Firesheep!

Discussion in 'privacy problems' started by vasa1, Oct 25, 2010.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    http://techcrunch.com/2010/10/24/fi...u-hack-into-twitter-facebook-accounts-easily/


    Ooops!
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    http://www.pcmag.com/article2/0,2817,2371465,00.aspencrypted
    Can anyone advise on this issue? Suppose I share my DSL router with five other users, wired and wireless. Does this mean that they can grab my credentials via Firesheep?

    Thanks
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    It looks like the FireSheep add-on currently (last I checked was yesterday) only installs on Windows and Macs - not yet Linux per notice on author's website.

    -- Tom
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Everything says open Wi-Fi, but what if all machines, including the one with Firesheep, are inside a WPA2 network? Does it work in that situation? I don't have any time to test myself.

    Edit: Actually I tried to test it and it gives a list of interface options, and my wireless adapter does not show. As it lists wired connections I would have to assume this will work on unswitched wired networks? Therefore if I had to guess it would work on any network where the Firesheep user was already inside though I am unable to test. My concern is that someone here at work will use this. I may need to turn off the wireless and plug into the gigabit switch on my desk.
     
    Last edited: Oct 28, 2010
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Fight Firesheep with FireShepherd
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Last edited: Oct 29, 2010
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Mozilla isn't responsible for how we use it. Removing it would just drive it underground. I installed it at work to see if it was a valid threat for us. I determined it was not. Then I removed it. That usage should not be illegal and I am not stupid enough to connect to an open wireless network. So the only cases where it is really a problem is for it to be used by people that are going to find one way or another to do what this accomplishes anyway.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The not being responsible for how it's used argument is used for many things, yet, when the s**t hits the fan, the argument never works. To many people, knowingly hosting such an add-on is damning enough. Do I necessarily agree that Mozilla is endorsing hackers now? Of course not. But, I do think it should be removed from their official add-on page just as a "CYA". It's a better PR move to toss it out than to keep it and let the news stories pile up, IMHO, even if the add-on isn't as "evil" as it may be made out to be. Mozilla doesn't need the "Google curse".
     
  12. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Hey guys, I think you should read what Mozilla actually said:
    http://blog.mozilla.com/security/2010/10/27/cooling-down-the-firesheep/
     
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    The add-on is not hosted by Mozilla, they just stated they won't block it.

    http://www.computerworld.com/s/article/9193420/Mozilla_No_kill_switch_for_Firesheep_add_on
     
  14. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Very true :oops:
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  17. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Wow this is crazy...

    Do you have to be connected to a WiFi network for it to work, or can hacks be hooked to a wired network and sniff with it?
     
  18. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
     
  19. sfouant

    sfouant Registered Member

    Joined:
    Nov 2, 2010
    Posts:
    1
    Yes, this vulnerability doesn't affect only wireless networks. This can be exploited on wired networks via a technique known as ARP Spoofing.

    It's not just OPEN wireless networks. Although it is slightly more difficult to exploit on networks using WPA2 due to the use of TKIP, if the attacker has access to the network they can use a technique known as ARP Spoofing to sniff your traffic.

    Yep, wired networks are vulnerable! You can read more about it at my post here: Misconceptions about Firesheep
     
  20. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    And they would only require FireSheep..?
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Microsoft responds to Firesheep cookie-jacking tool
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Even Forced SSL is broken for some sites.

    One of the comments there is from the author of NoScript:
     
  24. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Re: Firesheep! Microsoft will fix Hotmail/Windows Live with full SSL this month.

    In a reaction to George Ou, writer of a couple of articles on Firesheep for Digital Society, Microsoft has stated that it will offer full SSL for Hotmail/Windows Live this month;

    'In addition to protecting customers information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits.'
    link

    Facebook has stated that they 'hope to provide it as an option in the coming months'. link

    Firesheep seems to achieve (partially) what it was made for; by pressuring/'naming and shaming' companies, forcing them to start offering full SSL to their customers.
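
The difference between SSL at login only and the full-session SSL described in the Microsoft statement quoted in post 24 shows up in the cookies a site sets: a session cookie without the `Secure` attribute is also attached to plain http:// requests, where it can be read off the network. The Python sketch below is an added example, not part of the thread or of any site's code; the host, cookie names and both responses are constructed, and `session_names` is an assumption about which cookies carry the session.

```python
# Added example: audit the Set-Cookie headers of an HTTPS login response.
# Hosts, cookie names and values are constructed for illustration.
LOGIN_ONLY_SSL = """\
HTTP/1.1 302 Found
Location: http://mail.example.test/inbox
Set-Cookie: session_id=3f9a1c; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
Set-Cookie: login_csrf=77aa; Path=/login; Secure
"""

FULL_SESSION_SSL = """\
HTTP/1.1 302 Found
Location: https://mail.example.test/inbox
Set-Cookie: session_id=3f9a1c; Path=/; secure; HttpOnly
Set-Cookie: lang=en; Path=/
"""

def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header (header names are case-insensitive)."""
    values = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def parse_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    first, *rest = value.split(";")
    attrs = {a.partition("=")[0].strip().lower() for a in rest if a.strip()}
    return first.partition("=")[0].strip(), attrs

def exposed_session_cookies(raw_response, session_names):
    """Session cookies that a browser would also attach to plain http:// requests."""
    exposed = []
    for value in set_cookie_values(raw_response):
        name, attrs = parse_cookie(value)
        if name in session_names and "secure" not in attrs:
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    for label, resp in (("login-only SSL", LOGIN_ONLY_SSL), ("full-session SSL", FULL_SESSION_SSL)):
        print(label, "->", exposed_session_cookies(resp, {"session_id"}) or "no session cookie exposed")
```
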
     
  25. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Time for Yahoo! to get their finger out!
     