
Firewalls can help hackers break into Facebook, Twitter

Washington, May 22, 2012, (IANS)

 Firewall technology designed to boost security can unwittingly reveal data that could help a hacker break into Facebook and Twitter accounts, a new study says.

Using Android smartphones, Z. Morley Mao, computer science associate professor at the University of Michigan, and doctoral student Zhiyun Qian revealed how an attacker could hijack a TCP (transmission control protocol) Internet connection by taking advantage of publicly available information on smartphones.

Hackers could also take advantage of users' willingness to download untrusted apps, and of network firewall middleboxes, which block data bundles that don't appear to be part of the flow of information traffic.

The researchers detected these middleboxes on 32 percent of the nearly 150 networks they tested worldwide. "Firewall middleboxes are supposed to protect against this kind of attack, but it turns out they do the opposite," Qian said.

"Most vendors and carriers that deploy such firewall middleboxes still believe they are safe and we want them to be aware of this design flaw," said Qian, according to a Michigan statement.

Middleboxes monitor the "sequence numbers" of data packets on their way to mobile devices. When you snap and share a photo with a friend, for example, it gets chopped into numerous packets before it's sent across the network.

Your friend's smartphone looks to the sequence numbers to put the picture back together. Middleboxes could help hackers use the process of elimination to home in on a number in the right range.

"An attacker can try to guess at sequence numbers. It's usually hard to get feedback on whether a guessed number is correct, but the firewall middlebox makes this possible," Qian said. "The attacker can try a range of sequence numbers. The firewall will only allow one through if it is in the valid range."

How does the attacker know he has succeeded? That's where the Android spyware comes in (smartphone malware is already very popular, the researchers say, and it wouldn't be hard for an attacker to add this capability into an existing program).

The intelligence the spyware needs is not privileged information. It doesn't need special administrator or root access. It would just read a couple of the phone's publicly available incoming packet counters and let the attacker know when the counters advanced.
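The feedback loop described above can be reproduced in a small in-memory model, added here as an illustration and not taken from the researchers' work. The class names, the 65,536-wide acceptance window and the sample sequence number are assumptions; the `check_seq=False` case is only a comparison showing that the signal comes from the middlebox's range check.

```python
# Constructed toy model: nothing here touches a network.
SEQ_SPACE = 2**32   # TCP sequence numbers are 32-bit
WINDOW = 2**16      # assumed width of the range the middlebox accepts

class Middlebox:
    """Tracks one connection; forwards a packet only if its sequence number is in range."""
    def __init__(self, expected_seq, check_seq=True):
        self.expected_seq = expected_seq
        self.check_seq = check_seq

    def forwards(self, seq):
        if not self.check_seq:
            return True
        # Modular distance handles a window that wraps past 2**32.
        return (seq - self.expected_seq) % SEQ_SPACE < WINDOW

class Phone:
    """Exposes only an incoming-packet counter, readable without root."""
    def __init__(self):
        self.packets_in = 0

def probe(box, phone, seq):
    """Offer one guessed sequence number; report whether the counter advanced."""
    before = phone.packets_in
    if box.forwards(seq):
        phone.packets_in += 1
    return phone.packets_in > before

def counter_feedback(box, phone):
    """Try one guess per window-width step across the whole space.
    Returns the guesses after which the counter advanced."""
    return [g for g in range(0, SEQ_SPACE, WINDOW) if probe(box, phone, g)]

def is_oracle(box, phone):
    """True when the feedback separates in-range guesses from all others."""
    total = SEQ_SPACE // WINDOW
    return 0 < len(counter_feedback(box, phone)) < total

if __name__ == "__main__":
    secret = 0x9E3779B1  # constructed value standing in for the live sequence number
    hits = counter_feedback(Middlebox(secret), Phone())
    print("counter advanced for:", [hex(g) for g in hits])
    print("oracle with range check:   ", is_oracle(Middlebox(secret), Phone()))
    print("oracle without range check:", is_oracle(Middlebox(secret, check_seq=False), Phone()))
```

With the range check on, exactly one of the 65,536 guesses moves the counter, which is the single bit of feedback Qian describes; with it off, every guess moves the counter and the counter says nothing about the sequence number.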

Armed with a valid sequence number, the hacker could spoof Facebook or Twitter's HTTP (as opposed to the more secure HTTPS) web login page and gain the user's passwords.

These findings were presented on Tuesday at the IEEE Symposium on Security and Privacy in San Francisco, US.


Copyright 2014, The Printers (Mysore) Private Ltd., 75, M.G Road, Post Box 5331, Bengaluru - 560001
Tel: +91 (80) 25880000 Fax No. +91 (80) 25880523