Monday, August 11, 2008

Surf Jack - HTTPS will not save you

Say hello to a new security tool called "Surf Jack" which demonstrates a security flaw found in many public sites. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag. I've been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability - so there is no point in keeping this from the public.
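The weakness the tool demonstrates is an audit a site owner can run on their own Set-Cookie headers: a session cookie issued over HTTPS without the Secure flag is one the browser will also transmit over plain HTTP, where it can be sniffed. The following is an added example, not code from Surf Jack or from this post, that parses Set-Cookie headers, reports session-looking cookies that lack Secure (and HttpOnly), and shows the hardened header the site should send instead. The cookie names, the name heuristics and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Surf Jack weakness: a session cookie
issued over HTTPS without the Secure flag (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Substrings that commonly mark a session/authentication cookie.
# Constructed heuristic for this example, not a standard.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Preferred capitalisation when re-emitting attributes.
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly", "path": "Path",
             "domain": "Domain", "expires": "Expires", "max-age": "Max-Age"}

# Constructed sample responses from an imaginary HTTPS site.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.test",              # session id, no Secure
    "PREF=lang=en; Expires=Wed, 13 Aug 2008 10:00:00 GMT",   # harmless preference
    "AUTHTOKEN=deadbeef; Path=/; Secure; HttpOnly",          # already hardened
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value; attr[=val]; ... (RFC 6265 shape)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first '=' only
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value, attrs)


def looks_like_session(name: str) -> bool:
    n = name.lower()
    return any(hint in n for hint in SESSION_NAME_HINTS)


def audit(set_cookie_headers: List[str], over_https: bool = True) -> List[str]:
    """One finding per sensitive cookie a passive sniffer could capture or a
    script could read. Non-session cookies are ignored."""
    findings = []
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        if not looks_like_session(c.name):
            continue
        if over_https and not c.secure:
            findings.append(f"{c.name}: missing Secure; browser will also send it over plain HTTP")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly; readable from page script")
    return findings


def harden(header: str) -> str:
    """Re-emit a Set-Cookie header with Secure and HttpOnly present; existing
    attributes are kept, and an already hardened header is returned unchanged."""
    c = parse_set_cookie(header)
    c.attrs.setdefault("secure", "")
    c.attrs.setdefault("httponly", "")
    out = [f"{c.name}={c.value}"]
    for k, v in c.attrs.items():
        label = CANONICAL.get(k, k)
        out.append(f"{label}={v}" if v else label)
    return "; ".join(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("FINDING:", finding)
    print("HARDENED:", harden(SAMPLE_HEADERS[0]))
```

Run against the constructed headers, the audit flags only `SID` (twice: no Secure, no HttpOnly), leaves `PREF` alone because it carries nothing worth stealing, and passes `AUTHTOKEN`. The same functions can be pointed at the real Set-Cookie headers a browser or proxy records from a site under test.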

You can download the tool from here and a paper with more details on the subject.

The following is a video demonstration of how this affects Gmail and how to prevent it from affecting you.

[Embedded Vimeo video 1507697: Surf Jacking Gmail demonstration]

Reader Comments (24)

[...] finished reading about Surf Jacking from Ronald van den Heetkamp (and Sandro Gauci and Mike Perry), the demonstration movie that Sandro published really set in stone how interesting [...]

August 11, 2008 | Unregistered Commenter: un-excogitate.org » Blog

[...] the following video uses a new security tool called Surf Jack, which demonstrates how to steal cookies from any site. The proof of concept shows how it is possible [...]

August 12, 2008 | Unregistered Commenter: Shadow Security » Video

[...] video), Sandro demonstrates how an attacker on the same physical network can use his tool (SurfJacking) to hijack another user’s authenticated SSL session with GMail and successfully obtain the [...]

[...] Jack Sandro Gauci has posted a very interesting video demonstration about what he called Surf Jack. Say hello to a new security tool called “Surf Jack” which [...]

August 13, 2008 | Unregistered Commenter: PHP.ph » Surf Jack

Sure does ;) The paper obviously mentions that, and it is what triggered the development of the Surf Jack tool.

August 13, 2008 | Unregistered Commenter: Sandro

[...] demonstration of hijacking a Gmail account with the Surf Jack tool [...]

[...] the sites vulnerable to this attack: https://addons.mozilla.org/fr/firefox/addon/8454 Source: http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/ [...]

[...] Recently I came across a post online called “Surf Jack - HTTPS will not save you”. Surf Jack is a new intrusion tool; its author, Sandro Gauci, used it to successfully steal someone else's account: Surf Jacking Gmail demonstration from Sandro Gauci on Vimeo. [...]

August 16, 2008 | Unregistered Commenter: » GMail Surf Jacking &ra

[...] that one could easily hijack a Gmail account by means of the Surf Jack software. Here is the video demonstration [...]

August 20, 2008 | Unregistered Commenter: Pirater un compte Gmail

[...] change my log on credentials or even worse. For more details on the attack, please go to the “Enablesecurity.com” web site and watch the video. It shows how surf jacking can be used against a vulnerable [...]

[...] With this tool and a network sniffer, a malicious person can take control of a Gmail account almost without difficulty. You can find a fairly detailed description of the procedure (with a supporting video) on EnableSecurity. [...]

Hey Sandro, excellent demo video. Good job man.

It's worth mentioning that although Gmail now has the "enforce SSL" option, very few users will actually bother enabling it :( Unfortunately, Gmail - and all other large free webmail providers - don't have the infrastructure required to handle all the extra overhead traffic caused by SSL.

Also, even if a site uses SSL and sets cookies using the 'secure' flag, couldn’t sessions still be hijacked via SSL MITM? Of course, the victim would get an invalid certificate warning, but still many users ignore those.

August 31, 2008 | Unregistered Commenter: Adrian Pastor

Very true what you said about the "enforce SSL" option. People use defaults, only geeks change options and such ;-) So until it becomes easier for services such as Gmail to serve everyone with SSL, I don't see the default changing.

Yes - SSL MITM still works if the user accepts an invalid certificate or the attacker has access to a valid key (like the case of the Debian issue of 3 months ago). It is, however, becoming more difficult to accept an invalid certificate with Firefox and IE. But the truth is that, yeah, this will always work until current browsers stop allowing users to do (not so) stupid things.

August 31, 2008 | Unregistered Commenter: Sandro

Bug when I choose my interface, line 271, 272.

September 9, 2008 | Unregistered Commenter: er0b

Currently the tool supports Scapy 1.x. The new Scapy version 2 was not tested with Surf Jack and will probably not work.

September 9, 2008 | Unregistered Commenter: Sandro

Sandro,

A cookie marked as "secure" should be a simple workaround, no?

September 11, 2008 | Unregistered Commenter: Jipe

Session hijacking...

Recently, two publications raised awareness of a problem with SSL-secured websites.

If a website is configured to always forward traffic to SSL, one would assume that all traffic is safe and nothing can be sniffed. Though, if one is able to sniff ne...

September 25, 2008 | Unregistered Commenter: Hanno's blog

Congratulations Sandro, it is a great job...

November 5, 2008 | Unregistered Commenter: Eduardo Rubio

Hello Sandro,

My 2 GMail passwords were hijacked. I cannot access my accounts till now. One account at mail.gmail.com, one again at Google Mail Apps custom domain.

After reading this, I set "always use https" for all my Gmail accounts. But in Google Apps Mail it's not provided (CMIIW).

I access the internet via WiFi to my ISP network. I think my ISP network was not secure. This is my assumption, because I do not know how to check it.

So, I decided to move to a DSL or cellular (HSDPA) internet connection this month. I hope this is the best solution for my online access security. I'll avoid WiFi. Give me your advice please.

I use BackTrack 3.0 for posting this. But I do not find your app for hijacking Gmail (surfjack?) and the other tools for watching the IPs as seen in the video.

Anyway, thanks for the information. I keep trying to take my Gmail account back. It would be nice if you gave me feedback.

Regards.

December 2, 2008 | Unregistered Commenter: Parah Dab

Hi Parah

For a home user, avoiding WiFi will normally reduce your exposure to this kind of attack, so I think that it is a good solution.

Regarding BackTrack - you simply need to download the file to the BackTrack machine from surfjack.googlecode.com. By making use of BackTrack you avoid dependency hell ;-)

Good luck with the Gmail account recovery!

December 3, 2008 | Unregistered Commenter: Sandro

[...] Added Surf Jacking Cookie Security Inspector in “Misc->Anti phishing /pharming/jacking” : This extension is based on Sandro Gauci’s paper [...]
