“You’re an idiot if you use T-Mobile HotSpot.” That’s what Robert Graham, the CEO of Errata Security, had to say last Thursday about checking email from public wireless hotspots.
And he knows of what he speaks. Earlier in the day, Graham hijacked a Gmail session in front of a packed audience at the Black Hat security convention in Las Vegas. Using a pair of programs called Hamster and Ferret, which sniff the data transferred between a wireless router and a computer, Graham grabbed an unencrypted cookie used in a recent Black Hat Wi-Fi session and used it to hijack an attendee’s Gmail account. “I see 10 people’s cookies on my screen, I just need to click on the guy’s IP address and I’m in,” Graham said. “Once you get someone’s Google account, you’d be surprised at the stuff you’d find. … If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you. Web 2.0 is now fundamentally broken.”
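The hijack described above depends on the session cookie crossing the Wi-Fi link unencrypted. The following is an added example, not code from the article or from Errata Security's tools: a defender's audit that flags which cookies a site sets can travel in cleartext. The function names, cookie names and header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for exposure to passive sniffing.
# All header values below are constructed sample data, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attribute dict with lowercase keys)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def sniffable(scheme, header):
    """Return (cookie name, reason) if the cookie can cross the network in
    cleartext, or None if it is confined to TLS connections.
    HttpOnly is deliberately ignored: it blocks script access, not sniffing."""
    name, attrs = parse_set_cookie(header)
    if scheme.lower() != "https":
        return name, "set over plain HTTP"
    if "secure" not in attrs:
        return name, "no Secure attribute, so it is also sent on http:// requests"
    return None

def audit(responses):
    """responses: iterable of (scheme, [Set-Cookie values]). Returns findings."""
    findings = []
    for scheme, headers in responses:
        for header in headers:
            result = sniffable(scheme, header)
            if result:
                findings.append(result)
    return findings

SAMPLE = [  # constructed; cookie names are hypothetical
    ("https", ["SESSION=abc123; Path=/; HttpOnly",
               "AUTH=def456; Path=/; Secure; HttpOnly"]),
    ("http", ["PREFS=lang-en; Path=/; secure"]),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```
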