Comments on: Surf Jack – HTTPS will not save you

By: Maximiliano Soler /blog » FireCAT 1.5 released

Maximiliano Soler /blog » FireCAT 1.5 released — Sun, 11 Jan 2009 14:10:50 +0000

[...] Added Surf Jacking Cookie Security Inspector in “Misc->Anti phishing /pharming/jacking” : This extension is based on Sandro Gauci’s paper [...]

By: Sandro

Sandro — Wed, 03 Dec 2008 14:30:06 +0000

Hi Parah

For a home user, avoiding WiFi will normally reduce your exposure to this kind of attack; so I think that it is a good solution.

Regarding Backtrack – you simply need to download the file to the Backtrack machine from surfjack.googlecode.com. By making use of backtrack you avoid dependency hell ;-)

Goodluck with the Gmail account recovery!

By: Parah Dab

Parah Dab — Tue, 02 Dec 2008 23:56:10 +0000

Hello Sandro,

My 2 GMail password was hijacked. I can not acsess my accounts till now. One account at mail.gmail.com, one again at Google mail Apps custom domain.

After reading this, I give “always use https” for all my gmail acc. But in GoogleApps Mail it’s not provided (CMIIW).

I access the internet via WIFI to my ISP network. I think my ISP network was not secure. This is my assumption, cause I do not know how to check it.

So, I decide to move to DSL or Cellular (HSDPA) internet connection this month. I hope this is the best solution for my online access security. I’ll avoid WIFI. Give me your advice please.

I use backtrack 3.0 for posting this. But I do not find your apps for hijacking gmail (surfjack?) and other tools for waching the IPs as seen on the video.

Anyway, thanks for the information. I keep trying to take my gmail account back. It will be nice if you give me feed back.

Regards.

By: Eduardo Rubio

Eduardo Rubio — Wed, 05 Nov 2008 10:59:50 +0000

Congratulations Sandro is a great job…

By: Hanno's blog

Hanno's blog — Thu, 25 Sep 2008 20:31:15 +0000

Session hijacking…

Recently, two publications raised awareness of a problem with ssl secured websites.

If a website is configured to always forward traffic to ssl, one would assume that all traffic is safe and nothing can be sniffed. Though, if one is able to sniff ne…

By: Jipe

Jipe — Thu, 11 Sep 2008 16:36:28 +0000

Sandro,

A cookie marked as “secure” should be a simple workaround no ?

By: Sandro

Sandro — Tue, 09 Sep 2008 19:05:34 +0000

currently the tool supports Scapy 1.x. The new scapy version 2 was not tested with Surf Jack and will probably not work.

By: er0b

er0b — Tue, 09 Sep 2008 14:08:55 +0000

bug when i choose my interface, line 271, 272..

By: Sandro

Sandro — Sun, 31 Aug 2008 13:24:09 +0000

Very true what you said about the “enforce SSL” option. People use defaults, only geeks change options and such ;-) So until it becomes easier for services such as Gmail to serve everyone with SSL, I don’t see the default changing.

Yes – SSL MITM still works if the user accepts an invalid certificate or the attacker has access to a valid key (like the case of the Debian issue of 3 months ago). It is however becoming more difficult to accept an invalid certificate with Firefox and IE. But truth is that yea, this will always work until current browsers stop allowing users to do (not so) stupid things.

By: Adrian Pastor

Adrian Pastor — Sun, 31 Aug 2008 13:12:01 +0000

Hey Sandro, excellent demo video. Good job man.

It’s worth mentioning that although Gmail now has the “enforce SSL” option, very few users will actually bother enabling it :( Unfortunately, Gmail – and all other large free webmail providers – don’t have the infrastructure required to handle all the extra overhead traffic caused by SSL.

Also, even if a site uses SSL and sets cookies using the ‘secure’ flag, couldn’t sessions still
be hijacked via SSL MITM? Of course, the victim would get an invalid certificate warning, but still many users ignore those.