Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Grand Theft Cookie and ASIC chips for hacking


  • Please log in to reply
11 replies to this topic

#1 SuperSapien64

SuperSapien64

  • Members
  • 850 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:54 AM

Posted 26 September 2013 - 03:46 PM

Hi I'm new to this site and I have a couple of questions.

My first question is about cookie highjacking, exactly how easy can a hacker obtain your session/log-in cookies? And if a hacker where to get there hands on them lets say Google or Amazon for example would simply changing your password kick them off/deny them future access to your account?

 

 

 

 

 

 

And lastly I have a bit of a hypothetical concept here (I'm not a hacker/programer just curious and trying to think outside the box) regarding ASIC chips, is it possible to use them to do a brute-force hack for example cause normally hackers will just use standard hardware to do this. But since the renegade hackers are stepping up there game then we need to as well. So I got to thinking about Bitcoins and how there mined and it got me thinking well maybe this same technology could be used for other purposes booth good & bad such as perhaps a way to decode the Cryptolocker virus.

 

 

Here's a link to a YouTube video about these type of processors.

 

https://www.youtube.com/watch?feature=player_detailpage&v=GmOzih6I1zs#t=59

 

 



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 26 September 2013 - 05:12 PM

:welcome:

 

Here are a few links which provide information on cookie theft.

 

Session (cookie) hijacking
Cookie theft and session hijacking
Cross-site request forgery
The Cross-Site Scripting (XSS) FAQ
Protecting Your Users From Session Hijacking
Mitigating cookies theft using HttpOnly


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 SuperSapien64

SuperSapien64
  • Topic Starter

  • Members
  • 850 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:54 AM

Posted 26 September 2013 - 07:18 PM

 

 

Thanks Bleepin' Janitor. :) So if I understand correctly the session/log-in cookie will become invalid to the hacker as soon you as you sign out? :busy:  Because I was suspecting this but I didn't want to make any assumptions, well I have my Firefox configured so not to accept third-party cookies plus all cookies (excluding one) are set as session only not mention it's also set to clear cache as well so

someone could logically come to this conclusion after all. But we all know what the 'acronym' for "assume" is. :crazy: :lol:

 

 

By the way what are your thoughts about my ASIC chip question? :idea:



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 27 September 2013 - 08:48 AM

Session hijacking is a collective term used to describe various methods that allow an attacker to impersonate another in order to take control of that person's session after obtaining an authentication session ID. Session hijacking involves using packet sniffing to read network traffic, capture, force or reverse-engineer session IDs in order to gain the same access rights as the victim who was impersonated while that session is still in progress. From the web server's point of view, a request from an impersonating attacker, has the same authentication as the victims requests...therefore the request is performed on behalf of the victims session.

To mitigate this, many web applications associate session cookies to the IP address of the user who originally logged in so the web application only permits that IP to use that cookie. By only allowing trusted users to access communication the threat is reduced. To fully safeguard against session hijacking, all communication where session cookies are sent should be encrypted. Regenerating the session ID after a successful login prevents session fixation because the attacker does not know the session ID of the user after they have logged in.

Sorry, I'm not familiar with ASIC chips.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 SuperSapien64

SuperSapien64
  • Topic Starter

  • Members
  • 850 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:54 AM

Posted 28 September 2013 - 03:28 PM

Session hijacking is a collective term used to describe various methods that allow an attacker to impersonate another in order to take control of that person's session after obtaining an authentication session ID. Session hijacking involves using packet sniffing to read network traffic, capture, force or reverse-engineer session IDs in order to gain the same access rights as the victim who was impersonated while that session is still in progress. From the web server's point of view, a request from an impersonating attacker, has the same authentication as the victims requests...therefore the request is performed on behalf of the victims session.

To mitigate this, many web applications associate session cookies to the IP address of the user who originally logged in so the web application only permits that IP to use that cookie. By only allowing trusted users to access communication the threat is reduced. To fully safeguard against session hijacking, all communication where session cookies are sent should be encrypted. Regenerating the session ID after a successful login prevents session fixation because the attacker does not know the session ID of the user after they have logged in.

Sorry, I'm not familiar with ASIC chips.

 

 

Well I just had decision with the NoScript and Disconnect developers, so the NoScript dev explained how there add-on helps block/prevent such attacks(anti-XSS, anti-CSRF,
anti-Clickjacking & etc). And the Disconnect team also explained how there add-on can enhance security by adding additional encryption to webpages which have little to no encryption. :wink:

So I'm pretty sure myself & anyone else who has one or booth of these extensions installed have little need for concern, but if somebodies worried cookie theft or as I like to coin it Grand Theft Cookie (GTC) :grinner:  then I suggest they try Firefox and install NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=userprofile and or Disconnect: https://disconnect.me/ . B)



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 28 September 2013 - 04:41 PM

 

Disconnect is pay-what-you-want software

 


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 SuperSapien64

SuperSapien64
  • Topic Starter

  • Members
  • 850 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:54 AM

Posted 30 September 2013 - 12:03 PM

 

 

Disconnect is pay-what-you-want software

 

 

 

 

Yep. But its fee to download/instal, donations are optional.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 30 September 2013 - 12:36 PM

I use Ghostery
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:01:54 AM

Posted 04 October 2013 - 08:18 AM

Wouldn't Tor work for this situation? I've just been reading up on it.



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 04 October 2013 - 08:32 AM

Tor (anonymity network)

Tor (originally TOR, an acronym for The Onion Router, a use now abandoned) is free software for enabling online anonymity. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than three thousand relays to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages, and other communication forms", back to the user and is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential business by keeping their internet activities from being monitored.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 SuperSapien64

SuperSapien64
  • Topic Starter

  • Members
  • 850 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:54 AM

Posted 14 October 2013 - 01:47 AM

Wouldn't Tor work for this situation? I've just been reading up on it.

 

 

Tor (anonymity network)

Tor (originally TOR, an acronym for The Onion Router, a use now abandoned) is free software for enabling online anonymity. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than three thousand relays to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages, and other communication forms", back to the user and is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential business by keeping their internet activities from being monitored.

 

 

 

 

Well one downside to Tor is that it's kinda slow, so I would recommend Spotflux since it %100 free and unlimited bandwidth http://www.spotflux.com/   and the people at Disconnect are working on a pretty nice proxy service (beta) that's worth trying out, and I can tell you from my own experience that Spotflux is great on Android but I haven't tried the Windows version yet I also tried the 'Disconnect Search' add-on and while it's not perfect yet it does look most promising but much like Spotflux it doesn't seem to slow your connection. :thumbup2:



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 14 October 2013 - 06:43 AM

About Spotflux - How it works

Spotflux is a global, cloud-based service providing online privacy and security services for users. Users download an application to their desktop, which then enables several privacy and anti-virus services:

• Secures internet connections through encryption, protecting electronically transmitted data.
• Blocks online ads, which could contain tracking and spyware applications that log users' private information and browsing history.
• Scans in real-time for malware viruses that could potentially infiltrate users' systems and compromise personal data.
• Unblocks services blocked in non-US countries, such as YouTube, as a side-effect.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users