StarDestroyer.Net BBS

Firesheep is a Firefox plugin that grabs session information from the network.

"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. Double-click on someone, and you're instantly logged in as them. That's it."

There was a guy at my Uni who was injecting coments of his own into Facebook chats when the users were connected through the university's wifi. I wonder if this is how he did it?

Phantasee wrote:There was a guy at my Uni who was injecting coments of his own into Facebook chats when the users were connected through the university's wifi. I wonder if this is how he did it?

Almost certainly.

The saddest part is the tabloid press is saying 'OMG TEH HAXX0RS' instead of 'wow, that's a pretty insecure website. Maybe I shouldn't trust such sites with my personal data?'

But STRAK, they wouldn't be able to collect data so easily!!!

For sites like FB its probably simply the extra overhead for SSL/etc would cost them money rather than anything else.

Ah, yeah, that seems more reasonable.

Stark wrote:For sites like FB its probably simply the extra overhead for SSL/etc would cost them money rather than anything else.

SSL/TLS is fairly cheap, as it happens. Google's metrics indicate less than 1% CPU, 2% network and 10KB/connection overhead for encrypted gmail.

Stark wrote:The saddest part is the tabloid press is saying 'OMG TEH HAXX0RS' instead of 'wow, that's a pretty insecure website. Maybe I shouldn't trust such sites with my personal data?'

Well, to be fair it's not really the site that's insecure but the network that is.

Ryan Thunder wrote:But STRAK, they wouldn't be able to collect data so easily!!!

Facebook can collect plenty of data with or without SSL. You're still connecting to them, after all.

Huh. I figured they'd be secure if it didn't necessitate better hardware at their ends.

Well, crap. And my university has not just one, but two open Wi-Fi networks, one of which could allow anyone from the outside to use our Internet connection. (that's right, no login at all! yes I know. thankfully it is subnetted away from our normal, encrypted SSID.) Which means that any enterprising con will be able to rip off of some of our...lazier students.

We DID warn every student that asked us about these two networks to NOT log into their personal sites, if they so chose to use those SSIDs (which we also strongly recommended against in the first place, but hey, no one listens to us). I am very much willing to bet that a considerable amount of them conduct online shopping using these open networks, too.

Oh well...I guess. If they did not take our warnings to heart, then they are the ones who dug their own graves. It makes me wonder why those two open networks even exist at all.

UTAS wifi is so secure that most of its own students can't even log in because it's implemented so poorly securely.

This is probably the only time not being able to find any decent unsecured networks during my average day has turned out to be beneficial.

Well, you have to realize that the technology used to sniff open networks has already existed for ages, especially with nifty little UIs that make what is needed to do a matter of point, click, and read (or not even, depending on what is used). This Firefox addon merely reduces the number of clicks that you have to make.

Open networks were never, ever safe to use in the first place.

Stark wrote:Huh. I figured they'd be secure if it didn't necessitate better hardware at their ends.

There's something of the perception that HTTPS requires substantially more hardware. That used to be true and a lot of sysadmins probably gained that experience.

Stark wrote:For sites like FB its probably simply the extra overhead for SSL/etc would cost them money rather than anything else.

I don't have a facebook account, but it seems that there is an equivalent https://www.facebook.com option but no one seems to be using it. Wouldn't be 100% secure but atleast constrict firesheep.

It doesn't work. Navigate around the Facebook website and it just tosses you back to plain HTTP.

Not the most ethical way of bringing light to a critical security flaw. Wouldn't it have been just as illuminating to display all the accounts that you COULD hijack without actually allowing you to do so?

True enough. If I had written it I might have only allowed hijackers to post a stock status update along the lines of "This account has been hijacked by Firesheep, go here to find out how and the easy thing Facebook could do to prevent it"

It's not like Facebook is scrambling to implement https or anything, as far as I can tell they're ignoring it. Hotmail and Gmail are https at least.

So quick question: if I were to browse, say, SDN on my school's wifi while using an iPhone would I be safer using the https option?

So when does the class-action lawsuit hit for enabling worthless trolling palm-fuckers everywhere to pretend they're clever by committing identity fraud?

Phantasee wrote:So quick question: if I were to browse, say, SDN on my school's wifi while using an iPhone would I be safer using the https option?

Yes.

Uraniun235 wrote:It doesn't work. Navigate around the Facebook website and it just tosses you back to plain HTTP.

A flatmate of mine seems to be successfully using the https version of facebook with this:
http://www.eff.org/https-everywhere

Phantasee wrote:So quick question: if I were to browse, say, SDN on my school's wifi while using an iPhone would I be safer using the https option?

You're always safer using HTTPS when it's available.

Of course, I generally don't care too much if one of my message-board accounts is broken into (although it's never happened to me thus far) and anything important like I do over the Internet like e-mail, banking and online shopping is already using SSL, so this isn't that huge a deal.

Still, hopefully this will encourage more sites to start encrypting.

Uraniun235 wrote:It doesn't work. Navigate around the Facebook website and it just tosses you back to plain HTTP.

Your username/password will still be encrypted at least. Hm, actually, looking at the source, it's encrypted even via the normal HTTP link, although that's vulnerable to MITM.

phongn wrote:

Stark wrote:The saddest part is the tabloid press is saying 'OMG TEH HAXX0RS' instead of 'wow, that's a pretty insecure website. Maybe I shouldn't trust such sites with my personal data?'

Well, to be fair it's not really the site that's insecure but the network that is.
.

Well, data could still be intercepted at other points in the link- networks really shouldn't be trusted. I'd blame the website. After all, SSL is used on wirelines too...

Regarding MITM attacks, one thing is people tend to be rather sloppy about checking for HTTPS (myself included ), or will attribute the lack of it to a site glitch or something.

Here at GMU, our wireless "security" consists of a standard captive portal login over unencrypted wifi (the captive portal itself is SSL secured), w/ the added annoying quirk of the captive portal page needing to be open to ping the security server every X minutes.

It'd be somewhat trivial to create a fake AP w/ the same ESSID as the real "gmu" one, complete w/ a fake captive portal w/o SSL to capture login passwords. The lack of SSL probably wouldn't be noticed, and if it was would be attributed to some error (alternatively use a fake certificate, and when the error pops up it will be attributed to a system glitch- that has happened before due to domain mismatchs, but people probably don't check why all that closely). Once they enter their wifi username and password, you also have their student account password, payroll password (if they work for GMU), grading console (if they are faculty and use Blackboard), and a bunch of other passwords since they all share the same password

Pu-239 wrote:

Uraniun235 wrote:It doesn't work. Navigate around the Facebook website and it just tosses you back to plain HTTP.

Your username/password will still be encrypted at least. Hm, actually, looking at the source, it's encrypted even via the normal HTTP link, although that's vulnerable to MITM.

Firesheep isn't about capturing passwords though, it's capturing the session cookies instead. Yeah, if you're logging in, it's handy to protect your password - but on an open network someone could come in after you've logged in to Facebook, and still get access to your FB account.