[access-uk] Re: Fire Sheep - Security Alert

  • From: "Barry Toner" <barry@xxxxxxxxxxxxxxxxx>
  • To: <access-uk@xxxxxxxxxxxxx>
  • Date: Sun, 31 Oct 2010 14:17:27 -0000

Hi,

I was just asked a few questions, regarding this on BCAB so I paste my
answers below to hopefully clarify what's going on here.

> 1. Does this work across only wifi networks, or are there other 
> situations it could work?
This demonstration of the exploit is concerned more with WIFI networks.
It's highlighting two areas.  A.  Unsecured WIFI but more importantly B.
Session Cookies that are handled in a non-secure way, not using SSL
encryption.  So it doesn't matter what connection you are using, the
vulnerability is still there.  The guy is just using WIFI to demonstrate it
because it's quite easy to go into a public coffee shop, join the WIFI and
see who else is also on the WIFI and what they are up to.
> 
> 2. Do I have to be using Firefox for this to be a problem?
No the plug-in is designed to work with Firefox but this concerns all Web
Browsers.
> 
> 3. Can this be a problem on non-windows machines and mobile phones?
Yes it can.  The platform isn't the issue; the lack of security being used on
websites when dealing with personal or otherwise sensitive data is.
> 
> 4. Are there easily explained settings people can change to ensure 
> their safety?

This is where I often get stuck.  Although my career is mainly in
Infrastructure Support, Security is the area I have a deep interest in.  Ask
any security certified IT Professional out there and, as often as not, they
will be quite unforgiving and brutal with their advice.  I realise that
a lot of this is either not taken seriously or simply shunned by home-users
over convenience.  So I'll offer some general advice and one or two
solutions if people want to go a bit further.
On the Wireless front.
My own recommendations would be to not use Unsecured WIFI at home or
especially in public areas.  However, if you must use them on a regular basis,
try to avoid money transactions and/or sites like Facebook where you
are entering personal data.  Google and Google Mail are secure.
At home make sure you are using at least WPA Encryption on your Router for
your Wireless encryption.  Unsecured is just that, and WEP can be hacked in
under two minutes by a novice with a step by step guide.  Each Router is
different so it's difficult to say exactly where this setting would be
without being told the model of the Wireless

If you need mobile internet either use one of the products you can put on
your mobile phone to use it as a Wireless Access point or grab one of the
Mobile Internet Sticks from O2, T Mobile, Virgin, Vodafone, 3 etc.

I hope that now this issue has been made so public sites who have simply not
bothered to use secure connections in the past will get their act together
and quite fast.

> 
> Thanks
Barry

> -----Original Message-----
> From: access-uk@xxxxxxxxxxxxx [mailto:access-uk@xxxxxxxxxxxxx] On
> Behalf Of Barry Toner
> Sent: Sunday, October 31, 2010 9:45 AM
> To: access-uk@xxxxxxxxxxxxx
> Subject: [access-uk] Fire Sheep - Security Alert
> 
> Hi,
> I apologise for the slap-dash manner of this mail.  However, this is truly
> vital and worrying.  So much so I got up out of my nice warm comfortable bed
> to make as many of you aware as possible.  Sounds like scaremongering
> language?  Read on.
> I've just learned about this.  It is major, major, majorly worrying and must
> be addressed.
> 
> I am going to attempt to explain in a, (hopefully), straightforward manner
> and will post links below for you to read up about this more.
> 
> A lot of folks, (including myself), for years and years have been aware of
> security vulnerabilities concerning what is called Session Cookies.  In
> particular Session Cookies that are sent from a web site not using any form
> of SSL encryption.  That is any form of protection for you while you do your
> thing on the net.
> 
> It boils down like this.  If you log into say, your Facebook account.  When
> you log in, your username and password is sent to Facebook through a secure
> connection.  However, once that authentication has taken place, (once
> Facebook confirms you've supplied the correct username/password and lets you
> in) the site then goes back into a non-secure mode.  Facebook (in my
> example), puts a cookie file onto your machine.  The cookie is just a text
> file with some information relating to that time you are on the site.
> 
> Where this becomes a problem is if you are on an Internet connection that is
> not secure: that information is being sent un-encrypted or in an easy to see
> format.  So easy that a plug-in has been developed for the Firefox
> Web-Browser to show exactly how "Out there" your personal details can be.
> Below is a Youtube video (that has decent dialog), demoing this plug-in's
> capabilities.  In a nutshell using this plug-in you can view other people who
> are connected to your Wireless network and what they are up to on selective
> websites.  Not only view, in fact hi-jack that Facebook/Twitter/etc session.
> So you can log in and act as if you are that person.
> 
> This becomes doubly serious when used in an area where Free or Open WIFI is
> used.  That is a WIFI connection that does not prompt for a password or
> other form of authentication.  EG.  Starbucks, a Library, an Airport, or
> your own home WIFI connection if you have just left it open.  Using this
> plug-in for Firefox you can do all of the above to any people's Facebook etc
> accounts.  You used to have to use some crypto stuff in Linux to do this.
> But this concept plug-in demonstrates nicely how serious this (un-encrypted
> problem), really is.
> 
> On sites like Facebook etc they should pull their fingers out and use SSL
> Encryption throughout your session (or time) when logged in.  At home and in
> your Business/coffee shop etc they should not be using Open WIFI but
> something like WPA to help protect themselves from legal recourse and their
> customers' privacy.
> 
> Further information here
> 
> Youtube demo - Hijack Facebook, Myspace, Twitter and more!
> http://is.gd/gw1zW
> 
> Security Now, where I first heard about the Firesheep plug-in for Firefox.
> "Firesheep
> After catching up with a very busy week of security-related news and events,
> Steve and Leo celebrate the game-changing creation and release of
> "Firesheep", an add-on for the Firefox web browser which makes online web
> session hijacking as easy as it could possibly be. This WILL change the
> world for the better."
> https://www.grc.com/securitynow.htm
> Text transcript of the show and various mp3s can be had there.
> 
> A good BLOG entry that includes snippets from an interview with the guy who
> wrote the plug-in and explains nicely what I and others are in such a flap
> over.
> Firesheep In Wolves' Clothing: Extension Lets You Hack Into Twitter,
> Facebook Accounts Easily
> http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/
> 
> 
> 
> Barry Toner
> Microsoft Certified Professional Technology Specialist (MCTS)
> 
> BCS Belfast Branch
> YPG Representative & Disability Group
> http://www.bcs.org/server.php?show=nav.10444
> 
> Contact me @
> Professional:  barry.toner@xxxxxxxxxx
> Personal Email:  barry@xxxxxxxxxxxxxxxxx
> MSN/Live:  djpaddy@xxxxxxxxxxxxx
> AIM/FB:  barry@xxxxxxxxxxxxxxxxx
> TWITTER: dj_paddy
> Skype:  djpaddy
> Mobile:  (UK) +44 (0) 7921 611 253
> 
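The exposure the quoted post describes is a session cookie issued after an HTTPS login that the browser then also sends on plain-HTTP requests. The following is an added example, not code from the original mail or from Firesheep: a small audit of a server's Set-Cookie headers that flags session cookies missing the Secure (and HttpOnly) attribute, checks for HSTS, and shows the hardened header. The sample response headers and the SESSION_HINTS name list are constructed assumptions.

```python
"""Audit Set-Cookie headers for the weakness the mail describes: a session cookie
issued after an HTTPS login but without the Secure attribute, so the browser also
sends it on every plain-HTTP request, where anyone on the same open Wi-Fi can read
and replay it. The sample headers below are constructed, not captured."""

# Cookie-name fragments that usually mark a login session (assumption; extend per site).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value; returns name, transport flags and a list of issues."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    rep = {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs,
           "is_session": any(h in name.lower() for h in SESSION_HINTS), "issues": []}
    if rep["is_session"] and not rep["secure"]:
        rep["issues"].append("no Secure flag: sent in clear over HTTP, sniffable and replayable")
    if rep["is_session"] and not rep["httponly"]:
        rep["issues"].append("no HttpOnly flag: readable by any script on the page")
    return rep


def harden(header: str) -> str:
    """Return the same Set-Cookie value with HttpOnly and Secure appended if missing."""
    rep = parse_set_cookie(header)
    out = header.rstrip("; ")
    if not rep["httponly"]:
        out += "; HttpOnly"
    if not rep["secure"]:
        out += "; Secure"
    return out


def audit_response(headers: list[tuple[str, str]]) -> dict:
    """Audit all Set-Cookie headers of one response, and whether HSTS is set
    (HSTS keeps the browser on HTTPS, closing the fallback to plain HTTP)."""
    reports = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    exposed = [r["name"] for r in reports if r["is_session"] and not r["secure"]]
    return {"exposed_session_cookies": exposed, "hsts": hsts, "reports": reports}


# Constructed response to a successful login: the session cookie carries HttpOnly
# but not Secure, and no HSTS header is present, which is exactly the exposed case.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
```

Running audit_response(SAMPLE_HEADERS) reports sessionid as exposed with no HSTS, and harden() on that header yields the version a site should have sent.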


** To leave the list, click on the immediately-following link:-
** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=unsubscribe]
** If this link doesn't work then send a message to:
** access-uk-request@xxxxxxxxxxxxx
** and in the Subject line type
** unsubscribe
** For other list commands such as vacation mode, click on the
** immediately-following link:-
** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=faq]
** or send a message, to
** access-uk-request@xxxxxxxxxxxxx with the Subject:- faq
