Speakeasy forum

General discussion

Anybody familiar with Firesheep?

by Bill Osler / November 2, 2010 11:46 AM PDT

This is a bit scary:
Using Wi-Fi? Firesheep may endanger your security - CNN.com
I'm sitting in a coffee shop. At a table against the opposite wall is a guy named Michael C. I've never seen him before. However, I know his name (including his last name, which I'm deliberately not saying here) because right now we're using the same Wi-Fi network and he's logged in to his Facebook and Google accounts.

This means I'm also logged into his Facebook and Google accounts, although he probably doesn't know that. If I chose to, right now I could read and delete his private messages -- or send out messages from his accounts. I could even edit his account profiles, alter his privacy settings or forward all his mail somewhere else.

Discussion is locked
You are posting a reply to: Anybody familiar with Firesheep?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Anybody familiar with Firesheep?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
it works, it's nasty
by jonah jones / November 2, 2010 1:17 PM PDT
Collapse -
This is serious stuff
by MDFlax / November 2, 2010 11:03 PM PDT

and very scary.

If you don't use wifi, or use wifi with WPA-2 wireless security, you are going to be OK, but if you do, and especially if you use public hotspots where the providers don't care about security, this has the potential to cause real problems.

Wireless hacking has been around for years of course, but up to now it has been in the realm of professional hackers riding around in their cars using specialised software to sniff out unprotected wifi connections. Movie stuff.

FireSheep does away with all that. Just add a Firefox Add-on and it does all the work for you.

I'm fully expecting some strange posts in these forums soon.

Mark

Collapse -
re: public hotspots
by grimgraphix / November 3, 2010 3:11 AM PDT
In reply to: This is serious stuff

Thinking about it... the only times I have ever used a public hotspot was when I was taking college courses about 3 years ago. It wasn't entirely open, since one had to use a pass word and a VPN client to log on (and I'm not sure, but I think a VPN client gives one a secure connection anyway, since we used individual pass words).

I'm not sure what a truly public Hot Spot provider - such as a coffee shop - can do to provide security on their end of the service. Pass word protecting the connection, and then giving the pass word out to all patrons simply means anyone in the shop could still use FireSheep to snoop on everyone else, if I understand how it works.


A positive about FireSheep ?

This would allow parents to easily monitor (or, if you prefer, spy upon) their kids use of the internet.


I wonder if FireSheep has a key logger built into it, that captures data sent from the computer or if one has to actively watch your victims in order to steal pass words and other confidential info?

In many ways, this is an insidious program, but also quite an interesting one, from a geeky perspective. I wonder how long it will be available for download, or if FireFox will somehow block it?

Collapse -
That idea about Hot Spot security is spot on
by MDFlax / November 3, 2010 10:46 PM PDT
In reply to: re: public hotspots

Excuse the pun.

Hot Spot providers could easily provide a WPA-2 type security on their systems and post it on a poster in the place. Sure, it can be seen by others, but the data into and out of any computer is still encrypted.

Firesheep isn't a key logger. It reads cookies on the (unprotected) target system and these allow the user to steal login details.

I've just read some more about Firesheep. It isn't available from Mozilla:Addons. Whether it was before but has now been removed I can't say, but it can still be obtained.
http://support.mozilla.com/en-US/questions/760960

The problem is the cat is out of the bag, as it were. It's a proof of concept that stealing information from unprotected wifi connections is now as simple as 'installing an addon'.

Mark

Collapse -
My wife does stuff on her laptop
by drpruner / November 4, 2010 6:11 AM PDT

at Starbucks. They use a service from AT&T which requires a purchase from Starbucks, in which case you get logon info. (The requirement is very generous to the user IMO.) I don't know if the link is protected.

She also uses a nearby branch of the UNM campus, which has unlimited free wifi. Don't know about that either (but I plan to check).

My question is: On either one, will WPA2 security on her computer protect her?

Collapse -
at Starbucks she can get WPA
by James Denison / November 4, 2010 6:19 AM PDT

I suspect the other doesn't if she doesn't get "instructions" on how to access it.

http://www.timeatlas.com/reviews/reviews/wireless_hotspot_security
One example of a wireless carrier supplying connection software is T-Mobile. The company is best known as the wireless provider for Starbucks, Borders, Kinko's, Hyatt and many airline clubs. The company offers various plans ranging from "pay as you go" to subscription. You may also find offers for a 1 Day Free Pass at various locations, but you still need to create an account.

T-Mobile's software is called T-Mobile Connection Manager and provides Wi-Fi Protected Access (WPA) while on their network. The software is easy to use and allows you to connect to non-T-Mobile networks too. In the example below, T-Mobile will first try to connect you to their enhanced WPA network. Once you've connected to their WPA network or a VPN, checkmarks will display next to the proper indicator. If a WPA connection can't be made, you will be connected to an open network without the added security.

http://www.la.unm.edu/Wireless/
UNMLA-Guest is an open network primarily providing internet access (web browsing, web mail,?) and can be used by visitors and guests as well as faculty, staff and students. As an open network just select it and connect.. UNMLA-LEAP and UNMLA-PEAP are secured networks that provide access to more network services (IMAP for mail applications, printing,?). These networks are intended for users with UNM-Los Alamos computer accounts. The username and password are used in the authentication process. There are no other passphrases or keywords needed. We will continually be adjusting, configuring and re-configuring aspects of the networks as situations arise or are identified. And will make every attempt to get that information posted as needed. There some instructions below that should get most users connected.

