
Thread: FireSheep Hijack Your Connections Data on Social Sites

#1 Renk

    Firesheep is a "new" FF addon (although based on some aged concepts) using wincap, allowing one to sniff and capture others' connection data when they are e.g. connecting to FB through a WiFi hotspot. This hack was recently presented at ToorCon 12 in San Diego.

    As Bruce Schneier said:

    October 27, 2010
    Firesheep

    Firesheep is a new Firefox plugin that makes it easy for you to hijack other people's social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.

    Protect yourself by forcing the authentication to happen over TLS. Or stop logging in to Facebook from public networks.

    EDITED TO ADD (10/27): To protect against this attack, you have to encrypt the entire session -- not just the initial authentication.
    Schneier on Security: Firesheep

    Other link:
    FireSheep ha.ckers.org web application security lab


    Fortunately, another FF extension that appeared recently, named BlackSheep, is able to alert you when someone is sniffing your data with Firesheep.

    BlackSheep Alerts You When Networking-Sniffing Tool Firesheep Is After Your Passwords

    The latest release of EFF's HTTPS Everywhere may help, too.


    The 0.9.0 release of HTTPS Everywhere is a new beta version designed to offer improved protection against Firesheep. Most notably, it can provide much better protection for Facebook, Twitter and Hotmail accounts, as well as completely new protection for bit.ly, Dropbox, Amazon AWS, Evernote, Cisco and Github. Unfortunately, in order to obtain maximum Firesheep protection, especially on Facebook, you must take two extra steps:

    * Turn on the "Facebook+" rule. You can do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It isn't on by default, because it can cause Facebook Apps to raise errors. We're still waiting for Facebook to fix this, and the chat problem :(.
    * Install the Adblock Plus Firefox extension too, and use it to block the insecure http:// ads and trackers that Facebook (and other sites) sometimes include.

    In conclusion (but is it really a surprise?): use SSL/TLS as often as possible (SBI supports SSL), and maybe also use NoScript to encrypt cookies (but I have had problems surfing https SBI with "cookie encryption" activated in NoScript).

    And for God's sake, don't use FB.
    Last edited by Renk; 24.11.10 at 18:02.
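Added example (not from the thread, Firesheep, BlackSheep or HTTPS Everywhere): a small Python check of the point in the Schneier quote that encrypting only the login is not enough. It parses Set-Cookie headers and reports which cookies a browser would still attach to plain http:// requests, where a hotspot sniffer could read them; the session-name hints and the sample headers are constructed assumptions.

```python
# Added example, not code from the thread, Firesheep or HTTPS Everywhere.
# A login over TLS does not help if the session cookie it sets lacks Secure:
# the browser then attaches it to later plain http:// requests to the site,
# where a passive sniffer on the hotspot can read it.

SESSION_HINTS = ("sess", "auth", "token", "login", "sid")  # name heuristic (assumption)

def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict of name, value and flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "looks_like_session": any(h in name.lower() for h in SESSION_HINTS),
    }

def sent_on(cookie, scheme):
    """Would a browser attach this cookie to a request using this URL scheme?"""
    return scheme == "https" or not cookie["secure"]

def audit_set_cookies(headers):
    """Return (cookie name, reason) for cookies exposed to a Firesheep-style sniffer."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not sent_on(c, "http"):
            continue  # Secure flag present: never sent in the clear
        risk = "HIGH" if c["looks_like_session"] else "low"
        reason = f"{risk}: sent on plain http:// requests (missing Secure)"
        if not c["httponly"]:
            reason += ", also readable by page scripts (missing HttpOnly)"
        findings.append((c["name"], reason))
    return findings

# Constructed sample response headers, as a site might send after a TLS login.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",            # exposed: no Secure flag
    "csrftoken=x9y8z7; Path=/; Secure; HttpOnly",    # never sent over http
    "locale=en; Path=/",                             # exposed, but not a session cookie
]
if __name__ == "__main__":
    for name, reason in audit_set_cookies(SAMPLE_HEADERS):
        print(f"{name}: {reason}")
```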

#2 Gapo
    Using a SSH connection protects against sniffing, AFAIK.

    Plus, why not use FB? It's a great way to communicate and make a bigger social network.
    Last edited by Gapo; 24.11.10 at 18:14.

#3 Renk
    Quote Originally Posted by Gapo
    Plus, why not use FB? It's a great way to communicate and make a bigger social network.

    Because for the vast majority of people, FB is in practice a great way to lose all control over their personal data.

    Because (like Apple) FB tends to impose its own narrow morals on its users, censoring what the Vatican itself would have considered harmless.

    Because Facebook does not hesitate to censor what you write, even inside your emails, which in my opinion is a clear violation of privacy.

    I think these kinds of behaviour should not be tolerated, even at the price of some social-like relations.

    And because Diaspora is coming.
    Last edited by Renk; 24.11.10 at 18:48.

#4 Gapo
    Two options:

    *Be lonely, use MSN and whatnot.
    *Use FB. You'll give information about yourself (as much as you share) to FB and stay connected, which in return makes you happy.

    I certainly find it much easier to keep up with relatives, family and friends using FB than MSN or some other IM service.

    So I'd choose option 2. I don't like what FB are doing, but I'd rather stay up to date with my social network.

    Hopefully Diaspora will become the next success.
    Last edited by Gapo; 24.11.10 at 19:25.

#5 Renk
    Quote Originally Posted by Gapo
    Two options:

    *Be lonely, use MSN and whatnot.

    *Use FB. You'll give information about yourself (as much as you share) to FB and stay connected, which in return makes you happy.

    I certainly find it much easier to keep up with relatives, family and friends using FB than MSN or some other IM service.

    So I'd choose option 2. I don't like what FB are doing, but I'd rather stay up to date with my social network.

    First, one can have many friends (not hundreds of thousands of course, but are hundreds of thousands of FB friends really friends?) without being a member of any social network. In fact, friendship and human relations have preceded these networks by tens of thousands of years. Moreover, one can be "alone", i.e. without having a deep & trusted relationship, and have gazillions of FB friends at the same time.

    I agree nevertheless that one can have profound relationships and have many FB friends at the same time. But I think each of these conditions is neither necessary nor sufficient for the other.

    Second, I'm convinced that you know what you are doing with your personal data when you choose to release it on FB. But I am even more convinced that the average user does not know what he does with his own data in publishing it on FB. In some sense, many are paying for some illusion of friendship with what they have most personal, most precious maybe. I think it's a kind of Faustian pact. But Faust (I think) had knowledge about Mephistopheles, and knew what he was engaging in. The average FB user does not even have this knowledge.
    Last edited by Renk; 24.11.10 at 22:07.

#6 Gapo
    Quote Originally Posted by Renk
    First, one can have many friends (not hundreds of thousands of course, but are hundreds of thousands of FB friends really friends?) without being a member of any social network. In fact, friendship and human relations have preceded these networks by tens of thousands of years. Moreover, one can be "alone", i.e. without having a deep & trusted relationship, and have gazillions of FB friends at the same time.

    I agree nevertheless that one can have profound relationships and have many FB friends at the same time. But I think each of these conditions is neither necessary nor sufficient for the other.

    My FB friends are people I know. I don't willy-nilly accept people I don't know, so it isn't "just FB friends". It's people I personally know or would like to know better.

    Secondly, of course you don't need to use FB to keep up with your contacts, but due to the way it is, it's much easier for me. I can contact and keep myself up to date with old friends and whatnot. Without FB, that would be hard. So instead of fighting it, I'm embracing it while at the same time being reluctant about it, due to the privacy issues.

#7
    Quote Originally Posted by Renk
    I think these kinds of behaviour should not be tolerated, even at the price of some social-like relations.
    And because Diaspora is coming.

    Somehow I doubt anyone will currently be able to shake fb sufficiently to take over their position or grab a significant bite off its userbase, as fb is something like m$/windows or youtube or google, a monopolist with plenty to offer regardless of its serious (intentional) privacy flaws - as diaspora already admits in its title, its goal is to collect the renegades/outcasts who still need a similar kind of network, luring them with privacy promises which might fairly soon be abandoned after a taste of fame/earnings/investments.

    Quote Originally Posted by Renk
    But I am even more convinced that the average user does not know what he does with his own data in publishing it on FB. In some sense, many are paying for some illusion of friendship with what they have most personal, most precious maybe. I think it's a kind of Faustian pact. But Faust (I think) had knowledge about Mephistopheles, and knew what he was engaging in. The average FB user does not even have this knowledge.

    Well, they're all free to choose what to do; user lack of knowledge/care or fb's lacking privacy is no excuse for either one of them. If people use some service it is always advisable to at least superficially familiarize themselves with it, otherwise they might be in for an (unpleasant) surprise or few. It's the same with web-unrelated subjects: every single one of them carries a certain baggage that affects the user; likewise every single one of them requires some effort/input/sacrifice in order to provide results.

    As for fb itself, it is merely the 'middle man' (an advanced tool if you like), though a snoopy one - the 'happiness' comes from communicating/interacting with other users, since without them fb would be yet another one of the internet's dead ends (the vice versa does not apply here); it's not the primary source of relevant knowledge/skills/emotions, so the Faustian example doesn't quite nail it. Also, the most precious/personal is likely not contained within mere digital data or linguistic exposure/info; it is that which resides within a person, its irremovable essence, obscured even to the person itself, let alone to other persons, whether they are strangers or not. Naturally, that does not mean one is impervious to other influences or shouldn't take care of himself, but rather that a certain loss of privacy is simply a logical outcome of social interactions and that the user himself decides what will be exposed to others and what not, the subsequent actions concerning the info being largely beyond the user's control but at the same time not too important/vital either.

    Also, let's not forget that fb is required to operate within defined legal boundaries, which is likely to happen for most of its actions. The question is why these boundaries have been left so loose as to allow for behavior that intrudes into matters concerning privacy; is it an intentional legislative loophole for corporations like fb, left for them to use & abuse at will? One fix at the legal level sends a message over to all companies concerned; that is where the primary citizen response should be aimed, as it strikes at the core of the issue & its availability to use in a legal way, whereas reactions at the particular company-related level have a secondary priority.