General discussion

Anybody familiar with Firesheep?

This is a bit scary:
Using Wi-Fi? Firesheep may endanger your security - CNN.com
I'm sitting in a coffee shop. At a table against the opposite wall is a guy named Michael C. I've never seen him before. However, I know his name (including his last name, which I'm deliberately not saying here) because right now we're using the same Wi-Fi network and he's logged in to his Facebook and Google accounts.

This means I'm also logged into his Facebook and Google accounts, although he probably doesn't know that. If I chose to, right now I could read and delete his private messages -- or send out messages from his accounts. I could even edit his account profiles, alter his privacy settings or forward all his mail somewhere else.

Discussion is locked

Follow
Reply to: Anybody familiar with Firesheep?
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: Anybody familiar with Firesheep?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
it works, it's nasty
- Collapse -
This is serious stuff

and very scary.

If you don't use wifi, or use wifi with WPA-2 wireless security, you are going to be OK, but if you do, and especially if you use public hotspots where the providers don't care about security, this has the potential to cause real problems.

Wireless hacking has been around for years of course, but up to now it has been in the realm of professional hackers riding around in their cars using specialised software to sniff out unprotected wifi connections. Movie stuff.

FireSheep does away with all that. Just add a Firefox Add-on and it does all the work for you.

I'm fully expecting some strange posts in these forums soon.

Mark

- Collapse -
re: public hotspots

Thinking about it... the only times I have ever used a public hotspot was when I was taking college courses about 3 years ago. It wasn't entirely open, since one had to use a pass word and a VPN client to log on (and I'm not sure, but I think a VPN client gives one a secure connection anyway, since we used individual pass words).

I'm not sure what a truly public Hot Spot provider - such as a coffee shop - can do to provide security on their end of the service. Pass word protecting the connection, and then giving the pass word out to all patrons simply means anyone in the shop could still use FireSheep to snoop on everyone else, if I understand how it works.


A positive about FireSheep ?

This would allow parents to easily monitor (or, if you prefer, spy upon) their kids use of the internet.


I wonder if FireSheep has a key logger built into it, that captures data sent from the computer or if one has to actively watch your victims in order to steal pass words and other confidential info?

In many ways, this is an insidious program, but also quite an interesting one, from a geeky perspective. I wonder how long it will be available for download, or if FireFox will somehow block it?

- Collapse -
That idea about Hot Spot security is spot on

Excuse the pun.

Hot Spot providers could easily provide a WPA-2 type security on their systems and post it on a poster in the place. Sure, it can be seen by others, but the data into and out of any computer is still encrypted.

Firesheep isn't a key logger. It reads cookies on the (unprotected) target system and these allow the user to steal login details.

I've just read some more about Firesheep. It isn't available from Mozilla:Addons. Whether it was before but has now been removed I can't say, but it can still be obtained.
http://support.mozilla.com/en-US/questions/760960

The problem is the cat is out of the bag, as it were. It's a proof of concept that stealing information from unprotected wifi connections is now as simple as 'installing an addon'.

Mark

- Collapse -
My wife does stuff on her laptop

at Starbucks. They use a service from AT&T which requires a purchase from Starbucks, in which case you get logon info. (The requirement is very generous to the user IMO.) I don't know if the link is protected.

She also uses a nearby branch of the UNM campus, which has unlimited free wifi. Don't know about that either (but I plan to check).

My question is: On either one, will WPA2 security on her computer protect her?

- Collapse -
at Starbucks she can get WPA

I suspect the other doesn't if she doesn't get "instructions" on how to access it.

http://www.timeatlas.com/reviews/reviews/wireless_hotspot_security
One example of a wireless carrier supplying connection software is T-Mobile. The company is best known as the wireless provider for Starbucks, Borders, Kinko's, Hyatt and many airline clubs. The company offers various plans ranging from "pay as you go" to subscription. You may also find offers for a 1 Day Free Pass at various locations, but you still need to create an account.

T-Mobile's software is called T-Mobile Connection Manager and provides Wi-Fi Protected Access (WPA) while on their network. The software is easy to use and allows you to connect to non-T-Mobile networks too. In the example below, T-Mobile will first try to connect you to their enhanced WPA network. Once you've connected to their WPA network or a VPN, checkmarks will display next to the proper indicator. If a WPA connection can't be made, you will be connected to an open network without the added security.

http://www.la.unm.edu/Wireless/
UNMLA-Guest is an open network primarily providing internet access (web browsing, web mail,?) and can be used by visitors and guests as well as faculty, staff and students. As an open network just select it and connect.. UNMLA-LEAP and UNMLA-PEAP are secured networks that provide access to more network services (IMAP for mail applications, printing,?). These networks are intended for users with UNM-Los Alamos computer accounts. The username and password are used in the authentication process. There are no other passphrases or keywords needed. We will continually be adjusting, configuring and re-configuring aspects of the networks as situations arise or are identified. And will make every attempt to get that information posted as needed. There some instructions below that should get most users connected.

