Ok.. so its a lot later than i promised, but i did mention that i would post some feedback on some of the talks i ended up catching at this years BlackHat. By far the talk that grabbed the most press was the Erratasec talk on Side-Jacking.
Essentially the researchers demonstrated a tool (hamster) that allows an attacker on a shared network (wifi was used as an example, but i guess any shared medium would suffice) to hi-jack users accounts by sniffing their session-ids.
The confusing thing about the talk (other than the fact that in discussions about it, people seem to completely confuse the concepts of a cookie, a session, a cookie-expiry, a session-timeout and other basic HTTP concepts) was the crowd reaction to it. People were amazed and clapped loudly as Robert Graham “impersonated” some other user whos session-id he captured.
It felt a little surreal to see the number of people who were visibly shaken at the thought that a person who captured their session-id could impersonate them. This is something we have been teaching in our Hacking by Numbers course since 2000 and has had a solution (use SSL) for longer than time (internet time at any rate).
It was totally confusing to see it being called a “Web 2.0″ problem” (and worse to see “Hamster plus Hotspot equals Web 2.0 meltdown!“, and at a point i even heard “Well Google are ahead with Web 2.0 since they pioneered it with GMail, so they have a fix but other Web 2.0 sites are all broken”. Stealing someone’s session-id on a shared network when SSL is not being used is hardly a Web 2.0 problem…
Of course this didnt stop the press / blogosphere from exploding the story and i believe news of it made non-trade-press too with appearances on BBC & CNN? It truly blew me away, disillusionment++
(To be clear.. this casts no aspersions on the researchers, but the response to essentially an ancient problem..)
At a point, Robert did his demo live on stage.. which made me wonder if his Ferret/Hamster which was going to allow an attacker to exploit Web2.0 sites actually protected itself from other “Web2.0 attacks“.. (it doesn’t.. so essentially if an attacker is running hamster on your wifi connection, you should be able to attack him with about 5 lines of pasted text in a telnet session)(ill post details in a follow up post..)
/mh