
Session Hijacking Via Firefox Extension

HardOCP News

[H] News
Want to know just how serious session sidejacking is? Read this and you’ll know. Thanks to Rhialto for the heads up on this one.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. Double-click on someone, and you're instantly logged in as them.
 
Actually the problem is almost nobody is fixing this.

Probably because the cost of heavier server load due to having to encrypt/decrypt SSL server side...

For one person using one computer this is negligible. Over a server farm hosting - say - Facebook, you wind up talking real money...

I'm not justifying their inaction, but that is likely why...
 
This is bullshit. They should lock up the person who released this for a couple years...

This is akin to someone selling Ford & Chrysler master keys in a busy parking lot. You may not be actually doing anything illegal, but the people using your product will be (and on second thought, I'm going to guess selling master keys is illegal for this very reason lol).

He is enabling people to commit illegal acts, they should throw the book at him. If everyone had his mentality, every single home in North America practically would be open season, very few homes are "secure". To fully secure every home would be billions of dollars, and it's no different for a website. Just because you CAN break in doesn't mean you should. Nor does it mean people should give you the tools to do so...

...and them hiding behind the cloak of "I'm doing this for the greater good! I want more secure websites!" is bullshit. Not every website owner has tens of thousands of dollars to throw at security firms to make sure their website is 100% protected... And tools like this make the average Joe website a prime target. Big companies like facebook, amazon etc. won't be affected by this AT ALL. It's the little guy who will get hurt.
 
Here is what Mr Butler says:

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

What about the small company with 5-10 employees who pays a freelance web designer $10000 to make a website that gets hacked because some script kiddie used his program and then dicked around with the website, resulting in the small company's big client choosing to go with another competitor thereby not giving that company the $250,000 contract they were depending on to make sure their employees get paid? Sort of puts shit into perspective when little Timmy has nothing under his tree because daddy got laid off.
 
This is how you force companies to fix security problems.

At least now it's out in the open. He just automates it to the point where people will notice, thus forcing websites to become more secure.

Had he not released this, the issue would have stayed in the shadows and countless people would never know what had hit them for a long time to come.

Yes, short term it will suck, but at least there is a chance this will be fixed once and for all because of this.

What he did was a very positive thing for Internet security as a whole.
 
this forces big companies to fix it. Little ones don't.

It is irresponsible for him to release such a tool into the masses when it's actually not targeted at the masses but the "big" sites.

Would you feel the same way about houses being broken into? It would force people to build more secure homes after all.
 
It's not really a security bug, it's just a fact that most sites do not continue SSL connections at all times due to the added overhead. It was probably a calculated risk that became more plausible now that people are more likely to use networks they can't trust. But make no mistake, this has been known for years, which is why some people never use wifi or any hub based network without a VPN or SSH filter.

Facebook, and the other major sites can afford to add more servers for SSL. The smaller companies? Probably not.
 
Facebook, and the other major sites can afford to add more servers for SSL. The smaller companies? Probably not.

Small companies either have a server for their limited web traffic and as such, the added CPU cycles are probably ones that otherwise would have been idle, or they order web hosting services from a large company that can implement SSL.
 
This is bullshit. They should lock up the person who released this for a couple years...

You do understand this isn't the only way to do it, right? You're acting as if packet sniffing is some new mystical thing he just created.

What about the small company with 5-10 employees who pays a freelance web designer $10000 to make a website that gets hacked because some script kiddie used his program and then dicked around with the website, resulting in the small company's big client choosing to go with another competitor thereby not giving that company the $250,000 contract they were depending on to make sure their employees get paid? Sort of puts shit into perspective when little Timmy has nothing under his tree because daddy got laid off.

No one said anything about a website being hacked. He talked about people getting their accounts hijacked due to insecure logins. Generally speaking it is a secure login to alter a website.

FTFA:
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
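The quoted passage describes the exact condition a defender should check for: a login that happens over HTTPS but leaves the session cookie free to travel over plain HTTP afterwards. The audit below is an added example (it is not code from the thread or from Firesheep) that parses raw HTTP responses and flags the two symptoms the passage names: a session cookie set without the Secure attribute and no Strict-Transport-Security policy keeping the browser on TLS. The two responses and the host example.test are constructed for the example.

```python
"""Audit a post-login HTTP response for the sidejacking conditions described
in the thread: a session cookie that may be sent over plain HTTP, and no
policy forcing the rest of the session onto TLS.
Added example; the sample responses below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: what a "login over SSL, everything else in the clear" site returns.
LOGIN_OK_WEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.test/home\r\n"
    "Set-Cookie: sessid=abc123; Path=/\r\n"
    "\r\n"
)

# Constructed: the same login with the cookie pinned to HTTPS and HSTS enabled.
LOGIN_OK_HARDENED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/home\r\n"
    "Set-Cookie: sessid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Heuristic for "this cookie carries the session" (assumption: naming convention).
SESSION_COOKIE_HINT = re.compile(r"(sess|sid|auth|token|login)", re.I)


@dataclass
class Finding:
    severity: str
    message: str


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into its status line and header list.
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_cookie(value: str) -> Tuple[str, Dict[str, object]]:
    """Return (cookie name, {attribute-name-lowercase: value-or-True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        attrs[key.lower()] = val if sep else True
    return name, attrs


def audit(raw: str) -> List[Finding]:
    """Report every way this response lets the session leak onto plain HTTP."""
    _, headers = parse_response(raw)
    findings: List[Finding] = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(Finding("medium", "no Strict-Transport-Security header: "
                                "browser may follow plain-HTTP links later in the session"))
    for name, value in headers:
        if name == "location" and value.lower().startswith("http://"):
            findings.append(Finding("high", f"post-login redirect to plain HTTP: {value}"))
        if name == "set-cookie":
            cname, attrs = parse_cookie(value)
            if not SESSION_COOKIE_HINT.search(cname):
                continue
            if "secure" not in attrs:
                findings.append(Finding("high", f"session cookie {cname!r} lacks Secure: "
                                        "it will be sent over plain HTTP too"))
            if "httponly" not in attrs:
                findings.append(Finding("low", f"session cookie {cname!r} lacks HttpOnly"))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", LOGIN_OK_WEAK), ("hardened", LOGIN_OK_HARDENED)):
        print(label, [(f.severity, f.message) for f in audit(raw)])
```

Run against the constructed weak response it reports the plain-HTTP redirect, the missing Secure flag, the missing HttpOnly flag and the absent HSTS header; against the hardened response it reports nothing.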
 
This is bullshit. They should lock up the person who released this for a couple years...

This is akin to someone selling Ford & Chrysler master keys in a busy parking lot. You may not be actually doing anything illegal, but the people using your product will be (and on second thought, I'm going to guess selling master keys is illegal for this very reason lol).

He is enabling people to commit illegal acts, they should throw the book at him. If everyone had his mentality, every single home in North America practically would be open season, very few homes are "secure". To fully secure every home would be billions of dollars, and it's no different for a website. Just because you CAN break in doesn't mean you should. Nor does it mean people should give you the tools to do so...

...and them hiding behind the cloak of "I'm doing this for the greater good! I want more secure websites!" is bullshit. Not every website owner has tens of thousands of dollars to throw at security firms to make sure their website is 100% protected... And tools like this make the average Joe website a prime target. Big companies like facebook, amazon etc. won't be affected by this AT ALL. It's the little guy who will get hurt.
There's tons of 0 day exploits that get released for all types of things that cause millions of dollars in damage, this is nothing in comparison.
 
It's actually quite sad nowadays to see things like these, to have something fixed you have to drag everyone else with you :( , oh well, hope a solution comes out before things like these get really out of control
 
webpages I do for our business have always been 100% SSL, never cared about the overhead... though people using IE always complain to me about the constant popups warning the page is both secure and unsecure since twitter's api javascript stuff doesn't work right if you call it over https... or at least I've never found a way yet
 
This is why I get directly angry whenever someone claims self-signed SSL certificates are worse than nothing and a danger against the fabric of the world etc: Sure, they leave you vulnerable to a MITM attack. But you would be anyway - and at least it removes the risk of passive eavesdropping.
 
Three ways you can protect yourself. Any way by itself is fine.

1. Only connect to access points that use WPA or better and are passworded. WPA and WPA2 give each device connected to it a unique session key so your info is kept private from everyone else. Before someone chimes in and says WPA is broken, only TKIP is broken, AES is fine and still protected. And what I said still applies if everyone knows the password.

2. Use a VPN

3. use HTTPS everywhere or force TLS
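Option 3 above is something the site operator can enforce rather than leaving it to each visitor. The WSGI middleware below is an added example (not code from the thread) of "force TLS" on the server side: any plain-HTTP request is redirected to HTTPS, every Set-Cookie the application emits is given the Secure and HttpOnly attributes, and an HSTS header is added so the browser stays on TLS for the rest of the session. The inner naive_app, the hostname example.test and the one-year HSTS lifetime are assumptions made for the example; the helper call() drives the app offline with a constructed environ so the behaviour can be checked without a server.

```python
"""Force-TLS WSGI middleware: redirect plain HTTP, pin cookies to HTTPS, add HSTS.
Added example, not the thread's code; inner app and hostname are constructed."""
from typing import Callable, Iterable, List, Tuple
from urllib.parse import quote

HSTS = "max-age=31536000; includeSubDomains"  # assumption: one-year policy


def _is_https(environ: dict) -> bool:
    # wsgi.url_scheme is set by the WSGI server itself. X-Forwarded-Proto is
    # deliberately not consulted: it is only trustworthy behind a proxy you
    # control, which this example assumes is not present.
    return environ.get("wsgi.url_scheme", "http") == "https"


def _force_secure_cookie(value: str) -> str:
    """Add Secure/HttpOnly to a Set-Cookie value if the app forgot them."""
    attrs = [a.strip() for a in value.split(";")]
    lowered = {a.lower() for a in attrs}
    if "secure" not in lowered:
        attrs.append("Secure")
    if "httponly" not in lowered:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def force_tls(app: Callable) -> Callable:
    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        if not _is_https(environ):
            # Never serve (or set cookies for) a plain-HTTP request.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            out = [(n, _force_secure_cookie(v)) if n.lower() == "set-cookie" else (n, v)
                   for n, v in headers]
            out.append(("Strict-Transport-Security", HSTS))
            return start_response(status, out, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def naive_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed inner application: sets a bare session cookie, the way the
    thread says most sites did after an HTTPS login."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessid=abc123; Path=/")])
    return [b"logged in\n"]


def call(app: Callable, scheme: str, host: str = "example.test",
         path: str = "/login", query: str = "") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app offline with a constructed environ; return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = force_tls(naive_app)
    print(call(app, "http", query="next=%2Fhome"))
    print(call(app, "https"))
```

The redirect is issued before the inner application runs, so a cookie is never minted for a cleartext request; the Secure attribute then stops the browser from ever replaying that cookie over port 80, which is the replay the thread is about.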
 
So I need to secure my wireless network. How is this not old news?

except that this completely invalidates the use of SSL. The whole point of SSL was that at no point could anybody splice into your connection short of a huge collusion of subpoenas. The fact that this has been doable for years is news to me, the fact that this is the industry de facto standard is also news to me, but the fact that it has a UI?

Securing your home secures one portion of the connection: SSL guarantees point-to-point authentication and encryption. And the obvious question is what about those using Starbucks Wifi? What about at your work/school?

Maybe I'm just paranoid because I'm on open-wireless networks so much, but this seems to me to be a joke.

Anyways, I don't know, but it seems to me to be completely moot to implement e-mail login as over SSL and then have a vulnerability that allows a man in the middle to not just intercept content, but impersonate the legitimate user to an undisputed degree.

The biggest problem is that when I go to starbucks I don't have a choice. Not mentioned, but vulnerable to the same attacks, is steam. If my e-mail client logs on, and that cookie is captured, and someone hits the password recovery facilities of steam, I could walk into a cafe and lose more than the $2 I was planning on spending on coffee.
 
NO it does not invalidate SSL. What is happening is that people used SSL to authenticate you but then immediately went to an open connection for the rest of your session. All someone has to do is take your cookie and as far as the site is concerned it's you.

All sites need to do is use SSL for the entire session, which isn't as resource intensive as people think. As I mentioned as well as long as the AP has a password on it and uses WPA you are safe, and you are safe as long as you force SSL all the time.
 
Who cares?

You have got to be a SHEEP to be using facebook, and even bigger SHEEP to be using it unsecured on a Starbucks WiFi.

Nothing on any unsecure WiFi is not "catchable" to a true hax0r.... tether your laptop to your smartphone and get with the times!
 
By the way, this is a great tool in NYC and big cities where you cannot find out who is stealing and hacking your clients open WiFi computers/files.

And this will be useful obviously for law enforcement.... they can catch unknowing WiFi thieves who might be using the stolen WiFi for illegal acts (internet fraud, child porn, etc)
 
Who cares?

You have got to be a SHEEP to be using facebook, and even bigger SHEEP to be using it unsecured on a Starbucks WiFi.

Nothing on any unsecure WiFi is not "catchable" to a true hax0r.... tether your laptop to your smartphone and get with the times!

It's not just facebook. Here's a list of things that it works on, and it's not complete.

Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google (except gmail), HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp

Bet you use at least one of these sites.
 
All sites need to do is use SSL for the entire session, which isn't as resource intensive as people think.

Yup. Setting up an SSL session is expensive, but once it is set up it switches to a symmetrical encryption which is super fast. It even has ways of resuming sessions to prevent unnecessary handshakes. Even for major sites full SSL all the time wouldn't increase load by much at all.
 
It's not just facebook. Here's a list of things that it works on, and it's not complete.

Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google (except gmail), HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp

Bet you use at least one of these sites.
IIRC Gmail was converted to full SSL throughout after this vulnerability was pointed out to them a year or so back. (May have been Chinese related... can't remember the exact reason). I think you may need to dig into settings to turn this on. Google searches will work on https://www.google.com to keep things hidden.

It has been trivial to install a network sniffer and watch unsecured networks for years. I first did it in the 90's using Etherpeek on a Mac. Which is why I train my clients to act as if they have someone watching over their shoulder when using a laptop on WiFi.

This will now cause the bigger names to start offering real security. I want to see my Amazon sessions fully encrypted as that includes my credit card details on the servers.

I am surprised to not yet see EBay and Paypal on that list...


The funny side effect of this will be that Government spying from the Spooks will get disrupted. RIPA acts and similar will not be able to watch us as closely if we all get reliable, safe encryption by default. :)
 
NO it does not invalidate SSL. What is happening is that people used SSL to authenticate you but then immediately went to an open connection for the rest of your session. All someone has to do is take your cookie and as far as the site is concerned it's you.

All sites need to do is use SSL for the entire session, which isn't as resource intensive as people think. As I mentioned as well as long as the AP has a password on it and uses WPA you are safe, and you are safe as long as you force SSL all the time.

YES it does invalidate SSL.

What's the point in implementing as secure a front-end as SSL if you're going to fall back to a completely insecure infrastructure for the remaining part of the session? SSL is not broken (at least as long as you're implementing a no-renegotiation policy), but any implementation of it is if you're totally defeating the point with this stupidity.

And no, even simpler than implementing SSL for the rest of your session is to just hash the damn cookie against the key described in the symmetric portion of your SSL handshake.
 
And no, even simpler than implementing SSL for the rest of your session is to just hash the damn cookie against the key described in the symmetric portion of your SSL handshake and salted with your systems current time

--fixed... damn you no edit.
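The two posts above propose binding the session cookie to material from the TLS handshake and to the issue time, so that a copied cookie is worthless on any other connection and after a short lifetime. The code below is an added example, not the poster's or any site's implementation, of that idea in its general form: the server issues an HMAC-tagged token over the session id, the issue time and a hash of a per-connection channel-binding value, and verification fails when the binding value differs or the token has aged out. It assumes the server can obtain such a channel_binding value for the connection (a TLS channel-binding value is one source; the bytes used here are constructed) and keeps the MAC key and 8-hour lifetime as illustrative choices. The caveat the thread itself points to still applies: this only helps on a TLS connection, since a plain-HTTP request carries no handshake material to bind to.

```python
"""Bind a session token to the connection it was issued on and to its issue time.
Added example of the idea proposed in the thread; keys, lifetime and the
channel-binding bytes are constructed assumptions, not a real site's scheme."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SERVER_KEY = os.urandom(32)      # constructed: fresh server-side MAC key per process
MAX_AGE_SECONDS = 8 * 3600       # assumption: tokens die after one working day


def _message(session_id: bytes, issued: int, channel_binding: bytes) -> bytes:
    # Fixed-width fields so no two (id, time, binding) triples share an encoding.
    return session_id + struct.pack(">Q", issued) + hashlib.sha256(channel_binding).digest()


def issue_token(session_id: bytes, channel_binding: bytes,
                now: Optional[float] = None) -> str:
    """Mint 'sid.issued.tag' where tag = HMAC(key, sid || issued || H(binding))."""
    issued = int(now if now is not None else time.time())
    tag = hmac.new(SERVER_KEY, _message(session_id, issued, channel_binding),
                   hashlib.sha256).digest()
    return f"{session_id.hex()}.{issued}.{tag.hex()}"


def verify_token(token: str, channel_binding: bytes,
                 now: Optional[float] = None) -> Optional[bytes]:
    """Return the session id if the token is intact, fresh and presented on the
    connection it was bound to; otherwise None (a replayed cookie gets None)."""
    try:
        sid_hex, issued_str, tag_hex = token.split(".")
        session_id = bytes.fromhex(sid_hex)
        issued = int(issued_str)
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= MAX_AGE_SECONDS:
        return None                       # the "salted with current time" part: expiry
    expected = hmac.new(SERVER_KEY, _message(session_id, issued, channel_binding),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # wrong connection, or tampered token
    return session_id


if __name__ == "__main__":
    sid = os.urandom(16)
    own_conn = b"constructed-channel-binding-A"
    other_conn = b"constructed-channel-binding-B"
    tok = issue_token(sid, own_conn)
    print("same connection:", verify_token(tok, own_conn) == sid)
    print("copied to another connection:", verify_token(tok, other_conn))
```

The HMAC covers the binding value rather than the raw cookie being hashed with the key, so the server never has to store the per-connection secret; it recomputes the tag from whatever binding the current connection presents, and a mismatch is indistinguishable from a forged token.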
 
Anyone that uses open/public wifi for anything is an idiot that is giving away all of their information. Now it is just easier to get.
 
Many of you had no issue with google capturing wifi data so what's the big deal?
 
Three ways you can protect yourself. Any way by itself is fine.

1. Only connect to access points that use WPA or better and are passworded. WPA and WPA2 give each device connected to it a unique session key so your info is kept private from everyone else. Before someone chimes in and says WPA is broken, only TKIP is broken, AES is fine and still protected. And what I said still applies if everyone knows the password.

2. Use a VPN

3. use HTTPS everywhere or force TLS

WPA2 is not completely secure... http://www.darknet.org.uk/2010/07/wpa2-vulnerability-discovered-hole-196-a-flaw-in-gtk-group-temporal-key/
 

It's a hell of a lot harder to pull off a man in the middle attack and induce an AP to decrypt one user's traffic under their private key and then re-encrypt it under an attacker's key and forward than installing a plugin and clicking start.

And if the router supports client isolation (that is, forbidding client to client traffic) then Hole 196 is also eliminated.
 