- Collapse -
TUVM. As noted, the Starbuckses here

are using AT&T, with no special logons after the initial, with the passcode one gets with the purchase. That can go into the autologon, which will then work as long as one has enough credits. So, I guess the AT&T isn't as secure as we want.

- Collapse -
Correction. I believe the SB ATT connection

meets the standards for secure as noted above. (Can we assume that a big, pro outfit like The Phone Company is using heavy security?)

Most of the time- like now- we use the campus link because it's closer to home and has no logon requirements. (Says "guest" but we don't even need to do that. I believe we're OK at this minute, again per this thread, because there's no "Mike C" parked anywhere.

For most of my 'Net work I come up to the same campus and work. The Library boxes are on the secure net on-campus.

Sometimes my wife has to go to a public place to access her website or some such. That's where "Mike" comes in, maybe.

BTW thanks all for the useful info; I'll be looking in.

- Collapse -
I believe that is for the network..

not individual computers.

- Collapse -
Good point. In fact, The

UNM network is protected, but the Bad Guy at the next table is on the same network, of course. I don't know if that makes her available to him, but will her WPA protect her from him?

- Collapse -
Yes.

Steven makes a good point below. The laptop must connect to the router using WPA or WPA-2, otherwise security is compromised.

But as I understand it, even if Mr Bad Guy is sitting at the next table using the same public connection and has Firesheep, he cannot grab your laptop's cookies because the WPA is encrypted for each machine.

Mark

- Collapse -
that's true if

...AP isolation is turned on at the router. If not, then someone can guess the group name and maybe do a quick over shoulder and catch the computer name and connect through Network Neighborhood in Windows file explorer, unless they have sharing disabled or shared folders are password protected.

- Collapse -
Another good point. I believe neither of our

computers has any sharing- we don't need it- but I'll certainly make sure.

- Collapse -
WPA2, etc.

The security method only works when the wireless router/AP and the connecting device are both using that method. That a laptop is capable of WPA, WPA2, WEP (which isn't recommended) etc., doesn't provide the security. Her laptop will be able to connect to unsecured networks just as happily. I know that, at least with XP and its wireless zero utility, there is a setting to require a secured connection. Hope that helps more than it confuses.

- Collapse -
there is still weakness

One would be by spoofing as the wireless access point so people would connect through you instead, while you are sharing your connection to the actual access point. Encryption only protects the communications between the user and the wireless router, it doesn't protect anything past that point. If the wireless router itself is compromised, a person is vulnerable. The most important setting on a router is AP isolation to make it so no wireless connection can see or interact with any other wireless connection through the router.

- Collapse -
P3P
http://en.wikipedia.org/wiki/P3P

http://www.w3.org/P3P/

http://www.privacybird.org/

http://kb.mozillazine.org/Network.cookie.p3p

http://privacyfox.mozdev.org/PaperFinal.pdf

https://bugzilla.mozilla.org/show_bug.cgi?id=225287
It was removed. Reasons given.

http://kb.mozillazine.org/About:config_entries#Network.
see Network.Cookie.CookieBehavior by scrolling down.

http://kb.mozillazine.org/Cookies

http://privacyfox.mozdev.org/
The best browser tool for P3P translation is AT&T's Privacy Bird, but it is IE-specific. This is an attempt to create a simple version for Firefox,
- Collapse -
Use https everywhere
https://www.eff.org/https-everywhere

Many sites like your bank and GMail will use https by default anyhow so that your computers connection with that site is encrypted. It won't matter who else is connected on the same network, they won't have access to your connection.
- Collapse -
(NT) try using it here.
- Collapse -
Yep, it might be a problem

I haven't tried forcing secure logon here, so whether it is a problem or not I can't say, but I would guess that getting people to understand the risks will be difficult. In addition, CNET's association with FaceBook, full of known vulnerabilities, makes the task even more problematical.

Mark

- Collapse -
If I get time

CNet is not one of the built in rulesets so it would require time to configure it for that if CNet has secure logons enabled. Not all sites do. For those that do it offers a secure channel over insecure networks.

I have also used a secure VNC connection to my home computer where I could use it to remotely surf sites I was worried about.

- Collapse -
Now there's Blacksheep

CNET Forums

Forum Info