Firesheep

Developer(s): Eric Butler
Stable release: 0.1-1[1]
Operating system: Microsoft Windows and Mac OS X (highly unstable on Linux)
Available in: English
Type: Add-on (Mozilla)
Website: codebutler.com/firesheep

Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over the local network, exploiting session hijacking vulnerabilities. It shows the discovered identities in a sidebar displayed in the browser and allows the user to instantly take over the victim's logged-in session by double-clicking on the victim's name.[2]

The extension was created as a demonstration of the security risk to users of web sites that encrypt only the login process and not the cookie(s) created during the login process.[3] Commentators have warned that using the extension to capture login sessions without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons have stated that they would not use the browser's internal add-on blacklist to disable Firesheep, as the blacklist has only been used to disable spyware or add-ons that inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one's own systems).[4]

Later a similar tool called Faceniff was released for Android mobile phones.[5]


Countermeasures

Multiple methods exist to counter Firesheep's local network sniffing; they all amount to carrying the session cookie over an encrypted connection so that a sniffer on the same network sees only ciphertext. This can be realized in several ways: for example by using HTTPS,[6] a Virtual Private Network (VPN) connection, or wireless security. These approaches may be employed individually or in any combination, and their availability in any given situation will vary, in part due to web site and local network characteristics and configuration. BlackSheep is a Firefox plugin designed to combat Firesheep. BlackSheep drops 'fake' session ID information on the wire and then monitors traffic to see whether it has been hijacked.[7]

HTTPS

HTTPS offers end-to-end security between the user agent and the web server. This works well with web sites that are offered uniformly over HTTPS. However, many web sites employ HTTPS only for accomplishing what is sometimes called "web login" (also often inaccurately referred to as "form-based authentication"), then revert the user's session back to insecure HTTP.
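The mixed-mode weakness described above can be audited from the server's own login response. The following is an added example, not part of the article and not code from Firesheep: it parses a constructed HTTP response and reports the three things that leave a session sniffable after login, namely cookies set without the Secure attribute (which a browser will also send on plain http:// requests), a redirect back to http://, and the absence of an HSTS header. Host names, cookie names and values are made up.

```python
"""Audit a login response for the HTTPS-then-HTTP weakness Firesheep targeted.
Added example, not from the article or from Firesheep. Both responses are
constructed. A cookie set without the Secure attribute is sent by the browser
on plain http:// requests too, so it is sniffable once the site drops to HTTP."""

# Constructed: login over HTTPS, then a redirect to HTTP with an unprotected cookie.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.test/home\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n\r\n"
)
# Constructed: same login with Secure cookies, an HTTPS redirect and HSTS.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/home\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
)

def parse_headers(raw):
    """Return (name, value) pairs from a raw response head, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Report cookies lacking Secure, a redirect back to http://, and missing HSTS."""
    headers = parse_headers(raw)
    insecure_cookies, redirect_to_http = [], False
    for name, value in headers:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";") if p.strip()]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                insecure_cookies.append(parts[0].split("=", 1)[0])
        elif name == "location" and value.lower().startswith("http://"):
            redirect_to_http = True
    has_hsts = any(n == "strict-transport-security" for n, _ in headers)
    return {"insecure_cookies": insecure_cookies,
            "redirect_to_http": redirect_to_http, "hsts": has_hsts}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

The weak response is flagged for both `sessionid` and `prefs`, while the hardened one passes every check; the same function can be pointed at a real response head captured from one's own server.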

This can be addressed in two intersecting fashions:

Virtual private network

The end user may also employ a corporate Virtual Private Network or implement a personal VPN (for example via OpenVPN) to a home PC acting as a VPN server to encrypt absolutely all the data during transmission over the public Wi-Fi link.

However, one must then trust the VPN's operators not to capture the session cookies themselves. That is particularly a concern with the Tor network, for which anyone can set up an exit node and monitor traffic going to non-HTTPS websites.

Wireless network security

Local Wi-Fi networks may be configured with varying levels of security enabled. On a network protected with a Wired Equivalent Privacy (WEP) password, an attacker running Firesheep must have the password, but once it has been obtained (a likely scenario if a coffee shop gives all users the same basic password) they are able to decrypt the cookies and continue the attack. Wi-Fi Protected Access (WPA) encryption, by contrast, offers individual user isolation, preventing the attacker from decrypting other users' cookies even when they have logged into the network with the same password.[10] An attacker would, however, be able to manually retrieve and decrypt another user's data on a WPA-PSK connection if the pre-shared key is known.

References

  1. Butler, Eric. "Firesheep - codebutler". http://codebutler.com/firesheep?c=1. Retrieved December 20, 2010.
  2. Steve Gibson, Gibson Research Corporation. "Security Now! Transcript of Episode #272". Grc.com. http://www.grc.com/sn/sn-272.htm. Retrieved November 2, 2010.
  3. "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots". Lifehacker. http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep. Retrieved October 28, 2010.
  4. Keizer, Gregg. "Mozilla: No 'kill switch' for Firesheep add-on". Computer World. http://www.computerworld.com/s/article/9193420/Mozilla_No_kill_switch_for_Firesheep_add_on. Retrieved October 29, 2010.
  5. "Sniff and intercept web session profiles on Android". Help Net Security. http://www.net-security.org/secworld.php?id=11107. Retrieved June 2, 2011.
  6. Seth Schoen (29 October 2010). "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"". https://www.eff.org/deeplinks/2010/10/message-firesheep-baaaad-websites-implement. Retrieved 8 March 2011.
  7. "BlackSheep – Firefox Add-on". http://www.zscaler.com/blacksheep.html.
  8. Chris Palmer (15 November 2010). "How to Deploy HTTPS Correctly". https://www.eff.org/pages/how-deploy-https-correctly. Retrieved 8 March 2011.
  9. Jeff Hodges (31 October 2010). "Firesheep and HSTS (HTTP Strict Transport Security)". http://identitymeme.org/archives/2010/10/29/firesheep-and-hsts-http-strict-transport-security/. Retrieved 8 March 2011.
  10. See episode 272, "Firesheep".
