Author Topic: Firesheep  (Read 1044 times)


Offline faith_michele

  • Anti - Phishing Staff
  • Gold Member
  • Posts: 1947
    • A Beacon of Light
Firesheep
« on: October 28, 2010, 03:38:18 AM »
Quote
Firesheep: Baaaaad News for the Unwary

By Brian Krebs, 27 October 2010

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this as a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

More.....

http://krebsonsecurity.com/2010/10/firesheep-baaaaad-news-for-the-unwary/

And.....

Quote
I’ll take the Firesheep with a side order of ARP Poisoning please…

By David Marcus, October 25, 2010


I read with great relish about the release of Firesheep over the weekend at ToorCon. Firesheep, written by Eric Butler, is a Firefox plugin that allows for the capturing of “insecure” login information. From the Firesheep website:

“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”

Excerpt...

Let us be clear here – this plugin is not the issue. Insecure login procedures are the issue. Websites that do not require SSL logins or enforce strong encryption are the problem. Most users are unaware of this. Consider what an attacker could do by combining classic ARP poisoning with this…. From Wikipedia:

“ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution. The principle of ARP spoofing is to send fake, or “spoofed”, ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway.

ARP spoofing attacks can be run from a compromised host, or from an attacker’s machine that is connected directly to the target Ethernet segment.”

Classic man-in-the-middle attacking. Any traffic meant for the desired address is routed to the attacker instead allowing them to capture, sniff or modify it as they see fit. Quite a tidy way to sniff, intercept or capture cookies methinks….. or just install this plugin (Firefox only) on a shared or public machine. However all is not lost or dim. Users can take control so that Firesheep can be defeated. Enter HTTPS-Everywhere from our friends at the Electronic Freedom Foundation – the great EFF.

HTTPS-Everywhere encrypts user communication with a number of websites, hence defeating what Firesheep does. It rewrites all requests to a number of sites as HTTPS. It is a Firefox extension that ALL users should install and use anyway (I have been a user of it since it first came out).

More......

http://blogs.mcafee.com/uncategorized/ill-take-the-firesheep-with-a-side-order-of-arp-poisoning-please


Microsoft Consumer Security MVP, July 2007-June 2010

"Fight your fights, find the grace in all the things that you can't change and help somebody, if you can." Van Zant

A Beacon of Light

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 7065
Re: Firesheep
« Reply #2 on: October 28, 2010, 06:01:24 PM »
Five Ways to Shear Firesheep

"...Regardless of which method you use, you must use one. Firesheep makes it trivial to not only peek at your private information, but, in some cases, actually take over your accounts. Mozilla will not be locking Firesheep out of its browser, so don’t look for any help from them.

It wouldn’t matter if Mozilla did try to blacklist it. The source code is out there. I know there are already Firesheep variations out there that can attack more social networking sites and I’m sure there will be others that work on different browsers. The genie of broken network security is out and until Web sites start using secure protocols by default you’re open to being attacked..."


Details here:
http://www.zdnet.com/blog/networking/five-ways-to-shear-firesheep/283

Microsoft MVP - Consumer Security

Offline faith_michele

  • Anti - Phishing Staff
  • Gold Member
  • Posts: 1947
    • A Beacon of Light
Re: Firesheep
« Reply #3 on: October 28, 2010, 06:04:46 PM »
http://blog.eset.com/2010/10/27/unencrypted-wireless-in-like-a-lion-out-like-a-lamb

These are always good practices.

Quote
In the meantime, here’s how you can make sure you stay immune to these attacks:

   1. Never connect to an open, unencrypted wireless network for any reason.
   2. Strongly avoid WEP-protected wireless networks if possible as this encryption can be trivially bypassed.
   3. Ensure your account settings around the web are configured to use HTTPS/SSL if it is supported. For example, http://mail.google.com/support/bin/answer.py?hl=en&answer=74765 shows how to enable this for your Google account.
   4. Always “sign out” or “log out” of a service as soon as you are finished using it.  Oftentimes this will expire the session cookie, and subsequent attempts to use it will fail.
   5. Avoid settings like “keep me logged in” when logging in to services.

Microsoft Consumer Security MVP, July 2007-June 2010

"Fight your fights, find the grace in all the things that you can't change and help somebody, if you can." Van Zant

A Beacon of Light

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 7065
Re: Firesheep
« Reply #4 on: November 15, 2010, 06:37:40 AM »
Extinguishing Firesheep for safe WiFi browsing

Firesheep has already taught 750,000 people how to hijack your unencrypted WiFi sessions with a single click.

So here's how to extinguish Firesheep with a technological defence that you can put together in just 60 seconds, even when you're on the road, and even if you're connecting over unencrypted WiFi to start with.

Once you're done, you can browse over unencrypted WiFi access points with no more risk than you'd browse at home.

Video demo here:
http://nakedsecurity.sophos.com/2010/11/15/extinguishing-firesheep-for-safe-wifi-browsing/?ref=nf


Microsoft MVP - Consumer Security

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 7065
Re: Firesheep
« Reply #5 on: November 24, 2010, 10:56:11 AM »
The Electronic Frontier Foundation has updated its popular web browser security tool to guard against attacks waged by the Firesheep script-kiddie snoop kit.

HTTPS Everywhere 0.9.0 has been updated to force websites such as Facebook and Twitter to activate a secure flag in cookies used to authenticate users on those websites, said EFF Senior Staff Technologist Peter Eckersley. By forcing the sites to send the authentication cookies only when a connection is protected by secure sockets layer encryption, man-in-the-middle attacks like the ones launched by cookie-jacking Firesheep are thwarted.

Complete Article:
http://www.theregister.co.uk/2010/11/23/https_everywhere_update/

Microsoft MVP - Consumer Security
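
The cookie weakness discussed in the first post and the Secure-flag fix described in Reply #5, as an added example that is not part of the original thread or the quoted articles. It audits `Set-Cookie` headers for session cookies that a browser would send over plain HTTP; the host `social.example`, the cookie names and the name-matching heuristic are constructed assumptions.

```python
# Constructed sample: (request URL, Set-Cookie header value) pairs.
SAMPLE = [
    ("https://social.example/login", "session_id=3f9a; Path=/; HttpOnly"),
    ("https://social.example/login", "auth_token=77c1; Path=/; Secure; HttpOnly"),
    ("http://social.example/home", "lang=en; Path=/"),
    ("http://social.example/home",
     "session_id=3f9a; Path=/; Expires=Wed, 27 Oct 2011 00:00:00 GMT"),
]

# Assumption: cookies whose names contain these fragments carry the login state.
SESSION_HINTS = ("sess", "auth", "token", "sid")

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {lowercased attr: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs

def audit(responses):
    """Return (cookie name, URL, issue) for each sidejacking exposure found."""
    findings = []
    for url, header in responses:
        name, _, attrs = parse_set_cookie(header)
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue  # not a login/session cookie by the naming heuristic
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests,
            # which is where a sniffer on the same network can read it.
            findings.append((name, url, "no-secure-flag"))
        if url.startswith("http://"):
            findings.append((name, url, "set-over-http"))
        if "max-age" in attrs or "expires" in attrs:
            # Long-lived cookie: a captured copy stays usable for longer.
            findings.append((name, url, "persistent"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```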