Collapse -
TUVM. As noted, the Starbuckses here
by drpruner / November 4, 2010 6:38 AM PDT

are using AT&T, with no special logons after the initial, with the passcode one gets with the purchase. That can go into the autologon, which will then work as long as one has enough credits. So, I guess the AT&T isn't as secure as we want.

Collapse -
Correction. I believe the SB ATT connection
by drpruner / November 7, 2010 10:13 AM PST

meets the standards for secure as noted above. (Can we assume that a big, pro outfit like The Phone Company is using heavy security?)

Most of the time- like now- we use the campus link because it's closer to home and has no logon requirements. (Says "guest" but we don't even need to do that. I believe we're OK at this minute, again per this thread, because there's no "Mike C" parked anywhere.

For most of my 'Net work I come up to the same campus and work. The Library boxes are on the secure net on-campus.

Sometimes my wife has to go to a public place to access her website or some such. That's where "Mike" comes in, maybe.

BTW thanks all for the useful info; I'll be looking in.

Collapse -
I believe that is for the network..
by EdHannigan / November 4, 2010 6:21 AM PDT

not individual computers.

Collapse -
Good point. In fact, The
by drpruner / November 4, 2010 6:35 AM PDT

UNM network is protected, but the Bad Guy at the next table is on the same network, of course. I don't know if that makes her available to him, but will her WPA protect her from him?

Collapse -
Yes.
by MDFlax / November 4, 2010 6:43 AM PDT

Steven makes a good point below. The laptop must connect to the router using WPA or WPA-2, otherwise security is compromised.

But as I understand it, even if Mr Bad Guy is sitting at the next table using the same public connection and has Firesheep, he cannot grab your laptop's cookies because the WPA is encrypted for each machine.

Mark

Collapse -
that's true if
by James Denison / November 4, 2010 2:40 PM PDT
In reply to: Yes.

...AP isolation is turned on at the router. If not, then someone can guess the group name and maybe do a quick over shoulder and catch the computer name and connect through Network Neighborhood in Windows file explorer, unless they have sharing disabled or shared folders are password protected.

Collapse -
Another good point. I believe neither of our
by drpruner / November 5, 2010 8:14 AM PDT
In reply to: that's true if

computers has any sharing- we don't need it- but I'll certainly make sure.

Collapse -
WPA2, etc.
by Steven Haninger / November 4, 2010 6:37 AM PDT

The security method only works when the wireless router/AP and the connecting device are both using that method. That a laptop is capable of WPA, WPA2, WEP (which isn't recommended) etc., doesn't provide the security. Her laptop will be able to connect to unsecured networks just as happily. I know that, at least with XP and its wireless zero utility, there is a setting to require a secured connection. Hope that helps more than it confuses.

Collapse -
there is still weakness
by James Denison / November 4, 2010 2:45 PM PDT
In reply to: WPA2, etc.

One would be by spoofing as the wireless access point so people would connect through you instead, while you are sharing your connection to the actual access point. Encryption only protects the communications between the user and the wireless router, it doesn't protect anything past that point. If the wireless router itself is compromised, a person is vulnerable. The most important setting on a router is AP isolation to make it so no wireless connection can see or interact with any other wireless connection through the router.

Collapse -
P3P
by James Denison / November 4, 2010 12:48 AM PDT
http://en.wikipedia.org/wiki/P3P

http://www.w3.org/P3P/

http://www.privacybird.org/

http://kb.mozillazine.org/Network.cookie.p3p

http://privacyfox.mozdev.org/PaperFinal.pdf

https://bugzilla.mozilla.org/show_bug.cgi?id=225287
It was removed. Reasons given.

http://kb.mozillazine.org/About:config_entries#Network.
see Network.Cookie.CookieBehavior by scrolling down.

http://kb.mozillazine.org/Cookies

http://privacyfox.mozdev.org/
The best browser tool for P3P translation is AT&T's Privacy Bird, but it is IE-specific. This is an attempt to create a simple version for Firefox,
Collapse -
Use https everywhere
by C1ay / November 5, 2010 10:05 AM PDT
https://www.eff.org/https-everywhere

Many sites like your bank and GMail will use https by default anyhow so that your computers connection with that site is encrypted. It won't matter who else is connected on the same network, they won't have access to your connection.
Collapse -
(NT) try using it here.
by James Denison / November 5, 2010 1:15 PM PDT
In reply to: Use https everywhere
Collapse -
Yep, it might be a problem
by MDFlax / November 5, 2010 11:47 PM PDT
In reply to: try using it here.

I haven't tried forcing secure logon here, so whether it is a problem or not I can't say, but I would guess that getting people to understand the risks will be difficult. In addition, CNET's association with FaceBook, full of known vulnerabilities, makes the task even more problematical.

Mark

Collapse -
If I get time
by C1ay / November 6, 2010 4:08 AM PDT
In reply to: try using it here.

CNet is not one of the built in rulesets so it would require time to configure it for that if CNet has secure logons enabled. Not all sites do. For those that do it offers a secure channel over insecure networks.

I have also used a secure VNC connection to my home computer where I could use it to remotely surf sites I was worried about.

Collapse -
Now there's Blacksheep
by C1ay / November 7, 2010 11:48 PM PST
Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?