A Wolf In Sheep's Clothing - New Threat

Discussion in 'Computer Security' started by jack@eeiio.comnet, Nov 9, 2010.

  1. Guest

    http://www.dailyexaminer.com.au/story/2010/11/08/hackers-internet-scam-crime/

    Computer hackers surf new program

    MOST people have heard the term “a wolf in sheep’s clothing”. However,
    this old expression may need to be changed to a “hacker in sheep’s
    clothing” due to a sneaky new program called Firesheep, which allows
    hackers easy access to information on computers logged on to unsecured
    wireless networks.

    Firesheep is a downloadable plug-in application for internet browsers
    which allows users to scan for unsecured wireless networks and steal
    “cookies” – files automatically stored on computers using the network
    which can contain automatic log-in information for some websites.

    Websites such as Facebook, Twitter and some web mail services like
    hotmail allow users the option to automatically log-in to their
    accounts when they navigate to their pages, which creates a cookie
    file on their computer with their log-in information.

    If Firesheep users get a hold of these cookie files, it can allow them
    to log in to the victim’s account and view information. It also
    grants them the freedom to make any changes they like, such as status
    updates or sending emails and messages.

    Computer Troubleshooters North Coast owner Tony Hattam said
    downloading the plug-in and taking over someone’s account on an
    unsecured network was a relatively easy process and warned people to
    take precautions.

    “It’s certainly quite insidious,” Mr Hattam said.

    “Thankfully, it can’t track your username and password details, but
    it’s certainly the easiest way I’ve seen to take advantage of
    someone’s unsecured wireless connection.”

    Mr Hattam said unprotected wireless networks were vulnerable to the
    process and once a hacker had gained access to a computer on the
    network, they could then view and copy these cookie files to various
    web accounts at their leisure.

    Fortunately, sites such as bank websites which requested a password
    every time the user logged-on were safe from Firesheep attacks, but
    hackers could still potentially cause havoc and embarrassment by
    hijacking people’s Twitter, Facebook or web mail accounts.

    According to Mr Hattam, the Firesheep program had been downloaded more
    than 129,000 times in the day after it was released so there were a
    huge number of potential hackers just waiting for an opportunity.

    Mr Hattam said this, combined with the fact that many people were
    unintentionally running unsecured networks, gave potential Firesheep
    hackers a buffet of different targets to choose from.

    He said the best way to thwart potential “sheepers” was to make sure
    any wireless networks were secured and password-protected and to avoid
    logging on to an unsecured public network.

    “Setting up a password or securing your broadband connection is very
    easy to do,” Mr Hattam said.

    “Even things like the free wi-fi at McDonald’s can leave your computer
    at risk from programs like Firesheep.”

    He said a secure wireless network had to often be manually set up by
    the user and encouraged anyone wanting to establish a new network or
    secure their existing one to thoroughly read any documentation which
    came with the equipment.

    Mr Hattam also said to run any software which originally came bundled
    with the equipment because this often walked users through the process
    of securing their wireless network.
     
    , Nov 9, 2010
    #1

  2. Guest

    On Tue, 09 Nov 2010 11:31:12 -0600, et wrote:

    >
    >http://www.dailyexaminer.com.au/story/2010/11/08/hackers-internet-scam-crime/
    >
    >Computer hackers surf new program
    >
    >MOST people have heard the term “a wolf in sheep’s clothing”. However,
    >this old expression may need to be changed to a “hacker in sheep’s
    >clothing” due to a sneaky new program called Firesheep, which allows
    >hackers easy access to information on computers logged on to unsecured
    >wireless networks.
    >
    >Firesheep is a downloadable plug-in application for internet browsers
    >which allows users to scan for unsecured wireless networks and steal
    >“cookies” – files automatically stored on computers using the network
    >which can contain automatic log-in information for some websites.
    >
    >Websites such as Facebook, Twitter and some web mail services like
    >hotmail allow users the option to automatically log-in to their
    >accounts when they navigate to their pages, which creates a cookie
    >file on their computer with their log-in information.
    >
    >If Firesheep users get a hold of these cookie files, it can allow them
    >to log in to the victim’s account and view information. It also
    >grants them the freedom to make any changes they like, such as status
    >updates or sending emails and messages.
    >
    >Computer Troubleshooters North Coast owner Tony Hattam said
    >downloading the plug-in and taking over someone’s account on an
    >unsecured network was a relatively easy process and warned people to
    >take precautions.
    >
    >“It’s certainly quite insidious,” Mr Hattam said.
    >
    >“Thankfully, it can’t track your username and password details, but
    >it’s certainly the easiest way I’ve seen to take advantage of
    >someone’s unsecured wireless connection.”
    >
    >Mr Hattam said unprotected wireless networks were vulnerable to the
    >process and once a hacker had gained access to a computer on the
    >network, they could then view and copy these cookie files to various
    >web accounts at their leisure.
    >
    >Fortunately, sites such as bank websites which requested a password
    >every time the user logged-on were safe from Firesheep attacks, but
    >hackers could still potentially cause havoc and embarrassment by
    >hijacking people’s Twitter, Facebook or web mail accounts.
    >
    >According to Mr Hattam, the Firesheep program had been downloaded more
    >than 129,000 times in the day after it was released so there were a
    >huge number of potential hackers just waiting for an opportunity.
    >
    >Mr Hattam said this, combined with the fact that many people were
    >unintentionally running unsecured networks, gave potential Firesheep
    >hackers a buffet of different targets to choose from.
    >
    >He said the best way to thwart potential “sheepers” was to make sure
    >any wireless networks were secured and password-protected and to avoid
    >logging on to an unsecured public network.
    >
    >“Setting up a password or securing your broadband connection is very
    >easy to do,” Mr Hattam said.
    >
    >“Even things like the free wi-fi at McDonald’s can leave your computer
    >at risk from programs like Firesheep.”
    >
    >He said a secure wireless network had to often be manually set up by
    >the user and encouraged anyone wanting to establish a new network or
    >secure their existing one to thoroughly read any documentation which
    >came with the equipment.
    >
    >Mr Hattam also said to run any software which originally came bundled
    >with the equipment because this often walked users through the process
    >of securing their wireless network.
    >



    Here are more articles on the same:

    http://preview.tinyurl.com/27kd5t9
     
    , Nov 9, 2010
    #2

  3. Facebook and Twitter fail basic security test
    http://news.yahoo.com/s/digitaltren...rends/facebookandtwitterfailbasicsecuritytest

    from above:

    Riding off of the coattails of the FireSheep Firefox exploit, Digital
    Society has studied the basic security functions of 11 popular
    websites and given them grades. The results are not stellar for most,
    especially social networking sites Twitter and Facebook, which both
    received failing grades.

    .... snip ...

    Long ago and far away we were called in to consult with small
    client/server startup that wanted to do payment transactions on their
    server; they had also invented this technology called "SSL" they wanted
    to use; the result is now frequently called "electronic commerce". Part
    of the effort was study regarding security requirements for SSL
    deployment and use. Almost immediately the security requirements were
    violated because webservers found SSL cut their thruput 90-95%, dropping
    back to just using it for paying/checkout

    --
    virtualization experience starting Jan1968, online at home since Mar1970
     
    Anne & Lynn Wheeler, Nov 9, 2010
    #3
  4. "Anne & Lynn Wheeler" <> wrote in message
    news:...
    >
    > Facebook and Twitter fail basic security test
    > http://news.yahoo.com/s/digitaltren...rends/facebookandtwitterfailbasicsecuritytest
    >
    > from above:
    >
    > Riding off of the coattails of the FireSheep Firefox exploit, Digital
    > Society has studied the basic security functions of 11 popular
    > websites and given them grades. The results are not stellar for most,
    > especially social networking sites Twitter and Facebook, which both
    > received failing grades.
    >
    > ... snip ...
    >
    > Long ago and far away we were called in to consult with small
    > client/server startup that wanted to do payment transactions on their
    > server; they had also invented this technology called "SSL" they wanted
    > to use; the result is now frequently called "electronic commerce". Part
    > of the effort was study regarding security requirements for SSL
    > deployment and use. Almost immediately the security requirements were
    > violated because webservers found SSL cut their thruput 90-95%, dropping
    > back to just using it for paying/checkout


    Reading around on the net, I see recommendations for transport layer
    security as having some effect against this attack - I don't see how, if
    this really is about a cookie *file* on a computer on the unsecured wireless
    network as indicated in the OP's quote. Getting hold of *cookies* in this
    sense must not be quite the same as getting hold of *cookie files* stored on
    a computer on the affected network - or else SSL/TLS wouldn't have any
    effect on it.
     
    FromTheRafters, Nov 9, 2010
    #4
  5. "FromTheRafters" <> writes:
    > Reading around on the net, I see recommendations for transport layer
    > security as having some effect against this attack - I don't see how, if
    > this really is about a cookie *file* on a computer on the unsecured wireless
    > network as indicated in the OP's quote. Getting hold of *cookies* in this
    > sense must not be quite the same as getting hold of *cookie files* stored on
    > a computer on the affected network - or else SSL/TLS wouldn't have any
    > effect on it.


    cookie capture is eavesdropping on open communication channel (during
    cookie transfer) ... followed by a "replay attack" of the harvested
    cookie ... then encrypting the communication is countermeasure to
    eavesdropping (as opposed to a trojan running on the victim machine that
    harvests the cookie from disk file).

    there is separate discussion about cookies being a poor solution

    lcamtuf's blog: HTTP cookies, or how not to design protocols
    http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

    --
    virtualization experience starting Jan1968, online at home since Mar1970
     
    Anne & Lynn Wheeler, Nov 9, 2010
    #5
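
The distinction drawn in the replies above (the cookie is captured in transit, not read from a file on disk) as an added example that is not part of any poster's message: a simplified model of which cookies a browser attaches to HTTP versus HTTPS requests, and which therefore cross the network in cleartext. The site example.test and the cookie names and values are constructed, and domain/path matching is deliberately ignored.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie header values for a hypothetical site, example.test.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",          # session cookie, no Secure
    "auth_token=def456; Path=/; Secure; HttpOnly",  # restricted to HTTPS
    "theme=dark; Path=/",                           # harmless preference
]


def parse_jar(headers):
    """Return {cookie name: has Secure attribute} for Set-Cookie values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            # morsel["secure"] is True when the flag is present, "" otherwise.
            jar[name] = bool(morsel["secure"])
    return jar


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url.

    Simplification: every cookie is assumed to match the host and path;
    only the Secure attribute is modelled.
    """
    encrypted = urlsplit(url).scheme == "https"
    return sorted(name for name, secure in jar.items() if encrypted or not secure)


def exposed_to_eavesdropper(jar, urls):
    """Cookies that travel unencrypted during the given page loads."""
    exposed = set()
    for url in urls:
        if urlsplit(url).scheme != "https":
            exposed.update(cookies_sent(jar, url))
    return sorted(exposed)


if __name__ == "__main__":
    jar = parse_jar(SAMPLE_SET_COOKIE)
    # Login over HTTPS, then ordinary browsing over HTTP (the pattern
    # described in the thread: SSL only where it is considered essential).
    visits = ["https://example.test/login", "http://example.test/home"]
    print("exposed in cleartext:", exposed_to_eavesdropper(jar, visits))
```

Running the same check with every URL on HTTPS returns an empty list, which is why full-session TLS (and the Secure attribute on session cookies) is the countermeasure to the eavesdropping step.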
  6. On Tue, 9 Nov 2010 14:57:37 -0500, FromTheRafters wrote:

    > "Anne & Lynn Wheeler" <> wrote in message
    > news:...
    >>
    >> Facebook and Twitter fail basic security test
    >> http://news.yahoo.com/s/digitaltren...rends/facebookandtwitterfailbasicsecuritytest
    >>
    >> from above:
    >>
    >> Riding off of the coattails of the FireSheep Firefox exploit, Digital
    >> Society has studied the basic security functions of 11 popular
    >> websites and given them grades. The results are not stellar for most,
    >> especially social networking sites Twitter and Facebook, which both
    >> received failing grades.
    >>
    >> ... snip ...
    >>
    >> Long ago and far away we were called in to consult with small
    >> client/server startup that wanted to do payment transactions on their
    >> server; they had also invented this technology called "SSL" they wanted
    >> to use; the result is now frequently called "electronic commerce". Part
    >> of the effort was study regarding security requirements for SSL
    >> deployment and use. Almost immediately the security requirements were
    >> violated because webservers found SSL cut their thruput 90-95%, dropping
    >> back to just using it for paying/checkout

    >
    > Reading around on the net, I see recommendations for transport layer
    > security as having some effect against this attack - I don't see how, if
    > this really is about a cookie *file* on a computer on the unsecured wireless
    > network as indicated in the OP's quote. Getting hold of *cookies* in this
    > sense must not be quite the same as getting hold of *cookie files* stored on
    > a computer on the affected network - or else SSL/TLS wouldn't have any
    > effect on it.


    The Wheelers have addressed the regeneration of info from a cookie but
    let's make sure that it is understood that this attack isn't
    particularly new

    http://www.wallofsheep.com/about/history/

    or limited to unsecured wireless networks. Wired networks are as
    vulnerable but not as easy to find (sometimes).

    The answer is full SSL via HTTPS but as the Wheelers have also pointed
    out the speed cost is high hence we have encrypted sessions typically
    only where financial info is being transmitted.

    IMO the only answer is ToR and with the speed at which ToR operates
    these days, it is little price to pay. Think of Tor this way. Imagine
    not having anything except ToR for browsing. Speed seems OK now
    doesn't it.
    --
    <http://2.bp.blogspot.com/_WhnvofcHy48/SDxAZbSaqnI/AAAAAAAAADo/Qh2FYauXJMo/s400/RIMG0019-2.JPG>
     
    Ari Silverstein, Nov 9, 2010
    #6
  7. "Anne & Lynn Wheeler" <> wrote in message
    news:...
    >
    > "FromTheRafters" <> writes:
    >> Reading around on the net, I see recommendations for transport layer
    >> security as having some effect against this attack - I don't see how, if
    >> this really is about a cookie *file* on a computer on the unsecured
    >> wireless
    >> network as indicated in the OP's quote. Getting hold of *cookies* in this
    >> sense must not be quite the same as getting hold of *cookie files* stored
    >> on
    >> a computer on the affected network - or else SSL/TLS wouldn't have any
    >> effect on it.

    >
    > cookie capture is eavesdropping on open communication channel (during
    > cookie transfer) ... followed by a "replay attack" of the harvested
    > cookie ... then encrypting the communication is countermeasure to
    > eavesdropping (as opposed to a trojan running on the victim machine that
    > harvests the cookie from disk file).


    Yes, what I meant was that the quoted article referred to cookie files - and
    SSL doesn't deal with files.

    > there is separate discussion about cookies being a poor solution
    >
    > lcamtuf's blog: HTTP cookies, or how not to design protocols
    > http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html


    I'll have a look, thanks.
     
    FromTheRafters, Nov 10, 2010
    #7