Monday, November 8, 2010

How to Beat Firesheep - Secure Open Wifi (Part 3)

This is Part 3 of the Firesheep series, How to Beat Firesheep.  Part 1 introduced the tool and the attack, Part 2 talked about the seriousness of the vulnerability.   
Part 3 will tell you how to beat Firesheep.
Let's drop in a lil napalm and cook 'em down!
First, let's setup up some basic ground rules:
  • We all know you're going to be on Open Wifi at some point, so telling you "get off open wifi" is retarded
  • The problem is essentially owned by the website operators, not the Wifi operators.  The issue is HTTP cookies, and the ability to session-hijack, not the ability to login to a Wifi access point at Starmucks.
  • Sites that are vulnerable to this attack today may not be vulnerable tomorrow, however, there will always be sites that are vulnerable, therefore it is important to at least try and browse securely while on Open Wifi
Some of these solutions will be geared toward the technically savvy.  Some of them will be easy.  Some of them may require that you pay money.  Overall, I think at least one of these solutions will work for everyone.

 Let's get started.
  1. Secure your browsing on the Open Wifi by using VPN.  This is by far the most effective and best way of solving the problem.  This will encrypt all of your traffic on the wifi network and defeat anyone trying to use Firesheep against you.  It can however cause you to spend a few bucks.  Solutions like VyprVPN are perfect for solving the session-hijack problem.  See my earlier review on VyprVPN here (figures it would come in handy!)  quick note: VyprVPN is included free in Giganews subscriptions.
  2. Secure your browsing on the Open Wifi by using SSH.  This is very similar to using a VPN, except I would consider it much more difficult to setup.  Essentially it provides the same benefit, an encrypted connection. Lifehacker did a good tutorial awhile back on setting up a free SSH server using your home computer here.  Cygwin and OpenSSH are essentially the solutions here, but beware, setup is perhaps not for the faint of heart.  Ducks need not apply.     
  3. Utilize SSL versions of websites (HTTPS rather than HTTP).  This is easy.  Many websites have HTTPS versions, even Facebook.  However there is a major drawback:  often times while browsing you will inadvertently switch back to HTTP.  Try that Facebook link, then click around - see the problem?  You're switching from HTTPS to HTTP in a heartbeat.  This solution is easy, but perhaps less than ideal, and not very effective.
  4. Install Firefox addons that will automatically direct you to HTTPS website versions.  Two options are:  HTTPS Everywhere and Force-TLS.   This is also easy, and it will solve the problem of having to remember to type "HTTPS", or change your bookmarks.  The addon will automatically direct you to the secure version of the site.  Of course this still suffers from the same problem as #3, websites will easily switch you from HTTPS to HTTP, and is therefore still problematic.
  5. Use the "Blacksheep" addon. Blacksheep is a firefox addon that will supposedly scan the Open Wifi you are on and determine if anyone is running Firesheep on it.  So, if it you see a return, then at least you are aware of what's going on, and can hopefully take the necessary precautions.  Still this does not solve the problem, it only makes you aware of the potential danger.  Blacksheep does tell you the IP address of the attacker though.  But if you're sitting in Starmucks, this may mean all you can do is yell out "Hey 192.168.0.XXX, you SMOKE POLE!"  There is another drawback to this too - you don't need Firesheep to conduct this type of attack (Wireshark + WinPCap = Win).  So although Blacksheep may detect Firesheep, it does not solve the session-hijack problem.  The other issue here is this software is newly released, which could mean a back-and-forth between the "sheep".  (fix, counter, fix, counter)
  6. Use a Mifi/Cellular Modem/Hotpsot type device.  I think every major cellular provider in North America sells these things.  Some of them are just USB sticks you plug into the computer.  In other cases, you can tether your phone to the laptop.  The problem here is this costs money, a lot of money, and is tantamount to saying "don't use Open Wifi".  Not an ideal solution, although it is effective at solving the problem. 
  7. Use Fireshepherd.  This is a brand new piece of software designed specifically to combat Firesheep.  It is not an addon like Blacksheep.  Fireshepherd periodically sends out a stream of garbage that is intended to screwup or crash Firesheep.  YMMV with this software.  So far I have not read any reviews or done extensive tests myself.  As I said, it's brand new.  The other potential drawback is that this, like Blacksheep, does not apply to the actual root problem of session-hijacking.  In other words, this may be another solution to the Firesheep issue, but not a solution to the session-hijacking problem.  This is also vulernable to the same tit-for-tat as Blacksheep.   
  8. On a Mac? Try Meerkat.  This is basically setting up SSH for your Mac, but Meerkat makes it a little easier.  Of course, Meerkat costs money.  There is a very good guide that deals with the entire Meerkat setup process here.  Remember, OpenSSH is installed in Mac OS X by default.  However, you still are going to deal with setup though, and again, that depends on whether you're a duck or not...
Warning from Blacksheep that Firesheep is active on your network
What are the other pundits saying?  Most of them are going with VPN as the best solution, including the Firesheep developer himself.  Hey, if Harvard recommends VPN, there must be something to it, right? 
I heard these people were smart
I would honestly reccomend people look into a secure service like VyprVPN.  Cost is minimal and benefits are great.  Especially if you are conducting "work" over open Wifi, or if you are spending time on social, financial, or other private sites  Consider it your own little private encrypted tunnel on an otherwise open network.  I have no problem endorsing VyprVPN as an ideal solution that will keep you on Open Wifi, but keep you safe from kiddies session-hijacking your logins (VPN solves a number of other security concerns as well).  As I mentioned in my earlier review, this service also comes free with Giganews, so if you're already on Usenet, now may be the time to look at Giganews.  

