gs7 All American 2354 Posts
It just got a whole lot friendlier and easier for little Johnny to sniff an unencrypted wireless network and use the data he finds. In other words, he can pretend to be you.
For those of you who didn't realize that this was possible, shame on you, this is nothing new.
http://codebutler.com/firesheep
I am actually amazed it took this long for something like this to happen, should be fun reading the news for a few days. 10/25/2010 1:29:06 AM |
lewisje All American 9196 Posts
This helps mitigate its effects: https://www.eff.org/https-everywhere 10/25/2010 1:59:14 AM |
FroshKiller All American 51913 Posts
Yeah, we should start using VPNs because someone wrote a new Firefox extension to exploit an old security issue.
How about we just turn on wireless encryption, smartass? 10/25/2010 8:24:47 AM |
quagmire02 All American 44225 Posts
Quote : | "How about we just turn on wireless encryption, smartass?" |
are you able to enable wireless encryption on public wireless networks, smartass? 10/25/2010 8:36:04 AM |
FroshKiller All American 51913 Posts
Provided they haven't changed the router's default username and password, yes. But more to the point, I don't be authenticating on strange networks to begin with. 10/25/2010 8:41:06 AM |
Master_Yoda All American 3626 Posts
^^ NCSU is the first one that comes to mind.
Hell the CSC dept does it legally. They have papers signed with the university to sniff all traffic in EB2. I know others that have done it elsewhere on campus. 10/25/2010 9:52:29 AM |
kiljadn All American 44690 Posts
Quote : | "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win." |
Anyone who uses an open AP should be aware of the risks.
The purpose of this plugin is not to expose that risk, it's to urge sites to start using SSL and https like they should have been doing from the start 10/25/2010 10:22:16 AM |
quagmire02 All American 44225 Posts
so i guess it would be considered amoral of me to start using this in public places for shits and giggles? 10/25/2010 10:56:03 AM |
timswar All American 41050 Posts
It would be immoral.
Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out.
[Edited on October 25, 2010 at 11:23 AM. Reason : BEBEBEBEBEBEBEBEBE] 10/25/2010 11:23:17 AM |
confusi0n All American 5076 Posts
http://techcrunch.com/2010/10/25/firesheep/ 10/25/2010 11:25:09 AM |
wwwebsurfer All American 10217 Posts
haahahhaa - this is awesome. I'm definitely trying this at church to see what the youth are up to sunday morning
[Edited on October 25, 2010 at 12:18 PM. Reason : and did someone check the source code? It'd be REALLY funny if this was a virus. lol] 10/25/2010 12:16:40 PM |
Novicane All American 15416 Posts
would this work over a LAN? (if ran on the dns server) 10/25/2010 12:55:35 PM |
quagmire02 All American 44225 Posts
Quote : | "Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out." |
that's more of what i was thinking...something like this as a facebook status:
"D'oh! My account has been hijacked! Changing my password won't help. Read more at http://codebutler.com/firesheep. You could be next!" 10/25/2010 1:14:30 PM |
dFshadow All American 9507 Posts
any good easy how-to's to set up and use a VPN? 10/25/2010 2:36:44 PM |
ThatGoodLock All American 5697 Posts
is it illegal to track ANY cookies on your own network, regardless of who is connected, even if you suspect someone else is using it without permission? 10/25/2010 3:13:49 PM |
Prospero All American 11662 Posts
hamachi & squid if you want to use your home internet
or you can use something like Tor 10/25/2010 3:14:23 PM |
Master_Yoda All American 3626 Posts
^^While I don't diss them, if you can get a home server box with win 2k3 or 2k8 it's really easy to use them as well. 10/25/2010 4:19:36 PM |
smoothcrim Universal Magnetic! 18968 Posts
how the fuck does ssl or https help on an un-encrypted wireless network? the same guy sniffing your traffic to facebook is sniffing the key exchange in the first place, making ssl just as trivial. disabling broadcast and end to end encryption are the only things that are gonna help on public wifi 10/25/2010 7:15:39 PM |
disco_stu All American 7436 Posts
The handshake includes a random number that's generated using the site's certificate (their public key) that can only be decrypted using the site's private key to establish the encryption formula for the rest of the conversation.
Unless they have the site's private key, I'm not sure how they're going to break the SSL session. To my knowledge, there is no "key exchange". The client and the server generate their keys independently based off of this random number which can only be decrypted by the site's private key.
[Edited on October 26, 2010 at 9:01 AM. Reason : .] 10/26/2010 8:57:52 AM |
smoothcrim Universal Magnetic! 18968 Posts
if your site's cert isn't a root cert that you already have stored locally, how can you verify that the cert you're receiving is legit? you could be receiving a forged cert from a MITM party.
basis: http://forums.devshed.com/security-and-cryptography-17/ssl-man-in-the-middle-attack-86557.html
theory on how it could be used (chinese gov't did some of this): http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
tool to do it with: http://crypto.stanford.edu/ssl-mitm/ 10/26/2010 9:41:25 AM |
disco_stu All American 7436 Posts
Getting MITM'd has nothing to do with the encryption strength of TLS and the difficulty of putting a 3rd party proxy on a public connection shouldn't be called 'trivial'. I suppose you could make a van, park it next to a starbucks, name the connection something very similar to their SSID, hope they don't use some other sort of authentication (I don't know if starbucks uses access cards or something) that would tip you off as a fake and trick people into using your connection instead of starbucks.
This is like saying SSL is trivial because you could get a virus that modifies your HOSTS file and routes you to a fake Bank of America page.
I do welcome the discussion however, and learning about new ways assholes work to break our stuff.
Or I suppose you could capture some traffic, spoof the site's ip...but then the client would become confused by receiving 2 sessions back and probably break the session anyway, so I'm not sure it would work like it does in movies. I think you'd have to compromise either the client's machine (in which case it's over no matter what encryption you use) or trick them into using your network.
[Edited on October 26, 2010 at 11:04 AM. Reason : .] 10/26/2010 11:01:50 AM |
gs7 All American 2354 Posts
The easiest is to install DD-WRT on your wireless router and use the built-in basic VPN or more advanced OpenVPN server.
http://www.dd-wrt.com/wiki/index.php/VPN
http://www.dd-wrt.com/wiki/index.php/OpenVPN
Then configure your computer to use your new VPN. Done.
Also, if Tomato is your flavor, it looks like there might be a usable VPN build as well. I never used it so YMMV:
http://tomatovpn.keithmoyer.com/
[Edited on October 26, 2010 at 12:26 PM. Reason : .] 10/26/2010 12:22:58 PM |
dFshadow All American 9507 Posts
http://modernerd.com/post/1407610448/solved-protect-yourself-on-public-wi-fi-networks
$55 a year? i don't know if it's worth that much to me... 10/26/2010 1:31:41 PM |
BIGcementpon Status Name 11319 Posts
So why hasn't anyone posted about the fun had with this add-on? 10/26/2010 1:42:54 PM |
Prospero All American 11662 Posts
Correct me if I'm wrong, but it's not the VPN that makes you safe is it? Doesn't it depend on the protocol? 10/26/2010 2:47:16 PM |
gs7 All American 2354 Posts
Sure, it's a two-part solution.
Even with a VPN direct to your home's internet connection, your data is still vulnerable to sniffing. But it's much harder for someone to sniff the internet traffic leaving your house, than say, the unsecured Wi-Fi at Starbucks, or on a college campus like NCSU where the wireless packets are broadcast in the clear and available for anyone to capture and analyze.
So, using a VPN when using a public Wi-Fi is what you do to prevent public sniffing ... while enabling (or forcing) SSL/HTTPS connections is the security responsibility of the web server in order to actually fix the problem being exploited by Firesheep.
Edit: To further answer your question about protocol, using a VPN will allow you to tunnel ALL your traffic through a secure pipe to your home, effectively removing any possibility that your public Wi-Fi communications can be sniffed.
[Edited on October 26, 2010 at 2:54 PM. Reason : .] 10/26/2010 2:53:40 PM |
disco_stu All American 7436 Posts
When you VPN, all traffic is encrypted between you and your computer and then whatever between your computer and the site.
It's still "unsafe" but it's much less likely to be someone grabbing your packets between your home and the site. For one, it's not a wireless connection at that point.
Facebook's problem is they're not actually using SSL for all traffic and are including authentication cookies in plaintext. They suck.
[Edited on October 26, 2010 at 2:56 PM. Reason : it's] 10/26/2010 2:53:42 PM |
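An added example, not part of the thread: a small audit of response headers for the weakness described in the post above, where a session cookie issued at an HTTPS login can still travel on later plaintext requests. The cookie names, URLs and the name-matching heuristic are assumptions made for illustration.

```python
# Added example (not from the thread): flag session cookies that can leak
# over plaintext HTTP. All URLs, cookie names and values are constructed.
from http.cookies import SimpleCookie

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed naming heuristic

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    https = url.lower().startswith("https://")
    names = {name.lower() for name, _ in headers}
    if https and "strict-transport-security" not in names:
        findings.append("no HSTS: later requests may fall back to http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            if not any(hint in cname.lower() for hint in SESSION_HINTS):
                continue  # preference cookie, not an authentication token
            if not https:
                findings.append(f"{cname}: set over plaintext HTTP")
            if not morsel["secure"]:
                findings.append(f"{cname}: missing Secure, sent on http:// too")
            if not morsel["httponly"]:
                findings.append(f"{cname}: missing HttpOnly")
    return findings

# Constructed responses: HTTPS login that still issues a sniffable cookie,
# a fully plaintext page, and a hardened login.
WEAK = ("https://site.example/login", [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])
PLAINTEXT = ("http://site.example/home", [("Set-Cookie", "auth_token=xyz")])
HARDENED = ("https://site.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, (url, hdrs) in (("weak", WEAK), ("plaintext", PLAINTEXT),
                               ("hardened", HARDENED)):
        print(label, audit_response(url, hdrs))
```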
Pikey All American 6421 Posts
We were stealing and editing cookies like 3 years ago on campusblender.com.
Someone finally made a script kiddie app for it.
Today, we are all hax0rs. 10/26/2010 3:24:20 PM |
Prospero All American 11662 Posts
^^^not entirely true.
If you use GRE or L2TP for tunneling (without PPTP or IPSec) those are plaintext tunnels to VPN and not secure. My point is in theory it's all about the protocol, not the VPN itself that makes it secure.
i assume though all Windows machines default to PPTP?
[Edited on October 26, 2010 at 3:29 PM. Reason : .] 10/26/2010 3:25:47 PM |
gs7 All American 2354 Posts
Like I said ...
http://codebutler.com/firesheep-a-day-later
Quote : | "Since being released just over a day ago, Firesheep has been downloaded over 129,000 times. Firesheep has consistently been one (if not more) of the “Top Tweets” on Twitter, on top of Hacker News, was at one point the #10 trending search on Google in the US, and is the second suggestion on Bing when you start typing “fire”." |
His new blog post also details lots of useful information about what you should and shouldn't do to protect yourself. Tor is definitely on the "do not use" list. VPN is on the list, but only because it doesn't solve the HTTPS issue, it just solves the unencrypted Wi-Fi issue. Definitely check out the extensions he points out, they are a good start, but the responsibility is ultimately in the hands of the web server administrators.
Good read.
Edit: ^Of course, but who would use an unencrypted VPN? Seems kind of pointless.
[Edited on October 26, 2010 at 3:27 PM. Reason : .] 10/26/2010 3:25:59 PM |
Prospero All American 11662 Posts
i wasn't saying they would, i'm just saying it's not the VPN itself, that's all i was trying to clarify. i know what a VPN is and does, and maybe it was a silly question if VPN software automatically encrypts the traffic
[Edited on October 26, 2010 at 3:49 PM. Reason : .] 10/26/2010 3:30:37 PM |
Master_Yoda All American 3626 Posts
With the VPN bit, this is a prime thing here at NCSU. NCSU's VPN is open to all vpn.ncsu.edu, that said it only secures ncsu applications and traffic. It uses split tunnel, so all net traffic is sent unencrypted. 10/26/2010 7:24:46 PM |
yrrah All American 894 Posts
firesheep in the title would have helped
i just found out about this though https://vpn.ncsu.edu/
your school business will be protected, but all web traffic goes straight out 10/26/2010 7:28:07 PM |
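An added example, not part of the thread: the split-tunnel behaviour described in the two posts above, checked by longest-prefix match over a routing table. The interface names, routes and addresses are constructed (documentation ranges), and the full-tunnel table assumes the pair of /1 routes that OpenVPN's `redirect-gateway def1` installs.

```python
# Added example (not from the thread): find destinations that bypass a VPN
# tunnel. Routes, interface names and addresses below are constructed.
import ipaddress

def egress_interface(routes, dest):
    """Longest-prefix match: return the interface used to reach dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def leaks(routes, tunnel_iface, dests):
    """Return the destinations whose traffic does not enter the tunnel."""
    return [d for d in dests if egress_interface(routes, d) != tunnel_iface]

SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the open Wi-Fi
    ("198.51.100.0/24", "tun0"),   # only the campus range enters the VPN
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),         # two /1 routes are more specific than
    ("128.0.0.0/1", "tun0"),       # the default, so they take everything
    ("203.0.113.7/32", "wlan0"),   # host route to the VPN server itself
]
DESTS = ["198.51.100.20", "192.0.2.80"]  # campus app, outside web site

if __name__ == "__main__":
    print("split tunnel leaks:", leaks(SPLIT_TUNNEL, "tun0", DESTS))
    print("full tunnel leaks: ", leaks(FULL_TUNNEL, "tun0", DESTS))
```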
Master_Yoda All American 3626 Posts
^ me and you were just in the same meeting 10/26/2010 7:58:52 PM |
qntmfred retired 40816 Posts
ya know i finally got around to checking out openvpn b/c of this and this is pretty funny
http://www.openvpn.net/index.php/open-source/downloads.html
OpenVPN 2.1.3 -- released on 2010.08.27
OpenVPN 2.0.9 -- released on 2006.10.01 10/28/2010 1:19:10 PM |
dFshadow All American 9507 Posts
i went to a starbucks yesterday and started trying this but the whole setup just took longer than i had. anyone else tried it?
also, this. http://blogs.forbes.com/andygreenberg/2010/10/28/how-to-screw-with-firesheep-snoops-try-fireshepherd/
i'm going back today and trying both. if i see anyone throw his arms up in frustration after i start fireShepherd, i swear i will go put visine in his drink or something... 10/29/2010 6:06:01 AM |
quagmire02 All American 44225 Posts
hah. 10/29/2010 7:17:08 AM |
dFshadow All American 9507 Posts
http://www.fastcompany.com/1698627/firesheep-idiocy-privacy-facebook-twitter-google-foursquare-eric-butler-wifi
Idiocy = twitter cookie jacker to send a tweet under that account showing the victim is an idiot
wow, this isn't going to blow over anytime soon, is it? 10/29/2010 9:42:46 AM |
gs7 All American 2354 Posts
^Nope, I'll go make some fresh popcorn. 10/29/2010 10:16:53 AM |
qntmfred retired 40816 Posts
ok so i tried setting up openvpn yesterday. it was hard i thought it was gonna be easy, installation wizard that set up most stuff for me
anybody got any pointers or know of a good tutorial? 10/29/2010 10:23:41 AM |
gs7 All American 2354 Posts
I'm assuming you are not using OpenVPN provided by DD-WRT or Tomato? In that case, here are a couple sites that seem to have correct information for setting up your own server and clients:
http://openmaniak.com/openvpn_tutorial.php
http://www.wi-fiplanet.com/tutorials/article.php/3831021/How-to-Run-OpenVPN-on-Windows-Mac-and-LinuxUnix.htm 10/29/2010 2:06:24 PM |
qntmfred retired 40816 Posts
yeah i've got a standard WRT310N, no tomato (though that's another thing i've been meaning to try)
thx for the links, i think i found that 2nd one on google yesterday. i'll try it again later, was just surprised at how many manual steps were required
[Edited on October 29, 2010 at 2:08 PM. Reason : .] 10/29/2010 2:07:49 PM |
lewisje All American 9196 Posts
I have DD-WRT
OpenVPN is in my interests 10/29/2010 8:26:25 PM |
Grandmaster All American 10829 Posts
For anyone that uses Giganews, they're offering VyperVPN from Golden Frog for an additional 5.00 if you upgrade to their Diamond package by December 31st.
They have US servers for those out of the country that want to watch hulu/cnn/abc/etc or if you want to bypass your ISP's QoS implementation. And they also have an EU server for Spotify and BBC streams. I can max out 16Mb/1.5Mb while connected. 11/8/2010 7:53:38 AM |
Prospero All American 11662 Posts
http://lifehacker.com/5684348/blacksheep-alerts-you-when-networking-sniffing-tool-firesheep-is-active
http://www.zscaler.com/blacksheep.html 11/8/2010 3:45:24 PM |
Master_Yoda All American 3626 Posts
Ars Technica did a good follow up on this.
http://arstechnica.com/security/news/2010/11/researcher-free-wifi-should-use-free-password-to-protect-users.ars?comments=1#comments-bar
Still doesn't fix the base issue and just makes "secure" networks as useless as open networks. I have a friend that already proved this as he tested firesheep on a wpa network and still got it to work (more successfully than on an open network actually which we found funny). 11/10/2010 5:30:16 PM |