MOST people have heard the term “a wolf in sheep’s clothing”. However,
this old expression may need to be changed to a “hacker in sheep’s
clothing” due to a sneaky new program called Firesheep, which allows
hackers easy access to information on computers logged on to unsecured
wireless networks.

Firesheep is a downloadable plug-in application for internet browsers
which allows users to scan for unsecured wireless networks and steal
“cookies” – files automatically stored on computers using the network
which can contain automatic log-in information for some websites.

Websites such as Facebook, Twitter and some web mail services like
Hotmail allow users the option to automatically log in to their
accounts when they navigate to their pages, which creates a cookie
file on their computer with their log-in information.

If Firesheep users get a hold of these cookie files, it can allow them
to log in to the victim’s account and view information. It also
grants them the freedom to make any changes they like, such as status
updates or sending emails and messages.

Computer Troubleshooters North Coast owner Tony Hattam said
downloading the plug-in and taking over someone’s account on an
unsecured network was a relatively easy process and warned people to
take precautions.

“It’s certainly quite insidious,” Mr Hattam said.

“Thankfully, it can’t track your username and password details, but
it’s certainly the easiest way I’ve seen to take advantage of
someone’s unsecured wireless connection.”

Mr Hattam said unprotected wireless networks were vulnerable to the
process and once a hacker had gained access to a computer on the
network, they could then view and copy these cookie files to various
web accounts at their leisure.

Fortunately, sites such as bank websites which requested a password
every time the user logged on were safe from Firesheep attacks, but
hackers could still potentially cause havoc and embarrassment by
hijacking people’s Twitter, Facebook or web mail accounts.

According to Mr Hattam, the Firesheep program had been downloaded more
than 129,000 times in the day after it was released so there were a
huge number of potential hackers just waiting for an opportunity.

Mr Hattam said this, combined with the fact that many people were
unintentionally running unsecured networks, gave potential Firesheep
hackers a buffet of different targets to choose from.

He said the best way to thwart potential “sheepers” was to make sure
any wireless networks were secured and password-protected and to avoid
logging on to an unsecured public network.

“Setting up a password or securing your broadband connection is very
easy to do,” Mr Hattam said.

“Even things like the free wi-fi at McDonald’s can leave your computer
at risk from programs like Firesheep.”

He said a secure wireless network often had to be manually set up by
the user and encouraged anyone wanting to establish a new network or
secure their existing one to thoroughly read any documentation which
came with the equipment.

Mr Hattam also said to run any software which originally came bundled
with the equipment because this often walked users through the process
of securing their wireless network.
>
>http://www.dailyexaminer.com.au/stor...et-scam-crime/
>
>Computer hackers surf new program
>
>MOST people have heard the term “a wolf in sheep’s clothing”. However,
>this old expression may need to be changed to a “hacker in sheep’s
>clothing” due to a sneaky new program called Firesheep, which allows
>hackers easy access to information on computers logged on to unsecured
>wireless networks.
>
>Firesheep is a downloadable plug-in application for internet browsers
>which allows users to scan for unsecured wireless networks and steal
>“cookies” – files automatically stored on computers using the network
>which can contain automatic log-in information for some websites.
>
>Websites such as Facebook, Twitter and some web mail services like
>Hotmail allow users the option to automatically log in to their
>accounts when they navigate to their pages, which creates a cookie
>file on their computer with their log-in information.
>
>If Firesheep users get a hold of these cookie files, it can allow them
>to log in to the victim’s account and view information. It also
>grants them the freedom to make any changes they like, such as status
>updates or sending emails and messages.
>
>Computer Troubleshooters North Coast owner Tony Hattam said
>downloading the plug-in and taking over someone’s account on an
>unsecured network was a relatively easy process and warned people to
>take precautions.
>
>“It’s certainly quite insidious,” Mr Hattam said.
>
>“Thankfully, it can’t track your username and password details, but
>it’s certainly the easiest way I’ve seen to take advantage of
>someone’s unsecured wireless connection.”
>
>Mr Hattam said unprotected wireless networks were vulnerable to the
>process and once a hacker had gained access to a computer on the
>network, they could then view and copy these cookie files to various
>web accounts at their leisure.
>
>Fortunately, sites such as bank websites which requested a password
>every time the user logged on were safe from Firesheep attacks, but
>hackers could still potentially cause havoc and embarrassment by
>hijacking people’s Twitter, Facebook or web mail accounts.
>
>According to Mr Hattam, the Firesheep program had been downloaded more
>than 129,000 times in the day after it was released so there were a
>huge number of potential hackers just waiting for an opportunity.
>
>Mr Hattam said this, combined with the fact that many people were
>unintentionally running unsecured networks, gave potential Firesheep
>hackers a buffet of different targets to choose from.
>
>He said the best way to thwart potential “sheepers” was to make sure
>any wireless networks were secured and password-protected and to avoid
>logging on to an unsecured public network.
>
>“Setting up a password or securing your broadband connection is very
>easy to do,” Mr Hattam said.
>
>“Even things like the free wi-fi at McDonald’s can leave your computer
>at risk from programs like Firesheep.”
>
>He said a secure wireless network often had to be manually set up by
>the user and encouraged anyone wanting to establish a new network or
>secure their existing one to thoroughly read any documentation which
>came with the equipment.
>
>Mr Hattam also said to run any software which originally came bundled
>with the equipment because this often walked users through the process
>of securing their wireless network.
>
Riding off of the coattails of the FireSheep Firefox exploit, Digital
Society has studied the basic security functions of 11 popular
websites and given them grades. The results are not stellar for most,
especially social networking sites Twitter and Facebook, which both
received failing grades.
.... snip ...
Long ago and far away we were called in to consult with a small
client/server startup that wanted to do payment transactions on their
server; they had also invented this technology called "SSL" they wanted
to use; the result is now frequently called "electronic commerce". Part
of the effort was a study regarding security requirements for SSL
deployment and use. Almost immediately the security requirements were
violated because webservers found SSL cut their throughput 90-95%, dropping
back to just using it for paying/checkout.
--
virtualization experience starting Jan1968, online at home since Mar1970
"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
news:m3hbfqb8t0.fsf@garlic.com...
>
> Facebook and Twitter fail basic security test
> http://news.yahoo.com/s/digitaltrend...icsecuritytest
>
> from above:
>
> Riding off of the coattails of the FireSheep Firefox exploit, Digital
> Society has studied the basic security functions of 11 popular
> websites and given them grades. The results are not stellar for most,
> especially social networking sites Twitter and Facebook, which both
> received failing grades.
>
> ... snip ...
>
> Long ago and far away we were called in to consult with a small
> client/server startup that wanted to do payment transactions on their
> server; they had also invented this technology called "SSL" they wanted
> to use; the result is now frequently called "electronic commerce". Part
> of the effort was a study regarding security requirements for SSL
> deployment and use. Almost immediately the security requirements were
> violated because webservers found SSL cut their throughput 90-95%, dropping
> back to just using it for paying/checkout.
Reading around on the net, I see recommendations for transport layer
security as having some effect against this attack - I don't see how, if
this really is about a cookie *file* on a computer on the unsecured wireless
network as indicated in the OP's quote. Getting hold of *cookies* in this
sense must not be quite the same as getting hold of *cookie files* stored on
a computer on the affected network - or else SSL/TLS wouldn't have any
effect on it.
"FromTheRafters" <erratic.howard@gmail.com> writes:
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the unsecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.
cookie capture is eavesdropping on an open communication channel (during
cookie transfer) ... followed by a "replay attack" of the harvested
cookie ... then encrypting the communication is a countermeasure to
eavesdropping (as opposed to a trojan running on the victim machine that
harvests the cookie from a disk file).
there is a separate discussion about cookies being a poor solution
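Wheeler's point above, that what gets captured is the cookie in transit and that encrypting the channel is the countermeasure, comes down to two server-side settings that a site grading like the Digital Society survey quoted earlier would look at: whether logged-in pages are served over plain HTTP at all, and whether the session cookie carries the Secure attribute, which makes the browser withhold it from any http:// request. The Python checker below is an added example and is not code from this thread or from Digital Society; its letter-grade scale, its session-cookie name heuristic, and the sample Set-Cookie headers for the made-up hosts `social.example` and `bank.example` are all constructed for the illustration.

```python
"""Added example: grade a site's session-cookie exposure from its headers.

A captured-and-replayed session cookie only works when the cookie travels
in clear text and the site accepts it afterwards. This checker looks at the
two settings that decide the first part: whether the site serves logged-in
pages over plain HTTP, and whether the session cookie is marked Secure.
The grading scale and sample data are constructed for the example.
"""
from dataclasses import dataclass, field

# Heuristic: cookie names that usually carry an authenticated session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags get ""
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def assess_cookie(header_value):
    """Report the attributes that keep a session cookie off the wire."""
    name, _, attrs = parse_set_cookie(header_value)
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs)
    if is_session_cookie(name):
        if not report.secure:
            report.findings.append(
                f"{name}: no Secure attribute, browser will send it over plain http")
        if not report.httponly:
            report.findings.append(
                f"{name}: no HttpOnly attribute, readable by page scripts")
    return report


def browser_would_send(report, scheme):
    """Browsers never attach a Secure cookie to an http:// request."""
    return not (report.secure and scheme == "http")


def grade_site(https_only, set_cookie_headers):
    """Return (grade, findings); the scale is this example's own."""
    findings = []
    if not https_only:
        findings.append("logged-in pages are served over http, so every "
                        "request is readable on a shared network")
    reports = [assess_cookie(h) for h in set_cookie_headers]
    exposed = [r for r in reports if is_session_cookie(r.name) and not r.secure]
    for r in reports:
        findings.extend(r.findings)
    if exposed and not https_only:
        grade = "F"   # session cookie crosses the network in clear text
    elif exposed or not https_only:
        grade = "C"   # one of the two protections is missing
    else:
        grade = "A"
    return grade, findings


# Constructed sample observations for made-up hosts (not real sites' headers).
SAMPLE_SITES = {
    "social.example": (False, [
        "session_id=abc123; Path=/; Domain=.social.example",
        "lang=en; Path=/",
    ]),
    "bank.example": (True, [
        "JSESSIONID=xyz789; Path=/; Secure; HttpOnly",
    ]),
}

if __name__ == "__main__":
    for site, (https_only, headers) in SAMPLE_SITES.items():
        grade, findings = grade_site(https_only, headers)
        print(f"{site}: grade {grade}")
        for finding in findings:
            print("  -", finding)
```

The `social.example` entry reproduces the situation the article describes: a session cookie with no Secure attribute on a site that serves logged-in pages over HTTP, so anyone on the same open network can read it in transit; `bank.example` shows the two settings that close that path.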
On Tue, 9 Nov 2010 14:57:37 -0500, FromTheRafters wrote:
> "Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
> news:m3hbfqb8t0.fsf@garlic.com...
>>
>> Facebook and Twitter fail basic security test
>> http://news.yahoo.com/s/digitaltrend...icsecuritytest
>>
>> from above:
>>
>> Riding off of the coattails of the FireSheep Firefox exploit, Digital
>> Society has studied the basic security functions of 11 popular
>> websites and given them grades. The results are not stellar for most,
>> especially social networking sites Twitter and Facebook, which both
>> received failing grades.
>>
>> ... snip ...
>>
>> Long ago and far away we were called in to consult with a small
>> client/server startup that wanted to do payment transactions on their
>> server; they had also invented this technology called "SSL" they wanted
>> to use; the result is now frequently called "electronic commerce". Part
>> of the effort was a study regarding security requirements for SSL
>> deployment and use. Almost immediately the security requirements were
>> violated because webservers found SSL cut their throughput 90-95%, dropping
>> back to just using it for paying/checkout.
>
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the unsecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.
The Wheelers have addressed the regeneration of info from a cookie but
let's make sure that it is understood that this attack isn't
particularly new or limited to unsecured wireless networks. Wired
networks are as vulnerable but not as easy to find (sometimes).
The answer is full SSL via HTTPS but as the Wheelers have also pointed
out the speed cost is high, hence we have encrypted sessions typically
only where financial info is being transmitted.
IMO the only answer is ToR and with the speed at which ToR operates
these days, it is little price to pay. Think of Tor this way. Imagine
not having anything except ToR for browsing. Speed seems OK now,
doesn't it?
--
<http://2.bp.blogspot.com/_WhnvofcHy48/SDxAZbSaqnI/AAAAAAAAADo/Qh2FYauXJMo/s400/RIMG0019-2.JPG>
"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
news:m3d3qeb5zv.fsf@garlic.com...
>
> "FromTheRafters" <erratic.howard@gmail.com> writes:
>> Reading around on the net, I see recommendations for transport layer
>> security as having some effect against this attack - I don't see how, if
>> this really is about a cookie *file* on a computer on the unsecured
>> wireless
>> network as indicated in the OP's quote. Getting hold of *cookies* in this
>> sense must not be quite the same as getting hold of *cookie files* stored
>> on
>> a computer on the affected network - or else SSL/TLS wouldn't have any
>> effect on it.
>
> cookie capture is eavesdropping on an open communication channel (during
> cookie transfer) ... followed by a "replay attack" of the harvested
> cookie ... then encrypting the communication is a countermeasure to
> eavesdropping (as opposed to a trojan running on the victim machine that
> harvests the cookie from a disk file).
Yes, what I meant was that the quoted article referred to cookie files - and
SSL doesn't deal with files.