User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » If you don't use a VPN, you should probably start. Page [1]  
gs7
All American
2354 Posts
user info
edit post

It just got a whole lot friendlier and easier for little Johnny to sniff an unencrypted wireless network and use the data he finds. In other words, he can pretend to be you.

For those of you who didn't realize that this was possible, shame on you, this is nothing new.

http://codebutler.com/firesheep


I am actually amazed it took this long for something like this to happen, should be fun reading the news for a few days.

10/25/2010 1:29:06 AM

lewisje
All American
9196 Posts
user info
edit post

This helps mitigate its effects: https://www.eff.org/https-everywhere

10/25/2010 1:59:14 AM

FroshKiller
All American
51913 Posts
user info
edit post

Yeah, we should start using VPNs because someone wrote a new Firefox extension to exploit an old security issue.

How about we just turn on wireless encryption, smartass?

10/25/2010 8:24:47 AM

quagmire02
All American
44225 Posts
user info
edit post

Quote :
"How about we just turn on wireless encryption, smartass?"

are you able to enable wireless encryption on public wireless networks, smartass?

10/25/2010 8:36:04 AM

FroshKiller
All American
51913 Posts
user info
edit post

Provided they haven't changed the router's default username and password, yes. But more to the point, I don't be authenticating on strange networks to begin with.

10/25/2010 8:41:06 AM

Master_Yoda
All American
3626 Posts
user info
edit post

^^ NCSU is the first one that comes to mind.

Hell the CSC dept does it legally. They have papers signed with the university to sniff all traffic in EB2. I know others that have done it elsewhere on campus.

10/25/2010 9:52:29 AM

kiljadn
All American
44690 Posts
user info
edit post

Quote :
"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."




Anyone who uses an open AP should be aware of the risks.


The purpose of this plugin is not to expose that risk, it's to urge sites to start using SSL and https like they should have been doing from the start

10/25/2010 10:22:16 AM

quagmire02
All American
44225 Posts
user info
edit post

so i guess it would be consider amoral of me to start using this in public places for shits and giggles?

10/25/2010 10:56:03 AM

timswar
All American
41050 Posts
user info
edit post

It would be immoral.

Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out.

[Edited on October 25, 2010 at 11:23 AM. Reason : BEBEBEBEBEBEBEBEBE]

10/25/2010 11:23:17 AM

confusi0n
All American
5076 Posts
user info
edit post

http://techcrunch.com/2010/10/25/firesheep/

10/25/2010 11:25:09 AM

wwwebsurfer
All American
10217 Posts
user info
edit post

haahahhaa - this is awesome. I'm definitely trying this at church to see what the youth are up to sunday morning

[Edited on October 25, 2010 at 12:18 PM. Reason : and did someone check the source code? It'd be REALLY funny if this was a virus. lol]

10/25/2010 12:16:40 PM

Novicane
All American
15416 Posts
user info
edit post

would this work over a LAN? (if ran on the dns server)

10/25/2010 12:55:35 PM

quagmire02
All American
44225 Posts
user info
edit post

Quote :
"Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out."

that's more of what i was thinking...something like this as a facebook status:

"D'oh! My account has been hijacked! Changing my password won't help. Read more at http://codebutler.com/firesheep. You could be next!"

10/25/2010 1:14:30 PM

dFshadow
All American
9507 Posts
user info
edit post

any good easy how-to's to set up and use a VPN?

10/25/2010 2:36:44 PM

ThatGoodLock
All American
5697 Posts
user info
edit post

is it illegal to track ANY cookies on your own network, regardless of who is connected, even if you suspect someone else is using it without permission?

10/25/2010 3:13:49 PM

Prospero
All American
11662 Posts
user info
edit post

hamachi & squid if you want to use your home internet

or you can use something like Tor

10/25/2010 3:14:23 PM

Master_Yoda
All American
3626 Posts
user info
edit post

^^While I dont diss them, If you can get a home server box with win 2k3 or 2k8 its really easy to use them as well.

