Uncle FireSheep and Auntie FaceNiff

.

In-depth look on FaceNiff and Session Hijack from the blog that cares and shares !


Now days , even a ”uncle/auntie” (its a term used in Malaysia to describe someone who is older , its just like how you would address your neighbour , Smith as Mrs Smith who is 50 years old. Here in Malaysia , we would call her “auntie”) with a smartphone is able to hack other person’s Facebook/Twitter and easily do anything with it. That’s right , folks the 2nd generation of FireSheep is born and this time its for Android. In this article , I’ll be explaining to you the basics of this and how you can protect yourself !

Introduction

I am quite sure that number of you have already heard about FireSheep. Basically FireSheep is an add-on for Firefox which does HTTP Session Hijacking . In other words easy Facebook/Twitter hacking. Thankfully Facebook/Twitter have patched this up and now its no longer possible to use FireSheep to hack those stuff. However it still works with a lot of different sites.

Now extending to this idea , FaceNiff (yes thats what its call) does that exactly , – except its from your Android phone. All you have to do is root your phone (if you have not) and install this application and spend an hour at Starbucks – voila you are able to get that pretty lady’s name that you are eyeing for the past year. Its creepy and imagine stalkers stalking you. I am not going to bore you with how its going to work and how you can hack your Facebook password and stuff. For details just check out the site and bear in mind you’ll have to pay for the application if you want to unlock the entire thing , otherwise you are only limited to Facebook and only with the first 3 session that it captures. The software costs $5 USD

How does it work ?

Just think of as how eavesdropping works ? Have you eavesdropped before ? The concept of this application works in the same way as how you’ve eavesdropped someone’s conversation.This is provided that you are within the hearing range and if you are able to comprehend what the other person is saying. Again , the same concept applies here as well.

This application simply works by “eavesdropping” your connection. As you know that Public WiFi is not secure , as anyone can able to eavesdrop on what you are doing. This tool just makes it easier. All a person now has to do is run this and he is able to capture your Facebook session , which means that he is able to login as you and do some nasty things. However bear in mind that he is not able to capture your Facebook password , just your “login thingy” (or session).

Session works this way , it basically stores who you are . So facebook knows that oh its you and I shall display your wall instead of X’s wall. Its just to identify. This application works by hijacking HTTP Session , again think of it as an established connection between you and the server. I wouldn’t really go into details on how Session works. A simpler example would be your online banking service , remember how if you have left your PC unattended for 1minute , the system would automatically log you off ? Its the same thing . The only different is your bank uses a secure session while facebook does not (by default)

How do I secure it ?

Simply enable HTTPS in your Facebook and in your Twitter by reading here (Facebook) or here (for Twitter) . Alternatively you may want to get HTTPS Everywhere , its a beautiful add-on for Firefox , which forces HTTPS for Facebook , Twitter and a lot of other sites by default. This way it would prevent people who are using FaceNiff to get your information soo easily , but it would still not stop hackers from hacking into your PC , especially if you are using a Public WiFi such at a cafe or at airport

HTTPS Everywhere, EFF This plugin currently works for: Google Search Wikipedia Twitter Facebook bit.ly GMX Wordpress.com blogs The New York Times Paypal EFF Tor Ixquick and many other sites! TTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. Firefox users can get it by clicking here. Sadly, many sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort that would be required to eavesdrop on your browsing should still be usefully increased. Answers to common questions may be on the frequently asked questions page. HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere includes rules. If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS. There is more information and instruction on how server operators can do that in the EFF article How to Deploy HTTPS Correctly. Development And Writing your own Rulesets You can help us test forthcoming site support and new features by installing the development branch of the extension. HTTPS Everywhere uses small ruleset files to define which domains are redirected to https, and how. If you'd like to write your own ruleset, you can find out how to do that here. Information about how to access the project's Git repository and get involved in development is here. Send feedback on this project to the https-everywhere AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe. Send new rewrite rules or fixes to existing rewrite rules to the https-everywhere-rules AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe. Related Projects Our code is partially based on the STS implementation from the groundbreaking NoScript project (there are other STS implementations out there, too). HTTPS Everywhere aims to have a simpler user experience than NoScript, and to support complex rewriting rules that allow services like Google Search and Wikipedia to be redirected to HTTPS without breaking anything. It also handles situations like https:// pages that redirect back to http:// in a reasonable manner. In an ideal world, every web request could be defaulted to HTTPS. Unfortunately, there's no way to know that what you get from requesting https://www.domain.com/page is the same as what you get from requesting http://www.domain.com/page. So the only way to switch every page to https is to fetch the page insecurely first. There is a Chrome extension called KB SSL Enforcer which attempts to take that approach, but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework). License HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To get the source code, see the development page. Attachment Size https-everywhere-0.9.9.development.4.xpi 224.91 KB https-everywhere-0.9.5.xpi 56.82 KB https-everywhere-0.9.6.xpi 56.91 KB https-everywhere-0.9.9.development.5.xpi 271.8 KB Changelog.txt 6.82 KB http://www.eff.org/https-everywhere

So how do I fully secure it ?

By using VPN of course. This is how big corporations do it for their staffs who work from their home. A secure connection is established between the client and the server , and all information will be routed securely to the server. A good example would be to use Hotspot Shield whenever you are on Public WiFi , as this would prevent hacker from even sniffing what are you doing , as the connection would be routed securely to Hotspot Shield’s server. If you do not trust Hotspot Shield , you may use any other paid VPN providers out there.

To be on the safer side , never ever use Public WiFi to check your personal things such as bank account balance. If you must , use a VPN otherwise use your home/trusted connection.

One more thing , be sure to different passwords for each of your services

Conclusion

The Internet is not a safe place, the moment you are connected to the Internet – there is a risk of you getting hacked in one way or another. You may start practice safe browsing habits when you are using Public WiFi. I strongly urge you to spread this message to your friends especially those who like to spend long hours in Starbucks for the Free WiFi !