PSA: Do NOT Surf Non-End-To-End HTTPS Sites While On a Public Wi-Fi Network

I'm about to share a not-so-well-known issue with public Wi-Fi networks.  Essentially, many websites we know & love—when logged into while you're on a public Wi-Fi network—do not adequately protect your session information.

What's the problem?

In non-geek-speak (and by way of example):

If you are joined to a public Wi-Fi network…

   …and you log into Facebook (for example)

      …and someone nefarious on the same Wi-Fi network is "listening" to the traffic

         …then said nefarious person can easily log in as you and take over your session.

Let's look at this from the "attacker's perspective":

I, the "attacker," load a simple (free) plug-in for my Firefox browser called Firesheep, available here:

I then, in Firefox, go to View > Sidebar > Firesheep.  I then click the "Start Capturing" button and just wait…

On a busy public Wi-Fi network, and within a matter of 5-10 minutes, you can see a list of all of the logins that I can "hijack" (image has been obscured to preserve anonymity):

So, that's 9 Google accounts, 5 Facebook accounts, 1 Amazon account, and 1 Yahoo account that I can then "take over", simply by double-clicking on the account I'm interested in.

Let's see what pops up on my screen when I double-click on one of these accounts (image has again been obscured to preserve anonymity):

Now, obviously, you can imagine how this session hijack could be a problem.  Use your imagination… will the "attacker" put up:

> Embarrassing photos?

> A derogatory wall post?

> A link to malware or a virus?

…and that's just for Facebook.  What if someone hijacked your Amazon account and sent you boxes upon boxes of random doodads and geegaws?

The problem (technically speaking) is when a website uses HTTPS only for the initial login.

In other words, your username and password are still encrypted on their way to and from Facebook (for example), but everything after that travels over plain, unencrypted HTTP.  Every one of those requests carries your "session cookie" (a small token that tells Facebook that you are who you say you are) in the clear, and Firesheep simply copies it off the air.  Once I (the "attacker") have a copy of the "session cookie," I'm effectively you, and can do anything that you could normally do once you logged in.

What's the solution?

In short, don't browse to non-end-to-end HTTPS sites while you're on a public Wi-Fi network.

What does "non-end-to-end HTTPS" mean?

When you log into Facebook for the first time, your login is encrypted; however, past that point, your address bar will show just a normal HTTP connection once you're logged in:

So, at this point, the "attacker" can intercept the "session cookie," and thus your entire Facebook login—and again, the same applies to any site that drops you back into HTTP once you log in.

What should I do if I log in while connected to public Wi-Fi and notice that my session is in HTTP mode and not HTTPS?

Log off of the website… and quickly!  Don't just close the browser… actually hit the "Log Off" link in the website itself.  Doing this will make the "session cookie" invalid—so even if the attacker has a copy of the "session cookie" that he/she has intercepted, it will no longer be valid.

Then, don't browse to that site again while you're on a public Wi-Fi network.
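To make the cookie mechanics above concrete, here is a small Python model written for this page (it is not code from the original post, and it is not Firesheep) of the two things the post describes: a browser attaches a cookie that carries the Secure attribute only to https:// requests, so a cookie issued without that attribute rides along on every plain-HTTP request in the clear, and hitting the site's Log Off link removes the session on the server so a copied cookie stops working. The SessionStore class, the www.example.com site name, the cookie name "sid" and the function names are all hypothetical.

```python
"""Added example for this post (not the author's or Firesheep's code): a
minimal model of why a session cookie that was issued over HTTPS can still
leak over HTTP, and why logging out invalidates a copied cookie.
All names (SessionStore, www.example.com, 'sid') are hypothetical."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class SessionStore:
    """Server-side session table: session id -> logged-in user."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # Unguessable id; the cookie value is all the server uses to identify you.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        # Whoever presents a valid id is treated as that user (this is the
        # "I'm effectively you" part of the post).
        return self._sessions.get(sid)

    def logout(self, sid):
        # The site's Log Off link removes the server-side entry, so a copy of
        # the cookie captured earlier no longer maps to anyone.
        self._sessions.pop(sid, None)


def build_set_cookie(sid, secure):
    """Build the Set-Cookie header a site sends after login. With secure=True the
    cookie carries the Secure attribute; HttpOnly is set in both cases."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    if secure:
        cookie["sid"]["secure"] = True
    return cookie.output(header="").strip()


def browser_would_send(set_cookie_header, url):
    """Model of the browser rule: a cookie with the Secure attribute is attached
    only to https:// requests; without it the cookie is also sent on http://
    requests, i.e. in cleartext that anyone on the same Wi-Fi can read."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    scheme = urlsplit(url).scheme
    if cookie["sid"]["secure"] and scheme != "https":
        return False
    return True


def demo():
    """Walk through the scenario and return the observations as a dict."""
    store = SessionStore()
    sid = store.login("alice")
    leaky = build_set_cookie(sid, secure=False)   # a login-only-HTTPS site
    hardened = build_set_cookie(sid, secure=True)  # the same site, fixed
    page = "www.example.com/home"                  # constructed sample URL
    observed = {
        "leaky_cookie_sent_over_http": browser_would_send(leaky, "http://" + page),
        "secure_cookie_sent_over_http": browser_would_send(hardened, "http://" + page),
        "secure_cookie_sent_over_https": browser_would_send(hardened, "https://" + page),
    }
    captured_copy = sid  # what a sniffer holds after seeing one plain-HTTP request
    observed["copied_cookie_works_before_logout"] = store.user_for(captured_copy) == "alice"
    store.logout(sid)
    observed["copied_cookie_works_after_logout"] = store.user_for(captured_copy) == "alice"
    return observed


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints five observations: the cookie without Secure is sent over http://, the Secure cookie is only sent over https://, and the captured copy of the id stops working the moment the server-side logout runs, which is exactly why the post says to use the site's own Log Off link rather than just closing the browser.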

Best practices then, Dagan?

Here's a good general rule to follow when you're on a public Wi-Fi network:

Don't do anything on a public Wi-Fi network that you wouldn't want projected onto the side of a building for everyone in the area to see.

Safe surfing :-)

UPDATE: Confirmed: Your iPhone Is Tracking Your Every Move

NOTE: This is an update to my original post, located here: http://briandagan.com/confirmed-your-iphone-is-tracking-your-every

Apple has officially responded to the iPhone concerns (we are in the DC area… I’m surprised there hasn’t been a “gate” appended to this yet… iPhonegate… GPSgate).  Anyway, here’s the official press release:

http://www.apple.com/pr/library/2011/04/27location_qa.html

To boil it down into a couple of grossly oversimplified key points:

Why is this “tracking database” enabled by default?

The “tracking database” was designed to track cell towers & Wi-Fi hotspots in relation to each other.  This is part of the “Location Services” setting on your iPhone, but turning off “Location Services” won’t necessarily turn off communications to/from Apple to share this “crowdsourced” information, which appears to be a bug in their iOS software—a bug that should be fixed in the next iOS update.

What do you mean “crowdsourced?”

In the same way your TomTom GPS “Live” edition uses other TomToms to track traffic flow in near real-time, the iPhone (in collaboration with other iPhones) will, in the future, be able to do the same thing (even Apple says they’re working on “crowdsourced traffic reports”).  For now though, you’re sharing information about cell towers, Wi-Fi hotspots, and how they relate to each other geographically.  This helps pinpoint your location faster.

Why not just rely on the built-in GPS to figure out your current location?

GPS resolution (the initial “lock on” phase) is slow.  Try opening your new GPS navigator for the first time and turning it on.  Notice how it takes 3-5 minutes to initially triangulate your location?  That “lock on” time decreases as your GPS gets more familiar with where it “thinks” you spend most of your time, but the “lock on” time is always relatively slow.  The iPhone attempts to circumvent this limitation of GPS by using the aforementioned “crowdsourced” database of cell towers & Wi-Fi hotspots to triangulate your location based on the wireless signals being broadcast in your current location.  For example, I can’t get a clear GPS signal inside this warehouse—but I can pick up the closest cell towers & the Wi-Fi networks immediately—so the iPhone uses that to do the initial location calculation until the GPS chip can “lock on” to a more accurate location (within feet of where you are).

But why would this database need to be so large?

Good question—and Apple acknowledges that it doesn’t need to be an “indefinite record” as it is currently.  They’re going to reduce the database size by removing location data older than 7 days—again, in the next iOS update.  There’s a tradeoff here—the smaller you make the database, the longer it might take to calculate your location; however, the larger you make the database, the more likely it is that the data logged might come back to bite you (i.e. Try not to murder anyone while you’re carrying your iPhone around).

If I’m using this “crowdsourced” database, I’m sharing my information too, right?

Yes, you are.  But Apple says that the data is anonymous and encrypted.  For whatever you think that’s worth…

For me personally, I’m still leery that this data even exists, though I understand its purpose.  Words like “encrypted” and “anonymous” rarely hold true, and I believe it’s only a matter of time before this information can be intercepted, decrypted & correlated to you (if that isn’t happening already… *cough* Patriot Act (http://en.wikipedia.org/wiki/USA_PATRIOT_Act) *cough*)

Anyway, hope this helps…

Tip: Typing Phrases Repeatedly? Why Not Automate Commonly-Used Phrases?

After having found myself typing the following line (among others) roughly 5,000,000 times, I decided there must be a better way:

“The issue in this ticket appears to be resolved.  If you have any questions or if this same issue recurs, please reply back to this e-mail and the ticket will automatically be re-opened.  Alternatively, you can call XXX-XXX-XXXX xX and reference the ticket number in the subject line.  Thanks!”

I just completed a quick search for freeware that would automate typing in these commonly-used phrases.

For the PC, I’d recommend Autotext: http://www.autotext-software.com/

For the Mac, I’d recommend Kissphrase: http://www.chimoosoft.com/products/kissphrase/

Both allow you to find-and-replace in real time for key phrases or key combinations, which it will then replace with the text you specify.

Here’s a screenshot of the configuration of Kissphrase for the Mac:

…and the configuration screen for Autotext for the PC:

So, when I type in t-r-! (without the dashes), I get this:

Hope this helps save you some time!

Fix: Group Policy "Gotcha" for Internet Explorer Trusted Sites

There are two places that you can define “Trusted Sites” in Internet Explorer through Group Policy.

First, find the GPO that applies to the users/computers in question in your Group Policy Management Console.  If you don’t already have the GPMC installed, search Google for “GPMC for Server ______” and install the GPMC.

The first place Trusted Sites are defined is under:

User (and/or Computer (check both)) Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List:

Example list here:

When you check through the Group Policy Management console, changes to the “Site to Zone Assignment List” will show up as “Extra Registry Settings”… this is important, as you may wind up spending hours tearing your hair out trying to find an ADM file that doesn’t exist that would help you define the “Extra Registry Settings.”  There is no ADM file.

As you can see, here’s where the “Extra Registry Settings” appear after editing said list:

The second place Trusted Sites are defined is under:

User (and/or Computer (check both)) Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings > “Import the current security zones and privacy settings”

You are effectively copying the Internet Security settings of the machine you’re on:

If Internet Explorer Enhanced Security Configuration is enabled on the local machine from which you’re editing the Group Policy, you must disable it to apply settings to computers that are not running IE ESC.

…and vice versa (If ESC is disabled on the local machine, you must enable it to apply settings to ESC-enabled endpoints).

Most times, you will want IE ESC to be disabled on the machine you’re using to apply the Group Policy, as it’s unlikely that the endpoints you’ll be applying the Group Policy to will have IE ESC enabled.  If you do want to apply this policy to an IE ESC-enabled server, you should probably create a separate policy.

I’m not sure if one policy setting overrides the other… so you should probably pick one.  If (in the case I’m currently working), both settings are defined, I’m going to update both locations in the Group Policy.

Confirmed: Your iPhone Is Tracking Your Every Move

Note: This post has been updated; read here: http://briandagan.com/update-confirmed-your-iphone-is-tracking-your

This is a rather disturbing assertion, that I wouldn’t have believed myself if I hadn’t tried it…

Your iPhone Is Secretly Tracking Everywhere You’ve Been, All The Time
http://gizmodo.com/#!5793925/your-iphone-is-secretly-tracking-everywhere-youve-been

Please note that you must have a Mac in order to run the application that can parse the map data.  Also, your iPhone must be running at least iOS 4 (which was released around a year ago).

You can download the Mac application from here: http://static.openheatmap.com.s3.amazonaws.com/iPhoneTracker.app.zip

…and an explanation of how it works: http://petewarden.github.com/iPhoneTracker/#faq

To test this, I plugged in my iPhone and fired up iTunes… I then had to run a manual backup to make sure the most up-to-date tracking data had been downloaded to my Mac from my iPhone.  To force a manual backup, right-click on your device in iTunes on your Mac and choose Back Up from the menu:

You can then extract and run the Mac application:
…and then prepare to be shocked, as you look at all of your logged locations from the time you upgraded to iOS 4 and onward:
…and here’s a zoomed-in view of my travels in the DC area:
At this point, there is no way to disable this tracking.

It does not use the GPS functionality—it triangulates your location based on cell towers…

This is spooky… I’m sure there will be updates to follow.  It will be interesting to see what Apple has to say about this.