Firesheep!

[vasa1]

Quote:

a Firefox extension that will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies. As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and you will be able to log into the user’s site with their credentials.

http://techcrunch.com/2010/10/24/fir...counts-easily/


Ooops!

[JRViejo]

Quote:

Like the alternative option HTTPS Everywhere, the Force-TLS Firefox extension allows your browser to change HTTP to HTTPS on sites that you indicate in the Firefox Add On “Preferences” menu, protecting your login information and ensuring a secure connection when you access social sites.

How To Protect Your Login Information From Firesheep by Alexia Tsotsis.

[JRViejo]

Quote:

Mozilla has a "blocklist" mechanism that it can, and has in the past, applied as a last-resort defense against potentially-dangerous browser add-ons. The blocklist automatically cripples or uninstalls unwanted extensions that have been added to Firefox.

But Mozilla either can't or won't add Firesheep to the blocklist.

"[Firesheep] demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers," said Mike Beltzner, director of Firefox, in an e-mail reply to questions about Mozilla's possible moves.

Mozilla: No 'kill switch' for Firesheep add-on by Gregg Keizer.

[aigle]

http://www.pcmag.com/article2/0,2817...0.aspencrypted

Quote:

I don't think there's any particular reason why Firesheep should be limited to Wi-Fi networks. Regular wired Ethernet connections aren't by default either. I'll research this and report back.

Any one can advise on this issue. Suppose I share my DSL router with five other users, wired and wireless. Does this mean that they can grab my credentials via firesheep?

Thanks

[lotuseclat79]

It looks like the FireSheep add-on currently (last I checked was yesterday) only installs on Windows and Macs - not yet Linux per notice on author's website.

-- Tom

[xxJackxx]

Everything says open Wi-Fi, but, what if all machines including the one with Firesheep are inside of a WPA2 network? Does it work in that situation? I don't have any time test myself.

Edit: Actually I tried to test it and it gives a list of interface options, and my wireless adapter does not show. As it lists wired connections I would have to assume this will work on unswitched wired networks? Therefore if I had to guess it would work on any network where the Firesheep user was already inside though I am unable to test. My concern is that someone here at work will use this. I may need to turn off the wireless and plug into the gigabit switch on my desk.

[vasa1]

Fight Firesheep with FireShepherd

Quote:

an Icelandic engineering student named Gunnar Sigurdsson created FireShepherd, a program that crashes Firesheep with floods of nonsense packets.

Quote:

security researchers or malicious users could patch up the Firesheep flaw that FireShepherd exploits, but FireShepherd's creator has vowed to keep finding new ways to stop the snooping plug-in.

[vasa1]

Using Firesheep may be illegal!
http://www.downloadsquad.com/2010/10...-of-the-world/


Edit: This link now just points to the main page of downloadsquad.com.

[dw426]

Quote:

Originally Posted by vasa1

Using Firesheep may be illegal!
http://www.downloadsquad.com/2010/10...-of-the-world/

And yet Mozilla has officially stated they won't be removing the add-on from their site.

[xxJackxx]

Mozilla isn't responsible for how we use it. Removing it would just drive it underground. I installed it at work to see if it was a valid threat for us. I determined it was not. Then I removed it. That usage should not be illegal and I am not stupid enough to connect to an open wireless network. So the only cases where it is really a problem is for it to be used be people that are going to find one way or another to do what this accomplishes anyway.

[dw426]

Quote:

Originally Posted by xxJackxx

Mozilla isn't responsible for how we use it. Removing it would just drive it underground. I installed it at work to see if it was a valid threat for us. I determined it was not. Then I removed it. That usage should not be illegal and I am not stupid enough to connect to an open wireless network. So the only cases where it is really a problem is for it to be used be people that are going to find one way or another to do what this accomplishes anyway.

The not being responsible for how it's used argument is used for many things, yet, when the s**t hits the fan, the argument never works. To many people, knowingly hosting such an add-on is damning enough. Do I necessarily agree that Mozilla is endorsing hackers now? Of course not. But, I do think it should be removed from their official add-on page just as a "CYA". It's a better PR move to toss it out than to keep it and let the news stories pile up, IMHO, even if the add-on isn't as "evil" as it may be made out to be. Mozilla doesn't need the "Google curse".

[fsr]

Hey guys, i think you should read what Mozilla actually said

Quote:

Cooling Down the Firesheep


There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alone program.

The introduction of this tool reinforces the importance of websites configuring themselves to require secure connections.

Not too long ago we announced HTTP Strict-Transport-Security that can be used to — among other things — ensure your Facebook or Twitter cookies can’t be sniffed by someone using a tool like Firesheep. In fact, it’s built into Firefox 4. To protect their users from the this attack, a site simply needs to set the Strict-Transport-Security HTTP header when they serve you a secure log-in page, and make the rest of their site available over HTTPS. Firefox will take care of the rest: automatically fetching that site over a secure connection and blocking any third parties from seeing the unencrypted traffic.

We recommend that website authors make use of this header in order to protect their users.

