7 sneak attacks used by today’s most devious hackers: Stealth attack No. 1: Fake wireless access pointsNo hack is easier to accomplish than a fake WAP (wireless access point). Anyone using a bit of software and a wireless network card can advertise their computer as an available WAP that is then connected to the real, legitimate WAP in a public location.
Think of all the times you — or your users — have gone to the local coffee shop, airport, or public gathering place and connected to the “free wireless” network. Hackers at Starbucks who call their fake WAP “Starbucks Wireless Network” or at the Atlanta airport call it “Atlanta Airport Free Wireless” have all sorts of people connecting to their computer in minutes. The hackers can then sniff unprotected data from the data streams sent between the unwitting victims and their intended remote hosts. You’d be surprised how much data, even passwords, are still sent in clear text.
The more nefarious hackers will ask their victims to create a new access account to use their WAP. These users will more than likely use a common log-on name or one of their email addresses, along with a password they use elsewhere. The WAP hacker can then try using the same log-on credentials on popular websites — Facebook, Twitter, Amazon, iTunes, and so on — and the victims will never know how it happened.
Lesson: You can’t trust public wireless access points. Always protect confidential information sent over a wireless network. Consider using a VPN connection, which protects all your communications, and don’t recycle passwords between public and private sites.
Stealth attack No. 2: Cookie theftBrowser cookies are a wonderful invention that preserves “state” when a user navigates a website. These little text files, sent to our machines by a website, help the website or service track us across our visit, or over multiple visits, enabling us to more easily purchase jeans, for example. What’s not to like?
Answer: When a hacker steals our cookies, and by virtue of doing so, becomes us — an increasingly frequent occurrence these days. Rather, they become authenticated to our websites as if they were us and had supplied a valid log-on name and password.
Sure, cookie theft has been around since the invention of the Web, but these days tools make the process as easy as click, click, click. Firesheep, for example, is a Firefox browser add-on that allows people to steal unprotected cookies from others. When used with a fake WAP or on a shared public network, cookie hijacking can be quite successful. Firesheep will show all the names and locations of the cookies it is finding, and with a simple click of the mouse, the hacker can take over the session (see the Codebutler blog for an example of how easy it is to use Firesheep).
Worse, hackers can now steal even SSL/TLS-protected cookies and sniff them out of thin air. In September 2011, an attack labeled “BEAST” by its creators proved that even SSL/TLS-protected cookies can be obtained. Further improvements and refinements this year, including the well-named CRIME, have made stealing and reusing encrypted cookies even easier.
With each released cookie attack, websites and application developers are told how to protect their users. Sometimes the answer is to use the latest crypto cipher; other times it is to disable some obscure feature that most people don’t use. The key is that all Web developers must use secure development techniques to reduce cookie theft. If your website hasn’t updated its encryption protection in a few years, you’re probably at risk.
Lessons: Even encrypted cookies can be stolen. Connect to websites that utilize secure development techniques and the latest crypto. Your HTTPS websites should be using the latest crypto, including TLS Version 1.2.
Stealth attack No. 3: File name tricksHackers have been using file name tricks to get us to execute malicious code since the beginning of malware. Early examples included naming the file something that would encourage unsuspecting victims to click on it (like AnnaKournikovaNudePics) and using multiple file extensions (such as AnnaKournikovaNudePics.Zip.exe). Until this day, Microsoft Windows and other operating systems readily hide “well known” file extensions, which will make AnnaKournikovaNudePics.Gif.Exe look like AnnaKournikovaNudePics.Gif.
Years ago, malware virus programs known as “twins,” “spawners,” or “companion viruses” relied on a little-known feature of Microsoft Windows/DOS, where even if you typed in the file name Start.exe, Windows would look for and, if found, execute Start.com instead. Companion viruses would look for all the .exe files on your hard drive, and create a virus with the same name as the EXE, but with the file extension .com. This has long since been fixed by Microsoft, but its discovery and exploitation by early hackers laid the groundwork for inventive ways to hide viruses that continue to evolve today.