Users of Wi-Fi Hotspots: Firesheep is On The Loose!

[sengsational]

As a PSA for the readers of this board, I thought I'd mention that if you like to take your laptop to the Starbucks (or any other open wi-fi access point), there's been a huge increase in risk lately due to a Firefox plug in called "Firesheep".

If you have to type a password to get on your hot spot, you're probably ok, even if the password is posted on the wall at the coffee shop!
This is true because that means the traffic is WPA encrypted, and sniffers can't see each others' traffic.

But if there's no password, sniffers can see all of your traffic. It has been this way "forever". What's different NOW is that with a few clicks, anyone can hijack your session (basically they become you), for many web sites (Facebook, twitter, eBay, etc.... see this link for a list: Handlers - firesheep - GitHub).

Hijackers can "become you" in that coffee shop or wherever, meaning they could not only read everything that you can read on the hijacked account, but change anything they want too! This is going to be really fun to watch profile pictures get changed on Facebook! If there is any "good news" is that 1) They probably can't change your password (because most sites re-ask for your password, and the hijacker doesn't have that, and 2) If you log off of the site (instead of just closing the browser tab), the cookie will become invalid for the hijacker.

So what do you do? Don't use open wifi hotspots for web sites that don't protect your privacy all the time. The web sites that are the problem are ones that do https encryption during the login, but pop you out to non-encrypted http afterwards, and just use a session cookie to keep you going. This is how Firesheep works; it just listens for your session cookie, then uses it to "become you" on those sites at risk.

Be safe!

--Dale--

[braumeister]

I always use PublicVPN and I think I'm pretty safe.

[walkinwood]

Thanks for the warning.
On our last vacation, none of the hotels had any encryption on their wi-fi.

You can also use a firefox plug-in called No Script to force sites to use https. I use it to enforce an https connection with gmail. I just added facebook and it works too. Some sites do not have the capability to use https, so it will not work everywhere.

[sengsational]

Quote:

Originally Posted by braumeister I always use PublicVPN and I think I'm pretty safe.

Yep! Any tunneling solution will prevent this. Hotspot VPN is another, in case there are lurkers that want to go tunnel shopping.

Quote:

Originally Posted by walkinwood ...force sites to use https.

Again, right-on. Such a well informed community here! I'm impressed! There are some sites where if you purposefully start out at the https link, it will keep you secure throughout, even without a plug in. I bet more sites will start going this direction when their help desks get flooded with "my account got hacked" messages!

--Dale--

[walkinwood]

You've got to love the open source community.

Now, there's a Fireshepherd to tame firesheep

How To Screw With Firesheep Snoops? Try FireShepherd - Andy Greenberg - The Firewall - Forbes

[M Paquette]

Quote:

Originally Posted by walkinwood You've got to love the open source community. Now, there's a Fireshepherd to tame firesheep How To Screw With Firesheep Snoops? Try FireShepherd - Andy Greenberg - The Firewall - Forbes

heh. He found a buffer overflow in Firesheep. Next step, hook it to a code injection hack, and use that to take over the browser running Firesheep, from which point we pown the Firesheep user's account, and if running as admin, his entire machine. Perhaps this could install a nice gift, such as one of those programs that at random intervals opens a few hundred porn sites.

Ya know, it's good to have hobbies in retirement to exercise the brain...