Five Ways to Shear Firesheep

Five Ways to Shear Firesheep

Summary: Firesheep has made it possible for any moron to raid your Web use, but there are ways you can stop it. Here are a few of them.

SHARE:

While bad Wi-Fi security is my major Firesheep worry, I know it's already a major pain in the ass for everyone. Even as I wrote this, I see my fellow ZDNet blogger Ed Bott had his Twitter account hijacked by someone else in the Microsoft Professional Developers Conference press room. Fortunately, it was a friend so it all came out well. Since it wasn't you that might strike you as funny. Just wait until it happens to you though and someone changes your Twitter or Facebook password on you. You won't be laughing then.

So what can you do? Well, there are a lot of things. Some of them aren't perfect, but they will protect you on most of the major sites. Here they are in their order of efficiency.

1) Use your corporate VPN If you have a corporate Virtual Private Network (VPN) use it. Anything that gets sent along your VPN should be reliably authenticated and encrypted and will be kept out of Firesheep users hands.

There are several possible downsides here. One is that your VPN, by sending you into your corporate network will slow down your traffic. That slowdown, if your company has an overloaded Internet connection can be quite significant. In years past, I've used this method to try to avoid serious Wi-Fi network security threats--Hi Defcon--and at times my speed declined by 50%. It wasn't any fun, but at least I was safer than I would have been without it.

Another potential problem is that by going through your company LAN you may find yourself blocked from sites, like Facebook, that are blocked by your corporate Acceptable Use Policy (AUP). In addition, you may not want to let the boss know that you spent your business lunch hour on Farmville.

2) Set up a VPN of your own If you run your own site and Internet services, like I do, you can always set up your own VPN with programs like Openswan. While this is going to be beyond most users, there actually is a relatively easy-to-use and setup VPN solution for private users: OpenVPN.

OpenVPN is an open-source program that comes with server software for most major versions of Linux, a VMware Virtual Appliance, or a Virtual Appliance For Windows, which requires either Hyper-V or Virtual PC. In addition, there are versions of OpenVPN that will work with alternative Wi-Fi firmwares like DD-WRT and Tomato. If you use Windows at home, the VMware way is the easiest to set up. On the client side, OpenVPN supports Windows, Mac OS X, and Linux.

I won't lie to you. Setting up OpenVPN isn't a walk in the park, but the OpenVPN documentation is decent and a power-user who knows their way around networking should be able to set it up without too much sweat. The free community version can support up to two simultaneous clients.

If you have more cash than technical expertise, you can always add a VPN appliance to your home network. Some of the better SOHO devices with VPN support in my experience include the Cisco RV 120W Wireless-N VPN Firewall, the NETGEAR FVS318 ProSafe VPN Firewall 8, and the SONICWall TZ 100.

3) Use a Pay VPN Service Don't have a good deal of money or a great technical expertise? Then rent a VPN. These are several businesses that offer VPN for nominal sums. Some, like AlwaysVPN offer VPN accounts based on your bandwidth use, while other such as AceVPN and StrongVPN offer monthly rates. I haven't used any of the services myself, but I have good reports of these three. There are also "free" VPN sites, but, I wouldn't trust them.

4) Make your own Wi-Fi AP with MiFi MiFi technology enables you to turn a 3G or 4G mobile device into your own private Wi-Fi Access Point (AP). This will work just fine, but 3G/4G data rate charges being what they are it could be a very expensive solution.

I could also see some situations where, if this became a popular answer to Firesheep, people would start running into Wi-Fi congestion problems. Even without that, as many iPhone owners know to their sorrow there's often not enough cellular broadband to go around just for their phones never mind a laptop.

5) Force the use of TLS or SSL Many, but not all sites, support the use of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) or TLS/SSL over HTTP (HTTPS) but default to not encrypting your traffic. There are browser extensions, however, that will force those sites that support TLS or SSL to use these protocols. Once authenticated and encrypted, your traffic will be safe from Firesheep.