10/25/2010 4:19:36 PM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

how the fuck does ssl or https help on an un-encrypted wireless network? the same guy sniffing your traffic to facebook is sniffing the key exchange in the first place, making ssl just as trivial. disabling broadcast and end to end encryption are the only things that are gonna help on public wifi

10/25/2010 7:15:39 PM

disco_stu
All American
7436 Posts
user info
edit post

The handshake includes a random number that's generated using the site's certificate (their public key) that can only be decrypted using the site's private key to establish the encryption formula for the rest of the conversation.

Unless they have the site's private key, I'm not sure how they're going to break the SSL session. To my knowledge, there is no "key exchange". The client and the server generate their keys independently based off of this random number which can only be decrypted by the site's private key.

[Edited on October 26, 2010 at 9:01 AM. Reason : .]

10/26/2010 8:57:52 AM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

if your site's cert isn't a root cert that you already have stored locally, how can you verify that the cert you're receiving is legit? you could be receiving a forged cert from a MITM party.

basis:
http://forums.devshed.com/security-and-cryptography-17/ssl-man-in-the-middle-attack-86557.html
theory on how it could be used (chinese gov't did some of this):
http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
tool to do it with:
http://crypto.stanford.edu/ssl-mitm/

10/26/2010 9:41:25 AM

disco_stu
All American
7436 Posts
user info
edit post

Getting MITM'd has nothing to do with the encryption strength of TSL and the difficulty of putting a 3rd party proxy on a public connection shouldn't be called 'trivial'. I suppose you could make a van, park it next to a starbucks, name the connection something very similar to their SSID, hope they don't use some other sort of authentication (I don't know if starbucks uses access cards or something) that would tip you off as a fake and trick people into using your connection instead of starbucks.

This is like saying SSL is trivial because you could get a virus that modifies your HOSTS file and routes you to a fake Bank of America page.

I do welcome the discussion however, and learning about new ways assholes work to break our stuff.

Or I suppose you could capture some traffic, spoof the site's ip...but then the client would become confused by receiving 2 sessions back and probably break the session anyway, so I'm not sure it would work like it does in movies. I think you'd have to compromise either the client's machine (in which case it's over no matter what encryption you use) or trick them into using your network.

[Edited on October 26, 2010 at 11:04 AM. Reason : .]

10/26/2010 11:01:50 AM

gs7
All American
2354 Posts
user info
edit post

The easiest, is to install DD-WRT on your wireless router and use the built-in basic VPN or more advanced OpenVPN server.

http://www.dd-wrt.com/wiki/index.php/VPN

http://www.dd-wrt.com/wiki/index.php/OpenVPN

Then configure your computer to use your new VPN. Done.

Also, if Tomato is your flavor, it looks like there might be a usable VPN build as well. I never used it so YMMV:

http://tomatovpn.keithmoyer.com/


[Edited on October 26, 2010 at 12:26 PM. Reason : .]

10/26/2010 12:22:58 PM

dFshadow
All American
9507 Posts
user info
edit post

http://modernerd.com/post/1407610448/solved-protect-yourself-on-public-wi-fi-networks

$55 a year? i don't know if it's worth that much to me...

10/26/2010 1:31:41 PM

BIGcementpon
Status Name
11319 Posts
user info
edit post

So why hasn't anyone posted about the fun had with this add-on?

10/26/2010 1:42:54 PM

Prospero
All American
11662 Posts
user info
edit post

Correct me if I'm wrong, but it's not the VPN that makes you safe is it? Doesn't it depend on the protocol?

10/26/2010 2:47:16 PM

gs7
All American
2354 Posts
user info
edit post

Sure, it's a two-part solution.

Even with a VPN direct to your home's internet connection, your data is still vulnerable to sniffing. But it's much harder for someone to sniff the internet traffic leaving your house, than say, the unsecured Wi-Fi at Starbucks, or on a college campus like NCSU where the wireless packets are broadcast in the clear and available for anyone to capture and analyze.

