Protect your corporate sheep
Best Practices, Mobile, Security | August 8th, 2007

Black-hats and white-hats alike descended once again on Las Vegas last week for their annual DEFCON convention. The self-described “largest underground hacking event in the world” is a unique forum to get insight and information on the latest hacking trends, security vulnerabilities and exploits that may directly affect your business.
ZDnet blogger George Ou writes, in this post, about a DEFCON presentation that showcased yet another variant on how to exploit the inherent insecurity of public Wi-Fi Hotspots.
“It’s time to count sheep again and I don’t mean the ones in your sleep. I’m talking about the ones on the Wi-Fi Hotspot that are using insecure protocols and getting their online accounts compromised.”
Much has already been written about how unencrypted wireless data traffic can easily be captured by anybody with tools freely available on the Internet. Even the old and still predominant WEP-based wireless encryption standard doesn’t offer real protection anymore, since the secret encryption key can be quickly recovered with the proper tools.
The latest variant on the topic is even more serious because users are operating under a false sense of security. The exploit hinges on the common practice of many websites of using SSL encryption for user authentication only. Gmail, for example, uses HTTPS (SSL) by default only for its login page and then drops the user back into regular HTTP for reading email. Many people don’t realize what is happening. Do you check for the little lock icon at the bottom of your browser all the time?
Basically, as soon as you are logged in, all your web traffic is once again clearly visible to prying eyes, but that is not all. Robert Graham, CEO of Errata Security, demonstrated how an attacker can easily capture and clone all the session information (session IDs and cookies).
“Once the identity is cloned, the attacker is able to jump on to online services like Gmail masquerading as the victim with full access to read and send email on behalf of the victim. Furthermore, the attacker can go to maps.google.com and find the victim’s personal information like home address if it’s saved in to Google Maps.”
So how can corporate IT protect their sheep ahhhem… users?
The best protection for the corporate road-warrior, in my opinion, is the consistent use of a corporate VPN when accessing any public network, wired or wireless. That way all traffic is protected by an encrypted tunnel, connecting the user to the Internet through a trusted endpoint: your corporate firewall. Besides the costs of acquiring and maintaining this technology, the challenge remains in educating the employees to actually use it.
In addition, make sure to review any Internet-accessible company web portals, corporate webmail services, wikis, blogs and the like for persistent HTTPS use on all sensitive content, as the same exploit could be used to gain unauthorized access to those resources.
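One way to run that review, as an added example that is not part of the original post: a small Python audit over recorded responses (the URLs, status codes and headers below are constructed samples, not real captures) that flags content served over plain HTTP, HTTPS pages that redirect the user back down to HTTP, and session cookies set without the Secure attribute, which is what lets the browser resend them in the clear.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {attribute: value}); attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_response(url, status, headers):
    """Return a list of findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    get = lambda n: [v for k, v in headers if k.lower() == n]
    location = (get("location") or [""])[0].lower()
    if scheme == "http":
        # A plain-HTTP request is acceptable only if it is bounced straight to HTTPS.
        if not (status in REDIRECTS and location.startswith("https://")):
            findings.append("content served over plain HTTP with no redirect to HTTPS")
    elif status in REDIRECTS and location.startswith("http://"):
        # The Gmail pattern from the post: HTTPS login, then back to cleartext.
        findings.append("HTTPS page redirects the user down to plain HTTP")
    for value in get("set-cookie"):
        name, attrs = parse_set_cookie(value)
        if scheme == "http":
            findings.append(f"cookie {name!r} was set over plain HTTP and is already exposed")
        if "secure" not in attrs:
            # Without Secure the browser resends this cookie on any http:// link to the host.
            findings.append(f"cookie {name!r} lacks the Secure attribute")
    return findings


# Constructed sample responses (hypothetical hosts): HTTPS login, then cleartext mail pages.
SAMPLE = [
    ("https://webmail.example.com/login", 302,
     [("Location", "http://webmail.example.com/inbox"), ("Set-Cookie", "SID=abc123; Path=/; HttpOnly")]),
    ("http://webmail.example.com/inbox", 200, [("Content-Type", "text/html")]),
    ("https://portal.example.com/", 200, [("Set-Cookie", "session=xyz; Path=/; Secure; HttpOnly")]),
]


def audit_all(samples):
    return {url: audit_response(url, status, headers) for url, status, headers in samples}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE).items():
        print(url, findings or ["ok"])
```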