INFORMATION SECURITY: Sidejacking Wi-Fi Hotspots – How a Hacker Can Access All of Your Online Accounts With a Free Program

Anyone Can Access All of Your Online Accounts at a Wi-Fi Hotspot Using This Free Program

I’m sitting here in Starbucks right now playing around with something called firesheep.  Some of you may have heard of it as it’s been in the web news a lot in the last few days.

Let me give you a bit of background on what exactly firesheep is.

Firesheep is a Firefox add-on that demonstrates exactly how insecure those ‘secure’ sites are.  The sites I’m talking about are:

Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, tumblr.com, Twitter, WordPress, Yahoo and Yelp

What it does is monitor the Wi-Fi network and grab the cookies that are sent to those sites as people log in and authenticate with their accounts. The initial login may be encrypted, but the cookies the sites then use to keep track of the session aren’t.

A better and full description of what Firesheep does is here, from the author’s web site (Code Butler – http://codebutler.com/firesheep):

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else.

This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?

Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
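The weakness the Code Butler description lays out (an HTTPS login hands the browser a cookie, and the browser then attaches that cookie to every later plain-HTTP request) can be checked from the server side by auditing the Set-Cookie headers a login response returns. The Python script below is an added example written for this page; it is not code from Firesheep or from the Code Butler site. It assumes two constructed login responses, one missing the Secure attribute and one carrying Secure, HttpOnly and a Strict-Transport-Security header, and uses the standard library’s http.cookiejar to show which cookies a browser-like client would attach to a later http:// request: without Secure, the session cookie goes out in the clear, which is exactly what a sniffer on an open network sees; with Secure, only the harmless language cookie is sent over HTTP. The hostname www.example.test, the cookie names and the cookie values are placeholders.

```python
"""Audit login-response cookies for the sidejacking weakness described above.

A session cookie issued after an HTTPS login but lacking the Secure
attribute is replayed by the browser on every later plain-HTTP request to
the site, where anyone on the same open Wi-Fi network can read it.
"""
from email.message import Message
from http.cookiejar import CookieJar
from typing import Dict, List, Set, Tuple
from urllib.request import Request

# Constructed sample login responses (not captured from any real site).
# Both simulate the reply to a successful login over HTTPS.
VULNERABLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),   # no Secure flag
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Placeholder site used for the cookie-jar simulation (assumption, not a real host).
LOGIN_URL = "https://www.example.test/login"

# Name fragments that usually mark an authentication cookie (heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for session cookies that can be sidejacked."""
    findings: List[str] = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure, will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, browser may still start on http://")
    return findings


class _FakeResponse:
    """Minimal stand-in for an HTTP response object, as CookieJar expects one."""

    def __init__(self, headers: List[Tuple[str, str]]) -> None:
        self._msg = Message()
        for key, value in headers:
            self._msg[key] = value  # Message keeps repeated Set-Cookie headers

    def info(self) -> Message:
        return self._msg


def cookies_sent(headers: List[Tuple[str, str]], url: str) -> Set[str]:
    """Simulate a browser: store the login cookies, then report which of them
    get attached to a later request for `url` (http:// or https://)."""
    jar = CookieJar()  # default policy honours the Secure attribute
    jar.extract_cookies(_FakeResponse(headers), Request(LOGIN_URL))
    later = Request(url)
    jar.add_cookie_header(later)
    header = later.get_header("Cookie", "")
    return {p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()}


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_RESPONSE_HEADERS),
                        ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(f"[{label}] findings: {audit_headers(hdrs) or 'none'}")
        print(f"[{label}] sent over http://  : {sorted(cookies_sent(hdrs, 'http://www.example.test/home'))}")
        print(f"[{label}] sent over https:// : {sorted(cookies_sent(hdrs, 'https://www.example.test/home'))}")
```

The audit function can be pointed at the headers of a real login response captured with any HTTP client. The HSTS check is included because the Secure attribute alone does not stop a browser from first requesting http:// on a site it has not visited yet; Strict-Transport-Security tells it to go straight to HTTPS.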

I’ll bet my entire year’s pay that you have used at least two of the sites listed above at least once in the last week (assuming you have a network connection and have had the time to get online for one reason or another).

You may also notice that there are a few sites up there that people think are ‘hack proof’ or so security conscious that they can’t be hacked by simple ‘leapfrog’ or hijacking attempts (as some people have said in previous posts here).

There are very few requirements to using Firesheep.  They are:

– Mac OS X: 10.5 or newer on an Intel Processor
– Windows: XP or newer.  Install WinPcap first!
– Firefox: 3.6.12 or newer. 32-bit only. Firefox 4.x beta is currently not supported

Once you have it downloaded and installed, that’s it.  Open Firefox, open the side panel, click on start capture and start getting what you want.

You don’t even have to have a live session to get back into people’s accounts.  You can just save them for later and go about your business, collecting now and playing later.  I can see this as a GREAT tool for law enforcement or military intelligence use, as well as a great evil tool for stalkers.

The capture process does capture quite a bit, and tells it all to you in an easy to understand format (if you know what you’re looking at).

As I was playing around with it, I was sitting in a Starbucks and it started to get a little busy.  While ‘browsing’ I was able to capture several users’ information, and with the help of a previously unaware user, I was able to verify that I could indeed log in as her and do whatever I wanted to do.

Let me explain something here: this tool gives you incredible power over someone’s account.  Just about the only thing that you could not do would be to access an area of the site that asks for password verification a second time.  I located the user that I had captured and approached them.

I introduced myself and let them know that I was doing an article for a magazine on the lack of security of some of the sites that they were visiting (in fact they visited 5 of the sites listed within 20 minutes).  I explained exactly what I was doing and asked if I could log in as them.

They were hesitant till I produced my credentials (drivers license, business card, etc) and they asked if I wanted their password or if I wanted them to log in.  I said no, I just wanted permission to attempt to log in as them.  They gave me their computer and I stated that I didn’t need it.

I then showed them my screen and let them watch what I was doing.  I double clicked on the icon in my side bar and in fact made a posting from their Facebook and Twitter account with no problems.

At this point, let me explain to you that they just about jumped out of their skin.  They looked quite worried.  I assured them that I was not intending to do anything malicious and to prove it I removed the information from my system and cleared the cache.

Jacking yo shit – It style son!

I did let them know that they need to be a little wary of open Wi-Fi access points, and that just because they ‘think’ they’re safe, they still need to be careful about where they’re logging in.

We spoke for about another 30-40 minutes after I showed them this, and I gave them a few pointers on internet security as well as helping to tighten down their Facebook profile.

I think that we have another user that’s going to be playing with Firesheep (since it’s so easy even a caveman can do it), even though before today all they really used the computer for was to Facebook, Tweet and buy a few things from Amazon.com.

Because of the information that is stored within the cookies, as well as some of the login information within the application, I’m not giving you actual screenshots of my attempt; however, I have provided screenshots from the author’s website to give you an idea.

In another article, I’ll be examining ways to block Firesheep and how to know when you’re being sniffed.

So, now that you’ve seen proof that these sites can be ‘hacked’, what are your thoughts on this?  Have you heard about Firesheep?  Are you using BlackSheep or Firesheep yourself?

READ PART II HERE: INFORMATION SECURITY: Sidejacking Wi-Fi Hotspots – How a Hacker Can Access All of Your Online Accounts With a Free Program Part II: How to Recognize and Protect Yourself

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.

33 thoughts on “INFORMATION SECURITY: Sidejacking Wi-Fi Hotspots – How a Hacker Can Access All of Your Online Accounts With a Free Program”

  1. Well – guess who is never going to use a wi-fi hotspot ever again in his life?

    Great article Norm

    ~James G

    1. Amen

  2. All I have to say is wow. Thanks for the article and I will definitely pass this one around.

  3. I hardly ever used a wifi hot spot, but that’s changing to never using
    one after reading this. I knew you computer guys were good, but this
    is downright scary.

    1. The scary part is this requires no real talent to do at all; back when I was working in corporate intel only highly skilled hackers could do stuff like this. Now any ass-hole with a laptop and a free program can do it – fucking freaky

      ~James G

      1. Yeah, back in the day (God, I hate that phrase) it took a pro, or at least a serious hobbyist to do something like this. Now, the kid that spit in your coffee can do it while he’s on break. That’s the scary part.

        This sucks.

  4. Hey, how can you tell if someone is using fire sheep near you at a wifi? Or is there any way to detect and find someone that is purposely trying to do this? That’s if you wanted to check who the jackasses were around you that are attempting to break into your stuff. lol

  5. That is pretty scary. I just downloaded jelldonuts recommendation and can’t wait for yours norm. It is disturbing that this can actually happen but is just another step in being insecure. For myself I don’t access anything worth while on a wifi network. I don’t make purchases and I rarely ever check my facebook. And never, ever, EVER will be a person that twats. I can’t stand that.

    But one question does arise. Does this program only work with snatching things from another firefox enabled browser, or is any browser?

    Thanks for the info as always norm.

  6. Chad,
    JG is right, it takes absolutely NO talent to use this. Just download Firefox, Download the extension and you’re in. Back in the day you’d have to use skilled man in the middle attacks to do something like this. Now, there’s a simple plugin for it.

    Matt,
    I’m working on the follow up article to this one right now and should have it to JG by the end of the day. I’ll be showing how to block it, detect it and a few tips to help keep secure.

    Eugene,
    No need to bypass this stuff on a wi-fi connection, just be careful and implement a little security. I’ll step through it in part two. As far as the program working with only Firefox, no, it has pulled information from Firefox, Safari, IE, Opera, iPhone, iPad, tablet PCs, Windows, Mac, iOS, Linux, just about anything with a browser; I was even able to get a few hits from a few point of sale systems that were close. It currently only collects data for you if you’re using it within Firefox, but I’m sure that’s coming for others as well. Also, without jailbreaking the iPad, iPhone, etc, I’m not sure of a way to block it. It may be a part three for those.

    Andrew,
    RE-IMAGE the computer, there’s no getting around it. It’s the only way to be secure. When it comes to trojans, viri, etc, you need to follow the old viking/celt rule. Leave no one behind you that would be able to take up arms against you. Same goes for malicious software on your computer, don’t let anything there that could allow anything back in. I spent almost 8 hours one night cleaning a system for a friend of mine because they didn’t have the reload software to get their box back to normal. Well, two weeks after that, I ended up forcing them into re-imaging their computer as they were as bad off as they were and then some.

    Thanks for the comments and like I said, I’m working on part two right now so keep your eyes open.

  7. My preferred method is simply to use a VPN connection. DD-WRT will run on a whole host of home routers and includes a PPTP server. It’s not L2TP/IPSEC, but it works for shit like this.

  8. My preferred method is simply to use a VPN connection. DD-WRT will run on a whole host of home routers and includes a PPTP server. It’s not L2TP/IPSEC, but it works for shit like this.

    That is a great option however; it would work best if you’re in a hotel or at a conference, but when you’re out and about in say a coffee shop, it’s a bit of an issue to pull out a router and go from there.

  9. I have two laptops and three USB harddrives. I keep all my files on the external hard drives. I also only use one computer to go online. It is my 5 year old laptop and the one I take with me on trips as well. If they hack it or steal it they get nothing, no personal information no nothing. Just because you are paranoid doesn’t mean that no one is out to get you.

  10. Good info here, lots I didn’t know before.

    How about stealing information sent over cell signals, like from a smartphone over 3G? That’s how I’ve been using the internet lately and have been wondering about the relative security of that.

    Thanks for teaching me a thing or two about a thing or two. & looking forward to the follow-up article.

  11. Smartphones are usually incredibly vulnerable when it comes to bluetooth traffic. In addition to intercepting broadcast information, some can be hacked remotely and turned into a wireless internet hub, or you can contract a worm that forwards all message/call log information. Protip: stay away from dodgy “free” apps.

    I once had an interesting discussion with a professor of mine, this took place in a lab where we learn to control industrial installations with multiple PC-borne interface systems. He explained how he could check up on the programmable controllers from his office or home even.

    (paraphrased)

    Prof: … in reality, no industrial installation would be controlled by a computer linked to the internet, it’s a guarantee that in the long run, somebody WILL find a way in. Unauthorized access is a recipe for disaster

    Me: I was taught that if you’re online, you should assume someone else is always watching over your shoulder.

    Prof: Now don’t be ridiculous, try “a whole crowd is watching and they all brought cameras”. SomeONE … how naïve.

  12. That is a great option however; it would work best if you’re in a hotel or at a conference, but when you’re out and about in say a coffee shop, it’s a bit of an issue to pull out a router and go from there.

    Sorry man, I guess I should have been clearer. The router stays at your house and connected to the internet. VPN server service runs on it. Laptop goes with you. Configure a VPN client on laptop. You establish a tunnel to router from your laptop over the intertubes. Once the connection is established, barring a few special extraordinary scenarios, any traffic to or from your machine travels through the tunnel to your home (or wherever it is) router.

  13. From the wifi hotspot, use Remote Desktop to connect to your (non-Wifi) machine at home. Do all surfing on that machine. Problem solved.

  14. Wow, just wanted to write and say thanks for this warning… I had heard of Firesheep, but had had no idea what it was, or why it was problematic. I’m totally computer illiterate, and this thing only took me two minutes to Google, download, and install (I hate to admit I had to google how to do that, too).

    I’m sitting at a McDonald’s (they have free Wi-Fi here), and I’m totally freaked out that I can now jack the facebook and email of the girl sitting two tables over.

    Let’s go ahead and file this under: “with great power comes great responsibility…”

    Keep up the good work! I really enjoy this site, and it has become a daily must-read!

  15. Sorry, Norm, I think we misunderstood each other, as I assume it was me (the only slightly negative comment on your last article) you are referring to. I didn’t say anyone was hack-proof, I’m not that naive. I was trying to explain that it’s a world of difference between hacking a corporation using leapfrog from vendors (the specific angle of attack you gave in your previous article) and hacking a web site; the first is damn hard and the second is relatively easy.

    I agree with you completely that users’ personal data isn’t remotely secure enough, and that personal data hacks are common and getting more so – Firesheep is just the latest greatest iteration of that. The attack has moved away from hardened areas (i.e. big corporations because they’ve learned their lessons and cleaned up at least a little bit), to now the users who haven’t yet learned their lesson. It’s the same way with malware – it used to be that malware only targeted the OS code because Windows was so buggy and open to attack. Now it’s gotten better (again, not hack proof by any stretch but better than it was before), so a lot of the attacks have moved up the application stack to less secure applications.

    Some possible fixes – HTTPS anywhere is a good idea, but that requires Firefox which I don’t trust – too many script kiddies writing add-ons for that one for my liking. The Remote Desktop / VPN is a good idea too, but it requires a home router / home PC that is always on, always connected to the internet, and able to accept outside requests – that strikes me as both expensive and adding some risk. Some script kiddie sees an ‘always on’ connection as a challenge and a great prize for their own nefarious purposes…

    I think, unfortunately, this one’s down to the providers to fix, and given the track record of most social networking sites’ resistance to change, it’s gonna be a while.

  16. Norm,

    Thanks for another great article. Are there different dynamics in a wireless router/modem in my home as opposed to a public Wi-Fi? Am I as vulnerable at home to wireless sidejacking?

    1. How secure is your home wi-fi? Works with anyone on the same subnet, so if someone driving by your house ( say ) could log on to your home wi-fi this is just as much a problem.

  17. One way to defeat this is to use VPN ( as noted already ) or SSH tunneling:

    http://www.revsys.com/writings/quicktips/ssh-tunnel.html

    http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/

    Does require a remote machine with an active internet connection, so might not be for everyone.

  18. Well the next time I’m kicking it at Starbucks or wherever, if I see some s**thead using this, they better be prepared to be loudly and embarrassingly shamed in front of the entire establishment.

    ….and I’m also never using a wifi hotspot again.

  19. GoneWithTheWind
    That’s a great idea as far as the laptops and hard drives, but remember, not all information is received from the device itself. You’ve got to be aware and careful with your online activities as well.

    Chris B
    That’s a lot safer than public wi-fi if you’re connected via cable. If you’re using USB or IR or Wi-Fi to connect to it, it’s just as vulnerable. Bluetooth is extremely insecure and I haven’t found too much in the way of BT security. Cellular modems are safer, but they’re not totally secure. Definitely a better choice as they’re harder to intercept.

    Michael Hawkins
    “Prof: Now don’t be ridiculous, try “a whole crowd is watching and they all brought cameras”. SomeONE … how naïve.” I like that quote.

    Chris C
    Yes, that is a better option, but remember unless you’ve got layer 2 encryption on your system, it’s still vulnerable till it makes the VPN connection. Again though, it’s a more acceptable risk unless you’re a ‘targeted’ individual.

    Cullen
    No offense taken from the last article, I’m definitely open to people to challenge my thoughts and ideas (they’re my ideas and thoughts unless I specifically quote or re-print an article or portion of an article and reference). I was also hoping that you weren’t that naive. I have met a few people that think that way and it scares the living crap out of me. Yes, HTTPS anywhere is a nice little application. the VPN/RD is also a good idea, but in total truth, you’ve got to choose your best risk mitigation and decide what is an acceptable risk for you. I relate it to this; For me, grabbing my sidearm and maybe 1 extra clip (depending on where I’m going, how long I’m going to be gone) as I leave the house every day is an acceptable risk for me. If I were to get into trouble, if I need more than that, I’m in SERIOUS trouble that needs bigger hardware. That’s an acceptable risk. For someone like JG, because of where they are, they’re going to need auto weapons, several weapons and a boat load of ammo because of the area they’re in. As far as the price tag on the RD/VPN system it’s actually a lot less than you’d think. I could set it up for someone for under $200 with most likely the hardware they have. It’s just where you’re willing to get the hardware/software and how knowledgeable you are.

    Tahoma
    Yes, you’re as exposed (and probably more so) from your home wi-fi as opposed to public. On the home wi-fi you feel safe, secure, but in public you’ve got more of something to look out for. Someone could be sitting in the apartment or even house next to yours or on the street sidejacking you as you’re typing this. The best thing to do to help secure your connection is using encryption (WEP, WPA {even though it’s been cracked it’s better than nothing} or some other form). Also, hide your SSID and make sure that you have MAC filtering turned on along with turning off DHCP on the router. Yes, all of this is a pain in the wang, but it all depends on how secure you want to be, how paranoid you are and how many problems you want to put up with. Again, what is your level of acceptable risk. For me, I’m not as concerned as some others out there to hide my SSID. I do, but I don’t need to be. If anyone is sitting along my road or anywhere they’d be able to even see my signal, they’d be definitely within spitting distance of my place and be noticed by either myself or one of my neighbors. And we don’t take too kindly to ANYONE that we don’t know even being ON our property. The chance of a drive-by wi-fi discovery is absolutely nil, even with a high gain antenna. The road is a good distance away from my place and the construction of the house limits Wi-fi to barely the limits of inside my house.

    Caleb H
    It’s not as easy to find as you’d think. While at Starbucks this weekend, I was alerted that someone was using it. I tracked their IP, got their host name and OS and was able to determine it was one of four people that were using it. I wasn’t able to figure out exactly which one it was (even with some social engineering), but I think some of the stuff I was saying got their attention. They logged off not soon after I started poking around. I logged their information and will be watching for it again, I’ll track them down. I like a good challenge every now and again.

  20. Norm – thanks for that. I didn’t want any hard feelings either :)

    And I know it’s about $200 for the VPN anywhere kit, but I figure the risk is low for me. Facebook / Twitter / LinkedIn / whatever is non-critical to me. If someone hacks me, I’ll know about it shortly and correct it. I don’t use them much anyways. So in the calculus of risk, it’s pretty low. I use VPN and SSP for all my work stuff when in public, WEP and non-broadcast on home wifi, so I figure I’m ‘good enough’ for my requirements.

    I am more worried about the vulnerabilities of my smartphones, but that’s another topic all together :)

    Cheers

    C

  21. And I know it’s about $200 for the VPN anywhere kit, but I figure the risk is low for me.

    I use VPN and SSP for all my work stuff when in public, WEP and non-broadcast on home wifi, so I figure I’m ‘good enough’ for my requirements. I am more worried about the vulnerabilities of my smartphones, but that’s another topic all together

    Cheers
    C

    Oh, don’t even get me started on the smart/cell phone vulnerabilities, I reviewed a number of them in an article on here, but since then I’ve been finding a lot more. I may have to do a follow update with it.

    As far as the VPN kit is concerned, a lot of SOHO routers now come with them built in, or by using a free Linux distro, you can set one up fairly simple. Use dynamic DNS and you’re good to go.

    For work, I’ve got layer 2 encryption and dedicated line, so no worries there (so to speak). There’s usually just e-mail and some remote mgt traffic on it, nothing too serious.

  22. I said it in another thread about OpSec.
    YOU SHOULD JUST GET RID OF IT.

    That goes for twitter, facebook, myspace, and the like.
    Learn some web development skills, not a whole lot, just enough to set up a photo gallery (http://fffff.at/fuckflickr-info/), and build a blog (http://wordpress.org/). Get away from the following email providers..

    @hotmail
    @aol
    @google (guilty :/)

    Your email should be considered private; these companies aren’t sharing your data or physically inspecting your email, but they do mine your data. Why not buy a domain? Set up your own email? It’s yours, it’s more private than the big boxes.

    Just saying…

  23. If you think “firesheep” is a threat (which it is), start looking up information about R.F.I.D. chips in use by our own Government. It will definitely piss you off, especially if you value your privacy and your freedom.
