[tech] ALERT: FIRESHEEP: Man-in-the-Middle now in Convenient Firefox Plug-In!

Oct 27, 2010 13:10

Via ms_danson (you slackers): Firesheep In Wolves' Clothing: Extension Lets You Hack Into Twitter, Facebook Accounts Easily

Holy !@#$. Massive popular man-in-the-middle credential-stealing attacks on popular web 2.0 sites are no longer hypothetical. You too can sidejack people's accounts, thanks to firesheep, a handy, convenient Firefox plug-in for packet sniffing the login transactions of Facebook, Twitter, and other popular sites, which has just been released to the public. (Free as in beer! Free as in speech!)

Once you've installed firesheep and started[*] it, you're presented with a continuously updating menu of accounts that other folks on the same local network (e.g. public wifi network) have logged into. With the click of a mouse, you may take over their accounts! From the article:

As Butler explains in his post, "As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed" in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user's site with their credentials.
[* An act that, since firesheep is a packet sniffer, is a massive violation of many ISPs' Terms of Service, grounds for termination from many jobs, and expulsion from many colleges. Just because it is specialized and has a slick and convenient user interface doesn't make it not a packet sniffer. In fact, this is precisely why packet sniffers are srlyomg forbidden.]

Extensive use in the wild has already been reported. The built-in list of sites firesheep can compromise is:

Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp.
However, since anyone can write and share plug-ins for the services they want to hack into (and there have already been contributions of new services over on GitHub), expect LJ and DW to join that list very fast.

NOTE: Gmail already confronted this exact problem and offered its users end-to-end encryption. If you took the advice and turned this feature on (actually, I think it's now opt-out, so you may be fine if you just didn't turn it off), I think your gmail account is fully protected from this attack. Here's discussion and instructions.

Now, I expect the article got something wrong. From the article:

Anytime you're using an open Wi-Fi connection, anyone can swiftly access some of your most private, personal information and correspondence (i.e. direct messages, Facebook mail/chat) -- at the click of a button. And you will have no idea.
Absolutely true. Open Wi-Fi connections are now very dangerous. But firesheep presumably works just fine on "closed" Wi-Fi connections, too, if they only require username/password and aren't encrypted. For that matter, given my understanding of ethernet and cable, I don't see why it wouldn't work on those, as well. (Can someone who knows comment? I have yet to get this working on my home computer to test.) Unless you're using encryption, anyone on the same local network as you can sniff your packets. Presumably, this is as true for the ethernet in your dorm or office, and as true for the cable loop in your apartment building or neighborhood, as it is for Wi-Fi. And the people on those networks might have much more specific reasons for wanting to compromise your accounts. That sophomore you snubbed at the dance, that neighbor who keeps complaining about your dog, your pissy 15-year-old, the mean kids who think you're fun to pick on, that creep down in accounting who is always prying into everyone's business. ETA: See comments. If a network setup is sufficiently old, it might still have this vulnerability (which in the early days of cable modems was the source of much hilarity), but modern cable and ethernet hardware mostly get it right, with some lingering snags.

This is also incredibly dangerous for anyone who has been using web 2.0 sites for moral or other support, who has been planning to leave an abuser or who is being stalked. Especially if that person has been using the same home/business/school/public network as their abuser/stalker. ETA: again, see the comments. If your abuser is your de facto sysadmin, you're in trouble, but that should not be news. Wires are statistically much more likely to be safe than wifi.

Things you can do to protect yourself

This article, also from TechCrunch, discusses two Firefox plug-ins that will protect Firefox users' accounts on many, but not all, of the targeted sites. It can't protect, e.g., parts of Amazon accounts (and it wouldn't be able to protect LJ or DW, because neither has the requisite feature), but it does protect FB, Twitter, and "Google" -- which, I don't know if that's all google services or what.

Obviously, a Firefox plug-in doesn't help IE, Chrome, Opera, Camino, etc. users.
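As an added example (written for this page; not part of the original post, of Firesheep, or of the plug-ins the TechCrunch article discusses): the reason a browser plug-in can only protect sites that have "the requisite feature" is that the fix really belongs to the site. Sidejacking works because the site hands the browser a session cookie that the browser will also send over plain HTTP, where anyone on the shared network can read it. The script below audits a site's HTTP response headers from the defender's side: does a plain-HTTP request get redirected to https://, does every Set-Cookie carry the Secure attribute (so the browser will only send it over TLS), and, going beyond what the post covers, is the Strict-Transport-Security header present (a mechanism browsers adopted after this post was written). The three responses it runs over are constructed samples, not captures from any real site; example.com and the session value are placeholders.

```python
"""Audit HTTP response headers for the properties that let a session cookie be
sniffed and replayed on a shared network. Added example; all sample responses
below are constructed, not captured from any real site."""
from dataclasses import dataclass

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class CookieInfo:
    name: str
    secure: bool  # Secure attribute present: browser sends the cookie only over TLS


@dataclass
class HeaderAudit:
    status: int
    redirects_to_https: bool
    has_hsts: bool
    cookies: list
    findings: list  # human-readable problems; empty when nothing was found


def parse_response(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, [(name, value), ...]).
    Header names are lower-cased; duplicate headers (several Set-Cookie lines) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value: str) -> CookieInfo:
    """Read the cookie name and whether the Secure attribute is set."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return CookieInfo(name=name, secure="secure" in attrs)


def audit(raw: str, requested_over_https: bool) -> HeaderAudit:
    """Evaluate one response. requested_over_https records which scheme the
    client used, because browsers only honour HSTS received over TLS."""
    status, headers = parse_response(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    redirects_to_https = status in REDIRECT_STATUSES and any(
        v.lower().startswith("https://") for v in values("location"))
    has_hsts = bool(values("strict-transport-security"))
    cookies = [parse_set_cookie(v) for v in values("set-cookie")]

    findings = []
    if not requested_over_https and not redirects_to_https:
        findings.append("plain-HTTP request answered in the clear instead of "
                        "redirecting to https://")
    for c in cookies:
        if not c.secure:
            findings.append(f"cookie {c.name!r} lacks the Secure attribute, so the "
                            "browser will also send it over plain HTTP where it can "
                            "be sniffed and replayed")
    if requested_over_https and not has_hsts:
        findings.append("no Strict-Transport-Security header: later visits may "
                        "still start over plain HTTP")
    return HeaderAudit(status, redirects_to_https, has_hsts, cookies, findings)


# Constructed sample responses (placeholders, not real sites or real cookies).
SIDEJACKABLE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=EXAMPLE_SESSION_ID; Path=/; HttpOnly",  # no Secure
    "", "<html>...</html>",
])
REDIRECT_TO_HTTPS = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://example.com/",
    "",
])
HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000",
    "Set-Cookie: session=EXAMPLE_SESSION_ID; Path=/; Secure; HttpOnly",
    "", "<html>...</html>",
])


def audit_samples() -> dict:
    """Run the audit over the three constructed responses."""
    return {
        "sidejackable": audit(SIDEJACKABLE, requested_over_https=False),
        "redirect": audit(REDIRECT_TO_HTTPS, requested_over_https=False),
        "hardened": audit(HARDENED, requested_over_https=True),
    }


if __name__ == "__main__":
    for label, result in audit_samples().items():
        print(f"{label}: {result.findings or ['no issues found']}")
```

The "sidejackable" sample is the shape of site the post is worried about: served in the clear, with a session cookie that has no Secure attribute. The "hardened" sample is what a plug-in that forces HTTPS needs the site to already provide; a plug-in cannot add the Secure attribute or the HTTPS redirect on the site's behalf, which is why LJ and DW fall outside what those plug-ins can protect.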

In the meanwhile, you may want to think hard about just who you are or may be sharing your network with before you log in to a web 2.0 site "in the clear".

If you are using a service for email that, unlike Gmail, does not provide for end-to-end encryption... what are you waiting for? Get a flipping Gmail account already. I expect Gmail will be able to grab your emails from the other service, and usually there's a variety of mechanisms to help you migrate or co-operate with other email services.
