Prevent Wi-Fi Eavesdroppers from Hijacking Your Accounts

Date: Sep 20, 2011 By Eric Geier. Article is provided courtesy of Cisco Press.
Password sniffing and account hijacking have become more prevalent in recent years because of Wi-Fi and software that make these hacking techniques so easy. Eric Geier shows you how to protect your privacy when logging on to online accounts that don't always use secure connections, like Facebook, MySpace, Twitter, and Amazon.

Password sniffing and account hijacking have become more prevalent in recent years due in part to the growth of Wi-Fi and software that make these hacking techniques so easy. This article discusses these techniques and how to prevent them to protect your accounts and privacy.

Both of the methods we're discussing require the eavesdropper to be connected to the same network as you. So you should be more concerned when using public Wi-Fi hotspots or public Internet ports in hotels, cafes, malls, or any other network that you can connect to without ever having to provide a password. Wi-Fi networks in your home or office should be secured with WPA or WPA2 encryption. When encrypted, people must have your security password in order to connect, so people without your password can't eavesdrop on your Wi-Fi signal.

These hacking techniques can still be used by other users on private networks using the Personal/Pre-Shared Key (PSK) mode of WPA/WPA2 encryption or the older WEP encryption. However, they can't be used on networks using the Enterprise/EAP mode of WPA/WPA2 encryption, which is usually used only by businesses and requires a separate 802.1X server.

Password Sniffing and Account Hijacking Techniques

One password sniffing technique is where the eavesdropper uses a program, such as SniffPass, to capture your username and password sent in clear text when logging into websites, email, and other services that aren't using a secured connection with SSL encryption. Very sensitive websites like banks should be using SSL encryption. You should see a padlock or alert in the browser when it's using SSL. But other websites, like social networks, email providers, gaming sites, and other less sensitive places don't always use SSL encryption. Those are the places where eavesdroppers might be able to capture your login credentials.

One account hijacking technique is HTTP session hijacking. Again, this applies just to websites, email, and other services that aren't using a secured connection with SSL encryption. The eavesdropper can use software to monitor logins or web sessions and attempt to hijack them. Examples of software they might use include the Firesheep add-on for the Firefox web browser, or the FaceNiff or DroidSheep apps on an Android smartphone. The technique used by these applications doesn't necessarily give them your password, but it lets them get on your account.

Here are some of the popular websites that don't always use SSL encryption and could be vulnerable to these hacking techniques:

  • Facebook
  • Twitter
  • YouTube
  • Amazon
  • Tumblr
  • MySpace

On Public Wi-Fi Hotspots

The best way to ensure that all your Internet traffic and website login credentials are safe when using unencrypted networks is to connect to a Virtual Private Network (VPN). It prevents others on the local network from seeing any of your Internet traffic. Check with your employer if they offer VPN connections. If not, you can use a VPN service, such as the free Hotspot Shield for your computer or iPhone; or ProXPN for your computer, iPhone, and other mobile devices. On smartphones using the Android OS, consider using the SSH Tunnel app.

On Your Own Network

To prevent eavesdropping on your own wireless network, first make sure your wireless router (and all other access points) are set with at least the Personal/Pre-Shared Key (PSK) mode of WPA or WPA2 encryption. WPA2 uses a stronger encryption method than the first version, so use it where you can. Keep in mind that all your computers and other Wi-Fi devices need to support the same encryption method that's set on the router or access points. Any equipment manufactured in 2006 or later should support both WPA and WPA2. Older equipment may also gain support after updating the driver of the wireless adapter or the firmware of the router or access point.

If you're concerned about other users in your secured network (family members, employees, etc.) eavesdropping on your Internet traffic, consider using a VPN like that discussed in the previous section.

Another way to prevent eavesdropping between users is to enable AP isolation if the feature is supported by your wireless router and any other access points. It can also be called WLAN Partition or Layer 2 isolation. It blocks all user-to-user communication on the network. But keep in mind that it also blocks standard.

The best way to prevent user-to-user eavesdropping on your own wireless network while keeping the ability to use file and printer sharing is to use the Enterprise mode of WPA or WPA2 security. However, this requires setting up a separate RADIUS server to do the required 802.1X authentication and also requires a more complex configuration on each computer or device connecting to the wireless network. However, there are hosted services, such as AuthenticateMyWiFi, that make the whole process much easier and don't require you to have your own server.

Securing Individual Sites and Services

You should also try to make sure all the websites or services you use via the Internet are using SSL encryption. That way you're protected in case you connect to a public network without a VPN connection, and someone on your own private network (secured with WPA/WPA2-Personal) can't eavesdrop either. If the website address begins with http (not secure) instead of https (secure with SSL), try adding an s to the address. Then make sure your browser indicates the SSL connection via a padlock or other notification.

Some social networks, web-based email providers, and other websites you log in to allow you to enable SSL connections if it isn't used by default. Check your account settings to see whether this is the case.
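As an added example (not part of the original article), the following Python script models the two checks in this section: it rewrites an http:// address to https://, and it inspects Set-Cookie headers to report session cookies a browser would still send in clear text over http://, which is exactly what the session-hijacking tools described earlier capture. The function names and the sample headers are constructed for illustration.

```python
# Added example: a small checker for the advice in this section.
# force_https() performs the "add an s" step; audit_cookies() reports
# cookies that a browser would also send over plain http://, where an
# eavesdropper on the same Wi-Fi network could capture and reuse them.
from http.cookies import SimpleCookie
from urllib.parse import urlparse, urlunparse


def force_https(url: str) -> str:
    """Rewrite an http:// address to https://; leave other schemes untouched."""
    parts = urlparse(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunparse(parts._replace(scheme="https"))


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [problems]} for cookies exposed to sniffing.

    Without the Secure attribute a cookie is sent on every http:// request
    to the site, so a passive listener can copy it and take over the session.
    Without HttpOnly the cookie is also readable by scripts on the page.
    """
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent in clear text over http://")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by page scripts")
            if problems:
                findings[name] = problems
    return findings


def has_hsts(headers: dict) -> bool:
    """True if the server tells browsers to always use HTTPS for this site."""
    return "strict-transport-security" in {k.lower() for k in headers}


# Constructed samples: a weak response and a hardened one (hypothetical site).
WEAK_HEADERS = {"Set-Cookie": ["sessionid=abc123; Path=/", "lang=en; Path=/"]}
HARDENED_HEADERS = {
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly"],
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    print(force_https("http://example.test/login"))
    print(audit_cookies(WEAK_HEADERS["Set-Cookie"]))
    print(audit_cookies(HARDENED_HEADERS["Set-Cookie"]), has_hsts(HARDENED_HEADERS))
```

Running it against a real site's response headers (for example, copied from the browser's developer tools) shows whether the site's session cookie is the kind an on-network sniffer could replay.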

Summary

The password sniffing and account hijacking techniques we discussed are possible only if the hacker or eavesdropper is on the same Wi-Fi network.

When using public or unsecured Wi-Fi networks, use a VPN to secure your traffic. Private networks you use at home or work should be secured with WPA2 security in order to keep hackers off of the network. However, to prevent users on your private network from eavesdropping on each other, consider using a VPN connection, enabling an AP isolation feature, or using the Enterprise mode of WPA2 security.