Hi all,
Yesterday I found my internet connection got session-hijacked (MITM); it keeps injecting the spam script into my browser webpage. Here's the screenshot.
Well... it's a bit hard to determine, from this screenshot, exactly what did happen -- and if your computer actually had anything to do with it. It could be that the nefarious content is simply being served by whatever host is running that site.
Firefox does have some very good spam-killing plugins which will help you to shut down requests like these.
This particular article is one that has been circulating in various forms for quite some time now, and I'm not sure it is really "aging" very well at all. The bottom line for you, as a web "endpoint," is to simply make sure that you have done all of the things that you can do from your position -- as an endpoint; as a would-be requester and consumer of whatever web content you seek.
First question: does the unwanted content appear now, while you are reading this? Since I most assuredly have not slipped a "mickey" into this post, if you don't see the garbage while you are looking at this posting right now (assuming that you have no other Firefox windows or tabs open), then the garbage that you are seeing is simply clever spam. And you react to it by filtering it out as aforementioned.
Hi sundialsvc4, I can assure you that the nefarious content isn't served by that host, as many other sites also get contaminated, sometimes even my Google Reader (not HTTPS secured).
The spam isn't around the whole web all the time; sometimes it appears, sometimes it doesn't. When I was reading this post, it didn't. Then I opened a new tab, switched to another legal site, and it appeared again.
What I'm doing now is rejecting both the incoming and outgoing requests with iptables. But I'm wondering, is there any effective way to prevent the data packets from being observed by the man in the middle?
After contacting the ISP service, I was told that they were never gonna do these. But when I was trying to ask 'em to have a check on this issue, they kept asking me those stupid questions like 'Does your system get contaminated by viruses' or 'Have you updated your antivirus software to the latest version'. It was ignorant that they said they didn't have any obligation if there was a session hijack b/w the connections and nothing they could help with by far.
If you swap out your router, does it still happen? If so, then it is indeed your ISP, or a peering along the way... or perhaps the great Chinese firewall.
Neddyseagoon wrote:The problem with leaving is that you can only do it once and it reduces your influence.
I'm using an ADSL connection, which doesn't require a router.
Let's go back to the point: if it is a peering along the way which intercepts the data packets from the client side and replies with fake packets, is there any way to secure my data packets that guarantees the packets won't be intercepted by the third party?
Hmm... NoScript or Adblock doesn't help, as the injection is directly from the data packets. If I block the script, it also prevents the sites from loading, since the site pages are <iframe>d to be loaded by the script.
Is there no way that I can secure the data packets so that the attackers cannot intercept 'em and reply with fake ones? I think that's the best way to prevent the injection so far from my side as an endpoint.
punkid wrote: Hmm... NoScript or Adblock doesn't help, as the injection is directly from the data packets. If I block the script, it also prevents the sites from loading, since the site pages are <iframe>d to be loaded by the script.
Is there no way that I can secure the data packets so that the attackers cannot intercept 'em and reply with fake ones? I think that's the best way to prevent the injection so far from my side as an endpoint.
Of course the simplest solution would be to use an external secured proxy server for all of your web traffic.
I would recommend a service like anonymizer.
There is no way that ads could be injected into that.
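One way to settle the question raised early in the thread (is the script served by the site, or added in transit?), as an added example that is not part of any post: diff the scripts and frames of a copy fetched over a trusted path against the copy received over plain HTTP. It assumes the trusted copy comes from HTTPS or another network path such as the secured proxy suggested above; the hosts, markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ActiveContent(HTMLParser):
    """Collect every <script>/<iframe> src and every inline script body."""
    def __init__(self):
        super().__init__()
        self.items, self._buf = set(), None

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.items.add((tag, src))
        elif tag == "script":
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = " ".join("".join(self._buf).split())
            if body:
                self.items.add(("inline-script", body))
            self._buf = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def compare_copies(trusted_html, received_html, page_url):
    """Diff the active content of a trusted copy against the plain-HTTP copy."""
    page_host = urlsplit(page_url).hostname
    trusted, received = active_content(trusted_html), active_content(received_html)
    added = received - trusted
    hosts = {urlsplit(v).hostname for kind, v in added if kind != "inline-script"}
    return {"added": sorted(added),                 # only in the received copy
            "missing": sorted(trusted - received),  # stripped from the page
            "foreign_hosts": sorted(h for h in hosts if h and h != page_host)}

# Constructed sample data: hosts and markup are made up for illustration.
TRUSTED = ('<html><head><script src="/static/app.js"></script></head>'
           '<body><p>Story text</p></body></html>')
RECEIVED = ('<html><head><script src="http://injected.example/i.js"></script>'
            '</head><body><iframe src="http://news.example/story?r=1"></iframe>'
            '</body></html>')

if __name__ == "__main__":
    print(compare_copies(TRUSTED, RECEIVED, "http://news.example/story"))
```

A non-empty `foreign_hosts` together with a non-empty `missing` list matches the pattern described in the thread, where the original page is swapped for a script that reloads it in a frame; identical results over both paths point back at the site itself.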