18 replies to this topic

[Jamal H. Naji]

Ian Paul from PC WORLD lately posted an article about this horrifying new add-on, here are some paragraphs of what he wrote:

- Want to hack someone Else's Amazon, Facebook, Twitter or Windows Live account in just one click? A Firefox extension called Firesheep claims you can by hijacking a person's current user session over an open Wi-Fi connection.

- I tested the extension out and to my horror it works as advertised - almost that is.

- Theoretically, if I had tested this system over an unencrypted Wi-Fi network at a cafe, I should have been able to simply click on any of the accounts I saw in the Firesheep sidebar and then gain almost unrestricted access to the account.

- There's no question that Firesheep highlights an important Web browsing security flaw that could expose your account to a malicious hacker.

- Nevertheless, Firesheep, and side-jacking in general, is still a serious security threat if you happen to be using open or unprotected Wi-Fi.

- Firesheep may make it easier than ever for someone to snoop on other people over open, unencrypted Wi-Fi

One of the things that really made me furious when Ian wrote that JAW DROPPING statement as he said:

But it's also important to keep in mind that side-jacking has its limits. Using Firesheep is not likely to expose your user password.

So a hacker may be able to use Firesheep to take action on your behalf such as send an e-mail, post a status update, or send out a tweet. But it's unlikely that Firesheep could be used to steal your account by switching your password on you. Unless, of course, you are using a service that lets you change your password without entering the current one--a rare occurrence these days.

- What did you say Mr. Ian Paul? Sorry !! Are you underestimating the privacy and security breach issue that some snooper log into your accounts and take action on your behalf? Are you serious when you said that?

Read the full article HERE:


=======================================================================
Many computer security vendors offer free computer security checks for your computer. Visit this link to check your computer for known viruses, spyware, and more and discover if your computer is vulnerable to cyber attacks.
===================================================================

===================================================================
My Previous Topics & Tutorials HERE
===================================================================

[fxchby]

thats terifing jamal cant go net cafe anymore unles full armed

[Joeye]

wowwww intresting and very dangrous

[Sha0]

Here is someone who actually used this and wrote about their experience:

http://technologysuf...-york-city.html

An interesting read.

[Wonko the Sane]

Yep , wireless cookie stealing is not really news, sessionthief, surfjack, wifizoo and the like are around since years.

Maybe the fact that Firesheep has more publicity/hype now is a good thing, maybe this time more morons inexperienced users will start being more careful....


Wonko

[Jamal H. Naji]

HERE you find some more news discussing this threat and if it is legal or not to use this Firesheep at Starbucks, which was released just over a week ago and has been downloaded nearly half a million times since?

[Jamal H. Naji]

Chris Von Eitzen from The H Security wrote the following:

Microsoft responds to Firesheep cookie-jacking tool

The Firesheep developers continue to be under fire for releasing their cookie-jacking plug-in. However, in doing so they have already made Microsoft promise that it will fully convert its Hotmail / Windows Live email service to SSL. According to a report from the US news web site Digital Security, the services are to be converted before the end of November.

Read more HERE, and HERE.

[Nuno Brito]

Microsoft promise that it will fully convert its Hotmail / Windows Live email service to SSL

Hotmail was not supporting SSL in 2010?

[Jamal H. Naji]

Hotmail was not supporting SSL in 2010?

According to George OU he said:
UPDATE 11/4/2010 – Unfortunately, Microsoft confirmed that SSL will be optional and not the default setting which means the vast majority of customers will not be running SSL. Hopefully they’ll at least fix the cookie theft issue by default, and then consider the almost nonexistent overhead of maintaining SSL browsing for all Hotmail customers. All the hard work of setting up the SSL session during the initial authentication phase was already done.
Read More HERE

[Jamal H. Naji]

Also from George OU you might find his Online services security report card very interesting, only G-mail is on top, the rest are way below secure.

[Nuno Brito]

Yes, it seems that people only take this matter seriously when its all over the news.

