A Wolf In Sheep's Clothing - New Threat


http://www.dailyexaminer.com.au/story/2010/11/08/hackers-internet-scam-crime/

Computer hackers surf new program

MOST people have heard the term “a wolf in sheep’s clothing”. However,
this old expression may need to be changed to a “hacker in sheep’s
clothing” due to a sneaky new program called Firesheep, which allows
hackers easy access to information on computers logged on to unsecured
wireless networks.

Firesheep is a downloadable plug-in application for internet browsers
which allows users to scan for unsecured wireless networks and steal
“cookies” – files automatically stored on computers using the network
which can contain automatic log-in information for some websites.

Websites such as Facebook, Twitter and some web mail services like
Hotmail allow users the option to automatically log in to their
accounts when they navigate to their pages, which creates a cookie
file on their computer with their log-in information.

If Firesheep users get a hold of these cookie files, it can allow them
to log in to the victim’s account and view information. It also
grants them the freedom to make any changes they like, such as status
updates or sending emails and messages.

Computer Troubleshooters North Coast owner Tony Hattam said
downloading the plug-in and taking over someone’s account on an
unsecured network was a relatively easy process and warned people to
take precautions.

“It’s certainly quite insidious,” Mr Hattam said.

“Thankfully, it can’t track your username and password details, but
it’s certainly the easiest way I’ve seen to take advantage of
someone’s unsecured wireless connection.”

Mr Hattam said unprotected wireless networks were vulnerable to the
process and once a hacker had gained access to a computer on the
network, they could then view and copy these cookie files to various
web accounts at their leisure.

Fortunately, sites such as bank websites which requested a password
every time the user logged on were safe from Firesheep attacks, but
hackers could still potentially cause havoc and embarrassment by
hijacking people’s Twitter, Facebook or web mail accounts.

According to Mr Hattam, the Firesheep program had been downloaded more
than 129,000 times in the day after it was released so there were a
huge number of potential hackers just waiting for an opportunity.

Mr Hattam said this, combined with the fact that many people were
unintentionally running unsecured networks, gave potential Firesheep
hackers a buffet of different targets to choose from.

He said the best way to thwart potential “sheepers” was to make sure
any wireless networks were secured and password-protected and to avoid
logging on to an unsecured public network.

“Setting up a password or securing your broadband connection is very
easy to do,” Mr Hattam said.

“Even things like the free wi-fi at McDonald’s can leave your computer
at risk from programs like Firesheep.”

He said a secure wireless network had to often be manually set up by
the user and encouraged anyone wanting to establish a new network or
secure their existing one to thoroughly read any documentation which
came with the equipment.

Mr Hattam also said to run any software which originally came bundled
with the equipment because this often walked users through the process
of securing their wireless network.

Re: A Wolf In Sheep's Clothing - New Threat

On Tue, 09 Nov 2010 11:31:12 -0600, jack@eeiio.comnet wrote:


Here are more articles on the same:


Re: A Wolf In Sheep's Clothing - New Threat

Facebook and Twitter fail basic security test

from above:

Riding off of the coattails of the FireSheep Firefox exploit, Digital
Society has studied the basic security functions of 11 popular
websites and given them grades. The results are not stellar for most,
especially social networking sites Twitter and Facebook, which both
received failing grades.

... snip ...

Long ago and far away we were called in to consult with a small
client/server startup that wanted to do payment transactions on their
server; they had also invented this technology called "SSL" they wanted
to use; the result is now frequently called "electronic commerce". Part
of the effort was study regarding security requirements for SSL
deployment and use. Almost immediately the security requirements were
violated because webservers found SSL cut their thruput 90-95%, dropping
back to just using it for paying/checkout.

virtualization experience starting Jan1968, online at home since Mar1970

Re: A Wolf In Sheep's Clothing - New Threat


Reading around on the net, I see recommendations for transport layer
security as having some effect against this attack - I don't see how, if
this really is about a cookie *file* on a computer on the unsecured wireless
network as indicated in the OP's quote. Getting hold of *cookies* in this
sense must not be quite the same as getting hold of *cookie files* stored on
a computer on the affected network - or else SSL/TLS wouldn't have any
effect on it.
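
An added example, not part of the thread: a session cookie travels in the `Cookie` header of each request, so whether it is readable on an open network depends on the request's scheme and on the cookie's `Secure` attribute, which is also why using SSL only for checkout leaves the session exposed. The host name and cookie values are constructed, and domain/path matching is left out as a simplifying assumption.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def exposed_on_wire(set_cookie_headers, request_url):
    """Names of cookies a browser would send unencrypted with request_url.

    Assumption: every cookie matches the request's host and path.
    """
    if urlsplit(request_url).scheme.lower() == "https":
        return []  # TLS encrypts the whole request, Cookie header included
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" not in attrs:  # Secure cookies are withheld from http://
            exposed.append(name)
    return exposed


# Constructed sample: login happens over HTTPS, but the session cookie
# lacks Secure, so it rides along on every later plain-HTTP page load.
SAMPLE_HEADERS = [
    "session_id=EXAMPLE-TOKEN; Path=/; HttpOnly",
    "csrf=EXAMPLE-CSRF; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for url in ("http://social.example/home", "https://social.example/home"):
        print(url, "->", exposed_on_wire(SAMPLE_HEADERS, url))
```

Serving the whole site over HTTPS and marking the session cookie `Secure` empties the list for every URL.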
