Free Wireless Surfing Is No Longer Secure

If you use free wireless hotspots (Panera, Starbucks, etc.), there is a new Firefox addon called Firesheep that allows ANYONE using the addon to pull your unencrypted cookies out of the air (cookie-jacking).  Once a user has your cookies, it’s a small jump to take over your webmail, facebook or twitter accounts.

THIS IS NOT A BUG THAT IS EASILY FIXED.  The problem exists because HTTP is not secure.  While user log on pages are secure, once you’re in, the security is lax…which allows unencrypted cookies to flow.

I easily downloaded the plugin and watched the traffic flow on my internal network.  It’s downright scary.

Right now, there are only 2 surefire ways to make sure your surfing is secure:

1. Only use websites that use https:// “s” is for secure.

2. Use a VPN to securely log into a corporate computer and use that internet instead.

An alternative is to download and install the firefox addon HTTPS Everywhere.  This automatically routes you to HTTPS sites for Twitter, Facebook, Google and many more.  This addon works really well and instantly redirects most of my websurfing to the alternate https site if there is one.

If you can help it, try not to use public wireless connections.  If you have to, take the necessary precautions NOW so your cookies can’t be hijacked!


6 Responses

  1. This isn’t just WiFi, this is a valid threat for any LAN.
    Also be wary that if your wireless is unencrypted at home, you are leaving yourself vulnerable to this type of attack. However, this isn’t anything new, as it has been around for ages; the only difference now is that it was made a little easier.

    For those of you who want to understand the attack a little more in depth I have written up a very simple tutorial on performing a session hijack without Firesheep.

  2. Aaron. All good points but the fact that this is now a simple plug-in for Firefox scares the pants off me. You don’t even need to be a script kiddie anymore to sniff the stuff around you.

    Again I will harp on security.
    1. Wireless security at home (lock down your router)
    2. Computer security when out and about (use HTTPS when possible)
    3. Keep your anti-virus up to date
    4. Oh, and for heaven’s sake, BACK UP YOUR DATA!

  3. Point and click running of some Firefox addon to allow you to capture cookies is the definition of a script kiddy.

    Attacks on open wireless have been pretty well known and covered in the Media for sometime Best Buy and TJ Max are some of the more well publicized examples.

    Last year an attack(SSLstrip) was published showing the weakness of websites that redirected from http to https

    As for the other comments about locking down your home wireless hiding the SSID and MAC filters are not acceptable security measures. At this time using WPA2 with a unique SSID and a strong pass phrase should be the only acceptable method. WEP is inherently insecure and was never designed to be a high security method of protecting data also using default SSIDs(linksys, netgear, home) leaves users open to precomputed passphrase cracking via rainbow tables.

    I would also suggest using https at all times not just when out and about.

    Signature based anti virus will sadly not protect you from most malware and drive by attacks. FireFox + NoScript is a fairly good combination in preventing most web based attacks.

    Users really need to stay vigilant in keeping their 3rd party applications(adobe, quicktime) updated Secunia PSI is a great free app for doing this.

    Adobes plans on implementing a a sandbox around their product in January this should cut down on the weekly 0day vulnerabilities being published in their software.

  4. Zscaler has developed a free Firefox add-on called Blacksheep that warns when someone on the same network is using Firesheep.

    I have not tried the tool, so cannot provide any recommendations on it.

    • This tool gives a false sense of security. It sends out multiple cookies every X-minutes and detects if someone tries to use those cookies.

      Problem is, how long do you wait before you ‘think’ you’re safe? What if the cookie that’s captured is really your good one and not a bogus one from this app?

      Best bet is to be diligent. Only use HTTPS or VPN to surf in public settings, and make sure your wireless network is encrypted.

    • This only detects one specific tool there are multiple other tools to capture traffic and execute this attack.

      There is a link above explaining the technical details of the attack.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: