[LINK] Firesheep
stephen at melbpc.org.au
Fri Feb 18 21:35:41 AEDT 2011
Firesheep
http://codebutler.com/firesheep
When logging into a website, you usually start by submitting your
username and password.
The webserver then checks to see if an account matching this information
exists, and if so, replies back to you with a "cookie" which is used by
your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting
the initial login, but surprisingly uncommon for websites to encrypt
everything else.
This leaves the cookie (and the user) vulnerable.
HTTP session hijacking (sometimes called "sidejacking") is when an
attacker gets a hold of a user's cookie, allowing them to do anything the
user can do on a particular website.
On an open wireless network, cookies are basically shouted through the
air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet
very popular websites continue to fail at protecting their users.
The only effective fix for this problem is full end-to-end encryption,
known on the web as HTTPS or SSL.
Facebook is constantly rolling out new "privacy" features in an endless
attempt to quell the screams of unhappy users, but what's the point when
someone can just take over an account entirely?
Twitter forced all third party developers to use OAuth, then immediately
released (and promoted) a new version of their insecure website.
When it comes to user privacy, SSL is the elephant in the room.
Today I announced the release of Firesheep, a Firefox extension designed
to demonstrate just how serious this problem is.
After installing the extension you'll see a new sidebar. Connect to any
busy open wifi network and click the big "Start Capturing" button. Then
wait.
As soon as anyone on the network visits an insecure website, known to
Firesheep, their name will be displayed.
Double-click on someone, and you're instantly logged in as them.
Firesheep is free, open source, and is available now for Mac OS X and
Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their
services. They've been ignoring this responsibility for too long, and
it's time for everyone to demand a more secure web.
My hope is that Firesheep will help the users win.
Eric Butler
--
Firesheep: https://github.com/codebutler/firesheep#readme
--
Wikipedia says: http://en.wikipedia.org/wiki/Firesheep
Firesheep is an extension developed by Eric Butler for the Firefox web
browser.
The extension uses a packet sniffer to intercept unencrypted cookies from
certain websites (such as Facebook and Twitter) as the cookies are
transmitted over (e.g., WiFi) networks, exploiting session hijacking
vulnerabilities.
It shows the discovered identities on a sidebar displayed in the browser,
and allows the user to instantly take on the log-in credentials of the
user by double-clicking on the victim's name.
The extension was created as a demonstration of the security risk to
users of web sites that only encrypt the login process and not the cookie
created during the login process.
It has been warned that the use of the extension to capture login details
without permission would violate wiretapping laws and/or computer
security laws in some countries.
Despite the security threat surrounding Firesheep, representatives for
Mozilla Add-ons have stated that it would not use the browser's internal
add-on blacklist to disable use of Firesheep, as the blacklist has only
been used to disable spyware or add-ons which inadvertently create
security vulnerabilities, as opposed to attack tools (which may
legitimately be used to test the security of one's own systems).
Counter-measures: Multiple methods exist to counter Firesheep's
activities, such as preventing packet sniffing by using an HTTPS
connection; however, since many sites restrict the use of HTTPS to only
web login, the end user would have to resort to a corporate Virtual
Private Network or implement a personal VPN (for example via OpenVPN) to
a home PC to encrypt absolutely all the data transmitted over the Wi-Fi
link.
Connecting to a wifi network with a password offers varying levels of
security. Using a Wired Equivalent Privacy (WEP) password, the attacker
running Firesheep must have the password, but once this has been achieved
(a likely scenario if a coffee shop is asking all users for the same
basic password) they are able to decrypt the cookies and continue their
Firesheep attack. However, using Wi-Fi Protected Access (WPA) encryption
offers individual user isolation, preventing the attacker from decrypting
any cookies sent over the network even if they have logged into the
network using the same password. An attacker would be able to manually
retrieve and decrypt another user's data on a WPA-PSK connection, if the
key is known.
Another Firefox extension known as BlackSheep, developed by Zscaler, was
also created as a counter for Firesheep. BlackSheep works by sending fake
session data for Firesheep to detect, and promptly warning the user if a
computer running the extension is detected. The extension itself is
partially based on Firesheep's code.
A program called Fireshepherd can be installed to run on your computer.
It periodically sends out overwhelming amounts of data, aiming to
overload and crash running instances of Firesheep on computers that are
on the same network. Fireshepherd has been accused of not improving
security and potentially putting unwanted load on Facebook.
--
Cheers,
Stephen
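
The gap described above (login encrypted, session cookie not) is visible in a site's own login response. The following is an added example, not part of the original post or of Firesheep: a Python audit of a constructed response from a hypothetical site (example.test and the cookie names are assumptions) that flags cookies lacking the Secure attribute, a post-login redirect back to plain HTTP, and a missing HSTS header.

```python
from http.cookies import SimpleCookie

# Constructed sample: response to an HTTPS login on a hypothetical site.
# example.test and all cookie names/values are assumptions for illustration.
SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.test/home\r\n"
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=zz9; Path=/; Secure\r\n"
    "Set-Cookie: auth=tok456; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (lowercase name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_login_response(raw):
    """List the ways this response lets a session cookie travel unencrypted."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                # Without Secure, the browser also sends the cookie over HTTP.
                if not morsel["secure"]:
                    findings.append(
                        f"cookie '{cname}' lacks Secure: sent on plain-HTTP requests")
        elif name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect leaves HTTPS after login: {value}")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(
            "no Strict-Transport-Security header: browser may still use HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit_login_response(SAMPLE_LOGIN_RESPONSE):
        print(finding)
```
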