Domain: codebutler.com
Stories and comments across the archive that link to codebutler.com.
Comments · 8
-
Firesheep and Botnets
I almost wanted to stop reading after the first point the developer made. Amazon rejected his application because it used an insecure communication channel over the internet. Cry me a river. I actually applaud Amazon for doing that.
You realize that slashdot uses an insecure communication channel over the internet? The developer used http to deliver game levels to the customer. No personal data, no need for security.
You do realize that Facebook uses an insecure communication channel over Wifi, which has allowed users of FireSheep to hijack any public wifi users session and steal their account? And you do realize that the store is for a device that relies entirely on wireless (3G/LTE/WiFi) technology? Demanding that all apps use only secure communication channels to protect devices most likely on unpassworded wifi is a good thing. A man-in-the-middle attack could easily hit a popular game like Angry Birds, corrupting levels with a payload. That payload could start a wifi tether and spread from device to device via MITM attack.
But, you say, would hackers hang out at Starbucks to start this? Nope, they'd start with an app. As I've said before smartphones are the new untapped and largely unprotected botnets.
Just because it hasn't happened on a large scale yet doesn't mean you don't take reasonable precautions to prevent against it.
-
Re:Firesheep?
Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?
Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage a compromised gmail account can cause.
-
Firesheep?
Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?
-
this malware is same idea as firesheep
Do you remember FireSheep, a firefox addon that went public late last year? slashdot thread firesheep homepage
They ride your session, basically that means that once the malware authors have access to your session cookie, they're logged in as you, and can perform any operation you could do. I also expect that the malware will log your username and password anyway, so you're screwed anyway even in case that you could really log out of your banking session.
-
Re:Secure login
If you were aware of the purpose of Firesheep, you'd know that it is quite effective, since so many large sites don't require the use of HTTPS.
-
Re:A better explaination
here: http://codebutler.com/firesheep.
Steve Manuel of TechCrunch claims that the Force-TLS 2.0 Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)
Another option is the HTTPS Everywhere Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset for any site not on their default list.
-
How does it work?
The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how does it capture the WIFI packets. Is it possible to capture them when not in monitor mode?
-
A better explaination
here: http://codebutler.com/firesheep
They apparently call it "sidejacking", i.e. sniffing other users cookies from a wifi, and using it. Not new, but made userfriendly.