Attacks/Breaches
11/9/2010
01:58 PM
50%
50%

Tools Gut Firesheep Cookie Hijacking Attack

BlackSheep, FireShepherd, and HTTPS Everywhere released to block controversial Firefox plug-in.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

Scared by the recent arrival of Firesheep, a controversial plug-in for Firefox that allows attackers to hijack your web sessions? The cookie-stealing tool, downloaded at least 600,000 times to date, works against users of a number of Web 2.0 websites, including Facebook, Twitter, and Flickr.

Now, however, free tools are appearing to help users defend themselves.

On Monday, SaaS security firm Zscaler released BlackSheep, a free Firesheep countermeasure. (As with Firesheep, Windows users must first install Winpcap.) BlackSheep works by making HTTP requests using fake variables to the websites watched by Firesheep. BlackSheep then detects and blocks Firesheep clients at work on the local network when they attempt to reuse the fake variables.

Meanwhile, Gunnar Atli Sigurdsson, a 21-year-old engineering students at the University of Iceland, released FireShepherd for Windows, "a small console program that floods the nearby wireless network with packets designed to turn off Firesheep." The tool has the added benefit of blocking Firesheep for anyone else using the same Wi-Fi connection.

Another workaround is HTTPS Everywhere, from the Tor Project and Electronic Freedom Foundation, which forces websites to SSL-encrypt every page. The only caveat is that websites must offer HTTPS.

Countermeasures aside, controversy continues to rage over whether Firesheep itself is good or bad. The goal of releasing it, according to its creator, Eric Butler, was to expose the lack of security inherent to using unencrypted Wi-Fi networks.

"Facebook is constantly rolling out new 'privacy' features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?" said Butler. Indeed, the necessary packet-sniffing tools, including free utilities such as NetStumbler and Kismet, have been available for years -- and Firesheep blockers won't even detect them.

Accordingly is it "mission accomplished" for publicizing Wi-Fi insecurity? "People have been living under the impression that capturing a session by stealing a cookie can only be done by skilled hackers with special tools. This has now changed," said F-Secure's chief research officer, Mikko Hypponen.

"What can users do right now? Force SSL on if you can. Don't use Wi-Fis without encryption. Or, use a VPN," said Hypponen. "If you have a VPN, always turn it on when you are on a hotspot, even if you're not 'working' but just surfing Facebook. All good VPN products will encrypt all of the traffic, even to Facebook."

Why not simply SSL-enable for Facebook, Twitter, and everything else under the sun? Many sites do use SSL, but only for encrypting logon information. With the exception of Gmail, few use SSL for the entire session.

Previously, using SSL took a bite out of performance. But today, said Google software engineer Adam Langley, "SSL/TLS is not computationally expensive anymore." In other words, "you too can afford to enable HTTPS for your users."

According to statements made by Facebook and Twitter, they're working on it.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

CVE-2013-6041
Published: 2014-12-27
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.

CVE-2013-6043
Published: 2014-12-27
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.

CVE-2013-6227
Published: 2014-12-27
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format param...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.