Social media philosophy blog
Monday June 26th 2017

50 ways to steal your password, part 4

What joy it is to find an open wireless Internet connection when you really need one! However, surfing on an open network can be very costly. Today, unfortunately, the standard recommendation is to avoid them altogether. The basic advice is to connect over encryption (HTTPS), through a VPN tunnel, or both.

16. The point was brought home by freelance software developer Eric Butler in October 2010 when he released Firesheep, a Mozilla Firefox plug-in for sniffing out passwords on open Wi-Fi networks. The program exploits a long-standing weakness in how secure login is handled in connection with cookies. A common procedure is to use encryption at the actual login. Thereafter, whenever the user continues interacting with the website, the browser is equipped with a cookie that contains login data. This makes surfing easier, since the user need not log in every time she does something. However, as the cookie is not encrypted, it becomes possible for a sniffer application to read the login data, including user ID and password. Hotmail, Gmail and Facebook became common targets for hackers.

17. Since the vulnerability is old and well-known, it had been exploited long before Butler. The traditional approach has been to combine a packet sniffer, such as Wireshark, with specialised software such as Hamster and Ferret. Such attacks were not limited to Wi-Fi networks but targeted the overall vulnerability of using conventional HTTP.

18. Another problem with open wireless hotspots was that the signal itself could be intercepted. With the right equipment, one could easily tune in to and download all interaction on an open network.

19. A slightly more sophisticated approach was to simply establish a hotspot as a service, but with the sole purpose of stealing information.

20. A variation of that approach is to impersonate a legitimate hotspot, such as one at a library, university or hotel. This is rather common, and customers always need to check carefully that they are logging in to the right network.
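Items 16 and 17 both rest on a cookie travelling over plain HTTP after an encrypted login. The following is an added example, not code from the original post: a site owner's check that takes the headers of a login response and reports cookies without the `Secure` attribute and a missing or disabled HSTS policy. The function names, the sample site and all header values are constructed for illustration.

```python
# Added example (not from the original post): flag cookies a passive listener
# on an open network could read, given the headers of an HTTPS login response.

def parse_set_cookie(value):
    """Return (cookie_name, {attribute_name_lowercased: attribute_value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent, disabled or malformed."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age" and val.strip('"').isdigit():
                    return int(val.strip('"'))
    return 0

def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a list of (subject, issue)."""
    findings = []
    if hsts_max_age(headers) == 0:
        findings.append(("site", "no effective HSTS policy; later requests may use plain HTTP"))
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append((cookie, "no Secure attribute; sent unencrypted on http:// requests"))
    return findings

# Constructed sample responses (hypothetical site, made-up values).
WEAK_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=lang-en; Path=/; secure"),
]
HARDENED_LOGIN = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(resp))
```

Attribute names are matched case-insensitively, and `max-age=0` is treated as no policy because it tells the browser to discard any stored HSTS entry.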

Reader Feedback

2 Responses to “50 ways to steal your password, part 4”

  1. Michael Wong says:

    Hi, just wondering if you want to exchange links with me? If yes, just leave me a comment at http://michaelwong.blogs.com

    I’ll link to you first, then you can link back ok? If no, that’s cool too. Have a great day!

    Cheers, Michael

  2. Webmaster says:

    Sometimes we ourselves, as if on purpose, create all the conditions to steal our passwords. Using untrusted hotspots or using too simple, widely known passwords. Sometimes it seems like users play with prospective thieves, giving them a hole(
