Tuesday, January 18, 2011

Open WiFi and Firesheep

Hijack Facebook Using Firesheep

What’s new about Firesheep isn’t the exploit – HTTP session hijacking has been well known for years – it’s that Firesheep is a simple Firefox plug-in that is available to anyone and requires no technical expertise to use. In other words, it allows anyone with Firefox and Firesheep to be a hacker. No experience required.

What’s the problem with unsecured WiFi?

If you connect to the internet at unsecured WiFi hotspots, like say your favorite coffee shop or book store, then you have always been at risk of the vulnerability exploited by Firesheep. So what exactly is this vulnerability?

This exploit is commonly referred to as HTTP session hijacking or side-jacking, and it’s been known and used by bad guys for a very long time. Up until now it required some modicum of expertise on the part of the attacker to accomplish a side-jacking attack. The attacker had to use a packet sniffer to capture all those packets flying around, decode the packets to find session cookies sent in the clear, and then present the captured session cookie as their own to join your session. For experienced hackers this wasn’t terribly challenging, since they usually had software that would automate the process.

Firesheep was developed for the express purpose of exposing the HTTP session hijacking problem to everybody on the internet, ostensibly to force sites like Facebook to quit making it so easy. This Firefox plugin is named for the notorious Blackhat Wall of Sheep where clueless, unsuspecting users’ unprotected private information is intercepted and displayed very publicly. If you are foolish enough to attend the Blackhat conference in Las Vegas without seriously locking down your communications you will end up on the Wall of Sheep where you will be mocked and worse by other participants.

Firesheep automates side-jacking attacks in a very simple way by building it all right into your Firefox browser. Facebook advised checking their new Account Security Page, which gives you a history of sign-ins by IP address, thereby letting you know if there are two IPs currently signed in from the same access point.
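The sign-in history Facebook points to is the server-side view of a hijacked session: one session cookie suddenly in use by two clients. The script below is an added example (not Facebook’s code or anything from the original post) of that check run over a few constructed application log lines in a hypothetical format of `timestamp session-cookie client-IP "User-Agent"`. It goes one step beyond the IP comparison the post describes: when the victim and the attacker sit behind the same hotspot NAT they share one public IP, so the script falls back to comparing the User-Agent of consecutive requests within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic. The format is a hypothetical
# application log:  <ISO timestamp> <session cookie> <client IP> "<User-Agent>"
SAMPLE_LOG = """\
2011-01-18T10:00:05 sid=a1b2c3 203.0.113.7 "Firefox/3.6 (Windows NT 6.1)"
2011-01-18T10:00:41 sid=a1b2c3 203.0.113.7 "Firefox/3.6 (Windows NT 6.1)"
2011-01-18T10:01:12 sid=a1b2c3 203.0.113.7 "Firefox/3.6 (Macintosh; Intel Mac OS X 10.6)"
2011-01-18T10:02:00 sid=d4e5f6 198.51.100.9 "Chrome/8.0 (Windows NT 6.1)"
2011-01-18T10:03:30 sid=d4e5f6 192.0.2.44 "Chrome/8.0 (Windows NT 6.1)"
2011-01-18T14:00:00 sid=d4e5f6 192.0.2.44 "Chrome/8.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Turn the sample log text into (timestamp, session, ip, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, sid, ip, ua = match.groups()
        records.append((datetime.fromisoformat(ts), sid, ip, ua))
    return records


def find_shared_sessions(records, window_minutes=15):
    """Return {session: [findings]} for sessions whose consecutive requests,
    less than window_minutes apart, came from a different client IP or,
    failing that (same public IP behind a hotspot NAT), a different User-Agent."""
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for ts, sid, ip, ua in records:
        by_session[sid].append((ts, ip, ua))

    findings = {}
    for sid, hits in by_session.items():
        hits.sort()  # chronological order; a real pipeline would stream in order
        for (t1, ip1, ua1), (t2, ip2, ua2) in zip(hits, hits[1:]):
            if t2 - t1 > window:
                continue  # far apart: more likely a legitimate move between networks
            if ip1 != ip2:
                finding = {"kind": "ip", "before": ip1, "after": ip2}
            elif ua1 != ua2:
                finding = {"kind": "user_agent", "before": ua1, "after": ua2}
            else:
                continue
            finding["at"] = t2.isoformat()
            findings.setdefault(sid, []).append(finding)
    return findings


if __name__ == "__main__":
    for sid, hits in find_shared_sessions(parse_log(SAMPLE_LOG)).items():
        for hit in hits:
            print(f"{sid}: {hit['kind']} changed at {hit['at']}: "
                  f"{hit['before']} -> {hit['after']}")
```

On the sample data the first session is flagged on the User-Agent change (same public IP, different browser) and the second on the IP change; the 14:00 request is left alone because it is hours after the previous one. Either finding is a reason to invalidate the session server-side and ask the user to log in again, which is the only response that actually evicts a side-jacker.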

Anti-Firesheep tools like Fireshepherd were released. Written by Gunnar Atli Sigurdsson, an electrical engineering student at the University of Iceland, Fireshepherd periodically jams the local wireless network with a string of junk characters intended to crash Firesheep when the snooping program reads them.

How can websites keep you secure over unsecured WiFi?

The vulnerability that is exploited by side-jacking has been well understood for years, and so has the mitigation. Consequently your bank has been using this more secure mechanism for most of those years.

On Internet banking websites, an HTTP over SSL (HTTPS) connection is established before you send your credentials to your bank’s web site. Note also that after your credentials are validated, the secure HTTPS connection is maintained for the entire session. In other words, once you establish that secure encrypted channel with your bank, everything for the entire session is protected. I know what you’re thinking now:

Why don’t Facebook, Twitter and Flickr handle their sessions like this? Clearly they have the SSL capability, because they use it for the log-in part of the session. It turns out that Eric Butler, the developer of Firesheep, was motivated by exactly these questions. Quoting from the announcement on his blog:

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.

There are several reasons that websites don’t use strictly HTTPS sessions. First, they want their sites to be accessible to the largest possible audience, including users of older mobile devices that may not support HTTPS connections. Second, there is a lot more overhead involved on both ends when everything is encrypted. Those are the main reasons, but I don’t mean to imply that they are good reasons. The first reason may have been valid five years ago, but smart phones and other portable devices have come a long way in that time. The second reason may have been valid before broadband internet connections were ubiquitous, but certainly no one in a WiFi hotspot is connecting via a modem at 28K. Besides, it would be easy to keep the legacy mode connection for those few users who actually have old smart phones or dial-up connections. As always, the real reason is financial.

They would have to develop and roll out changes not only to the web servers but to all of those slick little apps that everybody is using. Remember the problems that Microsoft encountered when making Hotmail use full-time HTTPS that were mentioned earlier.
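Full-session HTTPS, the fix the post (and Butler) argue for, is enforced at the cookie level by the `Secure` attribute: a browser will not send a cookie marked `Secure` over plain HTTP, so the session cookie never appears in the clear even if the user types `http://` by hand. The following is an added example, not code from the original post or from any of the sites it names, that audits `Set-Cookie` headers for that attribute (and for `HttpOnly`) and shows the hardened header beside the side-jackable default. The header values and the session-cookie name heuristic are constructed for the example.

```python
import re

# Cookie names that usually carry the logged-in state. Hypothetical heuristic
# for this example; a real audit would use the application's known cookie names.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for a session-bearing cookie; [] if it is fine or is
    not a session cookie at all."""
    name, _, attrs = parse_set_cookie(header)
    if not SESSION_NAME_HINT.search(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will send this cookie over plain HTTP, "
                        "where anyone on the same open WiFi can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    return findings


def harden_set_cookie(header):
    """Return the header with Secure and HttpOnly appended where absent."""
    _, _, attrs = parse_set_cookie(header)
    hardened = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    return hardened


def audit_headers(headers):
    """Return [(header, findings)] for every header that has findings."""
    result = []
    for header in headers:
        findings = audit_set_cookie(header)
        if findings:
            result.append((header, findings))
    return result


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sid=a1b2c3; Path=/; Expires=Wed, 19 Jan 2011 10:00:00 GMT",  # the side-jackable default
    "sid=a1b2c3; Path=/; Secure; HttpOnly",                        # what a bank-style site sends
    "lang=en; Path=/",                                              # preference cookie, not a session
]

if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS):
        print(header)
        for finding in findings:
            print("  -", finding)
        print("  fix:", harden_set_cookie(header))
```

The `Secure` flag only does its job if the site actually serves every logged-in page over HTTPS; mark the cookie `Secure` on a site that still links to `http://` pages and the user simply looks logged out there, which is exactly the app and server rollout work the post says the big sites were avoiding.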

What can you do to be secure over unsecured WiFi?

So while popular websites like Facebook are trying to figure out how they can fix this problem with the smallest amount of effort, what can you and I do if we want to mess around on Facebook while enjoying a latte at our favorite coffee shop? There are several approaches you can take, but the goal is to create a secure connection between your web browser and the insecure website. The best way to do this is to connect to a secure Virtual Private Network (VPN) and, once that secure connection is established, surf wherever you like, since the hop between your browser and the hotspot, the one other hotspot users can sniff, will be encrypted. This is great if you have access to a VPN like most road warriors use to connect to the office. The problem with that is that most businesses take a dim view of using VPN bandwidth and company resources to play around on Facebook.

You could install a VPN at home, but that is not an exercise for the faint-hearted. There are some subscription-based VPN services such as Hide My Ass (HMA, http://hidemyass.com/vpn/) that will provide a VPN to anyone for a fee. It’s not terribly expensive (1 month for around $12 US or a year for around $80 US) and is certainly easier than setting up your own VPN and way cheaper than getting fired for misusing the company VPN.

Finally, there are browser add-ons that attempt to force HTTPS connections to sites that don’t offer them by default, like say Facebook, Twitter or Flickr. Unfortunately there are many websites where these just won’t work. Furthermore, most of these add-ons are implemented as intrusive toolbars and egregious adware.