So, using a VPN when using a public Wi-Fi is what you do to prevent public sniffing ... while enabling (or forcing) SSL/HTTPS connections is the security responsibility of the web server in order to actually fix the problem being exploited by Firesheep.


Edit: To further answer your question about protocol, using a VPN will allow you to tunnel ALL your traffic through a secure pipe to your home, effectively removing any possibility that your public Wi-Fi communications can be sniffed.

[Edited on October 26, 2010 at 2:54 PM. Reason : .]

10/26/2010 2:53:40 PM

disco_stu
All American
7436 Posts
user info
edit post

When you VPN, all traffic is encrypted between you and your computer and then whatever between your computer and the site.

It's still "unsafe" but it's much less likely to be someone grabbing your packets between your home and the site. For one, it's not a wireless connection at that point.

Facebook's problem is they're not actually using SSL for all traffic and are including authentication cookies in plaintext. They suck.

[Edited on October 26, 2010 at 2:56 PM. Reason : it's]

10/26/2010 2:53:42 PM

Pikey
All American
6421 Posts
user info
edit post

We were stealing and editing cookies like 3 years ago on campusblender.com.

Someone finally made a script kiddie app for it.





Today, we are all hax0rs.

10/26/2010 3:24:20 PM

Prospero
All American
11662 Posts
user info
edit post

^^^not entirely true.

If you use GRE or L2TP for tunneling (without PPTP or IPSec) those are plaintext tunnels to VPN and not secure. My point is in theory it's all about the protocol, not the VPN itself that makes it secure.

i assume though all Windows machines default to PPTP?

[Edited on October 26, 2010 at 3:29 PM. Reason : .]

10/26/2010 3:25:47 PM

gs7
All American
2354 Posts
user info
edit post

Like I said ...

http://codebutler.com/firesheep-a-day-later
Quote :
"Since being released just over a day ago, Firesheep has been downloaded over 129,000 times. Firesheep has consistently been one (if not more) of the “Top Tweets” on Twitter, on top of Hacker News, was at one point the #10 trending search on Google in the US, and is the second suggestion on Bing when you start typing “fire”."


His new blog post also details lots of useful information about what you should and shouldn't do to protect yourself. Tor is definitely on the "do not use" list. VPN is on the list, but only because it doesn't solve the HTTPS issue, it just solves the unencrypted Wi-Fi issue. Definitely check out the extensions he points out, they are a good start, but the responsibility is ultimately in the hands of the web server administrators.

Good read.


Edit: ^Of course, but who would use an unencrypted VPN? Seems kind of pointless.

[Edited on October 26, 2010 at 3:27 PM. Reason : .]

10/26/2010 3:25:59 PM

Prospero
All American
11662 Posts
user info
edit post

i wasn't saying they would, i'm just saying it's not the VPN itself, that's all i was trying to clarify. i know what a VPN is and does, and maybe it was a silly question if VPN software automatically encrypts the traffic

[Edited on October 26, 2010 at 3:49 PM. Reason : .]

10/26/2010 3:30:37 PM

Master_Yoda
All American
3626 Posts
user info
edit post

With the VPN bit, this is a prime thing here at NCSU. NCSU's VPN is open to all vpn.ncsu.edu, that said it only secures ncsu applications and traffic. It uses split tunnel, so all net traffic is sent unencrypted.