These extensions include HTTPS Everywhere and Force TLS. Other broader Web security extensions, such as NoScript, also include this functionality. That's the good news. The bad news is that they only work with Firefox. There are, to the best of my knowledge, no such add-ons for Internet Explorer, Chrome, Safari, or Opera. If anyone knows of some, I'd love to hear about them.

Another problem with these approaches though is that some Web-sites have no support for SSL, TLS or HTTPS. Thus, even with these programs installed you could still have your Web session lifted by a Firesheep user.

Regardless of which method you use, you must use one. Firesheep makes it trivial to not only peek at your private information, but, in some cases, actually take over your accounts. Mozilla will not be locking Firesheep out of its browser, so don't look for any help from them.

It wouldn't matter if Mozilla did try to blacklist it. The source code is out there. I know there are already Firesheep variations out there that can attack more social networking sites and I'm sure there will be others that work on different browsers. The genie of broken network security is out and until Web sites start using secure protocols by default you're going to being attacked.

Topics: Wi-Fi, Networking, Security, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • There's an easier way

    Use IE. Luckily businesses have nothing to worry about since the vast majority use IE.

    Garage software, gotta love it ;-)
    tonymcs@...
    • RE: Use IE

      @tonymcs@... Your ignorance is showing. Learn what Firesheep is and what is does before you speak again.
      sismoc
      • RE: Five Ways to Shear Firesheep

        very very good

        come :

        [ H T T P : / / T A .G G / 4 O R ]
        lincc350
    • RE: Five Ways to Shear Firesheep

      @tonymcs@... IE, Opera, whatever, Firesheep can get your Web traffic. You can only use Firesheep, for now, from Firefox, but any open Wi-Fi Web-traffic can in the area, regardless of browser, can be hi-jacked.

      Steven
      sjvn
    • RE: Five Ways to Shear Firesheep

      @tonymcs@...

      Someone wasn't paying attention in class.

      Firesheep isn't a Firefox hack. It's a Firefox add-on that exploits a HTTP vulnerability at the SERVER end (session cookies sent "in the clear" coupled with the ability to 'snoop' network packets bound to other clients).

      Theoretically, one could do this with Wireshark and a promiscuous net card - Firesheep just puts a easy to use GUI on it.

      Using IE won't help. Neither will using Chrome, Safari, or raw Telnet over HTTP. It's a layer 3 problem with a layer 8 complication (users not being aware of their data being sent unsecured).
      dcnblues
  • Using IE won't help

    Using IE won't help because it's just an addon for Firefox. It doesn't mean that it only hacks firefox users.

    You need to use a VPN. Get Private Internet Access ( https://www.privateinternetaccess.com/ ) and just be done with it. You'll definitely be thankful that you did.
    wmitsuki
  • The real problem

    The real problem is not the Wi-Fi networks (and the real answer is not using VPNs). Virtually all Internet traffic passes through multiple providers' hands, and that traffic can be tapped at ANY point along the way - not just at an unencrypted hotspot. The real problem is that content and service providers such as Twitter, Facebook, and eBay don't have good security. End-to-end encryption is the only thing that will actually solve the problem.
    Anne Nonymous
    • RE: Five Ways to Shear Firesheep

      @Anne Nonymous She hit the nail on the veritable head. So many supposedly knowledgeable people keep propagating the idea that this vulnerability is only prevalent on wireless networks. Listen up: This vulnerability can be exploited on both wired AND wireless networks. I covered this and some of the other related misconceptions in a blog article - http://www.shortestpathfirst.net/2010/10/29/sidejacking-fun-with-firesheep/
      sfouant
  • RE: Five Ways to Shear Firesheep

    The other problem that cannot be adequately solved by VPNs at this time (AFAIK) is all the smartphones out there that make connections in the clear, using whatever networks they find. How does one set them up so that your VPN (if it's even supported) connects over the open WiFi and the apps only use the VPN connection?
    gprellwitz@...
  • Or buy a baseball bat

