In September, I presented at Crunch Lunch and the video of my presentation is now online. Each presenter was given exactly five minutes to present using 20 slides. Slides automatically advanced every 15 seconds. Enjoy watching me fumble over my words as I try to pass on too much information in that short timeframe.
This is nothing new, but a recently released tool demonstrates how easy it is for someone to hijack your sessions and pose as you on certain websites. This problem has been around as long as there have been websites where you login. It is not a complex attack and has been made easier to execute with the proliferation of wireless networks.
Imagine that you’re out of the office, on the road or at the coffee shop and decide to read up on those that you follow on Twitter. You post an update or two, replying to your followers and continue working. Later that day, you realize that someone has posted updates as you on Twitter. Has someone hacked into your computer? Nope, but someone hijacked your session after you logged in to Twitter. The same thing could happen to you on Facebook, your blog (WordPress included) and many other web sites that don’t properly protect your data. Even if you use WPA/WPA2 encryption on your wireless network, you can still be vulnerable to this type of attack.
What can you do to protect yourself?
Don’t use wireless networks (yeah, right…)
Use a VPN to send your Internet traffic to a “trusted” network, then out to the Internet. This will protect you from attackers on the wireless network, but it only pushes out the problem out to your “trusted” network. Combine that with the fact that some VPN clients sometimes just disconnect without warning and send all of your network traffic unprotected over the network without notifying you.
Only use websites that send everything over SSL (check for the https:// in the URL) – Check out the HTTPS Everywhere extension for Firefox.
You run a website, what can you do to protect your users?
Serve every part of your site over SSL when a user is logged in. It only costs $30/year for an SSL certificate to protect your users. There really is no excuse. Some certificate issuers charge over 50x that per year (yes, $1,500/year) The level of encryption is the same on those very expensive certificates as it is on the $30 certificates.
Don’t serve mixed content. When you serve content over HTTPS and some images over HTTP a warning pops up in the browser about some items on the page being insecure. Don’t desensitize your users to security warnings like this.
When setting cookies for your users, set the Secure attribute on the cookie. This will make the browser only send that cookie with HTTPS requests.
Be cautious about what you do when accessing the Internet over wireless networks. And remember, the work involved in using SSL/HTTPS is minimal compared to the protection it offers your users.
Contact us if you would like assistance configuring your web site & servers for SSL/HTTPS. If we are managing your servers, we’ll configure SSL/HTTPS at no additional cost.
There is a new OpenSSL vulnerability that has been discovered, which might be quite critical:
Rob Hulswit discovered a race condition in the OpenSSL TLS server
extension parsing code when used within a threaded server. A remote
attacker could trigger this flaw to cause a denial of service
or possibly execute arbitrary code with application privileges.
Be sure to update your servers with a patched version of OpenSSL.
The new Millcreek Systems .deb package repository is now online. We will be using this repository to post customized software and systems management software specific to servers managed by Millcreek Systems. It is currently for Debian and Ubuntu systems only and can be added by running the following command(s):