alexander Posted August 13, 2008
I don't know how many of you follow what happens at Defcon, but many of you should, because it is the biggest black-hat conference of the year: the newest vulnerability vectors get described, and the newest tools get put out. Generally, if a tool is put out, there is generally a fix; such is the case with Surf Jack, a neat tool to steal Gmail cookies. Here's the thing: Google, as well as many other giants, set session cookies such that one can access the logged-in account over HTTP or HTTPS. Utilizing this neat feature, Mike Perry has created a tool to hijack Google cookie data. But utilizing the neat feature allows him to hijack the data whether you logged in with HTTP or HTTPS. It does this quite simply: if your session data is encrypted over HTTPS, the next time you send a DNS request the tool forwards you to http:// and the session data is stolen. Luckily for you, well, us, Google has a fix. In your Gmail settings, scroll all the way down and select "Always use HTTPS". This will restrict the HTTP access and disallow the clear passing of the session data. Also remember, any time you use WiFi to log into an account, ALWAYS log off that account when you are done... My security tip of the day...
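The weakness the post describes is a session cookie set without the Secure attribute, which a browser will also attach to plain http:// requests. The following added example (not code from the thread or from Surf Jack) parses Set-Cookie headers and reports which cookies a plaintext request would transmit; the header values are constructed samples.

```python
# Added example: audit Set-Cookie headers for the weakness Surf Jack relied on.
# A session cookie without the Secure attribute is attached to plain http://
# requests too, so a forced redirect to http://mail.google.com leaks it.
# The header values below are constructed for illustration, not captured traffic.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a browser attach this cookie to a request with this URL scheme?"""
    if cookie.attrs.get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def leaky_session_cookies(headers: list) -> list:
    """Names of cookies that a plain-HTTP request would transmit in the clear."""
    return [c.name for c in map(parse_set_cookie, headers) if sent_over(c, "http")]


# Constructed samples: the 2008-style cookie vs. the hardened form.
WEAK_HEADERS = [
    "SID=abc123; Domain=.google.com; Path=/; Expires=Wed, 13-Aug-2010 00:00:00 GMT",
]
HARDENED_HEADERS = [
    "SID=abc123; Domain=.google.com; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("weak    :", leaky_session_cookies(WEAK_HEADERS))      # ['SID']
    print("hardened:", leaky_session_cookies(HARDENED_HEADERS))  # []
```

Run against a real site by pasting its Set-Cookie headers into the list; any session cookie it reports is one the "Always use HTTPS" setting exists to protect.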
freeztar Posted August 13, 2008
Thanks again Alex!
> Also remember, any time you use WiFi to log into an account, ALWAYS log off that account when you are done...
Can you elaborate on why this is good practice and what could happen (and why) if you do not do this?
alexander Posted August 13, 2008
Because gathering session data wirelessly is even simpler. I love scapy; it's got to be my most favorite Python program ever. Tools written on top of scapy are interesting, yet very dangerous. One such tool is called WiFiZoo, aimed at sniffing authentication data right out of the air... Not just Gmail data, any handshake, secure or not... and then with a flick of a mouse (it has a very nice web interface) shazaam, you are able to use the data to get into the session, and it does not matter that you are on different IPs; scapy can bend (change) all of that...
freeztar Posted August 13, 2008
> Because gathering session data wirelessly is even simpler. I love scapy; it's got to be my most favorite Python program ever. Tools written on top of scapy are interesting, yet very dangerous. One such tool is called WiFiZoo, aimed at sniffing authentication data right out of the air... Not just Gmail data, any handshake, secure or not... and then with a flick of a mouse (it has a very nice web interface) shazaam, you are able to use the data to get into the session, and it does not matter that you are on different IPs; scapy can bend (change) all of that...
But it can only sniff it out as it is being transmitted, correct?
alexander Posted August 13, 2008
No, but you can be tricked.... With some recent problems found with DNS you can forward, say, a DNS request to mail.google.com when you were trying to hit msn.com or something, and your cookie will belong to the haxor.
freeztar Posted August 13, 2008
So how does signing out help? Btw, I checked my DNS servers and they are patched. :shrug:
alexander Posted August 13, 2008
OK, if you sign out the cookie data is invalid, and no one can just log in using that... DNS servers are patched; problem is, the DNS games will never leave the local network, especially on a WiFi net. :shrug:
freeztar Posted August 13, 2008
> OK, if you sign out the cookie data is invalid, and no one can just log in using that...
But wouldn't they use it right after you log in anyway? :shrug: I see what you're saying though.
> DNS servers are patched; problem is, the DNS games will never leave the local network, especially on a WiFi net. :phones:
At the risk of going off topic, how exactly would that work? Is it like, someone is wardriving, finds your SSID and monitors traffic, acting as a relay between the router and the victim? How would it work for a wired network? Sorry for all the questions, but I'm generally nonchalant about "lock-down" security and you're making me think that I need to learn about this stuff much more.
DougF Posted August 14, 2008
I have several emails; Gmail is not one of them. Question is, is this only a Gmail problem? Or should I check all of my accounts? Thanks, DougF.
alexander Posted August 14, 2008
> But wouldn't they use it right after you log in anyway?
50/50 there, probably not, but they may...
> acting as a relay between the router and the victim
Well, no, there is a jump you've made there. In order to act as a relay, you need to poison ARP. If someone is wardriving, they are just monitoring packets on an AP, not in between, just catching RF data going out in all directions... MITM comes if they are able to connect, identify their target and successfully execute a Man In The Middle, whether by ARP poisoning or by taking over the AP. At this point all your traffic is flowing through them, and yeah, all your base are belong to them.
> How would it work for a wired network?
Similarly, ARP poisoning works on a wired network to execute a MITM, and unless you are running one of those nifty 5k Cisco boxes that's all up to date, your wired network is very vulnerable to a MITM, and as I said, once the attacker is successfully executing that, you are screwed ;) er :) MITM can be executed using other protocols. One can create a rogue DHCP server on a network (you can see how dangerous that is), one can create a rogue DNS server, or bring down the network DNS server and set up a computer to act as one (that would be really deep penetration)... I mean, there are a plethora of ways to do it on a wired network...
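The ARP-poisoning step described in the post has a simple observable symptom on the LAN: the gateway's IP starts being announced from a different MAC. This added example (not from the thread, and independent of scapy) shows the detection a host or sensor can run over a stream of ARP replies; the replies are constructed sample data.

```python
# Added example: spot the ARP-poisoning step of the MITM described above.
# An attacker wins a LAN MITM by answering ARP for the gateway's IP with their
# own MAC (and usually for the victim's IP too, to relay both directions).
# A sensor that remembers which MAC each IP first answered from can flag a
# later reply that rebinds the same IP. Sample replies below are constructed.
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac")


def detect_arp_rebinding(replies, gateway_ip):
    """Return (time, severity, ip, old_mac, new_mac) for every IP whose
    advertised MAC changes. Rebinding the gateway IP is 'high'; others 'medium'."""
    seen = {}      # ip -> mac first announced for it
    alerts = []
    for r in replies:
        known = seen.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            sev = "high" if r.sender_ip == gateway_ip else "medium"
            alerts.append((r.t, sev, r.sender_ip, known, r.sender_mac))
    return alerts


def macs_claiming_many_ips(replies, threshold=2):
    """MACs that answer for several IPs: the two-sided poison pattern."""
    claims = {}
    for r in replies:
        claims.setdefault(r.sender_mac, set()).add(r.sender_ip)
    return sorted(m for m, ips in claims.items() if len(ips) >= threshold)


# Constructed sample: normal traffic, then one MAC takes over gateway and victim.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ArpReply(0.5, "192.168.1.20", "00:11:22:33:44:20"),  # victim host
    ArpReply(1.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ArpReply(2.0, "192.168.1.1", "00:11:22:33:44:99"),   # gateway IP from a new MAC
    ArpReply(2.5, "192.168.1.20", "00:11:22:33:44:99"),  # victim IP from the same MAC
]

if __name__ == "__main__":
    for alert in detect_arp_rebinding(SAMPLE, "192.168.1.1"):
        print("ALERT", alert)
    print("suspect MACs:", macs_claiming_many_ips(SAMPLE))  # ['00:11:22:33:44:99']
```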
alexander Posted August 14, 2008
> Question is, is this only a Gmail problem?
> Google, as well as many other giants
Yes, chances are that your other email accounts are susceptible to this attack vector... Problem is, it is likely that they have not fixed the possibility of such attacks though; at least I have not seen the report yet ;)...