LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-26-2010, 05:00 PM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Plugin, FireSheep, Lays Open Web 2.0 Insecurity


Quote:
It's no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What's less clear is how much information is floating out there in the ether, especially with the rise of "Web 2.0" and rich social networking applications and other Web based sharing tools.

But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed "Firesheep," was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in "one-click" session hijacking feature.

Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP.
Complete Article
 
Old 10-26-2010, 05:42 PM   #2
hallamigo
Member
 
Registered: Feb 2004
Location: Utah, USA
Distribution: Debian
Posts: 230

Rep: Reputation: 31
The key part of all that being:

"Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP."
 
Old 10-27-2010, 08:12 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
New FireSheep-Style Tool Hijacks Twitter Sessions

Quote:
Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed "Idiocy" that does the same for insecure Twitter sessions.

There's a twist, though. Rather than just monitor the unsecured Web sessions, the new tool allows the attacker to post a warning message using the Twitter account of the unsuspecting user (can we call them "Twidiots"?)

The software is the creation of Jonty Wareing, a 26 year old software developer for Last.fm in London, UK. Wareing, who created idiocy "at 7 AM in a fit of irritation" and released it on github.com. The program "quitely (sp) watches for people unsecurely (sp) visiting twitter on public wifi networks, then hijacks their session to post a tweet warning them about the dangers," according to a description that accompanies the application.
Complete Article
 
Old 10-27-2010, 10:42 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Cooling Down the Firesheep

Quote:
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alone program.

The introduction of this tool reinforces the importance of websites configuring themselves to require secure connections.

Not too long ago we announced HTTP Strict-Transport-Security that can be used to, among other things, ensure your Facebook or Twitter cookies can't be sniffed by someone using a tool like Firesheep. In fact, it's built into Firefox 4.
Complete Post
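
An added example, not part of the quoted post or of any tool named in this thread: a small audit of one HTTP response for the two server-side gaps that let a session cookie travel in cleartext, namely a missing Strict-Transport-Security policy and a cookie set without the `Secure` attribute. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit one response for the gaps that cookie sniffing on an
# open network depends on. All header values below are constructed samples.
import re

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_response(scheme, headers):
    """scheme: 'http' or 'https'; headers: list of (name, value) pairs.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP (RFC 6797), so the
        # header gives no protection on this response even if present.
        findings.append("response served over plain HTTP")
    elif not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(hsts[0])
        if not max_age:  # absent, or max-age=0 which clears the policy
            findings.append("HSTS max-age missing or zero")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie over http://
            findings.append(f"cookie '{cookie_name}' lacks Secure")
    return findings

WEAK = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    print(audit_response("http", WEAK))
    print(audit_response("https", HARDENED))
```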
 
Old 11-08-2010, 04:41 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
BlackSheep Plugin Bites Back: Detecting FireSheep Hijack Attempts

Quote:
With more than 600,000 copies of the FireSheep browser plug-in downloaded in a matter of weeks, Web security firm zScaler have released a new Firefox plug-in, BlackSheep, in hopes of combating attempts by those using FireSheep to try to hijack their Web session.
Complete Article
 
Old 11-13-2010, 11:03 PM   #6
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Some obvious followup questions

  • So why does linuxquestions.org forums not use https? What will it take for website operators to recognize that the risks of not using https justify the additional costs? (Which will be less once everyone starts using https.)
  • One commentator said he didn't see why Firesheep cannot be used to sniff packets traveling over a "wired" network (assuming someone has plugged the sniffer into the network), and neither can I.
  • Why have no "major news organizations" recognized the importance of the January 2010 patent application in which Google clearly spelled out the scope and nature of their WiFi-router-packet-sampling-correlated-with-meter-scale-3D-geolocation operation? I know the significance has been explained to reporters...maybe their editors keep canning the story?

Last edited by Peufelon; 11-14-2010 at 12:12 AM.
 
0 members found this post helpful.
Old 11-14-2010, 09:10 AM   #7
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by Peufelon
  • So why does linuxquestions.org forums not use https? What will it take for website operators to recognize that the risks of not using https justify the additional costs? (Which will be less once everyone starts using https.)
The only thing that would need to be over https is the login page. The rest of the site is public info for the most part (besides PMs, etc).


Quote:
Originally Posted by Peufelon
  • One commentator said he didn't see why Firesheep cannot be used to sniff packets traveling over a "wired" network (assuming someone has plugged the sniffer into the network), and neither can I.
Wifi is (kind of) in a promiscuous state all the time because it does not know where to send the info like a switch does (ex. port 2 blade 3). Wifi knows that it's somewhere close but does not know exactly where, and since it's using radio communications it just sends it out the antenna. Firesheep will work on a wired connection if you put it at a border switch and set up a span port on the switch so that it can see all the network traffic.

Quote:
Originally Posted by Peufelon
  • Why have no "major news organizations" recognized the importance of the January 2010 patent application in which Google clearly spelled out the scope and nature of their WiFi-router-packet-sampling-correlated-with-meter-scale-3D-geolocation operation? I know the significance has been explained to reporters...maybe their editors keep canning the story?
The majority of the general population does not really care about it. They need to post the major stories that bring in money. CNN, FOXNews, etc. are all in the market to make money so they talk about what is going to help bring in the most revenue.

Worry about your network and your systems. There will ALWAYS be unsecured wireless connections or un-encrypted connections (http, telnet, etc) until they remove the option to do something unencrypted. They would have to remove http and telnet protocols in order to get it to stop (which will never happen).

Do you really care that your weather.com search to check the forecast for today was unencrypted? I know I do not.


These types of things should be planned for and accounted for ahead of time if possible.

I don't care if the wifi at starbucks is unencrypted because the first thing I do after connecting is start the connection to my vpn with certificate based authentication.
 
1 members found this post helpful.
  

