
ATS Hackers and Gurus: What do you think about this? Firesheep


posted on Oct, 26 2010 @ 10:34 PM
link   
Browser Plugin Makes Wi-fi Hacking Easy


A new Firefox feature called “Firesheep” can be used to easily hack into a person’s computer over a public Wi-Fi network and gain access to several popular sites, including Facebook, Twitter, and Amazon.

An add-on to the Mozilla Firefox browser, Firesheep allows someone to view the networking session identification and authentication codes – cookies – being sent from the public Wi-Fi network to each computer logged on to it. Access to that information affords the hacker the same unimpeded privileges as the computer's rightful user.


Out of curiosity, I looked up this add-on on Firefox and this is the first add-on that I've run across that offers no information to the user about its function or about its developer.

According to the Livescience article, the developer wrote on his blog:


“Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win.”


So, who is this a "win" for?

edit on 26-10-2010 by LadySkadi because: removed a link



posted on Oct, 26 2010 @ 10:36 PM
link   
reply to post by LadySkadi
 


Yeah, this is like breaking into houses to convince people to get better locks.



posted on Oct, 26 2010 @ 10:38 PM
link   
Well that's one Firefox update I'll avoid when I get back home. Right now I'm visiting a friend.

This is just Amazing that he supposedly wrote a blog and admitted it.



posted on Oct, 26 2010 @ 10:40 PM
link   
Sounds like something that can really push the population to "demand" a safer network, being many people conduct personal and business activities online these days.

Sounds like those who have something to gain, are those who hate the Internet as it is.

The more things like this that come down the pipe, the more people we will see parroting the "new better Internet" that is ultra-censored and controlled in order to keep it "safe".

So safe in fact, that you will have to pay huge fees $$$ for access to limited websites with limited content and restrictions everywhere.

But doesn't "safe" = "BORING as hell"?

Seems like it.

edit on 26-10-2010 by muzzleflash because: (no reason given)



posted on Oct, 26 2010 @ 10:41 PM
link   
His blog entry in which he talks about Firesheep after release:

Here

100,000+ downloads and counting...




posted on Oct, 26 2010 @ 10:41 PM
link   
I'm not surprised.

Although it really doesn't work all that well, anybody with a decent security software package can easily block this program from phishing for information.

Sure I like the idea, create an intrusive program in order to have people be more conscious of internet security, there's a big need to improve that. Although it's usually under the guise of protectionism and internet censorship.

~Keeper






posted on Oct, 26 2010 @ 10:47 PM
link   
i don't know but i'm having a hard time absorbing my observation that everybody seems to be trying to feed everyone else's fears. there's already a so-called fix for firesheep.



posted on Oct, 26 2010 @ 10:48 PM
link   
I'll re-post what I said yesterday about this in the original thread:


Just to add so that you don't go causing mass panic;

This won't work on your SECURE WIFI at home, or if you use a normal Home Router connected to your ADSL. In other words, most home users of the internet have nothing to fear of this, unless you just plugged everything in right out of the box and did nothing else.

It only works on a LAN - or a Local Area Network - where you and others using same Network (Not the same ISP) share one access point. The average home internet user who is not using Unsecure WIFI or is using a Wired ADSL setup connected to your phone line, will not be able to either use this tool, or have it used on you.

It would work extremely well at a WIFI hotspot. So in that you would want to be very wary of what you connect to if out in Public.

(You know how people around here are, you give them something and they make a mountain out of it.. you have to spell it out for them!!)


Original thread



posted on Oct, 26 2010 @ 10:48 PM
link   
reply to post by toreishi
 


Well done!

I knew it would not take long for somebody to counter this. Anything is easy on the interwebz these days.

Thanks for posting.

~Keeper



posted on Oct, 26 2010 @ 10:50 PM
link   
Oops - I missed the original thread. Thanks for bringing that up. And just to clear up any misconceptions, I wasn't intending to "feed any fears" it was simply a question about what the add-on could actually do vs what it claims it can do, hence the posting in the science and tech forum.
edit on 26-10-2010 by LadySkadi because: (no reason given)



posted on Oct, 26 2010 @ 10:57 PM
link   
reply to post by toreishi
 


So, an extension is needed to "work around" the original extension... geez.




posted on Oct, 26 2010 @ 11:20 PM
link   
when it comes to the internets, this is how you get stuff done the fastest.



posted on Oct, 26 2010 @ 11:33 PM
link   
This won't work with most people's laptops, the network card can't enter into "promiscuous" mode (a requirement for this add-on). TBH the FF add-on isn't doing anything hackers on a wifi network can't already do, this just brings it to the masses.

A FF add-on called "Force-TLS" will prevent anyone from tracking your web activity over an open wifi network.



posted on Oct, 26 2010 @ 11:37 PM
link   

Originally posted by LadySkadi
Oops - I missed the original thread. Thanks for bringing that up. And just to clear up any misconceptions, I wasn't intending to "feed any fears" it was simply a question about what the add-on could actually do vs what it claims it can do, hence the posting in the science and tech forum.
edit on 26-10-2010 by LadySkadi because: (no reason given)


hehe I wasn't referring to you causing fear, I didn't mean the post to sound that way. It's just that's just how ATS works most of the time, and I was hoping to get people to consider it before jumping on the Zomg Im being haxorzed !!11 posts..

Besides, the other thread appears to have gone dormant, it's not surprising you missed it.

Oh one thing however, when I checked the other thread, the link to the plugin had been deleted by a mod, referring to the T&C about hacking.




Oh lol, you already removed it
edit on 26/10/2010 by badw0lf because: Im a slow today!!



posted on Oct, 26 2010 @ 11:39 PM
link   
reply to post by Blackmarketeer
 


There is a program which can be installed which sets up drivers to allow almost all network cards to go into promiscuous mode. It's even promoted on the link to the main blog site.

You are right. Cain and Abel has allowed this for years (Albeit in a lot less GUI fashionable way) and this does just bring it to the masses.

But think of all the university students, WiFi poachers and unknowing business people who will get duped by this over the next few weeks.

Everything is about to go HTTPS.

-m0r



posted on Oct, 26 2010 @ 11:43 PM
link   
reply to post by badw0lf
 


Ok. Thanks for the heads up. I just went back and deleted the link I provided to the extension too.
Not needed anyway, it's easy enough to look up if anyone wants to...



posted on Oct, 26 2010 @ 11:46 PM
link   
reply to post by m0r1arty
 


I look forward to this so long as the mobile phones keep up. I recently went through a bit of fuss because a certificate provider merged with another company and the certs changed... my android phone did not get an update to reflect this so all sites using that are not trusted by default.. *sigh*

Certificate based security is great.. but the technology is still moving out of pace with itself.



posted on Oct, 26 2010 @ 11:54 PM
link   
reply to post by rogerstigers
 


I agree that the tech isn't as quick as it should be yet.

However since you are using Android I think you'll see that eventually (sort of like Windows for drivers) all sites that do update will do so through Google Chrome. 1 place to implement changes which will update and have a knock on effect for everything under that hierarchy.

I don't know if any other browser will be so ingrained with the Cloud as Google - but it's a start I suppose.

I mean if 15 years ago someone told you you would have a GPS, augmented reality, high speed internet capable, mobile telephone with lots of free perks added onto it which integrated with your work and/or home computer you would have laughed them out of existence.

So who knows what'll be like in 15 more years.

I do hope talking smilies aren't there.

-m0r



posted on Oct, 26 2010 @ 11:54 PM
link   

Originally posted by Blackmarketeer
This won't work with most people's laptops, the network card can't enter into "promiscuous" mode (a requirement for this add-on). TBH the FF add-on isn't doing anything hackers on a wifi network can't already do, this just brings it to the masses.

A FF add-on called "Force-TLS" will prevent anyone from tracking your web activity over an open wifi network.


Force TLS only works if the router is also serving tls. One sided encryption never works. After your information leaves your router, it will still be in plain text. So this will only help on your local network.


Originally posted by tothetenthpower
I'm not surprised.

Although it really doesn't work all that well, anybody with a decent security software package can easily block this program from phishing for information.
~Keeper


There is no local security package that can stop you from sending plain text over an open network. Kismet has been doing this for years, and has been very effective. (see google taps into open wifi thread)

The reason a local security package cannot stop this is because you have already sent the data when it's being intercepted. It's a lot like throwing a ball to someone and a third party catching it in flight..reading and weighing the ball then sending it along the original flight path. WEP is also relatively insecure. Kismet contains packages to decrypt common WEP algorithms.

For the most part neither you, nor the government really wants your data to be secure. If they did, it would already be. It is true though that most network cards being shipped do not have a promiscuous mode, so the software doesn't work on those systems.


Originally posted by toreishi
i don't know but i'm having a hard time absorbing my observation that everybody seems to be trying to feed everyone else's fears. there's already a so-called fix for firesheep.


This fix will not work unless the connection you're trying to make supports an ssl connection.


HTTPS encrypts user data, so if a script like Firesheep’s tries to pull it, it can’t be read. Force-TLS forces a number of sites to make all of their requests over an SSL secured channel and while some sites, like Amazon, don’t currently have the secure option, the majors like Facebook, Twitter, Google, etc all allow a HTTPS connection.


As there is a cost for SSL certs and a limit that can be installed on shared hosts many sites will simply not have an SSL connection. Try visiting Abovetopsecret

..Ex
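
Added example, not part of any post in this thread: the posts above turn on whether a site's session cookie ever travels over plain HTTP. This Python sketch checks a response's headers for the two server-side settings that decide that, the Secure cookie attribute and the Strict-Transport-Security (HSTS) header; the sample responses, cookie names and the audit() helper are constructed for illustration.

```python
# Added example; every header value and cookie name here is constructed.

WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
"""

HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
"""


def parse_headers(raw):
    """Return [(lowercased_name, value), ...] from a raw response head."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    return [(n.strip().lower(), v.strip())
            for n, _, v in (l.partition(":") for l in lines[1:])]


def parse_set_cookie(value):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw, scheme):
    """List the ways this response lets a cookie cross the network unencrypted."""
    headers = parse_headers(raw)
    findings = []
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP, so nothing else helps.
        findings.append("response served over plain HTTP")
    elif not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS header: later http:// requests are not upgraded")
    for n, v in headers:
        if n == "set-cookie":
            cookie, attrs = parse_set_cookie(v)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure: sent over http:// too")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw, "https"))
```

An empty list means the response neither arrived in clear text nor leaves a cookie eligible to be sent that way on a later request.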


