Cookie monster eats into email accounts

Industry experts have described a set of tools that can be used to steal people’s login details when they sign into an email account over an unprotected wireless hotspot as “potentially dangerous.”

Wireless manufacturer Zyxel, and Security firm Sophos, have called on websites and email providers such as Yahoo and Google, to offer encrypted logins as a default to keep consumers safe.

The latest concerns over unencrypted wireless hotspots come after security company Errata showed how two of its tools, Hamster and Ferret, watched the traffic flowing in and out of an unprotected public Wifi hotspot and let attackers grab cookies, which are used to identify a user each time they log on, and store information about how that person uses the site in question.

Errata said the tools would allow a hacker to pose as the victim and give the same level of access to an email account as its rightful owner. The company also said that this method could also be extended to social networking services such as Facebook and Myspace which are fast becoming popular with computer hackers due to the amount of personal information stored on them.

Zyxel said the information in these cookies could be potentially dangerous, especially if the passwords used for email and social network accounts were the same as those used for personal banking.

James Walker, product manager at Zyxel, told Computeractive: “Although many websites have a secure login option, they tend to offer members unsecured logins as the default because they are easier to access and less complicated.

“By using an unsecured network to log into their emails people could therefore be giving away more than just their email details especially those who tend to use the same password across all their other accounts, such as personal banking, so they can remember them.”

During the demonstration, which took place at the Black Hat 2007 security conference in Las Vegas, Robert Graham, the CEO of Errata security demonstrated the hi-jacking of a Google mail session, by finding an unsecured network amongst the audience and using the cookies to obtain the log in details. In what could also be a worrying piece of news to consumers he also said that these tools would be on offer to download from the company’s website.

However, both Sophos and Zyxel said there were some simple steps that could be taken to prevent any data being stolen from people’s accounts such as ensuring people are logged on to any account using a safe network.

Graham Cluley, senior technology consultant at Sophos, advised users to log out of their web sessions as a matter of habit as it “wipes out cookies related to the website logged into, and should prevent hackers from using tools like the one demonstrated at Blackhat.”

Both also urged website owners to take some responsibility in ensuing consumers were as “safe as possible” when using wireless networks. “Offering secure logins as default will be a step to doing this,” Mr Walker added.