It's not paranoia: Using public or open Wi-Fi networks without taking your security into consideration is a bad idea. You don't even have to crack the network's passwords to grab tons of data from unsuspecting users on the network. We've shown you how to do it, and how to stop it from happening to you. Now, dSploit, a security toolkit for Android, makes that process so simple anyone can do it. Here's how it works, and how to protect yourself.
What is dSploit?
dSploit is actually a suite of security tools bundled together in one application. It runs on rooted Android (2.3+) devices, its code is freely available at GitHub, and it's actually a great utility if you're a security professional or otherwise enjoy the ins and outs of network security, hacking, and penetration testing. We want to be clear that we're not villainizing the tool here; unlike apps like Firesheep, Faceniff, and Droidsheep, dSploit isn't made for the sole purpose of cracking networks or hijacking user sessions. It can certainly sniff out passwords transmitted in plain text on an open network, and it can crack poorly secured Wi-Fi networks. It can also scan networks for vulnerabilities, crack keys on common routers, and of course, hijack browser, website, or social network sessions and hold on to them. You can see a full list of the tool's features here.
For a security professional, an amateur looking for an affordable way to learn more about network security (or who's been tasked by their office to secure their Wi-Fi but can't afford professional pen-testers), or someone looking to protect their own network, dSploit can be a valuable resource. It can also be a valuable resource for people looking to steal your data. That's why we're going to talk about how it works and how you can protect your passwords and private data from anyone else using it.
How dSploit (and other apps like it) work
dSploit makes it easy to do two things: Sniff out passwords being sent unencrypted, and hijack active browser sessions so you can masquerade as someone who's already logged in to a site or service. In both cases, they're really one-touch operations once you have the app installed. The former is easy to do. If you're visiting a site, or logging in to a service, without using HTTPS or SSL, your password is likely being sent in clear text. Anyone sniffing packets on a network can capture it without having to do any real kind of packet inspection, and once they have it, they'll try it on as many sites and services as possible to see if you use it for other accounts. The video above, from OpenSourceGangster, explains how the app works in detail, and how to use it.
The latter is a bit more intricate. If you're not familiar with session hijacking, it's the process of capturing cookies to exploit a valid active session that another user has with a secured service in order to impersonate that other user. Since no sensitive data like a login or password is transmitted in the cookie, cookies are usually sent in the clear, and in most cases they're used by web sites and social networks as a way of identifying a user with a current session so the site doesn't forget who you are every time you reload. This is the most common attack vector for apps that sniff out passwords and sessions via Wi-Fi. We showed you how this works when Disconnect, one of our favorite privacy-protecting browser extensions, added protection against widget jacking and session hijacking, if you want to see an example.
dSploit approaches session hijacking in a similar manner to the other tools we've mentioned, mostly because it works well. The folks over at MakeUseOf explain how the app works in further detail, including some of the things you can do with it. Many web sites just encrypt your username and password, and once that handoff is made, everything else is unencrypted. While many sites have moved to HTTPS (and there are tools to help that we'll get to a little later), most require you to activate their HTTPS features. Many other sites haven't bothered moving to HTTPS universally at all.
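As an added example (not from the original article or from dSploit itself), here is a short Python check a site owner could run over the headers of a login response to see which cookies would still travel in clear text once the user leaves HTTPS. The header values are constructed samples and the function name is hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers a site might return after an HTTPS login.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure"),
    ("Set-Cookie", "auth=def456; Path=/; Secure; HttpOnly"),
]


def audit_login_response(headers):
    """Return findings for a list of (name, value) response headers.

    A cookie without the Secure attribute is attached to plain-HTTP
    requests as well, which is where a sniffer on open Wi-Fi sees it.
    Without HSTS the browser may still make those plain-HTTP requests.
    """
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if not has_hsts:
        findings.append("response: no Strict-Transport-Security header, "
                        "browser may still request pages over HTTP")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses one Set-Cookie value, including flag attributes
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: missing Secure attribute, "
                                "cookie is also sent over unencrypted HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_login_response(SAMPLE_HEADERS):
        print(finding)
```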
What's the real risk here?
The real risk from tools like this varies. The odds of you encountering someone in your local coffee shop running dSploit, Firesheep, or any other app like them to capture passwords and hijack sessions are pretty slim, but as we've mentioned, it only takes one person to ruin your day.
Someone could just capture as many Facebook or Twitter sessions as they can (after which they can change a user's password and keep the Facebook account for themselves), hijack Amazon shopping sessions and grab address and credit card information, read your email and chats, and so on. The risk goes up with more and more tools available that are easy for anyone to use, and with the number of people out there who simply don't protect themselves by encrypting their data.
How can I protect myself?
Protecting yourself from tools like these is actually remarkably easy if you put in the effort to actually do it:
* Turn on HTTPS on every site that allows you to connect with it, and install HTTPS Everywhere. This will make sure you're using HTTPS at all times, whenever possible, and none of your web browsing traffic is sent unencrypted.
* Get a privacy-protecting browser extension like Disconnect, which also protects against widget jacking or side-jacking. Disconnect is our favorite, but it shouldn't be the only tool in your toolkit.
* Use a VPN when browsing on public, free, or other open networks. We've explained why you should have a VPN before. We've even explained how to tell if a VPN is trustworthy. Using a VPN is the best way to make sure all of your data is encrypted and safe from anyone else on the same network, whether it's wired or wireless, public or private.
* Use your head, and practice good internet hygiene. Hone your phishing and scam detection skills, turn your BS detector up to max, and learn how to protect yourself from online fraud. Someone doesn't have to hijack your session or passwords to get to you; they could just as easily replace the website you're on with one that looks like it but insists you give it a ton of data first. Be smart.
It doesn't take much to use HTTPS everywhere you can, fire up a VPN if you're going to be working from the library, or just not use public Wi-Fi and wait until you get home or tether to your phone instead (that's always another option). If everyone did it, unscrupulous use of tools like these wouldn't be an issue and only the people who needed them would use them. However, as long as they're so effective, it makes sense for you to take the necessary steps to protect yourself.