McAfee Labs

Ill take the Firesheep with a side order of ARP Poisoning please…

0
By on Oct 25, 2010

I read with great relish about the release of Firesheep over the weekend at ToorCon. Firesheep, written by Eric Butler, is a FireFox plugin that allows for the capturing of “insecure” login information. From the Firesheep website:

“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”

What Eric is essentially saying (and he is correct) is that if websites are not enforcing at least SSL encrypted logins, their users account info is at risk of capture and replay. More from Firesheep:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.”

The Firesheep plugin allows those who install it on their local machines to capture the login information (cookie) of any user that accesses a set of website that do NOT use SSL encryption for its logins. Just a few of the websites that Firesheep targets are shown here on the config page:

What does this mean? It means that anyone that visits one of these websites from that machine will have their name and photo displayed because their cookie will be captured:

At this point all the account information for these various sites are compromised. All an attacker then has to do is click any of the picture on the left and they are immediately logged in AS THAT USER. Identity theft made easy my friends.

Let us be clear here – this plugin is not the issue. Insecure login procedures are the issue. Websites that do not require SSL logins or enforce strong encrytion are the problem. Most users are unaware of this. Consider what an attacker could do by combining classic ARP poisoning with this…. From Wikipedia:

“ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution. The principle of ARP spoofing is to send fake, or “spoofed”, ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway.

ARP spoofing attacks can be run from a compromised host, or from an attacker’s machine that is connected directly to the target Ethernet segment.”

Classic man-in-the-middle attacking. Any traffic meant for the desired address is routed to the attacker instead allowing them to capture, sniff or modify it as they see fit. Quite a tidy way to sniff, intercept or capture cookies methinks….. or just install this plugin (Firefox only) on a shared or public machine. However all is not lost or dim. Users can take control so that Firesheep can be defeated. Enter HTTPS-Everywhere from our friends at the Electronic Freedom Foundation – the great EFF.

HTTPS-Everywhere encrypts user communication with a number of websites, hence defeating what Firesheep does. It rewrites all requests to a number of sites as HTTPS. It is a Firefox extension that ALL users should install and use anyway (I have been a user of it since it first came out).

Configuration is very straightforward and adding your own websites and customizations is quite easy as well.

Once HTTPS-Everywhere is installed and running users will be protected from this type of credential attack as well as the added benefit of the rest of the session to those websites being encrypted as well.

So where does this leave most users? It leaves their logins as exposed and vulnerable as ever, the Firesheep extension only makes it easy to demonstrate. Users need to look for tools like HTTPS-Everywhere from the EFF and take their identity protection into their own hands as they cannot depend on most websites to enforce or require encrypted logins. Download both Firesheep and HTTPS-Everywhere. Use them wisely on your own machines to educate yourself and your peers. The only way to change behavior is to demonstarte these types of issues responsibly.

Stay Safe and Hack The Gibson.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>