by Verte
I bet it's possible to secure yourself by encrypting all your IP traffic, though you will need a way to decrypt it at the server end.
Google was actually going to offer a VPN service for secure communication over open WiFi a few years ago. I am not sure what became of that, but suspect not much. I have a VPN set up at home for this very reason, so that I can secure my communications when I travel and have to use dodgy WiFi hotspots.
In any case, sniffing and cookie stealing is no news, and as ShawnZ correctly notes, using https://gmail.com (so that your session is fully encrypted, not just the login page) should also help.