VyprVPN Personal VPN lets you browse securely

I figure it's also worth mentioning solutions that are NO GOOD.  In other words, these will NOT WORK.
  • Using Tor.  Tor will not solve your problems.  In fact, if the owner of the exit node is running Firesheep, you just got pwned, hard.  Even the Firesheep developer thinks using Tor is a bad idea.
  • Enable WPA2 and tell yourself "it's all good now".  Sure, you've done good, but you can still get pwned, pretty hard.  ARP poisioning and DNS spoofing take a little bit more tech savvy, but software exists to conduct those attacks as well - on either a wirless WPA2 network, or a wired network.  Google: Cain and Abel.  
  • Using a VPN or SSH tunnel you don't know and trust.  This is bad, mmkay?  You just pushed the problem off to that exit connection.  Since you don't know anything about it, and clearly can't trust it...you're basically asking for trouble.  "Use VPN" is good, but just blindly using whatever VPN is not - get it? 
As you can see from the above, the solutions basically come in two flavors:
  • Encrypt all of your communications on the wireless network (VPN, SSH, Meerkat, etc)
  • Encrypt the communications with the particular website (HTTPS, Addons, etc.)

Both of these flavors have one thing in common: encryption.  If you don't know, now you know. 

BTW, if you are running Firesheep for whatever purpose, be aware that Microshaft is detecting it as a "virus/malware".  I lol'd.  Another BTW, if you are using the standard Windows antivirus/antimalware you should seriously consider upgrading to an alternative.
Getting pwned by script kiddies is bad, mmmkay?

52 comments:

  1. already knew about some of this but there are some great things i didn't know about nonetheless.

    ReplyDelete
  2. holy crap this is some legit info! thanks!

    ReplyDelete
  3. hm, might have to check that out- thanks

    ReplyDelete
  4. wow... the world of technology is scary

    ReplyDelete
  5. I think I might just disconnect from the web, that seems easiest :D

    ReplyDelete
  6. great tips for the unknowing. firesheep is dangerous!

    ReplyDelete
  7. That's really worth reading there. LMAO! that duck picture is so funny! Just like my mum!

    ReplyDelete
  8. well well but too bad cain&abel doesn't run on win7 ;/

    ReplyDelete
  9. thanks for the info... do you have any other helpful tips?

    ReplyDelete
  10. some very cool tricks there, following

    ReplyDelete
  11. This is going to come in handy. I think your writing style is very clever, so I will definitely follow. Cheers.

