Hearing or reading about hacking in one form or another has become an almost daily occurrence, with even the largest companies feeling the sting (just look at the Sony breach in April 2011, which left millions of gamers without access to the Playstation Network for weeks).
The mere mention of ‘hackers’ to the general public instantly conjures up images of individuals hunched away in darkened bedrooms, frantically clattering away at their keyboards, devoid of any social life and focussed only on looking for ways to get into your computer. This, however, is not always the case.
The attack on Sony in 2011 played a large role in bringing hacking and its effects to the public’s attention, echoing a modern day David and Goliath story. Suddenly, people with malfunctioning computers, who months previous had been asking ‘Has my computer got a virus?’, were asking ‘Has my computer been hacked?’
Passwords previously set to ‘password’ or ‘123456’ were changed to something slightly more complicated; antivirus software was installed and set to update daily; companies battled to implement new techniques to secure their data.
More importantly, however, hacking began to gain a level of coolness, and with that the number of incidents of hacking began to escalate. Now, any person with a computer of average specifications, a connection to the Internet and the willingness to learn could download freely available software and begin poking around. For those who didn’t really want to learn anything but have a go at hacking anyway, there were tools that did the task for them (these people, previously referred to as ‘script kiddies’, now tend to be called ‘skiddies’).
It is a firm belief among users that a strong password, incorporating letters, numbers and symbols, is enough to prevent their accounts being hacked. It is quite common when creating a user account nowadays to be provided with an indicator which states just how strong your password is. Whilst a long, strong password is definitely a good start, a person wanting access to your Facebook account will not necessarily need your password.
This is where session hijacking (or sidejacking) comes in.
When a user successfully logs into an online account, they are given a ‘session key’. This allows the computer to access information within that account. Session hijacking steals this key and places it onto the attacker’s computer, thereby allowing them access to the victim’s account.
Imagine a person stood in front of your house. This person’s job is to validate who you are, then to hand you a unique key which opens your front door. When you leave later, you tell that person you have left. The person locks your door, changes the lock and destroys the key, which will be replaced by a new one when you return.
The attacker in this case gains a copy of your key when it is originally produced, giving themselves access to your house. Once the key is destroyed, access is lost.
Session hijacking works best when users simply close their browsers, rather than logging off first. This is like leaving the house in the imaginary scenario and not informing the person you have left. The front door is open and the attacker has a working key.
Once the attacker has the ‘session key’, they can splice it into their own Internet browsing data and gain access to the victim’s user account. From interception of the key to access of the account can take just a few seconds. Knowledge of the user’s password is not required.
Intercepting the ‘session key’ when it is administered is a relatively simple task which can be accomplished using freely available software. In order to perform the hijack, however, the attacker needs to be on the same network as the victim. This illustrates the need for a strongly secured home network, with MAC filtering enabled and a complicated passphrase. If the attacker can’t get onto your network, he can’t attempt the session hijack.
Problems arise in shared or open networks (such as those found in some coffee shops and shopping areas), where data can be available to be intercepted or ‘sniffed’, giving an attacker the opportunity to perform many attacks.
It is recommended that access to personal and confidential data only be performed on a secured network, where the user is comfortable enough to feel a malicious third-party has not or cannot gain access. Further to this, the user should always log out of their accounts before closing browsers.
Tip: Facebook adds remote log out feature – If you have logged into Facebook from a friend’s mobile phone or computer and forget to sign out Facebook now has the ability to sign out of Facebook remotely. These session controls can be useful. From your Account Settings, you can check if you’re still logged in on other devices and remotely log out.
Computer Forensic Experts