But this technology is new to Firefox 4. To get HTTP Strict-Transport-Security support in Firefox 3.6, you will need to install an add-on that implements it such as ForceTLS. ForceTLS also gives you a way to opt-in to this extra security for sites who haven’t yet started sending that helpful HTTP header; it provides a user interface to add and remove sites that should never be contacted insecurely. Both HSTS and the manual opt-in are also available as part of NoScript. However, manually opting-in to HSTS on a site which does not yet make itself fully available securely may break the site; not all sites are ready for secure access.

If you are already using Firefox 4 beta or nightly versions, you can enable the additional controls with the STS-UI add-on. While the core Strict-Transport-Security features are already built into Firefox 4, this UI gives advanced users the ability to further ensure the security of their connections.

Sid Stamm
Conspiracy Theorist

http://blog.mozilla.com/security/201...the-firesheep/

[Sadeghi85]

The add-on is not hosted by Mozilla, they just stated they won't block it.

Quote:

"[Firesheep] demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers," said Mike Beltzner, director of Firefox, in an e-mail reply to questions about Mozilla's possible moves.

Beltzner did not respond to questions about whether Mozilla is technically able to cripple Firesheep, or simply chooses not to.

As Beltzner pointed out, Firesheep is not an officially-approved Firefox add-on, but was "created and distributed by a third-party developer."

http://www.computerworld.com/s/artic...resheep_add_on

[chrisretusn]

Quote:

Originally Posted by vasa1

Using Firesheep may be illegal!
http://www.downloadsquad.com/2010/10...-of-the-world/

That link is no longer valid. The article is gone. All you get now is the Download Squad main page.

[vasa1]

Quote:

Originally Posted by chrisretusn

That link is no longer valid. The article is gone. All you get now is the Download Squad main page.

Very true

[trismegistos]

Schneier on Security: Firesheep

[DasFox]

Wow this is crazy...

Do you have to be connected to a WiFi network for it to work, or can hacks be hooked to a wired network and sniff with it?

[JRViejo]

Quote:

But while the tool itself is not illegal, using it may be a violation of federal wiretapping laws and an invasion of privacy, experts said.

"There are two schools of thought," said Jonathan Gordon, a partner in the Los Angeles office of law firm Aston & Bird. "The first is that there's no reasonable expectation of privacy in a public insecure Wi-Fi connection."

Gordon, who regularly counsels clients on their Internet business practices, cited the U.S. statute pertaining to wiretapping, which states that it's not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."

But a second school of thought, said Gordon, "is that when people are accessing their social network [account], they have an expectation that whatever they're doing is governed by the privacy settings in that network." In other words, the fact that accessing a site takes place in an unsecure environment is beside the point.

Gordon acknowledged that the second position was held by a minority of legal experts.

Is it legal to use Firesheep at Starbucks? by Gregg Keizer.

[sfouant]

Quote:

Originally Posted by aigle

Any one can advise on this issue. Suppose I share my DSL router with five other users, wired and wireless. Does this mean that they can grab my credentials via firesheep?

Yes, this vulnerability doesn't affect only wireless networks. This can be exploited on wired networks via a technique known as ARP Spoofing.

Quote:

Originally Posted by xxJackxx

Everything says open Wi-Fi, but, what if all machines including the one with Firesheep are inside of a WPA2 network? Does it work in that situation? I don't have any time test myself.

It's not just OPEN wireless networks. Although it is slightly more difficult to exploit on networks using WPA2 due to the use of TKIP, if the attacker has access to the network they can use a technique known as ARP Spoofing to sniff your traffic.

Quote:

Originally Posted by DasFox

Do you have to be connected to a WiFi network for it to work, or can hacks be hooked to a wired network and sniff with it?

Yep, wired networks are vulnerable! You can read more about it at my post here: Misconceptions about Firesheep

[Baserk]

Quote:

Originally Posted by sfouant

Yes, this vulnerability doesn't affect only wireless networks. This can be exploited on wired networks via a technique known as ARP Spoofing.

And they would only require FireSheep..?

[aigle]

Quote:

Originally Posted by sfouant

Yes, this vulnerability doesn't affect only wireless networks. This can be exploited on wired networks via a technique known as ARP Spoofing.

Thanks. Nice article by you.

http://www.shortestpathfirst.net/201...ith-firesheep/

[vasa1]

Microsoft responds to Firesheep cookie-jacking tool

Quote:

Plug-ins such as HTTPS Everywhere for Firefox can, at least, automatically redirect connections to SSL-encrypted pages – but only if this is supported by the server.

Quote:

... LosHuertos' conclusion after his short tests: The weakest link in security has been, and always will be, the user's (errors of) judgement.

[MrBrian]

Even Forced SSL is broken for some sites.

One of the comments there is from the author of NoScript:

Quote:

NoScript’s “Force HTTPS” feature covers all the request and the subrequests to the forced domains (no matter if images, scripts, stylesheets or anything else), hence you’re fully covered against this kind of attacks.

[Baserk]

In a reaction to George Ou, writer of a couple of articles on Firesheep for Digital Society, Microsoft has stated that it will offer full SSL for Hotmail/Windows Live this month;

'In addition to protecting customers information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits.' link

Facebook has stated that they 'hope to provide it as an option in the coming months'. link

Firesheep seems to achieve (partially) what it was made for; by pressuring/'naming and shaming' companies, forcing them to start offering full ssl to their customers.

[vasa1]

Time for Yahoo! to get their finger out!