[Jamal H. Naji]

Public hotspots are convenient. It is nice to be able to kick back and surf the Web while sipping a pumpkin spice latte at Starbucks. Just realize that the Wi-Fi is insecure and limit your activities. Go ahead and read the headlines at CNN.com, but don't check your bank balance, or do anything else that requires entering a username, password, or account number.

read more updates about this subject By Tony Bradley, from PCWorld HERE

[Jamal H. Naji]

Yep , wireless cookie stealing is not really news, sessionthief, surfjack, wifizoo and the like are around since years.
Maybe the fact that Firesheep has more publicity/hype now is a good thing, maybe this time more morons inexperienced users will start being more careful....

Wonko

Thank you Wonko,

Yes actually while sniffing/stealing session credentials is nothing new, the Firesheep plug-in which was developed by security researchers in the first place to highlight how insecure public WiFi networks can be. Mission accomplished, yes. But unfortunately the tool works quite well, and it's free for public to download and use, and its public availability places a relatively powerful snooping tool that as I said requires virtually no hacking skills whatsoever,this tool exposed this capability to the masses, by automating the process, so that absolutely everyone with no technical know-how can simply log on to your bank account or your facebook or hotmail or anywhere you are using your user name and password and act on your behalf, while you are sitting quietly sipping your morning coffee, and you don't know what the other kid next to you is doing on your behalf!!

And unfortunatley its quite difficult to defend against Firesheep because most sites only permits SSL connections during the initial log in, not while surfing, so while your user name and password are encrypted, your session ID is not, and it's available to all other machines on the same network, and as I mentioned, that kid next to you in Starbucks can act on your behalf on any account you are logged in on your machine!

The good news now is coming from Zscaler research team, they invented a Firefox add-on they called it BlackSheep, this BlackSheep won't secure your wireless data, and it won't prevent your information from being snooped by Firesheep per se, but it will alert you when Firesheep is in use on the network you're connected to so that you're aware, and shows you his IP address also, so it's up to you to call the cops then and let them catch this snooper kid red handed.

Here is all the info you need:

BlackSheep
==========
Version: 1.3
License Type: Free
Price: Free
Date available: Nov 12, 2010
Operating Systems: Windows XP, Windows Vista, Windows 7
Requirements: 32-bit Mozilla Firefox 3.5 or higher+ WinPcap
File Size: 3994 KB
Author: Zscaler

Download WinPcap from HERE
Download BlackSheep from HERE

Here is a youtube video link of of both (Firefox-Sheeps) in actions:
http://www.youtube.c...layer_embedded#!

[carloscape]

If you set your wireless network with WPA2-Personal would Firesheep still be a problem? How about if you enable wireless isolation within the router?

[Jamal H. Naji]

Thank you carloscape for your post and concern question,
you might find this article By Steven Andrés, of PC World useful to you and an answer to your concerns.

[Jamal H. Naji]

A new tool has been released today in a collaboration between the EFF - the Electronic Frontier Foundation and the TOR-project, this free tool offered to combat Firesheep Hackers, and is called HTTPS-EVERYWHERE, and it's a Firefox extension that contains enhancements specifically designed to foil Firesheep-inspired attacks. "It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks," asserted EFF Senior Staff Technologist Peter Eckersley. "And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal."

Read the full story by John P. Mello Jr., from PCWorld HERE.

Official download link of the HTTPS-EVERYWHERE tool HERE

[Nuno Brito]

I've visited their site and looks like a reliable tool, thanks for the update on this matter.

[dog]

If you set your wireless network with WPA2-Personal would Firesheep still be a problem?

Nope, you'd be safe from it.

A new tool has been released today

A new version of the tool, the tool has been available since at least July.

[Jamal H. Naji]

In addition to what we previously said about the Firesheep Firefox add-on that lets someone with virtually no hacking experience steal your identity when you visit a number of Web sites, including Facebook. Here's more bad news: Firesheep is far from the only privacy danger out there. There are plenty of powerful tools that hackers can use to steal private information from you not just specific Web sites, but wherever you are on the Web, or when you use other Internet services, such as client-based e-mail and instant messaging. The for-pay AlwaysVPN (pricing varies with bandwidth) does a great job of keeping you safe no matter what you do and where you go on the Internet.

AlwaysVPN uses Virtual Private Networking technology to encrypt all of your communications, and it's especially useful for those who connect at public Wi-Fi hot spots, where all communications are in the open and not encrypted.

Read more from Preston Gralla of PC WORLD HERE