Beware of Wi-Fi ‘cookie monsters’

Published 12:03 am Thursday, March 3, 2011

“Someone stole my cookies.”

While it may sound like a simple squabble between siblings, it’s also a simplified definition for a process called sidejacking, which refers to the ability to hijack a Web session on another computer that is connected to the same open Wi-Fi network.

That means it’s easy to steal e-mail accounts, passwords and personal information from people surfing the Web at any free public hotspot found in coffee shops, hotels and restaurants.

The way the process works is this – the hacker downloads a few simple programs and add-ons that allow them to monitor the traffic on any open Wi-Fi network and capture the “session cookies” that are common to how most Web sites work with registered users.

For instance, when signing into a Facebook account, a session cookie is sent back to your machine and accompanies any other requests that you make during that session so that you don’t have to constantly input your username and password. Once you log off, the session cookie is terminated and is no longer in use.

If someone sitting near you – 30 to 100 feet – is on the same unsecured network, they can snatch a copy of the session cookie out of the air and start using your account as if you had just logged in on their computer.

“This kind of stuff is more prevalent in the big cities, but it always comes down to one thing – the need for information,” said Sgt. Mike Hayden, who works computer forensics at the Andalusia Police Department.

“By taking the Internet traffic, getting that information such as e-mail addresses, passwords and such, the hijacker has the ability to mass produce what is collected,” he said. “Once they get that personal information, they can use it to trick people with a sophisticated phishing scam.

“We’ve all seen those emails come through to our account – so-and-so is stuck in London and needs cash to get home,” he said. “If you’ll notice, the email address that it originated from looks familiar, but pay particular attention. Compare the address to the known address for that person and you’ll see the difference.

“Best thing to do with those (e-mails) is ignore them,” he said.

To avoid falling victim to these practices, Hayden suggested:

• Never log in to any of your e-mail, shopping or social networking accounts through a Web browser on a public network.

• If using a smart phone, download apps instead of visiting the site on a public Wi-Fi network.

• Research add-ons for specific Web browsers such as Firefox and Google that automatically redirect you to secured pages for the sites you choose.

Leave your purse or wallet laying open with all your personal information inside just laying around. Don’t do it on the Internet.”