Header

Tue, 14 Aug 2007

mh.blackhatFeedback(Side-jacking, Hamster)
Tags: conferences, silly-yammerings, public, blogharoon @ 17:04

Ok.. so its a lot later than i promised, but i did mention that i would post some feedback on some of the talks i ended up catching at this years BlackHat. By far the talk that grabbed the most press was the Erratasec talk on Side-Jacking.

Essentially the researchers demonstrated a tool (hamster) that allows an attacker on a shared network (wifi was used as an example, but i guess any shared medium would suffice) to hi-jack users accounts by sniffing their session-ids.

The confusing thing about the talk (other than the fact that in discussions about it, people seem to completely confuse the concepts of a cookie, a session, a cookie-expiry, a session-timeout and other basic HTTP concepts) was the crowd reaction to it. People were amazed and clapped loudly as Robert Graham "impersonated" some other user whos session-id he captured.

It felt a little surreal to see the number of people who were visibly shaken at the thought that a person who captured their session-id could impersonate them. This is something we have been teaching in our Hacking by Numbers course since 2000 and has had a solution (use SSL) for longer than time (internet time at any rate).

It was totally confusing to see it being called a "Web 2.0" problem" (and worse to see "Hamster plus Hotspot equals Web 2.0 meltdown!", and at a point i even heard "Well Google are ahead with Web 2.0 since they pioneered it with GMail, so they have a fix but other Web 2.0 sites are all broken". Stealing someone's session-id on a shared network when SSL is not being used is hardly a Web 2.0 problem...

Of course this didnt stop the press / blogosphere from exploding the story and i believe news of it made non-trade-press too with appearances on BBC & CNN? It truly blew me away, disillusionment++

(To be clear.. this casts no aspersions on the researchers, but the response to essentially an ancient problem..)

At a point, Robert did his demo live on stage.. which made me wonder if his Ferret/Hamster which was going to allow an attacker to exploit Web2.0 sites actually protected itself from other "Web2.0 attacks".. (it doesn't.. so essentially if an attacker is running hamster on your wifi connection, you should be able to attack him with about 5 lines of pasted text in a telnet session)(ill post details in a follow up post..)

/mh

1 comment

pdp on 2007/8/15
you are not the only one that was amazed about the media reaction on such an ancient problem. In fact, is that a problem? Of course, if someone gets your cookie they will be able to impersonate you, duhh... anyway.

Leave a comment

Name*:
Email*:(Won't be displayed)
URL:
Comment*:
*required
Blog
Video
Research
QotW
Categories
about:us (31)
blackhat (5)
blog (10)
broadview (2)
build-it (1)
cloud (12)
community (15)
conferences (60)
crypto (3)
fail (3)
foos (1)
fun (51)
goodbye (1)
hackrack (2)
Hope? (2)
howto (8)
imsojaded (2)
infosec-soapies (25)
infrastructure (3)
local (5)
mac (15)
management (7)
materials (3)
memcached (2)
mindless-politics (4)
mindmaps (1)
PCI (2)
post-it (1)
privacy (6)
product (2)
programming (5)
public (275)
qo[w|m|?] (5)
README (1)
real-world (14)
research (37)
reversing (4)
security-fyi (8)
security-news (6)
silly-yammerings (19)
tech-toys (3)
time-waster (6)
tin-foil-hat (6)
tools (46)
training (18)
travel (1)
tricks (1)
Uncategorized (3)
vendors (6)
videos (6)
vulnerability (7)
wasc (1)
webapps (6)
web_x.0 (2)
writing-advice (1)
zen-hacking (6)
Archives
August 2010 (4)
July 2010 (1)
June 2010 (4)
May 2010 (3)
April 2010 (3)
March 2010 (7)
Feburary 2010 (2)
January 2010 (3)
December 2009 (4)
November 2009 (4)
October 2009 (3)
September 2009 (5)
August 2009 (9)
July 2009 (1)
June 2009 (5)
May 2009 (4)
April 2009 (10)
March 2009 (13)
Feburary 2009 (12)
January 2009 (11)
December 2008 (9)
November 2008 (8)
October 2008 (5)
September 2008 (5)
August 2008 (6)
July 2008 (6)
June 2008 (6)
May 2008 (2)
April 2008 (3)
March 2008 (7)
Feburary 2008 (12)
January 2008 (9)
December 2007 (8)
November 2007 (4)
October 2007 (9)
September 2007 (14)
August 2007 (18)
July 2007 (13)
June 2007 (17)
May 2007 (2)
July 2006 (1)
April 2006 (1)
August 2005 (1)
June 2005 (1)
May 2005 (2)
Archives
Conditions of use Privacy statement
Top of Page Legal stuff