Sunday, October 31, 2010
(W) (F) Warning all public WiFi users... Home users too.. FireSheep arrives and Grandma can hack your accounts via WiFi
A game changing tool was released this week that will result in a significant change in WiFi security. How? Why?...
FireSheep, an add-on for FireFox: Windows users will need WinPcap installed, Mac users are ready to go, Linux is coming... (FireSheep website)
FireSheep takes advantage of the way websites use session cookies to keep track of who you are and where you are while you surf the InterWebbings over WiFi... After you log in via HTTPS the site goes back to plain HTTP, and that session cookie is sent unencrypted with every request, where anyone on the same open WiFi can pick it up... So yes, logging in over HTTPS will NOT protect you from this vulnerability. I have tried it and 'ZOIKS Scooby Doo !!!!' I so can pwn your account over open WiFi...
It is a simple Add-On for FireFox: press 'Start Collecting', wait a short time, press 'Stop Collecting', and you will see icons for all the FaceBook, Twitter, Yelp, DropBox, etc. sites that people visited while on the same WiFi network, at, say... Starbucks, the Airport, or yes.. your home, so your neighbors...
Now this only works over OPEN WiFi, not WiFi secured with WPA or, preferably, WPA2.
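To make the cookie part concrete, here is a small audit script I am adding to this post (it is not part of FireSheep or of any site's code). It parses Set-Cookie headers the way a browser does and flags any session-looking cookie that lacks the Secure attribute, which is exactly the cookie a browser will also send on plain http:// requests and therefore in the clear over open WiFi. It also checks for a Strict-Transport-Security header, which keeps the browser on HTTPS so there is no plain-HTTP request to sniff. The two sets of response headers and the site name example.test are constructed for the example; point the audit function at your own site's real response headers to check it. This is the site-side fix, independent of whatever encryption the WiFi has.

```python
"""Audit Set-Cookie headers for session cookies a browser would also send
over plain HTTP (the cookies that are capturable on open WiFi).

Added example for this post; the sample headers below are constructed,
not captured from any real site.
"""
from urllib.parse import urlsplit

# Constructed response headers from a hypothetical site that logs users
# in over HTTPS but keeps serving ordinary pages over HTTP.
SAMPLE_RESPONSE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Constructed headers for the hardened version of the same site.
HARDENED_RESPONSE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "csrf_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Substrings that usually mark a cookie as carrying a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    bare flags such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def would_browser_send(attrs, url):
    """True if a browser would attach a cookie with these attributes to a
    request for url. Only the scheme matters here: without the Secure
    flag the cookie goes out on http:// requests too, unencrypted."""
    scheme = urlsplit(url).scheme.lower()
    if "secure" in attrs and scheme != "https":
        return False
    return True


def has_hsts(headers):
    """True if the response tells the browser to stay on HTTPS."""
    return any(k.lower() == "strict-transport-security" for k, _ in headers)


def audit(headers, site="example.test"):
    """Return (cookie name, problem) pairs for session-looking cookies that
    would leak over plain HTTP or are exposed to page scripts."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue
        if would_browser_send(attrs, f"http://{site}/"):
            findings.append((name, "sent over plain HTTP: missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "readable by page scripts: missing HttpOnly"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_RESPONSE_HEADERS),
                        ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(f"{label}: HSTS={has_hsts(hdrs)} findings={audit(hdrs)}")
```

Run it as-is and the sample site reports its session_id cookie as leaking over plain HTTP while the hardened headers report nothing; swap in the headers your own site returns after login to see which of the two you look like.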
I was at a Starbucks near the first LASCON Web App Security Con on Friday and told this to a visiting manager who was in the store recording the layout with a webcam for space planning, so we can get served quickly.. I informed him of this and told him to check my Blog... Hopefully companies like Starbucks get this, and fast, or their users will have their accounts 'popped', as we call it, quickly.
If you run a WiFi HotSpot like Starbucks and want to protect your users, then all you need to do is set a WPA2 WiFi Key and make it obvious, like 'Starbucks' or 'FREE'. It does not have to be unique, just something everyone knows, so it is still easy for your users or your family to remember, but you MUST set up a WPA Key to beat FireSheep.
So what can I do if I hijack your session? Post a Malware link as you, change your password, steal any data I choose, send a message to your girlfriend to meet you, or really... ME (Hey Samy.. add this to your presentation), and steal your files, login info and anything else on the list of websites seen in the image... And MORE sites coming !!!!
Let me know what you think... Send me an email.