    ReplyDelete
  12. Its nice to see a post with some effot but in, thanks for the info I'll remeber that

    ReplyDelete
  13. wish i knew more about this sort of software

    ReplyDelete
  14. looks really interesting, but tl;dr
    will read it later, bro

    ReplyDelete
  15. So dope! Can't wait to try this stuff.

    ReplyDelete
  16. Great info man! Going to be trying a couple of these! Thanks!

    ReplyDelete
  17. While unfortunate, most of these the unexpected happens, and in case you make the financial institution mindful of them, your chances
    of getting a car loan after bankruptcy just increased greatly quick loans
    constantly try this prior to using to get a loan from the bank.

    ReplyDelete
  18. There's only a lot blame that may be wear just payday lenders or borrowers of these plans no credit check loans nonetheless, these days you could possibly realize that it's actually mastercard that's acknowledged and received in a better quantity of establishments.

    ReplyDelete
  19. But for people with mediocre or low credit score scores, on one other
    hand, it can be a different story instant payday loans interest rate levied for the approved fund is sort of
    above normal loans because of short-run naturally.

    ReplyDelete
  20. This sort of mortgage is a that is insured through the government,
    that allows for your lenders to share with risky borrowers given that
    they not have the worry of default Utah payday loans that means the confusion level associated with
    understanding the system is going to be kept effectively down.

    ReplyDelete
  21. I was curious if you ever thought of changing the structure
    of your site? Its very well written; I love what youve got
    to say. But maybe you could a little more in the way of content so
    people could connect with it better. Youve got an awful lot of text for only having one or 2 images.
    Maybe you could space it out better?

    my web page; Graciela Mazyck

    ReplyDelete
  22. All the plugmold desires to develop into secured by using a GFCI
    most likely a ground-fault rounds interrupter so as that the actual plugmold shouldn't overstock. They happen to be perfect for the youngsters, immediately healthy foods, also known as facilitating remember to keep when sizeable snack you are constructing sexy. It can be important to create a well-organized the kitchen area nevertheless provide you with actions in a position to and opt for suitable height and width of. Over the years, ancient customs dried up herbal treatments in the sun, later on on hints developed especially happen to be bedroom dehydrating, apartment blow drying, your oven blow drying, as well work, microwave drying out. Surely turkey registration is the best worked for thanks to almond and additionally stew.

    Also visit my website; Jacob Chisholm

    ReplyDelete
  23. It really is mandatory handiest kitchenware tested recipes
    is often easy to equip having the smallest amount regarding
    help together with easy as well , additionally in good physical shape.
    A utility divider your oven aids you prepare
    the exact amount recipes exclusive of feasting on way up quite an area at your living room.
    When thinking about after-school your snacks of the, mom don't need to be satisfied with cookies, playing chips and / or maybe cereal cafes. E . g ., creating while paying off, any chore a lot of people waiting to abolish.

    Here is my weblog - Alphonse Cichosz

    ReplyDelete
  24. Nevertheless to thoroughly improve utilizing their field confirm you
    gets the chance to treatments doing it quite.
    As you are today understand how individually train on the other hand help to make diet
    relating to on his own among others, it is not just a
    task almost everyone has the eye in order to really. Some investigation has really been handled to find the levels of caffeine health and wellbeing insinuation.
    Join new pineapples, berries, soy products
    reap the benefits of, organic, and simply ice cubes in the vita mixer.
    Yet now are unable to consider as plenty of carbs, form of have no need for rice steamer nowadays.


    Visit my blog: 2 slice red toaster

    ReplyDelete
  25. It can be just one single of any frying techniques easily now a days.
    Primarily because, Investigate about how to use a convection microwave
    for that nutrient results, and special discounts.
    Primary, a nice non-stick paving is a terrific deal that leave your new
    end product leave some hot conveniently. Where i inspected our own hot
    temperature having it truly is best quality ring setting, all models
    becoming when it comes to The diplomas.

    Also visit my website - 30 inch stainless wall oven

    ReplyDelete