Firesheep Mitigation Strategies – A review

Wednesday, 8. December 2010

Firesheep: http://codebutler.com/firesheep

Firesheep is a Firefox add-on that makes sidejacking a session as easy as clicking a button. Sidejacking, or session hijacking, is essentially sniffing someone's session cookies off a connection and replaying them. This lets you access their authenticated sessions as if you were that individual.

There are two "mitigation" programs being touted around the internet. We tested each program this past evening at Black Lodge Research (www.blacklodgeresearch.org).

FireShepherd:

http://downloadsquad.switched.com/2010/10/29/fight-firesheep-with-fireshepherd/

This program, in essence, floods the network with nonsense packets designed to crash Firesheep.
The packets hit the wire with the following headers (the decoy request FireShepherd builds, as it appears in its source):

// Decoy HTTP request assembled by FireShepherd; note the fixed, easily recognised cookie values.
request+="GET /packetSniffingKillsKittens HTTP/1.1\r\n";
request+="Host: www.facebook.com\r\n";
request+="User-Agent: Mozilla\r\n";
request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
request+="Accept-Language: is,en;q=0.7,en-us;q=0.3\r\n";
request+="Accept-Encoding: gzip,deflate\r\n";
request+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
request+="Keep-Alive: 115\r\n";
request+="Connection: keep-alive\r\n";
request+="Referer: http://www.facebook.com/\r\n";
request+="Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; xs=3randomhashyes666666666;\r\n";

Firesheep had no issue functioning while FireShepherd did its worst. The flood did begin to fill Firesheep's buffer, but the sheep never crashed. Because every decoy carries the same fixed cookie values, Firesheep could sidestep this mitigation attempt entirely by filtering out c_user=666660000.

Blacksheep

http://www.zscaler.com/blacksheep.html

Blacksheep seems to work off a similar idea, but takes it a step further. It drops fake credentials onto the network and then attempts to check whether someone tries to use those credentials to log in. It is an interesting concept, but it seems to us that you would have to sniff packets yourself to see whether others were trying to log in with the fake credentials. In other words, to defend your login, you need to sniff traffic.

We ran Blacksheep, and it was quite easy to differentiate between the real and the fake credentials on the wireless.

In summary:

Neither mitigation strategy provides any real protection from Firesheep. Why were they released? Simple:
“They released them to be first to release a mitigation. It doesn’t have to be great when you are first. Much like virginity.”

We explored real mitigation strategies:

1. Use SSL/TLS. HTTPS Everywhere is a nice plugin for Firefox that helps enforce it: https://www.eff.org/https-everywhere/
2. Use VPN tunnels or SSH proxies to securely tunnel the traffic out of the wifi.

As you can see, mitigation really comes down to wrapping the cookies in some form of encryption so they never cross the wireless in cleartext. That was the best mitigation strategy we could devise.
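The server-side counterpart to "wrap the cookies in encryption" is the Secure attribute on Set-Cookie, which stops the browser from ever sending a session cookie over plain HTTP. The following is an added example (not code from the post, FireShepherd or Blacksheep) that audits the Set-Cookie headers of a constructed HTTP response and reports which session-looking cookies are still sidejackable; the cookie names and the name hints are assumptions for illustration.

```python
"""Audit Set-Cookie headers for the flags that keep session cookies off the wire in cleartext."""
from typing import Dict, List

# Assumed substrings that suggest a cookie carries a session (c_user/xs echo the post's decoy).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "c_user", "xs")

def parse_set_cookie(header_value: str) -> Dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attrs map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_response(raw_response: str) -> List[Dict]:
    """Return one finding per Set-Cookie header: name, session-likeness, and missing flags."""
    head = raw_response.split("\r\n\r\n", 1)[0]        # headers only, body ignored
    findings = []
    for line in head.split("\r\n")[1:]:                # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        session_like = any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS)
        problems = []
        if "secure" not in cookie["attrs"]:
            problems.append("missing Secure: sent over plain HTTP, so sniffable on open wifi")
        if "httponly" not in cookie["attrs"]:
            problems.append("missing HttpOnly: readable by page script")
        findings.append({"cookie": cookie["name"], "session_like": session_like, "problems": problems})
    return findings

def sidejackable_session_cookies(raw_response: str) -> List[str]:
    """Names of session-looking cookies that lack Secure, i.e. exactly what a sniffer can replay."""
    return [f["cookie"] for f in audit_response(raw_response)
            if f["session_like"] and any(p.startswith("missing Secure") for p in f["problems"])]

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: sid_secure=def456; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
    print("sidejackable:", sidejackable_session_cookies(SAMPLE_RESPONSE))
```

Pairing the Secure flag with HSTS on the server closes the same gap from the other end, so HTTPS Everywhere becomes a belt-and-braces measure rather than the only line of defence.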

Port 5060 sources on the Rise?

Thursday, 8. July 2010

Take a moment and check out: ISC SANS PORT 5060

It appears that sources/day was on the rise again. I recently ran into a situation where it appears someone was using the wunderbar_emporium rootkit to own a system. The system then started attempting outbound traffic on port 5060.

So, apparently wunderbar_emporium was mitigated by a kernel update: http://serverfault.com/questions/72986/how-to-prevent-wunderbar-emporium-rootkit , but of course a lot of enterprise systems do not do frequent kernel updates. It's not practical, cost effective, or even possible in most HA environments. You have to fight to get a one-hour change window at times.

It appears that the code takes advantage of CVE-2009-2692.

Now the fun begins: I get to peer into the source code of wunderbar and see if I can figure out what makes it tick. Probably not, but hey, maybe I get lucky.

Youtube of exploit

Can I getta Vroom Vroom?

Tuesday, 9. March 2010

Dark reading: Ford Firewall

I remember a day when it used to be Firebirds on the road, not firewalls. I do wonder, and hope dearly, that there is an air-gap separation between the in-car wifi systems and the actual vehicle systems. One can just envision driving down the road when suddenly your car speeds up, slows down, and a voice comes over the in-car phone: "Credit card number or the car won't stop!"

Ok, ok, a wee bit of a movie-plot threat, but there are so many vectors and threats this could open. Anyone have a new Ford I can play with?

Why hack something when you can just use Time Warner?

Tuesday, 3. November 2009

Nothing we can do about it….

Nothing we can do about this vulnerability... sorry to all of you who get hacked!
Love,

Time Warner!

— If you find anywhere on their site where they disclose the issue to clients, or have heard about notifications being sent, please let me know.