Saturday, October 30, 2010

Evils of Firesheep

Firesheep is a Firefox add-on that allows anyone to hijack other people’s social network accounts in open wifi zones. I'm not sure of the legalities of this is the US since state laws differ from state to state. I think cali has sticked laws on this. I think in the UK u can get into some legal trouble with their cyber security council thing.


This thing is extremely easy to use. Just head into a wifi populated area and boom your in peoples business like crazy.  I need to look up the laws on this because you can do some serious damage to people using this extension. The possibility of the amount of PII you will be collecting on people is scary. Whats even scarier is that people are more then likely doing it to you now since this craze has spread like wildfire.


Use of this addon IS illegal outside of private use to test network security.


The program was originally created to get people aware of the insecure login credentials on social networks. It has done its job very well and is out of control.


Tomorrow i will post a program for anyone in a public wifi area to use that will keep you and people around you safe from someone looking at your private information.

------------------------------------

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

23 comments:

  1. Pretty rigged, but worth using if you really need it for some obscure purpose

    ReplyDelete
  2. Sounds like it should be illegal!

    ReplyDelete
  3. I won't try this lol
    I have no business looking at other people's business!

    ReplyDelete
  4. @swift: i will try this too!

    ReplyDelete
  5. ooo sooo creepy and presents a scary thought in itselfs.

    ReplyDelete
  6. Yeah, people are a little ignorant when it comes to shit like that. I remember scaring the hell out of my friends with just some of the BackTrack tools back in the day.

    ReplyDelete
  7. ROFL super sketch.... im totally not gonna use it >.>

    ReplyDelete
  8. This is such a troublemaker...
    Brilliant!

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. Just so you know, this is NOT legal.

    It's only legal if you have the account owner's permission, and is typically done by security professional to test server. There are better tools than that addon, though.

    Using it as you suggest is extremely illegal, and if you get caught you're getting the same sentence as a bank robber in the US. And I don't wanna sound like an asshole, but it's against the Google ToS. I won't report it of course, but if they see it they won't like it

    ReplyDelete