
Monday, November 8, 2010

How to Beat Firesheep - Secure Open Wifi (Part 3)

This is Part 3 of the Firesheep series, How to Beat Firesheep.  Part 1 introduced the tool and the attack, Part 2 talked about the seriousness of the vulnerability.  Part 3 will tell you how to beat Firesheep.
Let's drop in a lil napalm and cook 'em down!
First, let's set up some basic ground rules:
  • We all know you're going to be on Open Wifi at some point, so telling you "get off open wifi" is retarded
  • The problem is essentially owned by the website operators, not the Wifi operators.  The issue is HTTP cookies, and the ability to session-hijack, not the ability to login to a Wifi access point at Starmucks.
  • Sites that are vulnerable to this attack today may not be vulnerable tomorrow, however, there will always be sites that are vulnerable, therefore it is important to at least try and browse securely while on Open Wifi
Some of these solutions will be geared toward the technically savvy.  Some of them will be easy.  Some of them may require that you pay money.  Overall, I think at least one of these solutions will work for everyone.

 Let's get started.
  1. Secure your browsing on the Open Wifi by using VPN.  This is by far the most effective and best way of solving the problem.  This will encrypt all of your traffic on the wifi network and defeat anyone trying to use Firesheep against you.  It can however cause you to spend a few bucks.  Solutions like VyprVPN are perfect for solving the session-hijack problem.  See my earlier review on VyprVPN here (figures it would come in handy!)  quick note: VyprVPN is included free in Giganews subscriptions.
  2. Secure your browsing on the Open Wifi by using SSH.  This is very similar to using a VPN, except I would consider it much more difficult to setup.  Essentially it provides the same benefit, an encrypted connection. Lifehacker did a good tutorial awhile back on setting up a free SSH server using your home computer here.  Cygwin and OpenSSH are essentially the solutions here, but beware, setup is perhaps not for the faint of heart.  Ducks need not apply.     
  3. Utilize SSL versions of websites (HTTPS rather than HTTP).  This is easy.  Many websites have HTTPS versions, even Facebook.  However there is a major drawback:  often times while browsing you will inadvertently switch back to HTTP.  Try that Facebook link, then click around - see the problem?  You're switching from HTTPS to HTTP in a heartbeat.  This solution is easy, but perhaps less than ideal, and not very effective.
  4. Install Firefox addons that will automatically direct you to HTTPS website versions.  Two options are:  HTTPS Everywhere and Force-TLS.   This is also easy, and it will solve the problem of having to remember to type "HTTPS", or change your bookmarks.  The addon will automatically direct you to the secure version of the site.  Of course this still suffers from the same problem as #3, websites will easily switch you from HTTPS to HTTP, and is therefore still problematic.
  5. Use the "Blacksheep" addon. Blacksheep is a Firefox addon that will supposedly scan the Open Wifi you are on and determine if anyone is running Firesheep on it.  So, if you see a hit, then at least you are aware of what's going on, and can hopefully take the necessary precautions.  Still this does not solve the problem, it only makes you aware of the potential danger.  Blacksheep does tell you the IP address of the attacker though.  But if you're sitting in Starmucks, this may mean all you can do is yell out "Hey 192.168.0.XXX, you SMOKE POLE!"  There is another drawback to this too - you don't need Firesheep to conduct this type of attack (Wireshark + WinPCap = Win).  So although Blacksheep may detect Firesheep, it does not solve the session-hijack problem.  The other issue here is this software is newly released, which could mean a back-and-forth between the "sheep".  (fix, counter, fix, counter)
  6. Use a Mifi/Cellular Modem/Hotspot type device.  I think every major cellular provider in North America sells these things.  Some of them are just USB sticks you plug into the computer.  In other cases, you can tether your phone to the laptop.  The problem here is this costs money, a lot of money, and is tantamount to saying "don't use Open Wifi".  Not an ideal solution, although it is effective at solving the problem.
  7. Use Fireshepherd.  This is a brand new piece of software designed specifically to combat Firesheep.  It is not an addon like Blacksheep.  Fireshepherd periodically sends out a stream of garbage that is intended to screw up or crash Firesheep.  YMMV with this software.  So far I have not read any reviews or done extensive tests myself.  As I said, it's brand new.  The other potential drawback is that this, like Blacksheep, does not address the actual root problem of session-hijacking.  In other words, this may be another solution to the Firesheep issue, but not a solution to the session-hijacking problem.  This is also vulnerable to the same tit-for-tat as Blacksheep.
  8. On a Mac? Try Meerkat.  This is basically setting up SSH for your Mac, but Meerkat makes it a little easier.  Of course, Meerkat costs money.  There is a very good guide that deals with the entire Meerkat setup process here.  Remember, OpenSSH is installed in Mac OS X by default.  However, you still are going to deal with setup though, and again, that depends on whether you're a duck or not...
Warning from Blacksheep that Firesheep is active on your network
What are the other pundits saying?  Most of them are going with VPN as the best solution, including the Firesheep developer himself.  Hey, if Harvard recommends VPN, there must be something to it, right? 
I heard these people were smart
I would honestly recommend people look into a secure service like VyprVPN.  Cost is minimal and benefits are great.  Especially if you are conducting "work" over open Wifi, or if you are spending time on social, financial, or other private sites.  Consider it your own little private encrypted tunnel on an otherwise open network.  I have no problem endorsing VyprVPN as an ideal solution that will keep you on Open Wifi, but keep you safe from kiddies session-hijacking your logins (VPN solves a number of other security concerns as well).  As I mentioned in my earlier review, this service also comes free with Giganews, so if you're already on Usenet, now may be the time to look at Giganews.

VyprVPN Personal VPN lets you browse securely

I figure it's also worth mentioning solutions that are NO GOOD.  In other words, these will NOT WORK.
  • Using Tor.  Tor will not solve your problems.  In fact, if the owner of the exit node is running Firesheep, you just got pwned, hard.  Even the Firesheep developer thinks using Tor is a bad idea.
  • Enable WPA2 and tell yourself "it's all good now".  Sure, you've done good, but you can still get pwned, pretty hard.  ARP poisoning and DNS spoofing take a little bit more tech savvy, but software exists to conduct those attacks as well - on either a wireless WPA2 network, or a wired network.  Google: Cain and Abel.
  • Using a VPN or SSH tunnel you don't know and trust.  This is bad, mmkay?  You just pushed the problem off to that exit connection.  Since you don't know anything about it, and clearly can't trust it...you're basically asking for trouble.  "Use VPN" is good, but just blindly using whatever VPN is not - get it? 
As you can see from the above, the solutions basically come in two flavors:
  • Encrypt all of your communications on the wireless network (VPN, SSH, Meerkat, etc)
  • Encrypt the communications with the particular website (HTTPS, Addons, etc.)

Both of these flavors have one thing in common: encryption.  If you don't know, now you know. 

BTW, if you are running Firesheep for whatever purpose, be aware that Microshaft is detecting it as a "virus/malware".  I lol'd.  Another BTW, if you are using the standard Windows antivirus/antimalware you should seriously consider upgrading to an alternative.
Getting pwned by script kiddies is bad, mmmkay?

Saturday, November 6, 2010

Attack Clients on Open Wifi - Firesheep (Part 2)

Looks like the 15 minutes of fame for Firesheep is getting extended...

Sites you can pwn using Firesheep:
  • Facebook
  • Twitter
  • Flickr
  • Yahoo! Mail
  • Windows Live
  • Hotmail
  • Google.com (not GMail)
  • Slashdot
  • Amazon
  • Newegg
  • Home Depot
  • United Airlines
  • Office Max
  • Wordpress (when not using their optional SSL)
  • More coming soon!
Why is it so easy for mass pwnage?  A lot of sites, including most social networking sites, use HTTPS only for the login form.  After that, it's all good ol' HTTP.  Also, in general, it's very difficult to have persistent HTTPS, or end-to-end encryption.  So, for this type of "session-hijack" you don't even need the user/pass of the victim.  Essentially the attacker can impersonate the victim, thus taking control of the account.
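Since, as Part 3 says, the problem is really owned by the website operators, here is an added example (not code from the original post or from the Firesheep project) of the check a site owner can run on their own login response: a session cookie set without the Secure attribute is the thing the browser will happily replay over plain HTTP, and a missing HSTS header (RFC 6797, the later standard form of what the Force-TLS addon does client-side) is what lets the site be visited over HTTP at all.  The cookie-name hints and the sample headers are constructed assumptions.

```python
# Added example, not code from the original post: audit a site's login
# response for the weakness Firesheep exploits. Sample headers are constructed.
from typing import Dict, List, Tuple

# Substrings that usually mark a session/login cookie (heuristic, an assumption)
SESSION_HINTS = ("sess", "sid", "auth", "login", "token")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response given as (header, value) pairs.
    A session cookie without Secure rides on every plain-HTTP request (what
    Firesheep copies off the air); without HSTS the site can still be hit over HTTP."""
    findings: List[str] = []
    has_hsts = False
    for header, value in headers:
        if header.lower() == "strict-transport-security":
            has_hsts = True
        elif header.lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # e.g. a language preference: no use to a sidejacker
            if "secure" not in attrs:
                findings.append(f"{name}: no Secure flag, cookie leaks over HTTP")
            if "httponly" not in attrs:
                findings.append(f"{name}: no HttpOnly flag, readable by page script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, HTTP downgrade possible")
    return findings


# Constructed: the "HTTPS for the login form only" pattern the post describes
VULNERABLE = [("Content-Type", "text/html"),
              ("Set-Cookie", "sessionid=abc123; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"),
              ("Set-Cookie", "lang=en; Path=/")]
# Constructed: the same login response after the site operator fixes it
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "lang=en; Path=/")]
```

Running `audit_response(VULNERABLE)` reports three findings (no Secure, no HttpOnly, no HSTS) while `audit_response(HARDENED)` reports none; the Secure flag alone is what takes the cookie out of Firesheep's reach.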
In truth, Wireshark did this ages ago via the little-known method of copy/paste :)  Turn the clock back to the beginnings of 802.11, war-driving, wep-cracking, and this type of attack was still valid.  Why all the discussion now?  Because instead of copy/paste, you get a nice little GUI and employ the uber-powerful double-click!
What does all this mean?  Whenever an attack gets easier, it tends to become more popular.  You can bet top dollar that going forward, at Starbucks, Safeways, Hotels, or wherever there is free open wifi, there will be someone running Firesheep.  Hint:  look for the script kiddie, social outcast, or the dude laughing so hard he looks like he may shit himself.
Few words of caution if you intend on "testing" this out in your neighborhood:
  • People are already doing this, so you're behind the times (see above link)
  • Most owners of open-wifi at commercial establishments have ToS (terms of service), you are likely violating those terms of service.  However, those ToS also go both ways, informing users that there can be no expectation of privacy, or liability for the store/wifi owner, should damage occur.
  • In many countries/states/counties/cities, it is illegal to sniff networks for user information unless said users authorize the action.  Check your local laws. IANAL
To finish out this post I think I'll add a short list of additional "connections/networks/protocols" that are vulnerable to Firesheep (yeah so I interchanged words that shouldn't be interchanged, sue me)
  • POP3 Mail
  • SMTP Mail
  • IMAP Mail
  • FTP
Hint:  SSL/TLS, SSH, and VPN are your friends!  Stay tuned for Part 3 that will describe how to beat Firesheep!

Attack Clients on Open Wifi - Firesheep

Keeping the theme of security rolling, I wanted to put a quick post about Firesheep.

BBQ Sheep
This is a relatively new tool, but it's based on a fairly old attack method (sidejacking/session-hijacking).

Why do we care about this?  Because it's a legit attack over open WiFi that will allow a user to essentially hack your logins/passwords and gain access to your "private accounts" (i.e. Facebook, Email, etc.)

All your HTTP logins belongs to me
Slashdot and many other publications have already picked up on Firesheep, and the developer has already felt the full effects of what is known as the "security shitstorm."  The security shitstorm normally ensues when an old attack (or a new attack) becomes "easy" in the wild.  People moan and groan and bitch at the developer, mostly.  How could you do this, they say.  Why are you such an ass, other developers moan.  You're just enabling the script kiddies, all the old dudes yell.  Yeah, yeah, whatever.  Software is software, get over it.

Onto the heart of the subject, Firesheep.

Firesheep was released on Monday, November 1st, and has already been downloaded something like 500,000 times.  Firesheep is an addon to Firefox.  The addon allows you to "sniff" the open wireless network you are on (at starbucks, safeway, the airport, whatever).  Firesheep sniffs for, put simply, logon cookies.  Other users on the same open Wifi as you, that login to say, Facebook...well you steal that "logon cookie" (I'm simplifying, run with me here...).  You then use that logon cookie and gain access to whatever private site that user was logged into (i.e. Facebook).  Pretty cool eh?
Screenshot of Firesheep - Stealin Facebook Logins
Think of it this way, when you login to Facebook, and then close that tab/window/whatever...but decide 20 minutes later to go back...you don't always have to retype your user/password...do you?  No, you don't.  That information and the session authentication is stored in a little piece of shit called a cookie.  Well if someone can copy that cookie, they can fake Facebook into thinking they are you.  Voilà - they are now in your account.
There are limitations, of course, and I think the developer does an excellent job of explaining them on his website.  The problem essentially arises from only securing the login page and information.  I won't get into the details, because they don't really matter to most of the public.  You just need to know that your shit is vulnerable.  Maybe if I get bored I'll put a list of major websites that are vulnerable, maybe not...By the way, screw you if you don't like the dude or the tool...as I said, software is software.

You may recall me mentioning how that wonderful open wifi at the airport was not-so-good after all in an earlier post about VyprVPN.  Well, here's your proof.  Seriously folks, be careful.  I didn't mention the longer methods, that of course, are still valid...but now that Firesheep is out in the wild, it's gotten a lot easier.  I'll be posting again with some screenshots of Firesheep in action around town.  I'll also incorporate a how-to-beat Firesheep in the very near future.  Hint:  VPN
This isn't just Facebook or Flickr we're talking about here, a lot of your logins are potentially vulnerable to this type of attack.