
iTnews: Fighting fire with fire

Thursday, September 04, 2008

As a journalist at iTnews:

The Web is a pretty nasty place, according to reverse engineer and privacy advocate Mike Perry -- and he should know.

At underground hacker convention DEFCON last month, Perry revealed vulnerabilities in cookies used by sites such as Gmail, Facebook and LinkedIn.

As if publicising the security flaws isn’t enough, Perry will be releasing an automated hacking tool that exploits them.

The self-proclaimed 'mad computer scientist' spoke with iTnews about the vulnerability, his plans, and the online security landscape.

What security issues will be exposed with the release of your https hacking tool?

There are actually two vulnerabilities here. The first is that many sites do not secure their content via https past the initial login page. This allows an attacker to steal their users' cookies and impersonate them on the local network whenever they use the site.

A tool to do this (Robert Graham's 'Hampster') has been circulating for a year, but there has been no response from the major sites.

The second vulnerability is that many sites do use https past the login page but do not mark their cookies as 'secure'. This is what allows an attacker to induce their browser to transmit these cookies over unsecured, regular http connections so they can observe them and impersonate the user.

Why are you releasing your https hacking tool to the public?

There are two issues I am trying to tackle here. One is to launch a more direct assault against the trend towards 'security theater' -- providing the show of security to people while not actually protecting them at all.

This is exactly what websites exposed to the first vulnerability are doing, and have been doing in the face of a publicly available exploit for over a year.

The second goal is to ensure that the second vulnerability is well publicised and well understood - because it is a subtle one that even many web developers do not consider.

Both of these goals have required the threat of an automated tool to really make any progress towards addressing.

Again, I waited a full year after announcing the vulnerability without a proof of concept exploit, and nothing happened. It was only the existence of and the threat of release of the tool that has caused things to move forward.

When will the tool be released?

I am still continuing to wait a limited time while major sites (such as Google and Microsoft) continue to work on fixing the issue.

However, eventually we'll reach the point at which the major sites that intend to fix the issue have done so, and all we have left are sites that have no intention of investing in the security of their users, or at least no intention of doing so in a timely fashion.

At this point, I will make the tool more widely available, and attempt to use the publicity to encourage people to move away from these sites towards their more secure counterparts.

How easily exploitable is the https cookie vulnerability? Do you expect there to have been many accounts hacked this way so far?

I have seen anecdotal accounts of hijacked 'security theater' webmail accounts (such as Yahoo mail) being hijacked on the comments sections of various articles about the tool.

These were likely performed by the 'sidejacking' tool, or similar independently derived method, since my tool has only been shown to a limited number of people, and was even then only in a reliable, working state very shortly before DEFCON.

So yes, people have begun to exploit this vulnerability even though I have delayed my tool from public release.

What information can typically be obtained using the https cookie vulnerability?

The risks are quite large for affected sites, and very frequently run all the way up to complete identity theft and access to financial data. An incomplete list of sites that are vulnerable (including the type of information available) is here.

Have you had any discussions with owners and administrators of large vulnerable sites so far?

The only sites to even respond to my attempts to contact them have been Google, Microsoft, Twitter, and LinkedIn.

LinkedIn has given several indications that they do not intend to provide SSL protection for the ability to edit profiles on the site, and to view user messages. The exact statement I received was that ‘this is an attack against the end-user, not the web application itself’, which I suspect is the attitude many sites seem to have towards this issue.

How have Web sites like Gmail, Facebook and Hotmail been able to get away with this vulnerability in the past?

I think it stems from three factors: lack of awareness on the part of their users, a desire for ‘usability’, and a desire to avoid the expense of providing secured connections to their users.

To their credit, Gmail has been the most proactive about fixing this: in fact they are the only major email provider to offer complete SSL at all. It's just that their multi-service single sign-on system has made it difficult to properly implement this securely. They are working on fixing this, though.

What is your opinion of the security of most popular consumer Web sites?

In general the web is a pretty nasty place. A lot of this stems from the way the web was designed: as an open, stateless, and mostly unauthenticated medium where sites can load content from other sites, refer their users to other sites, and have them execute almost arbitrary actions automatically.

This requires each site to have to do a lot of custom, independent legwork to secure things from this originally open state, and a lot of them end up getting bits and pieces wrong. Sometimes even fundamental pieces that are fully supported in major browsers, such as the cookie issue we see here.

As more and more people - Internet pros and newbies alike - begin to use social networking Web sites, do you think online security demands will change?

I'm not sure. I certainly hope so. However, while Internet security pros are well aware of these issues, they are a minority.

Without widespread publicity to create a market differentiator around web security, it is going to be hard for people to 'vote with their feet' to avoid insecure sites.

By taking this issue to the public and releasing this tool, I am trying to create this differentiator. It's my opinion that sites that are willfully negligent in securing their users do not deserve any customers at all.

What does a reverse engineer like yourself do? What sparked your interest in privacy, security and censorship resistance?

In general, reverse engineers help to bridge knowledge gaps by figuring out how systems behave so that products and services can interoperate together. At least this is the most common legal form of reverse engineering.

I actually came to privacy, security, and censorship resistance through my independent study of reverse engineering in University.

Right around the turn of the century, all of these ideas came under attack in my country [USA] via rather draconian laws such as the PATRIOT Act and the DMCA. Because of the vague nature of these laws and the climate of surveillance and fear, it was necessary to be very careful about what I studied and how, while the legal climate stabilised.

It has since become a bit more clear exactly what is legal and what is not, but for a student facing these very vague and overreaching laws while just trying to learn, it was a very frightening time, and I naturally sought ways to protect myself.

We still have a long way to go, of course. Many security professionals and computer researchers are still afraid to travel to the USA, and several that do face extreme difficulty at customs. I've even heard cases where they have been flat out refused entry.

What is your opinion of privacy - or lack thereof - in today's world? What is your opinion of information-rich companies like Google?

It's pretty scary. Many companies are compiling a large amount of data about us, and often simply because we willingly cede it over to them without thinking about the consequences.

Privacy policies are often a joke and riddled with exceptions, loopholes, rapidly changing terms, and I believe not even regarded as binding contracts by the courts.

I don't think society has had time to evaluate the consequences of all of this data being accumulated by these organisations. From the fact that it can be stolen or leaked; used in lawsuits, divorce cases, or custody battles, or the fact that it will rapidly become a political weapon used to manipulate our public officials, the consequences of all this data being gathered (and often sold), even if it is held under the strictest of safeguards, is very dangerous.

It is my hope that the more enlightened companies will begin to realise the importance of allowing people to 'opt-out' of this constant surveillance.

Google in particular is showing some signs of understanding the need for projects like Tor (an anonymity, privacy, and censorship resistance network which I volunteer for) to exist and mature, to allow this 'opt-out' option. But only time will tell how it will all shake out.