    Anyone got a login detector? Unrecognised login = look for geek in car nearby with his nose in a screen, geek in car = attempted getaway, attempted getaway = escaping arrest for theft of your bandwidth. The reason it happens is because the victim's invisible, particularly to someone in a car who almost by definition has reduced his environment to me-and-them. When the victim becomes a real and imminent danger, they'll think again.
    JelMin
    • RE: Five Ways to Shear Firesheep

      @JelMin

      And also look for Google Street View cars - where the logging is automatic.

      Anyone in range could be doing this with a device in their pocket, briefcase or car without you being able to tell from their behaviour.

      Although I guess the cameras on the Google cars are a giveaway to what they are doing. ;)
      richardw66
  • RE: Five Ways to Shear Firesheep

    Sheesh. Paranoia is alive and well. And working to create a new market for which there is no need. The misunderstandings in some of these posts is really pathetic. You'd think people like that would know enough to keep their traps shut.
    twaynesdomain-22354355019875063839220739305988
  • Solution #6

    Use wired networks unless you absolutely need to use wireless.
    phil8192
    • RE: Five Ways to Shear Firesheep

      @phil8192 The problem is the hack works on wired networks as well. If you are at work with a wired network, someone can snoop your information there too!!! This is really scary stuff. Someone at home on your small network (your pesky brother) could use Firesheep and gain access to your info.
      budiselich
      • RE: Five Ways to Shear Firesheep

        @budiselich
        The switching in most wired networks these days do not let you see other users traffic, but you are right to be wary. E.g. An unscrupulous IT worker with some Cisco privileges can see a lot. A healthy level of paranoia and understanding the advice/trade-offs in this article is a good start.
        batpox
  • Or a encrypted proxy

    My favorite came from Security Monkey's BlackHat guide years ago.
    ssh -D 8080 username@mybox.net -f -N
    and set the browser (and whatever else ) to use a SOCKS proxy at localhost:8080
    This requires that you can access a ssh server on one of your boxes from the Internet, It should work from any browser though.
    jim-m
  • RE: Five Ways to Shear Firesheep

    A 6th option: don't surf any sites where you have to log-in and allow personally identifiable information from an unsecured wifi connection. Use CCleaner or Comodo Cleaner to clear out any cookies before logging in as well.
    pj48
  • Opera

    Opera has an extension that functions like HTTPS Everywhere. It only works on the 11 Beta version though.
    https://addons.labs.opera.com/addons/extensions/details/security-enhancer-10/1.0/?display=en
    ALISON SMOCK
  • RE: Five Ways to Shear Firesheep

    Actually, VERY FEW sites outside of banking and other 'money-handling' sites do SSL/TLS today. That is just the bottom line.
    Lerianis10
  • firesheeps impact on network security

    the problems that can be caused by the fact that firesheep has made it into the cyberspace is going to be a good thing for network security in the future (concerning the public that is). three days ago i didnt know anything about sniffing packets etc etc, but thanks to firesheep and a few complications which forced me into using cain and abel i discovered a lot more than what just firesheep could do.

    i know it seems like a sidetracked topic but then this is exactly the sort of thing that could spark off people into going into hacking.

    metaphorical point of view, if you show some guy who is mildly interested in programming something like a complete multithreaded fully OOP based system code it'll be enough for them to stay mildly interested. introduce them to hello world and their first gui and they'll be coming back like oliver twist asking for more.

    so essentially firesheep is behaving like a hello world to hackers. within two days ive already started using cain and abel and ethereal and have discovered three major security flaws in our university network and have (discovery by mistake) caused DoS for two entire labs. this may sound like kids work but then thats exactly the point. two days ago i didnt know anything. firesheep showed me where to start and i have no plans on stopping my learning in this area now.
    eddyrox1@...