It's no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What's less clear is how much information is floating out there in the ether, especially with the rise of "Web 2.0" and rich social networking applications and other Web based sharing tools.
But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed "Firesheep," was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in "one-click" session hijacking feature.
Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP.
Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed "Idiocy" that does the same for insecure Twitter sessions.
There's a twist, though. Rather than just monitor the unsecured Web sessions, the new tool allows the attacker to post a warning message using the Twitter account of the unsuspecting user (can we call them "Twidiots"?)
The software is the creation of Jonty Wareing, a 26 year old software developer for Last.fm in London, UK. Wareing created idiocy "at 7 AM in a fit of irritation" and released it on github.com. The program "quitely (sp) watches for people unsecurely (sp) visiting twitter on public wifi networks, then hijacks their session to post a tweet warning them about the dangers," according to a description that accompanies the application.
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alone program.
The introduction of this tool reinforces the importance of websites configuring themselves to require secure connections.
Not too long ago we announced HTTP Strict-Transport-Security that can be used to — among other things — ensure your Facebook or Twitter cookies can’t be sniffed by someone using a tool like Firesheep. In fact, it’s built into Firefox 4.
With more than 600,000 copies of the FireSheep browser plug-in downloaded in a matter of weeks, Web security firm zScaler have released a new Firefox plug-in, BlackSheep, in hopes of combating attempts by those using FireSheep to try to hijack their Web session.
So why do the linuxquestions.org forums not use https? What will it take for website operators to recognize that the risks of not using https justify the additional costs? (Which will be less once everyone starts using https.)
One commentator said he didn't see why Firesheep cannot be used to sniff packets traveling over a "wired" network (assuming someone has plugged the sniffer into the network), and neither can I.
Why have no "major news organizations" recognized the importance of the January 2010 patent application in which Google clearly spelled out the scope and nature of their WiFi-router-packet-sampling-correlated-with-meter-scale-3D-geolocation operation? I know the significance has been explained to reporters...maybe their editors keep canning the story?
Quote:
Originally Posted by Peufelon
So why do the linuxquestions.org forums not use https? What will it take for website operators to recognize that the risks of not using https justify the additional costs? (Which will be less once everyone starts using https.)
The only thing that would need to be over https is the login page. The rest of the site is public info for the most part (besides PMs, etc).
Quote:
Originally Posted by Peufelon
One commentator said he didn't see why Firesheep cannot be used to sniff packets traveling over a "wired" network (assuming someone has plugged the sniffer into the network), and neither can I.
Wifi is (kind of) in a promiscuous state all the time because it does not know where to send the info like a switch does (ex. port 2 blade 3). Wifi knows that it's somewhere close but does not know exactly where, and since it's using radio communications it just sends it out the antenna. Firesheep will work on a wired connection if you put it at a border switch and set up a span port on the switch so that it can see all the network traffic.
Quote:
Originally Posted by Peufelon
Why have no "major news organizations" recognized the importance of the January 2010 patent application in which Google clearly spelled out the scope and nature of their WiFi-router-packet-sampling-correlated-with-meter-scale-3D-geolocation operation? I know the significance has been explained to reporters...maybe their editors keep canning the story?
The majority of the general population does not really care about it. They need to post the major stories that bring in money. CNN, FOXNews, etc are all in the market to make money so they talk about what is going to help bring in the most revenue.
Worry about your network and your systems. There will ALWAYS be unsecured wireless connections or un-encrypted connections (http, telnet, etc) until they remove the option to do something unencrypted. They would have to remove http and telnet protocols in order to get it to stop (which will never happen).
Do you really care that your weather.com search to check the forecast for today was unencrypted? I know I do not.
These types of things should be planned for and accounted for ahead of time if possible.
I don't care if the wifi at Starbucks is unencrypted because the first thing I do after connecting is start the connection to my vpn with certificate based authentication.
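The excerpts quoted at the top of the thread name two site-side defences: requiring secure connections and HTTP Strict-Transport-Security. The following is an added example, not part of the thread or of any tool mentioned in it, that audits the response headers of an HTTPS page for the two settings that keep a session cookie off plain HTTP. The sample headers are constructed, and the cookie-name heuristic is an assumption.

```python
import re

# Constructed sample HTTPS responses as (header, value) pairs; not captured traffic.
LOGIN_ONLY_TLS = [
    ("Set-Cookie", "session_id=3f9a; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=3f9a; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Assumed heuristic for spotting session cookies by name.
SESSION_NAME = re.compile(r"(sess|sid|auth|token)", re.I)

def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent or invalid."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
            return int(m.group(1)) if m else None
    return None

def audit(headers):
    """List findings that leave a session cookie readable on an open network."""
    findings = []
    if not hsts_max_age(headers):  # absent, unparsable, or max-age=0 (policy removed)
        findings.append("no effective Strict-Transport-Security header")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if SESSION_NAME.search(name) and "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure; sent over plain HTTP too")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS), ("hardened", HARDENED)):
        print(label, "->", audit(hdrs) or "ok")
```

A cookie without the Secure attribute accompanies every later plain-HTTP request to the site, which is the traffic the tools described above watch for.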