Users of Wi-Fi Hotspots: Firesheep is On The Loose!
Old 10-30-2010, 04:07 PM   #1
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,829

As a PSA for the readers of this board, I thought I'd mention that if you like to take your laptop to the Starbucks (or any other open wi-fi access point), there's been a huge increase in risk lately due to a Firefox plug-in called "Firesheep".

If you have to type a password to get on your hot spot, you're probably ok, even if the password is posted on the wall at the coffee shop!
This is true because that means the traffic is WPA encrypted, and sniffers can't see each other's traffic.

But if there's no password, sniffers can see all of your traffic. It has been this way "forever". What's different NOW is that with a few clicks, anyone can hijack your session (basically they become you), for many web sites (Facebook, Twitter, eBay, etc.; see this link for a list: Handlers - firesheep - GitHub).

Hijackers can "become you" in that coffee shop or wherever, meaning they could not only read everything that you can read on the hijacked account, but change anything they want too! This is going to be really fun to watch profile pictures get changed on Facebook! If there is any "good news", it is that 1) they probably can't change your password (because most sites re-ask for your password, and the hijacker doesn't have that), and 2) if you log off of the site (instead of just closing the browser tab), the cookie will become invalid for the hijacker.

So what do you do? Don't use open wifi hotspots for web sites that don't protect your privacy all the time. The web sites that are the problem are ones that do https encryption during the login, but pop you out to non-encrypted http afterwards, and just use a session cookie to keep you going. This is how Firesheep works; it just listens for your session cookie, then uses it to "become you" on those sites at risk.

Be safe!

--Dale--
sengsational is online now   Reply With Quote
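
Added example (not part of the original post, and not Firesheep's or any site's own code): a small Python check a site owner could run over the response headers of an HTTPS login to spot the pattern described above, where the session cookie is allowed onto plain http after login. The header values and the `social.example` host are constructed samples.

```python
# Added example: audit HTTPS login response headers for the
# "https at login, http afterwards" weakness described in the post.
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names)."""
    first, *attrs = value.split(";")
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags

def audit_login_response(headers):
    """headers: list of (name, value) pairs from an HTTPS login response."""
    findings = []
    seen = {k.lower() for k, _ in headers}
    for key, value in headers:
        k = key.lower()
        if k == "set-cookie":
            name, flags = parse_set_cookie(value)
            if "secure" not in flags:
                # Without Secure the browser also sends it on http requests,
                # where anyone on an open network can read it.
                findings.append(f"cookie {name}: no Secure flag")
        elif k == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirect drops to http: {value}")
    if "strict-transport-security" not in seen:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample: login over https, then back to http with a bare cookie.
WEAK = [
    ("Set-Cookie", "session=3f9a; Path=/"),
    ("Location", "http://social.example/home"),
]
# Constructed sample: the site stays on https and restricts the cookie.
HARDENED = [
    ("Set-Cookie", "session=3f9a; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://social.example/home"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response(hdrs) or "no findings")
```
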
Old 10-30-2010, 04:54 PM   #2
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,592
I always use PublicVPN and I think I'm pretty safe.
__________________
Pas de lieu Rhône que nous.
braumeister is online now   Reply With Quote
Old 10-31-2010, 01:26 PM   #3
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,676
Thanks for the warning.
On our last vacation, none of the hotels had any encryption on their wi-fi.

You can also use a Firefox plug-in called No Script to force sites to use https. I use it to enforce an https connection with Gmail. I just added Facebook and it works too. Some sites do not have the capability to use https, so it will not work everywhere.
walkinwood is offline   Reply With Quote
Old 11-02-2010, 05:03 PM   #4
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,829
Quote:
Originally Posted by braumeister View Post
I always use PublicVPN and I think I'm pretty safe.
Yep! Any tunneling solution will prevent this. Hotspot VPN is another, in case there are lurkers that want to go tunnel shopping.

Quote:
Originally Posted by walkinwood View Post
...force sites to use https.
Again, right-on. Such a well-informed community here! I'm impressed! There are some sites where if you purposefully start out at the https link, it will keep you secure throughout, even without a plug-in. I bet more sites will start going this direction when their help desks get flooded with "my account got hacked" messages!

--Dale--
sengsational is online now   Reply With Quote
Old 11-02-2010, 05:49 PM   #5
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,676
You've got to love the open source community.

Now, there's a Fireshepherd to tame Firesheep.

How To Screw With Firesheep Snoops? Try FireShepherd - Andy Greenberg - The Firewall - Forbes
walkinwood is offline   Reply With Quote
Old 11-02-2010, 11:07 PM   #6
Moderator Emeritus
 
Join Date: Oct 2007
Posts: 4,929
Quote:
Originally Posted by walkinwood View Post
You've got to love the open source community.

Now, there's a Fireshepherd to tame Firesheep.

How To Screw With Firesheep Snoops? Try FireShepherd - Andy Greenberg - The Firewall - Forbes
heh. He found a buffer overflow in Firesheep. Next step, hook it to a code injection hack, and use that to take over the browser running Firesheep, from which point we pown the Firesheep user's account, and if running as admin, his entire machine. Perhaps this could install a nice gift, such as one of those programs that at random intervals opens a few hundred porn sites.

Ya know, it's good to have hobbies in retirement to exercise the brain...
M Paquette is offline   Reply With Quote