FaceNiff is an Android application that lets users sniff and intercept web session profiles over Wi-Fi networks, stealing other users’ credentials from services such as Facebook, Twitter and others.
The app requires root access on the user’s Android smartphone, but other than that it’s fairly simple to use, which makes it perhaps even more dangerous than Firesheep, a Firefox extension that lets users hijack Facebook and Twitter sessions over Wi-Fi networks. FaceNiff also works on WPA-encrypted Wi-Fi networks, which Firesheep doesn’t support.
While we’re not suggesting that any of our readers should use the app to hack someone’s account (it might even be illegal depending where you live), the sheer fact that such an app exists and is very easy to use means that you should be extra cautious when connecting to public Wi-Fi networks.
Besides Facebook and Twitter, the latest version of FaceNiff also works with YouTube, Amazon and Polish social network Nasza-Klasa.
Here's How to Prevent Such Attacks
1. Don’t use sites that stick to or revert to HTTP.
Sites that log you in over unencrypted HTTP (horrors!) or revert to HTTP after SSL login are prime targets. Anyone who can intercept that traffic can easily record and reuse the cookie, which identifies you on subsequent requests, thereby hijacking your authenticated session. Known-vulnerable sites include Amazon, Basecamp, bit.ly, CNET, Evernote, Facebook, Flickr, Foursquare, Google, PayPal, Twitter, Windows Live, WordPress, and Yahoo. But avoiding this list is nowhere near good enough. Many other sites are vulnerable, and scripts for them can be imported into Firesheep to grab those cookies too.
2. Avoid leaking cookies over HTTP.
Some websites try to do the right thing, but fall short. Specifically, servers must set a Secure flag to tell browsers to only send cookies over SSL. But sites that don’t set this flag (such as Dropbox and Slicehost) let cookies “leak” over HTTP. For example, a URL entered without the https: prefix may cause your browser to send your cookie over HTTP before getting redirected to SSL. But users don’t know what sites make this mistake and have little control over cookie transmission. To determine whether a site you use is vulnerable, import a script for that domain into Firesheep and test it on yourself.
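The Secure flag described above is set by the server in its Set-Cookie header. The following is an added example, not code from the original article: a small audit that parses Set-Cookie headers and reports session-looking cookies that lack Secure (and would therefore be sent over plain HTTP), alongside a helper that emits a correctly flagged session cookie. The sample headers, the name hints used to spot session cookies, and the extra HttpOnly and SameSite attributes are my assumptions, not something the article specifies.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values, as a response-header audit would see them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                  # session cookie, no Secure: leaks over HTTP
    "csrftoken=xyz; Path=/; Secure",                       # Secure set: only sent over SSL
    "remember=1; Path=/; Max-Age=1209600; Secure; HttpOnly",
    "lang=en; Path=/",                                     # no Secure, but not a session cookie
]

# Assumed substrings that mark a cookie as session/authentication-bearing (hypothetical heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "remember", "login")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and the Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    # SimpleCookie stores flag attributes as True when present and "" when absent.
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def cookies_leaking_over_http(headers) -> list:
    """Return the names of session-looking cookies that are missing the Secure flag."""
    leaking = []
    for parsed in map(parse_set_cookie, headers):
        looks_like_session = any(h in parsed["name"].lower() for h in SESSION_COOKIE_HINTS)
        if looks_like_session and not parsed["secure"]:
            leaking.append(parsed["name"])
    return leaking


def secure_session_cookie(name: str, value: str, max_age=None) -> str:
    """Build a Set-Cookie header value with Secure (never sent over HTTP) and HttpOnly set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True      # browser sends it only over SSL/TLS
    jar[name]["httponly"] = True    # not readable from page scripts
    jar[name]["samesite"] = "Lax"   # assumption beyond the article: limits cross-site sending
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return jar[name].OutputString()


if __name__ == "__main__":
    print("leaking:", cookies_leaking_over_http(SAMPLE_HEADERS))   # ['sessionid']
    print("fixed:  ", secure_session_cookie("sessionid", "abc123", max_age=3600))
```

Run against real responses by collecting the Set-Cookie headers from an HTTPS login response and passing them to cookies_leaking_over_http; a non-empty result means the site's cookie can be replayed by anyone watching its HTTP traffic.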
3. Log off websites when done.
There are many sound reasons to log off secure websites when done – such as when using a public PC. Logging off some websites could invalidate a session cookie grabbed by Firesheep. But there’s no guarantee – some cookies keep you logged in for days or weeks. And by the time you log off, your session may have already been sidejacked with consequent damage. This one’s worth a try for good Web hygiene, but don’t rely on it to stop Firesheep.
Some partial solutions don’t stop sidejacking, but reduce your risk of being sidejacked. Firesheep works by scouring captured Web traffic for interesting cookies. Some access networks – open hotspots and hospitality LANs – elevate risk by making it easier to capture unencrypted HTTP. So how can you reduce (but not eliminate!) that risk?
4. Avoid unencrypted Wi-Fi.
Encrypting everything over Wi-Fi – at work, at home, and in public – is an excellent idea. Although not many hotspots offer WPA2-Enterprise, using it can greatly reduce the risk of being hacked. WPA2-Personal also encrypts Wi-Fi, but starts with a shared passphrase known to everyone. As such, it does little to stop eavesdropping at public hotspots – except where vendor-specific solutions are used to issue unique per-user passphrases.
5. Use only trustworthy hotspots.
WPA2-Enterprise lets you check the 802.1X server’s certificate, making it harder to impersonate a hotspot. But in an open hotspot, you have no way of knowing whether the access point (or login portal) is really trustworthy. Still, it’s a good idea to verify SSL portal certificates; don’t ignore browser warnings or you could find yourself sending traffic through an Evil Twin performing man-in-the-middle attacks – including Firesheep.
6. Stick to secure LANs.
Don’t fall for this one: Firesheep is not limited to Wi-Fi. Sidejacking may occur on Ethernet LANs and inside networks – anywhere a hacker can intercept unencrypted traffic. When you plug into a public LAN from a hotel room or business center, your traffic could well be intercepted by other guests. Network operators – wired and wireless – should take steps to stop eavesdropping, ARP spoofing, and inter-client communication. Unfortunately, users rarely know whether such steps have been taken.
7. Fight fire with fire.
Some suggest launching counter-attacks against Firesheep. For example, FireShepherd sends packet bursts every half second to crash Firesheep, preventing prolonged sidejacking. At best, this will discourage a casual attacker while slowing the entire LAN. At worst, this could become a DoS attack, preventing productive network use. Trying this is probably ill-advised unless the network belongs to you.
If none of these are prudent, foolproof, or practical in every situation, what can you really do to protect yourself uniformly from Firesheep with greater confidence?
Firesheep in action. Photo courtesy of codebutler.com
8. Roll your own secure Internet connection.
Steps that depend on the network used to reach the Internet are by definition incomplete. As an application layer attack, sidejacking is best addressed by network-independent solutions. Short of that, you could use the same secure Internet connection everywhere you roam. Try tethering your computer to your 3G smartphone or turning your phone into a secure mobile hotspot (guarded by a strong, unique passphrase). This approach could stop other public network users from intercepting your traffic and sidejacking your sessions. However, it still relies on the relative security of your cellular provider’s network.
9. Insist upon full-time SSL.
Another possibility is to enforce correct full-time use of SSL for all sensitive websites using HTTPS-Everywhere or Force-TLS. Note that both are Firefox extensions; if you use another browser, look elsewhere. Furthermore, these extensions only enforce a defined site list; you may need to add sensitive sites that you use.
10. Protect everything with VPN.
If you can't be certain that sensitive websites use SSL correctly all the time, send your traffic through a properly configured, robustly authenticated, encrypted VPN tunnel. These qualifiers are important – for example, make sure your VPN doesn't leak HTTP if your tunnel goes down. But deployed correctly, a VPN tunnel can prevent sidejacking, no matter what network you use or websites you visit, or how quickly their owners step up to the plate to fix underlying vulnerabilities.