Gone in 60 Seconds Part 1: Your Online Identity on a Platter
Written by: Gareth Wright Nov 2, 2010
It’s 2010 and 60% of adults in the UK are now accessing the internet on a daily basis, many of whom are logging on to use email and social networks.
In this two-parter I hope to explain the dangers and why most of us are affected through little fault of our own.
In part two I will show you easy ways to improve your online security in a few simple steps.
You’ve already heard the privacy warnings associated with Facebook and just how much personal data you put online, and many of you have started to protect your details by restricting who can see your full profile.
That’s great…but that data is still online and if you can see it so can anyone else who cares to look.
“I’m safe, I always check there is a padlock and my browser says things are secure before I login!”
That’s great!
Unfortunately, that assumes you need a username and password to access your websites.
Meet Chip, the friendly session cookie. Chip makes things easier for you as you browse a website.
Like all good cookies, Chip is completely unique, so once he sits on your computer he can be used to identify your computer.
No-one likes logging in every time they visit a new page, so when you log into a site like Facebook, good ol’ Chip is sent to your PC so that Facebook can just check if Chip is there. If he is, you can look around the site without entering your username and password again.
That’s great but Chip isn’t encrypted like your username and password…he can be copied.
It used to be quite difficult to copy Chip. You had to be on the same PC or at least on the same network.
With the rapid take up of WiFi this is no longer the case.
Wi-Fi Foe FON
Most people are familiar with WiFi.
You use it every day, a lot of us on our mobiles.
WiFi isn’t limited to the home either; you can now access the web for free or for a small charge at pubs, hotels and petrol stations around the country.
The problem is that on open WiFi (where no password is required) all the data is broadcast in the open for anyone to pluck out of the air.
So as Facebook looks for Chip, anyone on the same WiFi can take a copy of Chip.
If that same person goes to Facebook, Facebook will see the copied Chip and log that person on as you.
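To see which cookies are exposed this way, here is an added illustration in Python (not part of the original article). It reads the Set-Cookie headers a site sends at login and reports which session cookies lack the Secure flag, meaning the browser will also send them over plain HTTP where they can be read on open WiFi. The cookie names, values and the name-matching hints are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers from a hypothetical site's HTTPS login.
SAMPLE_SET_COOKIE = [
    "session_id=3f9a1c; Path=/; HttpOnly",
    "auth_token=77be02; Path=/; Secure; HttpOnly",
    "lang=en-GB; Path=/; Max-Age=31536000",
]

# Assumed heuristic: name fragments that suggest a logged-in session cookie.
SESSION_HINTS = ("sess", "auth", "token", "sid", "login")


def audit_cookie(header_value):
    """Parse one Set-Cookie header value and report its exposure."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    secure = bool(morsel["secure"])      # flag attributes parse to True, else ""
    http_only = bool(morsel["httponly"])
    is_session = any(hint in name.lower() for hint in SESSION_HINTS)
    return {
        "name": name,
        "secure": secure,
        "httponly": http_only,
        "session": is_session,
        # Without Secure, the cookie also travels on unencrypted requests.
        "sniffable": is_session and not secure,
    }


def cookies_sent(scheme, set_cookie_headers):
    """Names of the cookies a browser would attach to a request over `scheme`."""
    audited = [audit_cookie(h) for h in set_cookie_headers]
    return [c["name"] for c in audited if scheme == "https" or not c["secure"]]


def exposed_sessions(set_cookie_headers):
    """Session cookies that should be reissued with the Secure flag."""
    audited = [audit_cookie(h) for h in set_cookie_headers]
    return [c["name"] for c in audited if c["sniffable"]]


if __name__ == "__main__":
    print("sent over http :", cookies_sent("http", SAMPLE_SET_COOKIE))
    print("sent over https:", cookies_sent("https", SAMPLE_SET_COOKIE))
    print("fix these      :", exposed_sessions(SAMPLE_SET_COOKIE))
```

A site owner closes the gap by setting Secure on every session cookie and serving the whole site, not just the login page, over HTTPS.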
I don’t use FaceBook
Another thumbs up from the author :), but this problem is not just associated with Facebook.
In fact it can be much more dangerous on other sites.
Access to your email means access to any emails for any sites you have joined, particularly those related to usernames, passwords and bills.
The same method can be used on:
- Windows Live (Mail, Messenger, Calendars, Blog, Webspace and any site which uses the windows live login method)
- Yahoo (Mail, Apps, Webspace, Messenger etc)
- Amazon
- Ebay
- Digg
- Gmail
- Google Apps
And many many more
I only use my own WiFi
Great…(you can see this coming can’t you)…but!
The majority of broadband internet users in the UK use the router supplied by their ISP.
Setting up a router can be tricky for the non-technically minded, so the ISPs decided that you should be able to plug it in and have it just work.
For this reason the majority of routers are still being used with the default WiFi passwords.
It would be a really bad idea to send out thousands of routers with the same password, so cunning ISPs set the password on each router using a clever bit of math based on each router’s unique ID.
Unfortunately some cleverer people quickly figured out what that math was, and you can easily figure out the WiFi password of a router using free tools available online.
The most at risk are users with routers whose names include the text: BTHomeHub, Speedtouch, Thomson, Orange, DLink, Alice, FastWeb, DMAX, WLAN, Infinitum or Eircom
How is it done?
I’m not going to go into detail for obvious reasons, but the basics are as follows.
A = Attacker
U = Normal User
- U has a BTHomeHub, he hasn’t changed the default WiFi password
- A gets the name of U’s WiFi network and uses a free calculator online to generate possible passwords
- A checks the passwords and finds one that works
- U is happily checking his email
- A steals Chip the friendly session cookie and uses it to login to U’s email
- U chats to some friends on FaceBook on his phone
- A sees that FaceBook has sent another friendly session cookie to U so he copies that too
- A logs into FaceBook using U’s cookie and sees that U’s using the Facebook application on his phone. A knows that the FB app uploads the phone’s contact list so A goes to http://facebook.com/phonebook
- A now has a list of all the contacts in U’s mobile phone including U’s mobile number
- A is looking through U’s emails and has spotted U’s CV and a few electronic bills and PayPal details
- A now has all the information needed to order things online using U’s details
- U is unaware that his details have been accessed. A has since looked at U’s ancestry.com emails and downloaded U’s family tree. At this point A probably knows more about U than U’s spouse.
Securing yourself……..Part 2 coming soon