Author Topic: Firesheep - Firefox add-on brings Hacking to the Masses (download)  (Read 13798 times)


Samker

Want to hack someone else's Amazon, Facebook, Twitter or Windows Live account in just one click? A Firefox extension called Firesheep claims you can by hijacking a person's current user session over an open Wi-Fi connection: http://codebutler.github.com/firesheep/

Ian Paul (from PCWorld) tested the extension out and it works as advertised - almost, that is.

Firesheep was created by Seattle-based software developer Eric Butler who said he created the extension to highlight the security risks associated with session hijacking, also known as sidejacking: http://codebutler.com/firesheep

Firesheep targets 26 online services, and includes many popular online services such as Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. The extension is also customizable allowing a hacker to target other Websites not listed by Firesheep.

While Firesheep sounds scary (and once again highlights the security concerns of using open Wi-Fi) the new Firefox extension is not as frightening as it sounds.

How Firesheep works

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep's database. When you log in to Amazon, for example, your browser's Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could send an e-mail, if it was Facebook they may be able to post a message and so on. Any operations that require your password, however, such as accessing your credit card information on Amazon should not be possible using Firesheep.

Firesheep put to the test

Since I wasn't close to a public Wi-Fi hotspot today, I tested Firesheep on my own home network using Firefox 3.6 for Mac OS X. The problem is I use WPA2 encryption at home, a Wi-Fi security standard that encrypts all user traffic going between your PC and the router. So the only way I could test Firesheep was on my own machine, which I did by browsing on both Firefox and Chrome.

To get started I installed Firesheep on Firefox, and then opened it up by clicking on View>Sidebars>Firesheep. I then saw a blank sidebar with a button at the top that said "Start Capturing." Once I clicked the button to start snooping, the extension asked for my computer's master password so that the extension could access and make changes to my machine. Needless to say, this is not something I would recommend you try on your own computer.


After the sidebar was working it started grabbing user IDs as promised for sites I logged in to including Amazon, Facebook, Google and The New York Times. Firesheep was able to grab my user name and profile photo (when available) and then display each account in the sidebar.

Theoretically, if I had tested this system over an unencrypted Wi-Fi network at a cafe, I should have been able to simply click on any of the accounts I saw in the Firesheep sidebar and then gain almost unrestricted access to the account. But in my tests that's not what happened.

Firesheep gets corralled


After the sniffing was done, I was supposed to be able to click on each user ID listed in my sidebar and then see my online accounts. Obviously, I was able to do this when using an account I'd logged in to using Firefox since the browser contained my actual session IDs as well as the stolen cookies sitting in Firesheep. But when I tried to gain access to my New York Times account that I'd logged in to using Chrome, Firesheep couldn't give me access to my account in Firefox. This was despite the fact that my user name and profile picture appeared in Firesheep.

It's also important to note that once I logged out of any of the online services I tested, I could not use Firesheep's stolen cookie to log back in.

Now, as I said, my tests were not perfect since I was using Firesheep on one machine, and my home network is very secure already. So my test may have gone differently if I had tested Firesheep on an unsuspecting user over an open, unencrypted Wi-Fi network at a cafe or bar.

Firesheep Sidejacking limits

There's no question that Firesheep highlights an important Web browsing security flaw that could expose your account to a malicious hacker. But it's also important to keep in mind that sidejacking has its limits. Using Firesheep is not likely to expose your user password. So a hacker may be able to use Firesheep to take action on your behalf such as send an e-mail, post a status update, or send out a tweet. But it's unlikely that Firesheep could be used to steal your account by switching your password on you. Unless, of course, you are using a service that lets you change your password without entering the current one--a rare occurrence these days.

Nevertheless, Firesheep, and sidejacking in general, is still a serious security threat if you happen to be using open or unprotected Wi-Fi. Here are a few basic things you can do to protect yourself when using public Wi-Fi.

Use A VPN

Try using a Virtual Private Network client such as the free version of HotSpot Shield. This piece of software basically creates a secure tunnel for your data that runs between the Wi-Fi router and your computer. This means Firesheep will not be able to steal any data passing between your computer and the router since all communications will be encrypted.

HTTPS Everywhere


If you're a Firefox user you can also use extensions such as HTTPS Everywhere built by the Electronic Frontier Foundation. This extension forces certain Websites to use a secure SSL connection for your entire browsing session instead of just the login. The problem with HTTPS Everywhere is it only works on a limited number of sites that support full SSL encrypted browsing. Often a site uses SSL encryption for your log in, but reverts you back to the non-encrypted HTTP standard after you've logged in. Check out the EFF's HTTPS Everywhere page for more information: http://www.eff.org/https-everywhere

Use Strict Transport Security (STS)

Strict Transport Security (STS) is a relatively new security feature that is starting to appear in some browsers. STS automatically forces your browser to make a secure connection with every Web page that supports SSL encryption. Once you start using STS, you will not be able to use an insecure connection ever again when connecting to a specific site such as Facebook or Amazon. Chrome has supported STS since Chrome 4, and Firefox 4 will include STS when the official version launches in the coming months: http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/ Be aware that STS is still relatively new, and may not be available for all browsers.

Finally, if you don't have a password on your router at home, make sure you set one up. If your router supports WPA2 then use that security standard instead of the more widely used and less secure standard known as WEP.

Firesheep may make it easier than ever for someone to snoop on other people over open, unencrypted Wi-Fi, but keep in mind that sidejacking is an old trick that's been around since at least 2007. To stay safe just make sure that over an open Wi-Fi connection you are using a secure connection with a VPN or HTTPS (SSL). When at home use the WPA2 standard if your router supports it, or at the very least secure your router with a WEP password. Also, don't forget that you should never use an open Wi-Fi connection for highly sensitive online activities such as accessing your bank or credit card accounts.

(PCW)

Samker's Computer Forum - SCforum.info


haz

Re: Firesheep - Firefox add-on brings Hacking to the Masses (download)
« Reply #1 on: 31. October 2010., 08:32:51 »
Thanks for the news, a new plugin called "FireShepherd" is out there, its purpose is to detect any "FireSheep" activity and fill it with rubbish packets (so that it cannot gather any useful data)! Of course it uses a vulnerability in FireSheep that might get patched soon, but its developer vowed to keep it updated always.

Samker

Block Firesheep with FireShepherd (download)
« Reply #2 on: 31. October 2010., 17:16:14 »
Thanks for the news, a new plugin called "FireShepherd" is out there, its purpose is to detect any "FireSheep" activity and fill it with rubbish packets (so that it cannot gather any useful data)! Of course it uses a vulnerability in FireSheep that might get patched soon, but its developer vowed to keep it updated always.

Here it is, FireShepherd: http://notendur.hi.is/~gas15/FireShepherd/

Thanks haz - for the great additional info. :thumbsup:


Samker

Zscaler Develops Free Tool to Detect Firesheep Snooping
« Reply #3 on: 08. November 2010., 17:27:15 »


A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security.

Firesheep: http://codebutler.github.com/firesheep/ , which was unveiled at the ToorCon security conference in San Diego last month by Eric Butler, collects session information that is stored in a Web browser's cookie. The session information is easily collected if transmitted back and forth between a user's computer and an unencrypted Wi-Fi router while a person is logged into a Web service such as Facebook.

While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, most then revert to passing unencrypted information during the rest of the session, a weakness that security analysts have warned of for years, particularly for users of public open Wi-Fi networks.

Firesheep identifies that unencrypted traffic and allows an interloper to "hijack" the session, or log into a Web site as the victim, with just a couple of clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool.

Zscaler's Blacksheep add-on: http://research.zscaler.com/ , however, will detect when someone on the same network is using Firesheep, allowing its users to make a more informed security decision about their behavior while on an open Wi-Fi network, for example.

Once Firesheep has intercepted someone's session credentials for a Web site, it makes a request to that site using the same cookie values. Blacksheep plays on this by making HTTP requests every five minutes to those sites monitored by Firesheep -- but using fake cookie values. If Blacksheep then detects Firesheep making a request to the site using the same fake cookie values, it can raise a warning, Zscaler said.

Security analysts have recommended that Web sites encrypt all traffic, but many sites have been unwilling to do it because of the extra processing power needed to maintain encryption. However, there has been progress: In January, Google turned on HTTPS encryption for all users of its Gmail service, where previously it had only been an option.

Other defenses against Firesheep include simply not using open Wi-Fi networks. If that's not an option, the Electronic Frontier Foundation built a Firefox add-on called "HTTPS Everywhere": https://www.eff.org/https-everywhere , which will automatically trigger an encrypted session with those Web sites capable of providing one. A VPN connection can also thwart attacks.

(PCW)
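
The decoy-cookie check described in the article above can be sketched as follows. This is an added example, not part of the thread and not Zscaler's code; the host names, cookie names, IP addresses and the captured-request tuples are constructed for illustration, and how the traffic is observed is left out.

```python
import secrets
from http.cookies import SimpleCookie

# Assumed for illustration: monitored hosts and their session-cookie names.
MONITORED = {"social.example": "session_id", "mail.example": "auth_token"}

def make_canaries(monitored=MONITORED):
    """One random cookie value per site; it never belongs to a real session."""
    return {host: secrets.token_hex(16) for host in monitored}

def probe_requests(canaries, monitored=MONITORED):
    """Decoy requests as (host, Cookie header) pairs, sent over plain HTTP."""
    return [(host, f"{monitored[host]}={value}") for host, value in canaries.items()]

def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def detect_replay(canaries, own_ip, observed, monitored=MONITORED):
    """Return sorted (src_ip, host) pairs where another host reused a canary."""
    alerts = set()
    for src_ip, host, cookie_header in observed:
        # Our own decoys and unmonitored sites are not evidence of anything.
        if src_ip == own_ip or host not in canaries:
            continue
        cookies = parse_cookie_header(cookie_header)
        # A canary value can only be known to someone who captured our decoy.
        if cookies.get(monitored[host]) == canaries[host]:
            alerts.add((src_ip, host))
    return sorted(alerts)

def demo():
    """Run the detector over constructed traffic records."""
    canaries = make_canaries()
    own_ip = "192.0.2.10"
    probes = dict(probe_requests(canaries))
    observed = [
        (own_ip, "social.example", probes["social.example"]),             # our decoy
        ("192.0.2.23", "social.example", "session_id=u1; theme=dark"),    # normal user
        ("192.0.2.66", "social.example", probes["social.example"] + "; lang=en"),  # replay
        ("192.0.2.66", "news.example", "sid=abc"),                        # unmonitored
    ]
    return detect_replay(canaries, own_ip, observed)
```

Because the canary is random and never issued by the site, a match from a second address has essentially no innocent explanation, which is why a single hit is enough to warn the user.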

npasher

Re: Firesheep - Firefox add-on brings Hacking to the Masses (download)
« Reply #4 on: 10. November 2010., 22:09:47 »
I just received a blacksheep warning that someone is using firesheep on my home secured network. I have 2 laptops on this network and only one is giving the warning. My network is very secured and no one has the passkey but myself. Is this a glitch or should I be very worried that one of my laptops has been compromised?


Samker

Re: Firesheep - Firefox add-on brings Hacking to the Masses (download)
« Reply #5 on: 10. November 2010., 23:38:52 »
I just received a blacksheep warning that someone is using firesheep on my home secured network. I have 2 laptops on this network and only one is giving the warning. My network is very secured and no one has the passkey but myself. Is this a glitch or should I be very worried that one of my laptops has been compromised?

First of all, check on that (problematic) laptop: do you have all the (latest) software updates, like on the first one?

Second, check which standard your router supports.


Samker

Browser add-on updated to slaughter Firesheep
« Reply #6 on: 24. November 2010., 10:05:35 »


The Electronic Frontier Foundation has updated its popular web browser security tool to guard against attacks waged by the Firesheep script-kiddie snoop kit.

HTTPS Everywhere 0.9.0 has been updated to force websites such as Facebook and Twitter to activate a secure flag in cookies used to authenticate users on those websites, said EFF Senior Staff Technologist Peter Eckersley: https://www.eff.org/https-everywhere By forcing the sites to send the authentication cookies only when a connection is protected by secure sockets layer encryption, man-in-the-middle attacks like the ones launched by cookie-jacking Firesheep are thwarted.

“By forcing cookies to Secure, HTTPS Everywhere adds protection against Firesheep that site operators should have but failed to provide,” said Chris Palmer, an EFF technology director who also worked on the project.

Although the web has been vulnerable to such attacks for more than a decade, many webmasters still don't follow best practices when granting users access to restricted parts of a site. A case in point, the latest version of HTTPS Everywhere breaks parts of Facebook that can only send authentication cookies over unprotected HTTP channels. That means that using the updated tool with Facebook chat and certain apps isn't possible – at least until changes are made to parts of the social networking site.

The update also works with several widely used cloud-based services, including Amazon storage service s3.amazonaws.com and twimg.com, reducing the problems when one of those sites is used by Twitter, Facebook or another website. It has also been updated to work with more websites, including Bit.ly, Cisco, Dropbox, Evernote and GitHub.

HTTPS Everywhere is a Firefox plugin that, like NoScript, is a must-have for security-minded users of the open-source browser. It was released in June by the EFF and members of the Tor Project. It has been downloaded more than 500,000 times.

The code behind the add-on is based in part on the Strict Transport Security response header that's under consideration by the Internet Engineering Task Force as a way for websites and browsers to exchange data only when an encrypted connection is being used. Eventually, the technology will probably be widely available: http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 For now, it's available for only a small smattering of websites and browsers.

(Elreg)
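
A site operator can check for the two server-side protections named in this thread, the Secure cookie flag and the Strict Transport Security header, by auditing response headers. The following is an added example, not part of the thread and not HTTPS Everywhere code; the function names, cookie names and sample headers are constructed for illustration.

```python
def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part}
    return name, attrs

def hsts_max_age(value):
    """Return max-age in seconds from an STS header value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit_response(scheme, headers, session_cookies):
    """headers: list of (name, value) pairs from one response. Returns findings."""
    findings = []
    hsts = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # Without Secure the browser attaches the cookie to HTTP requests too,
            # which is exactly the traffic a sniffer on open Wi-Fi can read.
            if cookie in session_cookies and "secure" not in attrs:
                findings.append(f"{cookie}: missing Secure attribute")
        elif name.lower() == "strict-transport-security":
            hsts = value
    if scheme != "https":
        if hsts is not None:
            findings.append("STS header on an HTTP response is ignored by browsers")
    elif hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif not hsts_max_age(hsts):
        findings.append("STS max-age missing or zero, no policy is stored")
    return findings

# Constructed sample responses: HTTPS login that leaves the session exposed,
# and the same response with both protections in place.
WEAK = [("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/")]
HARDENED = [("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

def demo():
    """Audit both constructed responses as if served over HTTPS."""
    return (audit_response("https", WEAK, {"session_id"}),
            audit_response("https", HARDENED, {"session_id"}))
```

The `theme` cookie is not reported because it is not listed as a session cookie; only cookies that authenticate the user need the Secure attribute for this purpose.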

krrjhn

Re: Firesheep - Firefox add-on brings Hacking to the Masses (download)
« Reply #7 on: 15. January 2011., 06:39:36 »
I have heard very little about it, but I think it's enough now!!
