Firesheep Detection and Defence with FireShepherd [and BlackSheep]
When Firesheep intercepts a valid session cookie for the sites it supports, it automatically makes its own request to that site using that session. Just as the Firesheep user can intercept network traffic over wifi, so can the normal users, so this behaviour means that Firesheep itself is detectable.
By transmitting a request to Facebook, Twitter or Google with a fake session ID, and monitoring the network using Wireshark, it is possible to look for follow-up connections from another host, using your fake session ID. By performing this ‘reverse attack’ on loop, it’s possible to flood the attacker’s Firesheep window with tons of invalid sessions. Note that this doesn’t protect you entirely, and any valid login to these sites will still be intercepted by Firesheep. But it’s possible to detect whether a Firesheep user is on the network.
Someone has released FireShepherd (currently Windows only), a tool that automates the flooding of invalid sessions, supposedly temporarily killing Firesheep running on the local network. Note that FireShepherd doesn’t detect the presence of Firesheep on the network.
[Updated] BlackSheep, a Firefox plugin, has been released which alerts the user if Firesheep is in use on the network. It does this using the method described above.
Intercepting Unencrypted Sessions with Firesheep
Firesheep, a new Firefox extension that allows you to intercept unencrypted sessions being transmitted over the network, has been released by Eric Butler. Taking advantage of websites that don’t use SSL by default, such as Facebook and Twitter, Firesheep uses network-sniffing to intercept the cookies used to transport session IDs (also known as sidejacking). Note this attack will work over Wifi by default, but will require extra work on a switched wired network.
Once Firesheep has intercepted a user’s cookie over the network, it allows you to be logged in as that user. The concept of session-stealing is as old as the internet, but to have a Firefox extension that does it in such a user-friendly manner is great. It’s also a lot more dangerous as it makes this attack so much easier for any unskilled attacker to carry out.
Protecting Yourself
The are a couple ways of protecting yourself from sidejacking attacks. The first and foremost is to ensure that you use SSL when visiting popular or particularly sensitive web services, including Gmail, Hotmail, Facebook, Twitter, or any other site that’s of importance to you (online banking?). The best way of doing this is to make sure your bookmarks (or the URL you type in) starts with “https://”, and that no SSL certificate errors appear. Another Firefox plugin, HTTPS Everywhere, from the privacy advocates over at the Electronic Frontier Foundation (EFF), enforces SSL on predefined sites. You can also protect your searches by using Google over SSL (encrypted.google.com).
Another way of protecting yourself is to channel your browser traffic through a VPN or SSH Tunnel. Your data is then sent through an encrypted link to a remote host (preferably one you control), before being sent to the destination.
Installing Firecat
Firebug runs in Firefox on Mac OS X and Windows, however Windows users will need to install WinPcap first. After downloading the extension file (xpi), simply open it by going to File -> Open File (you will need to restart Firefox). To clarify some confusion, once you’ve installed the extension, you need to go to View -> Sidebar -> Firesheep to enable it, and click Start Capturing.
Give it a try for yourself.
[Update] Detecting and protecting against Firesheep with FireShepherd.
Facebook Introduces One-time Passwords and Remote Log-out
Hot on the heels of my last post about Facebook’s Suspicious Login Tracking,the social networking site has just introduced two additional authentication/session security mechanisms. The first news item is the introduction of one-time passwords, with the aim of increasing account security for those who log into Facebook on public or shared computers.
The proposed one-time password mechanism would require you to register your mobile phone number with Facebook. You would then be able to text “otp” to 32665 (currently U.S. only), and Facebook would send back a single-use password for your account that expires after 20 minutes. This feature will become available in the coming weeks.
Although it’s a good idea in theory, and helps mitigate against malware or key loggers, it also makes targeted attacks more easy to perform. It is easy to lose one’s phone, or even leave it unattended. If an attacker can get to your phone for a minute, they may be able to get a one-time password for your account. How Facebook actually implements this remains to be seen.
The second feature they introduced, available now, is the ability to remotely sign-out a session. Remember that time you logged in to Facebook at your friend’s house, and forgot to log out, resulting in a slew of embarrassing posts and images being posted on your behalf? With this feature you may have been able to prevent that by logging in to Facebook and then killing that session. I think this is a great feature, and would be useful in other long-session-based services such as Gmail.
You can find this by going to Account -> Account Settings ->Account Security. Your current session will be showed under ‘Most Recent Activity’. If you see anything under ‘Also Active’ that you don’t recognise, just click ‘end activity’ and Facebook will delete the server-side session ID for that session.
Loading ...
