Details here: http://steve.grc.com/2010/10/28/why-fir ... -has-come/
Basically this is a session cookie hijack and it's been exploitable for years, it just used to take some L33t skillz to do it. Not anymore. Firesheep is a Firefox plugin that lets you access web accounts that other users on an open Wifi hotspot are using, making it very simple with an easy to use UI.
For instance, if you're running Firesheep at a Starbucks, and someone else was using Starbucks' Wifi to access their Facebook account, you could access their Facebook account and do anything they can with it EXCEPT change the password (most sites require that you type in the old password in order to change it).
It doesn't grab passwords, and passwords are generally passed via SSL nowadays by even the most careless Web 2.0 site. The problem is that once you log in, most sites just maintain your presence with a non SSL session cookie. Any non SSL session cookie can be intercepted by a man in the middle attack and someone could then access whatever site you're on as if they were you during that session.
What can you do? What you should have been doing all along. OPEN WIFI IS NOT SECURE. Don't access any web sites that don't maintain FULL SSL during the entire session. All Google services for instance maintain a full SSL connection - a change Google made a year ago just for this reason.
The trouble is that for a non-techie it's hard to know if your service doesn't force SSL for the whole session. One way to know is to check the list of services that Firesheep can hack. If it's on the list, it's not properly secured. That's why these hackers released it - to force these services to secure their systems.
Another option would be to use a VPN or a remote access app/service like TeamViewer, GoToMyPC or LogMeIn to access your home computer and then browse from there. All these remote access services use an encrypted SSL connection.
If you are running an open Wifi hotspot yourself, or you know someone who does, this can EASILY be blocked by just enabling WPA encryption and making the password public if you want other people to use it (for instance a Starbucks could just use the word "Starbucks" as the password). This is because WPA isolates every user on a wireless network on their own secure connection, even if you're all using the same WPA password.
Firesheep: Be aware of what's not safe to do on open Wifi
- FlyingPenguin
- Flightless Bird
- Posts: 33161
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
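As an added illustration of the weakness the post describes (not code from the post or from Firesheep): a small Python checker that takes a response's URL scheme, status and headers, and flags session cookies that lack the Secure attribute (so the browser would also send them over plain HTTP) as well as plain-HTTP pages that are not redirected to HTTPS. The cookie-name pattern and the sample responses are constructed assumptions.

```python
"""Audit HTTP responses for the weakness Firesheep exploits: a session cookie
that the browser will also send over plain HTTP, where anyone on the same
open Wi-Fi can read it.  The responses below are constructed samples."""
import re

# Cookie names that usually carry the logged-in session (assumption; extend as needed).
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|login|token)", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, {attribute: value}).

    Attribute names are lowercased; flags such as Secure map to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(scheme, status, headers):
    """Return a list of findings for one response.

    scheme:  'http' or 'https' (the URL the response came from)
    status:  integer HTTP status code
    headers: list of (name, value) pairs; Set-Cookie may repeat
    """
    findings = []
    # A page served over HTTP without a redirect keeps the user off SSL.
    if scheme == "http" and not 300 <= status < 400:
        findings.append("plain-HTTP page served without redirecting to HTTPS")
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        # Without Secure, the browser sends the cookie on every HTTP request too.
        if SESSION_NAME_RE.search(name) and "secure" not in attrs:
            findings.append(f"session cookie {name!r} lacks the Secure flag")
    return findings


# Constructed samples: a site that keeps the session on a plain cookie after
# login, and one that stays on HTTPS and marks its cookie Secure.
SAMPLES = {
    "leaky": ("http", 200, [("Content-Type", "text/html"),
                            ("Set-Cookie", "sessionid=abc123; Path=/")]),
    "hardened": ("https", 200, [("Set-Cookie", "sessionid=abc123; Path=/; Secure")]),
}

if __name__ == "__main__":
    for label, (scheme, status, headers) in SAMPLES.items():
        print(label, audit_response(scheme, status, headers) or ["ok"])
```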
- EvilHorace
- Life Member
- Posts: 6611
- Joined: Wed Nov 22, 2000 7:14 am
- Location: Greenfield, WI
Yeah, personally I don't ever need to be on the internet at Starbucks, MCD's, Arby's or at any place where there's an open network. My iPod Touch plays Pandora at work (not an open network either) but that's about it. I don't understand the "need" for a valid Facebook acct. I made a fake one just so I can view them but that's about it.
http://www.securitynewsdaily.com/firesh ... tack-0248/
possible solution in the works...limited, but better than nothing if you need it.
- FlyingPenguin
- Flightless Bird
- Posts: 33161
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
Blacksheep lets you know if someone is running Firesheep on your Hotspot:
http://www.downloadsquad.com/2010/11/08 ... r-network/
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez