Firesheep

Last updated 11/11/10

As open wireless networks continue to grow in availability, so do the computer security vulnerabilities associated with these networks. While the ability to access wireless networks makes it convenient for travelers and mobile commuters, most networks don't provide any form of encryption between a user's device and the network's access point. This makes information visible as it travels back and forth between the wireless network and the user's device. In addition, although many Web sites provide full encryption (typically denoted by https), others only encrypt a user's login information.

While wireless vulnerabilities are nothing new, they are now far easier to exploit with a new type of Web browser extension that makes visiting social media sites via open Wi-Fi networks very dangerous. Penn State students, faculty, and staff should especially be aware of a Firefox web browser extension called Firesheep. Firesheep lets anyone using a wireless device "side-jack" your social media session. The vulnerability is created when a user logs into a site like Facebook, Twitter, or Flickr over https, receives a cookie, but then the site uses http for the remaining browsing session. Since wireless networks in locations such as coffee shops, hotels and airports are typically open, anyone using these networks can grab the cookie and use it to assume another user's identity.

There are several ways in which users can avoid this type of attack and create a safer Web browsing experience. As a way to assist the user community, SOS has created the following Firesheep FAQ. Questions and requests for assistance should be directed to helpdesk@psu.edu.

What is Firesheep?
Firesheep is an extension for Mozilla Firefox on the Windows and OSX platforms (Linux to come). It provides a very simple and easy to use interface for finding unencrypted session cookies on open networks. The plug-in allows users to point and click to hijack other users' sessions on sites like Facebook, Twitter, and Foursquare. While Firesheep is an extension that only runs in Firefox, it is able to capture session data from any web browser.

Do I need to worry about this type of snooping at Penn State?
Yes! While Firesheep will not be able to capture cookies from the wireless 1.0 and 2.0 networks, once traffic leaves the Penn State network, it can still be captured prior to reaching its final destination. The AT&T Visitor Wireless is completely unencrypted, and is easily snooped. The only way to fully prevent this type of attack is to use web sites that use HTTPS for the login AND the rest of the browsing session.

How do I protect myself?
Use SSL or TLS whenever possible. The following Firefox extensions can help to keep traffic encrypted: HTTPS Everywhere, NoScript, and Force TLS. Chrome and Opera have add-ons that switch an HTTP session to HTTPS, but they can leak your authentication cookies before the secure session is established. Safari and Internet Explorer do not have any means to force an HTTPS session at this time. If you use Gmail, go into your settings and choose "Always use HTTPS". If you have a wireless router at home, make sure it is set to use WPA or WPA2. WEP keys are easily broken, and once someone is on the network, traffic on WEP-protected networks is not encrypted and sessions are easily hijacked.

Does the VPN protect me?
No. When you connect to the Penn State VPN, only traffic bound to Penn State IPs is encrypted. Traffic to other sites, like Google and Facebook, is not encrypted.

What can someone do if they hijack my session with Firesheep?
They should not be able to access your password or change your password, but they can still make posts as you, read and change personal/privacy settings, send messages, or log you out.

Read on for more technical information.

End to end protection
Firesheep works by placing a network interface into promiscuous mode and listening to all traffic on a network. While securing wireless access points helps with this issue, a web session hops across many networks between the client computer and the remote web server. Even when you use HTTP-based web applications on a secure wireless connection, any of the hops between your computer and the server could fall victim to foul play like ARP or DNS cache poisoning. When a web session is carried out with SSL, these types of hijacking attacks are ineffective because each packet is encrypted. The best way to ensure that your web sessions are safe is to use HTTPS, and verify that the certificates are in order.

Using Firesheep to your advantage
When Firesheep is run on a secured network, it will only list your cookies. This is actually very good information if you use web services like Facebook and Twitter. By running Firesheep, you get a clear picture of the cookies that are floating around unencrypted. By knowing which applications send cookies over HTTP, you can make more informed decisions when you are using open wireless services. If you need to check Facebook or Gmail at the coffee shop, use a VPN. If you don't have a VPN, don't use these applications on these networks. Contact the maintainers of the applications that don't use SSL, and tell them that you want SSL for the entire session.
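An added example (not part of the original FAQ, and not Firesheep's own code) of the audit described in the two sections above, in Python: it parses constructed Set-Cookie headers from hypothetical hosts, reports which cookies a browser would also attach to a plain-HTTP request because they lack the Secure attribute, and shows the hardened header a site maintainer should send instead.

```python
"""Audit Set-Cookie headers for the weakness Firesheep exploits: a session
cookie issued during an HTTPS login that lacks the Secure attribute, so the
browser also sends it on the HTTP pages that follow, where it can be sniffed.
All hosts and cookie values below are constructed for illustration."""
from http.cookies import SimpleCookie

# Constructed sample: one Set-Cookie header per hypothetical web application.
SAMPLE_SET_COOKIE = {
    "example-social.test": "sessionid=abc123; Path=/; HttpOnly",
    "example-mail.test":   "SID=xyz789; Path=/; Secure; HttpOnly",
    "example-photos.test": "auth=tok456; Path=/; Domain=.example-photos.test",
}


def parse_set_cookie(header: str) -> dict:
    """Return {name: {"secure": bool, "httponly": bool}} for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    return {
        name: {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}
        for name, morsel in jar.items()
    }


def cookies_sent_over_http(header: str) -> list:
    """Names of cookies a browser would attach to an http:// request for this host.
    Without the Secure attribute the browser does not distinguish http from https."""
    return [name for name, attrs in parse_set_cookie(header).items() if not attrs["secure"]]


def audit(samples: dict) -> dict:
    """Map each host to the cookies that would travel unencrypted (the Firesheep exposure)."""
    return {host: cookies_sent_over_http(header) for host, header in samples.items()}


def harden(header: str) -> list:
    """Rewrite a Set-Cookie header so every cookie is Secure (never sent over HTTP)
    and HttpOnly (not readable by page scripts); returns one header string per cookie."""
    jar = SimpleCookie()
    jar.load(header)
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
    return [morsel.OutputString() for morsel in jar.values()]


if __name__ == "__main__":
    for host, leaking in audit(SAMPLE_SET_COOKIE).items():
        status = "OK (Secure)" if not leaking else "LEAKS over HTTP: " + ", ".join(leaking)
        print(f"{host}: {status}")
        for fixed in harden(SAMPLE_SET_COOKIE[host]):
            print("  hardened: Set-Cookie: " + fixed)
```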

List of default sites scanned in Firesheep
By default Firesheep only searches for some of the most popular HTTP-based web services. Here is the default list, but be aware that it is easy to add sites to this list, and even if your favorite site is not listed, be very careful with applications that do not provide end to end SSL protection for your entire session.

Amazon.com, Basecamp, Bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, Tumblr.com, Twitter, WordPress, Yahoo, Yelp

Written by Matt Soccio
ITS - Security Operations and Services

Photo by Greg Grieco, 2003

