
Hacking made easy: Protecting yourself from the Firesheep extension

Derek Schauland took the Firesheep extension for Firefox out for a spin, and discovered how easy it makes stealing credentials on open wireless networks. Here is his take on how to protect yourself.

Recently a new plug-in called Firesheep was released for Mozilla Firefox. The plug-in captures the user name and password of unsuspecting users who connect, via open wireless networks, to a rather wide array of websites such as Facebook and Twitter.

The plug-in was created to drive home the point that websites need to take better responsibility for the data of their users and require secure logins that make use of end-to-end encryption.

Firesheep makes hacking really easy (and scary)

Because trying out the technology is part of the fun of blogging, I decided to see what this plug-in was all about and installed it in Firefox. Then I thought I would test it out. Note: I used my own open wireless network and laptops for testing for this article. I did not compromise any user credentials in testing this plug-in.

After installing Firesheep, I connected to my Mi-Fi on that computer and started looking for information.

Then I connected another laptop to the open network, and logged into Facebook. Almost faster than I was logged in, my credentials appeared in Firesheep. Then I logged into Twitter using the web client and the same thing happened there.

This being the first time I had used Firesheep, I was a bit surprised at how fast it gathered my information. WOW.

Not only does it capture credentials, but logging in with the gathered information is as simple as a double-click.

What if I just stay off of open wireless networks?

This is a good idea in general; however, if someone on your own wireless network is running Firesheep and you log in to one of the affected websites, it will grab the credentials and display them in the sidebar. The likelihood of anyone running the Firesheep plug-in on a known trusted network, i.e., your workplace or home, is probably slim to none; however, that doesn't stop someone from trying.

Why anyone would be using either an open Wi-Fi network or a WEP-encrypted network in a business setting is a bit beyond me. The technology was good enough when it was the only technology available, but WPA runs circles around the older technology and is certainly better than an open network. Because access to information is just as crucial these days as access to the super-secret file cabinet in the HR manager's office, it is best to use the highest level of security offered to ensure the safety of your information, from employees and non-employees alike. The cost of access points today is relatively cheap (depending on what your needs are) and can get your wireless infrastructure up to the WPA standard with very little spend and configuration effort.

What about other browsers?

I tried Chrome, Internet Explorer and Firefox with Firesheep running and was able to capture the credentials for Facebook and Twitter.

What can I do to keep my information safe?

In a previous post, I covered a personal VPN service called WiTopia that encrypts your traffic from your PC all the way to WiTopia's servers. Requests for sites are then sent to the hosts and the response is encrypted back to you, virtually eliminating the problem.

Now that Firesheep is around, and I have seen how easy it is to get hold of information for some sites, the $60 annual price tag for encrypted data on any connection via a personal VPN is worth the price of admission for me, especially since you are allowed to install the application on any computers you own (as long as you only use them one at a time).

Note: VPN connections or other proxy connections that you may have access to will also encrypt your traffic, and may be free or provided by your workplace.

Further research shows some Wi-Fi is okay

I tried several types of wireless networks to see which would allow Firesheep to gather information.

  • Open - allows easy information capture
  • WEP - allows information capture by other connected users
  • WPA - does not allow information capture by Firesheep

I was quite surprised that WEP would still allow Firesheep to capture information and glad to know that attempts to collect information on WPA wireless networks did not work.

So what is the bottom line?

There have always been ways to get access to people's data via fairly simple hacking attempts, and especially on unsecured networks, but Firesheep makes it extremely easy for the masses. If you don't already have access to a VPN connection, services like WiTopia are a good way to help ensure your data is a bit more secure when using wireless networks, regardless of their security level.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

27 comments
seanferd

The developer did all the hacking.

ginmemphis

Glad to know about this. You say this was created to "drive home" the point about a security issue--but it adds to the problem in and of itself. Of course hackers can do this, but don't hand it out to every Tom, Dick and Harry. That's sort of like saying, since criminals have guns let's go ahead and give one to every junior high kid.

TobiF

It may feel shocking that eavesdropping neighbours may pick up a lot of things when you're using an open network: "borrow" your session token; sniff up your logon credentials (unless encrypted, including email, by the way). However, remember that until now, you have anyway been trusting all this information with your Internet Provider. Just feel the taste of it.

Unless you're using a secured (encrypted) connection to your email provider, anyone who handles the ip packets between you and your email server will see your logon credentials in clear, along with the email contents, of course. Further: whenever you visit a site using ordinary http, all parts involved in the communication between you and the web server will see the communication in full. Even if the login page is protected by https, it is easy to hi-jack an ongoing session. One only needs to replay the session cookie. (Oh: I'm saying "cookie", since that's the typical way to track pages in a session, but one could also use, say, URL parameters.)

So, for an evil minded person with access to internet hubs, it is very easy to build long lists of passwords, send and read mail on behalf of unknowing people (from their real accounts - i.e. not simply spoofing email addresses, which is a different internet plague).

So, to me the main message the authors of Firesheep want to make is the following: Since long, we have the ssl/tls infrastructure for protection of the link between your computer and whatever server you're talking to. It is long overdue that site owners, email providers etc. start enforcing use of this protective layer. In the meantime, you can at least protect your open traffic from prying eyes when you're using unprotected wireless access, by employing vpn technology. VPN (virtual private network) establishes an encrypted channel from your computer to an "anchor" somewhere on the internet, and then all your internet traffic travels through this tunnel.

The "anchor", or VPN host, can be organized in different ways. There are paid services, of course. But you can also find free services (which may, though, be ad-funded or even evil - remember that they may pick up a bunch of your passwords!) or something you set up yourself, for instance with help of your home router. Alternative firmware for home routers is often able to be a VPN host.

deskhero

What about using on a LAN - presume also wide open as no encryption? I guess this tool also opens up the NIC into accept all packets.

TobiF

Firesheep is intended as a tool to demonstrate hijacking of session cookies. Even if you'd enter your password on a page with https, you are in most cases pushed back to usual http when you start browsing a site. And then a "session cookie" is used to recognize you and your session. Firesheep sniffs for session cookies captured over one of your network interfaces. If you're on an open network, you may this way be able to assume other people's identities, by reusing a session cookie captured from somebody else browsing. In most cases, it doesn't matter which browser was used by the other user. And even if a site would use "fingerprinting" based on browser-id, accepted languages etc, this is all also spoofable...
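The site-side fix that follows from this explanation is to mark the session cookie Secure (so the browser never sends it over plain http) and to send an HSTS header so the session is not pushed back to http at all. The audit below is an added example, not Firesheep's code or the commenter's: it parses a raw login response and reports session cookies a passive sniffer could replay. The two sample responses are constructed, and the session-cookie name heuristic is an assumption.

```python
import re

# Heuristic (assumption): cookie names that usually carry a session token.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)

# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: lang=en; Path=/",
    "",
    "<html>...</html>",
])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "",
    "<html>...</html>",
])

def headers_of(raw: str):
    """Return [(lowercase_name, value), ...] from the header block of a raw response."""
    head = raw.partition("\r\n\r\n")[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # tolerate a malformed header line instead of aborting
            out.append((name.strip().lower(), value.strip()))
    return out

def parse_set_cookie(value: str):
    """Return (cookie_name, {attribute_lower: value_or_None}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name, attrs

def audit_response(raw: str):
    """Return findings for session cookies a network sniffer could replay."""
    headers = headers_of(raw)
    findings = []
    for hname, hvalue in headers:
        if hname != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(hvalue)
        if not SESSION_NAME_HINT.search(cname):
            continue  # non-session cookies are not useful for hijacking
        if "secure" not in attrs:
            findings.append(f"{cname}: no Secure attribute, browser will send it over plain http")
        if "httponly" not in attrs:
            findings.append(f"{cname}: no HttpOnly attribute, readable by page scripts")
    if not any(h == "strict-transport-security" for h, _ in headers):
        findings.append("no Strict-Transport-Security header, later http requests are not upgraded")
    return findings
```

Running `audit_response` on the weak sample reports three findings; on the hardened sample it reports none.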

Neon Samurai

There is now a FF plugin which monitors the network traffic and recognizes the signatures for Firesheep. (And the arms race takes another step forward.)

jsaubert

I think I may have to use this extension to prove a point to my young nieces and nephews about online security ... and likely my parents as well.

dliedl

When you connected to Facebook or Twitter, were you using http or https?

gunnarzdad

Just another example that people need to run WPA2 encrypted networks at HOME and the office.

Neon Samurai

Enter the ages old term "script kiddie" who bravely claims to be a "ahx0rsez" because they can download a pre-existing utility and push a button. - nothing creative about re-running someone else's packaged exploit - nothing added to the understanding of the exploit - nothing learned by the kiddie who stops at pressing the button and claiming victory among their friends (with no idea about how it actually works). This is, of course, different from some kid downloading the utility then setting about learning why it works, how to perform the exploit without the utility and how to protect the system from it. Any idiot can use a pre-packaged exploit. A Hacker is the researcher that created the proof of concept for testing and education or the person that downloaded that PoC utility, learned from it and discovered related exploits or better protection methods.

TobiF

You're right. What kind of adorable hacking is it to unlock your phone, if all it takes is to visit a web page? And "FireCheap" (Pun intended, and maybe even a bit funny) is the same type of precanned "hacking". ("Just add water")

praseo

Use of a hacking tool is also called hacking. Not only the developer. In that case, using guns is not crime, the gun manufacturer is the criminal. What say?

Ocie3

more in theory than in practice, I suspect: https://panopticlick.eff.org/ Thanks for explaining the purpose of the Firesheep add-on. Although I have installed Firesheep, WinPcap must be installed (and, I presume, also executing) to make the actual capture of the packets. Since I have occasionally used Wireshark (I'm not an expert with it, though), WinPcap is installed but doesn't run unless Wireshark or some other process launches it. Which is to say that I could do the same thing with Wireshark if WinPcap is sitting on the Ethernet NIC of my computer. But as far as I know, WinPcap only captures the traffic from and to my computer. Is there some way that it can capture the packets routed from and to other computers over the same network but which don't pass through the NIC on my machine? WinPcap would have to be sitting on the router's connection to the Internet to capture every packet from and to a computer on my own LAN, wouldn't it?

robo_dev

e.g.: GreaseMonkey, TamperData, Firebug, ChickenFoot, and don't forget the native Firefox debugging tools that you get if you do a 'custom' install. If you do security analysis of Web Application Security, Firefox offers a whole Swiss-army-knife of tools.

Derek Schauland

I'm not sure... I think I tried both, but do not explicitly remember.

pafrisch

As long as you and your users can do what they NEED to do, then there is no such thing as too much security. Many would MUCH rather have convenience than security. That mindset MUST change throughout the entire user group.

Ocie3

appears to have been chosen by a Linux software developer who decided to create something that could have a much, much larger market, for a change.

Neon Samurai

Unlocking one's phone by visiting a website makes them a Hacker like riding in a taxi makes one a professional Driver. If they are Hackers for running a pre-packaged utility then I must be a medical doctor after having wrapped a twisted ankle the way the doctor showed me.

Neon Samurai

Using a pre-packaged utility (sic. "hacking tool") does not make someone a Hacker any more than using a hammer on a nail qualifies someone as a Master Carpenter. Hacking simply means "understanding" a specific topic to a deep level. I hack computers = "I understand computers at a detailed level through self directed learning." Using a pre-packaged utility (sic. "hacking tool") is not hacking. It is not understanding or learning anything. It is not doing something new and interesting. You might consider using the word "criminal" when what you mean is criminal intent. The word "hacker" is better reserved for the legal activities that are actually Hacking.

seanferd

You misunderstand the intent of my comment. You also misunderstand the definition of "hacking".

seanferd

But as far as I know, WinPcap only captures the traffic from and to my computer.
- Correct.

Is there some way that it can capture the packets routed from and to other computers over the same network but which don't pass through the NIC on my machine?
- No. You would have to install it on a routing device/proxy/server through which all traffic passes. With wireless, all the packets are in the air, so everything can be captured.

WinPcap would have to be sitting on the router's connection to the Internet to capture every packet from and to a computer on my own LAN, wouldn't it?
- Yes.

TobiF

Most cookies are merely random strings, pointing to database entries on the server side. Uh-oh. That credit card thing was a really bad cookie. A couple of weeks ago, I tried to buy cinema tickets online. But the browser warned me that, although the "payment page" was encrypted, the action button of the form with credit card data was pointing to an ordinary "http" link, i.e. the credit card data was about to be sent in clear over the internet!

Ocie3

Thanks for the reminder that the "password" is actually a string that is used to initiate encrypting messages sent and received by the wireless router. (It is not transmitted from any computer to the router.) It seems that everyone calls it a "password" for lack of another term, which perhaps could be "seed". With regard to cookies, I have examined many of them over the years. During the past couple of years there has been a trend toward what appears to be encryption of the contents, especially for third-party cookies. The vast majority of the others contain ASCII plain text although often its meaning is not apparent, e.g., "DFX = 1". Once I found a cookie that contained a string which identified the credit card which I had used for an online purchase (!).

TobiF

I put "password" in quotation marks, since it is actually not sent from the computer to the AP. Instead, it is used as a "shared secret", used to encrypt the communication. But, a different computer in the same network (which needs to also know the shared network password) may also be able to decrypt the message. Regarding Firesheep, the presentation of it explains that it doesn't pick up logon credentials, but rather snaps up the session cookies from web sessions. However, as Michael Kassner points out, your wireless interface needs to support a mode where it will pick up not only traffic sent to the own address. Winpcap needs to be instructed as to which network interface to eavesdrop. In the Firesheep settings, you can choose network interface.

Ocie3

It is not clear to me whether your reply pertains to the Linksys WRT54G router that I'm still using after all these years. (It might soon be supplanted by one of the most recent gigabit models.) At least two neighbors in the area where I currently reside have wireless access to their own LANs enabled, as do I. Although my router broadcasts a session ID (like theirs do), no one can access it without the password. (Also, I have WPA with AES enabled.) Which brings to mind: when someone logs-on to the router wirelessly, is that password sent in the clear? I would suspect that it is, so anyone who can capture the signal would be able to use it. I could use MAC addresses to authenticate users instead; they are stored in a table in the router but they would not be more secure if a MAC could be spoofed. That said, everything that leaves the router into the Internet (via cable) is "in the clear" until and unless the browser or e-mail client establishes a SSL/TLS connection, then only for traffic to and from that connection. My former ISP did not permit TLS on their POP3 server. My current ISP requires TLS for their POP3 server, but, as far as I know, neither ISP uses TLS for their SMTP server. As it is currently configured, the Firesheep add-on captures the credentials if I log-on to any of the services which are listed in its options, because it is intercepting packets that transit the Ethernet NIC on my computer (which is cabled to the router). If I changed that to use a USB wireless adapter, then things might become "interesting".

Michael Kassner

The Wi-Fi NIC would have to be in this mode in order to capture all Wi-Fi traffic. Some NICs don't do that with the currently installed driver; that may be your problem. AirPcap is not a normal NIC; it is used with specific applications like Wireshark.

Ocie3

With Wireshark, at least, we need to use AirPcap to capture wireless packets: http://www.cacetech.com/products/airpcap.html I've never used AirPcap, but maybe all we need is a computer that has a wireless transceiver, i.e., one that is equipped to send and receive wireless packets. Then we don't have to put WinPcap on the gateway router's Internet connection. On the Wireshark home page, there are links to sites where they discuss and/or sell "Wireshark appliances", including ones that capture wireless traffic. But I don't have the slightest idea as to whether Firesheep will work with AirPcap. The author of this article implies that simply installing WinPcap on a wireless connection will capture all of the wireless packets which are on the same network, i.e., the ones which send packets to the same wireless router. If there is any documentation available from the Firesheep developer, then I haven't found it. I haven't been able to get it working, yet. Installing the add-on does not add anything apparent to the Firefox menus that would allow me to activate it, and I don't think that it automatically generates the displays that the author shows in the screenshots.
