Tweet
Tweet

Slide 1

Slide 1 text

Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher December 2010 iSEC Open Security Forum

Slide 2

Slide 2 text

What is Firesheep?

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

HTTP Session Hijacking Tool

Slide 5

Slide 5 text

(put video here)

Slide 6

Slide 6 text

Why write Firesheep?

Slide 7

Slide 7 text

Problem known and ignored by companies for years

Slide 8

Slide 8 text

HTTPS (ok, SSL) invented in 1994 for this reason.

Slide 9

Slide 9 text

Firesheep: Released in October at ToorCon San Diego

Slide 10

Slide 10 text

Posted to HackerNews, picked up by TechCrunch

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

(hours later)

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

"Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits" Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

Slide 16

Slide 16 text

For a moment, hundreds of thousands of people were thinking about security!

Slide 17

Slide 17 text

but... there's been plenty of misinformation too.

Slide 18

Slide 18 text

"Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep: Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

Slide 19

Slide 19 text

Insecure WiFi: Not the problem

Slide 20

Slide 20 text

Not only facebook!

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

"New Firefox Add-On Detects Firesheep, Protects You on Open Networks" - Mashable

Slide 24

Slide 24 text

"New Firefox Add-On Detects Firesheep, Protects You on Open Networks" - Mashable

Slide 25

Slide 25 text

Anti-virus starts targeting Firesheep

Slide 26

Slide 26 text

Fallout

Slide 27

Slide 27 text

amazon • bitly • enom • flickr • gowalla live • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

Slide 28

Slide 28 text

amazon • bitly • enom • flickr • gowalla live • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

Slide 29

Slide 29 text

Access campaign

Slide 30

Slide 30 text

How to correctly fix problem?

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

Slide 33

Slide 33 text

Good: HTTPS for sensitive pages Secure cookies required for those pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

Slide 34

Slide 34 text

919,997 downloads to date

Slide 35

Slide 35 text

What's next?

Slide 36

Slide 36 text

Linux support, 802.11 monitor mode

Slide 37

Slide 37 text

Still a huge problem...

Slide 38

Slide 38 text

Keep demanding SSL!