10/26/2010 7:24:46 PM

yrrah
All American
894 Posts
user info
edit post

firesheep in the title would have helped

i just found out about this though
https://vpn.ncsu.edu/

your school business will be protected, but all web traffic goes straight out

10/26/2010 7:28:07 PM

Master_Yoda
All American
3626 Posts
user info
edit post

^ me and you were just in the same meeting

10/26/2010 7:58:52 PM

qntmfred
retired
40816 Posts
user info
edit post

ya know i finally got around to checking out openvpn b/c of this and this is pretty funny

http://www.openvpn.net/index.php/open-source/downloads.html

OpenVPN 2.1.3 -- released on 2010.08.27
OpenVPN 2.0.9 -- released on 2006.10.01

10/28/2010 1:19:10 PM

dFshadow
All American
9507 Posts
user info
edit post

i went to a starbucks yesterday and started trying this but the whole setup just took longer than i had. anyone else tried it?

also, this. http://blogs.forbes.com/andygreenberg/2010/10/28/how-to-screw-with-firesheep-snoops-try-fireshepherd/

i'm going back today and trying both. if i see anyone throw his arms up in frustration after i start fireShepherd, i swear i will go put visine in his drink or something...

10/29/2010 6:06:01 AM

quagmire02
All American
44225 Posts
user info
edit post

hah.

10/29/2010 7:17:08 AM

dFshadow
All American
9507 Posts
user info
edit post

http://www.fastcompany.com/1698627/firesheep-idiocy-privacy-facebook-twitter-google-foursquare-eric-butler-wifi

Idiocy = twitter cookie jacker to send a tweet under that account showing the victim is an idiot

wow, this isn't going to blow over anytime soon, is it?

10/29/2010 9:42:46 AM

gs7
All American
2354 Posts
user info
edit post

^Nope, I'll go make some fresh popcorn.

10/29/2010 10:16:53 AM

qntmfred
retired
40816 Posts
user info
edit post

ok so i tried setting up openvpn yesterday. it was hard i thought it was gonna be easy, installation wizard that set up most stuff for me

anybody got any pointers or know of a good tutorial?

10/29/2010 10:23:41 AM

gs7
All American
2354 Posts
user info
edit post

I'm assuming you are not using OpenVPN provided by DD-WRT or Tomato? In that case, here are a couple sites that seem to have correct information for setting up your own server and clients:

http://openmaniak.com/openvpn_tutorial.php

http://www.wi-fiplanet.com/tutorials/article.php/3831021/How-to-Run-OpenVPN-on-Windows-Mac-and-LinuxUnix.htm

10/29/2010 2:06:24 PM

qntmfred
retired
40816 Posts
user info
edit post

yeah i've got a standard WRT310N, no tomato (though that's another thing i've been meaning to try)

thx for the links, i think i found that 2nd one on google yesterday. i'll try it again later, was just surprised at how many manual steps were required

[Edited on October 29, 2010 at 2:08 PM. Reason : .]

10/29/2010 2:07:49 PM

lewisje
All American
9196 Posts
user info
edit post

I have DD-WRT

OpenVPN is in my interests

10/29/2010 8:26:25 PM

Grandmaster
All American
10829 Posts
user info
edit post

For anyone that uses Giganews, they're offering VyperVPN from Golden Frog for an additional 5.00 if you upgrade to their Diamond package by December 31st.

They have US servers for those out of the country that want to watch hulu/cnn/abc/etc or if you want to bypass your ISP's QoS implementation. And they also have an EU server for Spotify and BBC streams. I can max out 16Mb/1.5Mb while connected.

11/8/2010 7:53:38 AM

Prospero
All American
11662 Posts
user info
edit post

http://lifehacker.com/5684348/blacksheep-alerts-you-when-networking-sniffing-tool-firesheep-is-active

http://www.zscaler.com/blacksheep.html

11/8/2010 3:45:24 PM

Master_Yoda
All American
3626 Posts
user info
edit post

Ars Technica did a good follow up on this.

http://arstechnica.com/security/news/2010/11/researcher-free-wifi-should-use-free-password-to-protect-users.ars?comments=1#comments-bar

Still doesnt fix the base issue and just makes "secure" networks as usefuluseless as open networks. I have a friend that already proved this as he tested firesheep on a wpa network and still got it to work (more sucessfully than on an open network actually which we found funny).

11/10/2010 5:30:16 PM

 Message Boards » Tech Talk » If you don't use a VPN, you should probably start. Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.