8

A colleague and I have been asked to do a demo where we show off stealing Facebook sessions with Firesheep. I've never used Firesheep before myself, but I reckon it should be a simple task.

I know the demo will raise a lot of eyebrows and many will be actually scared knowing they are using an open wireless network every day with their cellphones (won't go into any more details on this, but it's a fact).

Does anyone have any recommendations on what types of questions I should be prepared to answer? Anything in particular I should show in the demo, except just showing I'm logged in as the demo user?

What about MSN traffic... Is it possible to demo sniffing a MSN conversation as well?

What about securing against this? The users will still be using the open wireless. Is the only way of securing yourself by using a VPN to a secure connection?

EDIT: I know firesheep does not capture MSN conversations. Anyone got any recommendations on a tool which could demonstrate this?

Jeff Ferland
Chris Dale
  • Keep in mind that you either need a Mac, or a wireless card that can be used in promiscuous mode. Otherwise, Firesheep (and just about any other WiFi sniffing utility) won't work. – Iszi Jan 21 '11 at 16:38
  • @Iszi, My network card's chipset allows me to sniff open traffic :) – Chris Dale Jan 21 '11 at 16:53
  • Good. Just wanted to make sure that was covered, since you mentioned it would be your first time using FireSheep. – Iszi Jan 21 '11 at 17:47
  • @Iszi, Thank you :) My first time doing the sniffing the easy way hehe. Usually I use kismet. – Chris Dale Jan 22 '11 at 12:36
  • 1
    @Iszi, most Dell Latitudes + builtin WiFi + WinXP/Vista/7 from the past couple years will do promisc mode with the right drivers... Good luck finding the right drivers tho--My particular Latitude promisc drivers were only released in two minor driver revisions--Took me 2 hours to track down the right revision. – Josh Brower Jan 24 '11 at 01:56

6 Answers

5

Firesheep just shows off cookie-based session attacks. MSN does not use cookies. However, MSN does send conversations in clear-text (just not the auth), but firesheep can't pick it up.

VPN is one way to secure the connection. Another is to only create sessions on websites that only run the full session through SSL.

Steve
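The point in the answer above about running the full session over SSL comes down to how a browser decides which cookies to attach to a request. The following Python is an added illustration, not code from the answer or from Firesheep: it implements the RFC 6265 domain, path and Secure-attribute rules that govern cookie sending, and feeds it two constructed session cookies for a fictional site (example.com, values invented). The cookie without the Secure attribute is attached to any later http:// page on the domain and so crosses the open Wi-Fi in cleartext; the one marked Secure is withheld from plaintext requests entirely, which is exactly the traffic a passive sniffer like Firesheep depends on.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # host the cookie is scoped to (no leading dot)
    path: str = "/"
    secure: bool = False   # Secure attribute: only ever sent over HTTPS
    http_only: bool = False


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value (simplified RFC 6265 attribute handling)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=response_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


def domain_matches(cookie_domain: str, host: str) -> bool:
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, url: str):
    """Names of the cookies a browser attaches to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    over_https = u.scheme == "https"
    return sorted(
        c.name for c in jar
        if domain_matches(c.domain, host)
        and path_matches(c.path, path)
        and (over_https or not c.secure)
    )


def exposed_to_sniffer(jar, url: str):
    """Cookies that cross the network in cleartext for this request: what a passive sniffer sees."""
    if urlsplit(url).scheme != "http":
        return []
    return cookies_sent(jar, url)


# Constructed sample: two session cookies set by the HTTPS login response of a fictional site.
# 'legacy_sid' is how a site that only encrypts the login page behaves; 'sid' is the hardened form.
LOGIN_RESPONSE_SET_COOKIES = [
    "legacy_sid=9f3a2b1c; Domain=example.com; Path=/",
    "sid=d41d8cd98f; Domain=example.com; Path=/; Secure; HttpOnly",
]
JAR = [parse_set_cookie(h, "www.example.com") for h in LOGIN_RESPONSE_SET_COOKIES]

if __name__ == "__main__":
    for url in ("https://www.example.com/home", "http://www.example.com/feed"):
        print(url, "sends", cookies_sent(JAR, url), "exposed:", exposed_to_sniffer(JAR, url))
```

Run it and the http:// request exposes only legacy_sid, while the https:// request carries both. The defensive lesson for the site operator is to mark the session cookie Secure (and HttpOnly) and serve every page over HTTPS; for the user, logging in over HTTPS alone does not help if the site later hands the browser an http:// link and the cookie lacks the Secure attribute.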
5

I'm assuming the audience will be mostly end-users as IT professionals should have already heard of Firesheep and understand how it works. If not, they probably fall into my end-user category anyway. :)

In my opinion, when demonstrating an issue or vulnerability you should aim to talk about any workarounds or mitigating strategies available to users. For example, suggest users navigate to https://facebook.com before they login. Create a way to help users remember https, e.g. "S is for secure or safe".

The demonstration might be a good opportunity to educate users about security and the web in general; how certificates work, what to look out for (e.g. certificate errors), get them to think about where they are entering their password and whether it is safe. Additionally, what they should do if they believe someone else has their logon details; reset the account password, but also think about the other accounts where they have used the password, or accounts which could have been compromised as a result and change those too.

Some of these concepts aren't easy for end-users to understand, but if you can at least make them aware of some of the warning signs and risks, it's a good start.

Regarding MSN conversations, I don't think pulling wireshark out to capture conversations would be beneficial. Firesheep is good because it has a nice interface and provides instant results, it will show users how easy it can be.

lew
4

Firesheep does not capture MSN conversations. If you wanted to do that, you would need to use Wireshark or a similar application with your WiFi card set to capture. MSN does not encrypt its communications, so you'll be able to see the conversation text in the packets.

There is a question on here already covering ways to protect yourself against firesheep - Ways to secure yourself from Firesheep kiddies and other sniffing

Mark Davidson
3

Another great demo for security is the Wall O' Shame that was at DefCon a few years ago. It uses ettercap to capture passwords and then parses the log with PHP to give you a display. I used it a while back to get a few high school tours interested in security.

iklier
3

Funny enough, the guy who wrote Firesheep has a great post on how to protect yourself, and what not to do: From http://codebutler.com/firesheep-a-day-later

Suggestions to help protect yourself right now

While companies are implementing fixes (described below) you can do a few things to increase your level of security, but there’s no silver bullet (aside from stopping use of the services which you don’t want hijacked.)

  • HTTPS-Everywhere - This is a Firefox extension created by the Electronic Frontier Foundation which makes Firefox use only HTTPS connections for certain websites. Like Firesheep, it only works on a defined list of websites, so it won’t protect you if you use any websites that it doesn’t support. It does not appear to be immediately simple for users to add sites without some development experience. HTTPS-Everywhere is well respected for doing what it claims to do safely.
  • Force-TLS - As mentioned earlier, some websites support SSL but don’t implement it properly, leaving you at risk. This Firefox extension is similar to HTTPS-Everywhere but allows you to specify your own list of domain names to force encryption on.
  • VPN - In some situations a VPN (or something similar such as an SSH tunnel) can be great. All traffic sent through a VPN is likely secure from your computer to the VPN server. But be aware that this is not a silver bullet and there are potential problems. See below for our warnings on using a VPN.

Josh Brower
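Force-TLS, quoted above, enforced the policy that was later standardized as HTTP Strict Transport Security (RFC 6797): once a host has declared over HTTPS that it wants to be reached only over HTTPS, the browser rewrites every later http:// URL for that host before any plaintext request leaves the machine, and the user can also force hosts by hand. The Python below is an added model of that policy store, not code from the extension or from the quoted post; the hosts (social.example, bank.example, news.example) and timestamps are constructed. It shows the three cases a demo audience would want to see: a learned policy upgrading links (including subdomains), a user-forced host, and an expired or absent policy letting the plaintext request through.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Client-side Strict-Transport-Security policy store (simplified RFC 6797 behaviour)."""

    def __init__(self, user_forced=()):
        # host -> (expires_at as epoch seconds, include_subdomains)
        self.policies = {}
        # Hosts the user forced manually (the Force-TLS use case) never expire.
        for host in user_forced:
            self.policies[host.lower()] = (float("inf"), False)

    def learn(self, host, sts_header, now=None):
        """Record the policy from a Strict-Transport-Security header received over HTTPS.

        Returns False for a malformed header (missing or non-numeric max-age), which
        a client must ignore rather than guess at.
        """
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in sts_header.split(";"):
            key, _, val = directive.strip().partition("=")
            key = key.strip().lower()
            if key == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return False
            elif key == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 tells the client to forget the host
            return True
        self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires, include_sub = policy
            if expires <= now:
                continue   # stale entry: behave as if no policy exists
            if candidate == host or include_sub:
                return True
        return False

    def upgrade(self, url, now=None):
        """Return the URL the browser should actually fetch: http:// becomes https:// under a policy."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not self.is_known(u.hostname, now):
            return url
        # Port 80 maps to the default HTTPS port; any other explicit port is kept as-is.
        netloc = u.hostname if u.port in (None, 80) else u.netloc
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


if __name__ == "__main__":
    store = HstsStore(user_forced=["bank.example"])        # constructed user entry
    store.learn("social.example", "max-age=31536000; includeSubDomains", now=1000)
    for url in ("http://social.example/home", "http://m.social.example/",
                "http://bank.example/login", "http://news.example/"):
        print(url, "->", store.upgrade(url, now=2000))
```

The store only ever learns a policy from a header seen over HTTPS, so the first visit to a site the browser has never seen is still exposed; that is the gap the HTTPS-Everywhere rule list and the Force-TLS manual list close, and why both appear alongside HSTS in the quoted advice.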
2

I imagine Firesheep can be extended to cover MSN, but I'm not positive that's a small task.

Yes, a FULL tunnel VPN can help, but so can SSH tunneling. I tunnel ALL of my browser traffic through an SSH tunnel so it's almost like I'm browsing the web at home. The traffic is fully encrypted from your SSH client to your SSH server, which means even on a wireless network using a non-SSL site with poor cookie protection, you are safe.

oreoshake