[Micronet] Firesheep Question

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[Micronet] Firesheep Question

Jon Johnsen
Is this something to worry our users about?

Firesheep
All of you should know about Firesheep. This exploit is wild and spreading
like crazy because it so easy to use. Firesheep is a Firefox extension
which intercepts unencrypted cookies from certain websites (such as Facebook
and Twitter) transmitted over public Wi-Fi connections using a packet
sniffer. It shows the discovered identities on a sidebar displayed in the
browser, and allows the user of Firesheep to instantly take on the log-in
credentials of the user just by double-clicking on the name.

The fix for this is simple, don't allow your users to us a Wi-Fi Hotspot
that's not using encryption. (WEP doesn't count.) This is NOT a
vulnerability in Firefox. Firesheep captures the unencrypted cookies some
web site use while logging in. Yes the login process is secure and
encrypted, but the cookie that's passed with proxy login credentials is not.
(Blame the web site developer not Firefox for this vulnerability.)

-- 
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] Firesheep Question

Bill Clark
The underlying problem is nothing new, although the plugin does make it easier to exploit. I'd say the best approach is to just reiterate the same advice they should already be following -- don't do anything that requires a login unless the entire website is using SSL. You could stick the qualifier "over wifi" in there, or even "over unsecured wifi" but it's generally good advice even over wired connections. 

Bill Clark

On Nov 1, 2010, at 8:18 AM, Jon Johnsen <[hidden email]> wrote:

Is this something to worry our users about?

Firesheep
All of you should know about Firesheep. This exploit is wild and spreading
like crazy because it so easy to use. Firesheep is a Firefox extension
which intercepts unencrypted cookies from certain websites (such as Facebook
and Twitter) transmitted over public Wi-Fi connections using a packet
sniffer. It shows the discovered identities on a sidebar displayed in the
browser, and allows the user of Firesheep to instantly take on the log-in
credentials of the user just by double-clicking on the name.

The fix for this is simple, don't allow your users to us a Wi-Fi Hotspot
that's not using encryption. (WEP doesn't count.) This is NOT a
vulnerability in Firefox. Firesheep captures the unencrypted cookies some
web site use while logging in. Yes the login process is secure and
encrypted, but the cookie that's passed with proxy login credentials is not.
(Blame the web site developer not Firefox for this vulnerability.)

-- 
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] Firesheep Question

Patrick Schmitz
You can also tell folks to get some protection using Force-TLS. See also:
 
 
Patrick


From: [hidden email] [mailto:[hidden email]] On Behalf Of Bill Clark
Sent: Monday, November 01, 2010 8:47 AM
To: Jon Johnsen
Cc: [hidden email]
Subject: Re: [Micronet] Firesheep Question

The underlying problem is nothing new, although the plugin does make it easier to exploit. I'd say the best approach is to just reiterate the same advice they should already be following -- don't do anything that requires a login unless the entire website is using SSL. You could stick the qualifier "over wifi" in there, or even "over unsecured wifi" but it's generally good advice even over wired connections. 

Bill Clark

On Nov 1, 2010, at 8:18 AM, Jon Johnsen <[hidden email]> wrote:

Is this something to worry our users about?

Firesheep
All of you should know about Firesheep. This exploit is wild and spreading
like crazy because it so easy to use. Firesheep is a Firefox extension
which intercepts unencrypted cookies from certain websites (such as Facebook
and Twitter) transmitted over public Wi-Fi connections using a packet
sniffer. It shows the discovered identities on a sidebar displayed in the
browser, and allows the user of Firesheep to instantly take on the log-in
credentials of the user just by double-clicking on the name.

The fix for this is simple, don't allow your users to us a Wi-Fi Hotspot
that's not using encryption. (WEP doesn't count.) This is NOT a
vulnerability in Firefox. Firesheep captures the unencrypted cookies some
web site use while logging in. Yes the login process is secure and
encrypted, but the cookie that's passed with proxy login credentials is not.
(Blame the web site developer not Firefox for this vulnerability.)

-- 
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] Firesheep Question

Michael Sinatra-2
In reply to this post by Jon Johnsen
This is the sort of discussion that should actually be on ucb-security.

michael

On 11/01/10 08:18, Jon Johnsen wrote:

> Is this something to worry our users about?
>
>> Firesheep
>> All of you should know about Firesheep. This exploit is wild and spreading
>> like crazy because it so easy to use. Firesheep is a Firefox extension
>> which intercepts unencrypted cookies from certain websites (such as
>> Facebook
>> and Twitter) transmitted over public Wi-Fi connections using a packet
>> sniffer. It shows the discovered identities on a sidebar displayed in the
>> browser, and allows the user of Firesheep to instantly take on the log-in
>> credentials of the user just by double-clicking on the name.
>>
>> The fix for this is simple, don't allow your users to us a Wi-Fi Hotspot
>> that's not using encryption. (WEP doesn't count.) This is NOT a
>> vulnerability in Firefox. Firesheep captures the unencrypted cookies some
>> web site use while logging in. Yes the login process is secure and
>> encrypted, but the cookie that's passed with proxy login credentials
>> is not.
>> (Blame the web site developer not Firefox for this vulnerability.)
>
> --
> Jon Johnsen
> Information Systems Office
> 433 University Hall
> School of Public Health, UC Berkeley
> 510 643-4357
>
>
>
>
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] Firesheep Question

Edgar Ortega
In reply to this post by Jon Johnsen

If I recall my reading on this correctly, it only applies to cards that are capable of running under promiscuous mode. Can anyone say with certainty how common it is to find consumer-level priced network adapters or OEM adapters that allow promiscuous mode?

 

-Edgar Ortega

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jon Johnsen
Sent: Monday, November 01, 2010 8:19 AM
To: [hidden email]
Subject: [Micronet] Firesheep Question

 

Is this something to worry our users about?


Firesheep
All of you should know about Firesheep. This exploit is wild and spreading
like crazy because it so easy to use. Firesheep is a Firefox extension
which intercepts unencrypted cookies from certain websites (such as Facebook
and Twitter) transmitted over public Wi-Fi connections using a packet
sniffer. It shows the discovered identities on a sidebar displayed in the
browser, and allows the user of Firesheep to instantly take on the log-in
credentials of the user just by double-clicking on the name.

The fix for this is simple, don't allow your users to us a Wi-Fi Hotspot
that's not using encryption. (WEP doesn't count.) This is NOT a
vulnerability in Firefox. Firesheep captures the unencrypted cookies some
web site use while logging in. Yes the login process is secure and
encrypted, but the cookie that's passed with proxy login credentials is not.
(Blame the web site developer not Firefox for this vulnerability.)



-- 
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] Firesheep Question

Michael Sinatra-2
On 11/01/10 11:14, Edgar Ortega wrote:
> If I recall my reading on this correctly, it only applies to cards that
> are capable of running under promiscuous mode. Can anyone say with
> certainty how common it is to find consumer-level priced network
> adapters or OEM adapters that allow promiscuous mode?

Extremely common.  In fact, it is rare if not impossible to find
adapters that do not support promiscuous mode.

Again, this discussion should be continuing on ucb-security@

michael

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.