Educause Security Discussion mailing list archives

Re: Firesheep/Cain& Able

From: Greg Williams <gwillia5 () UCCS EDU>
Date: Tue, 2 Nov 2010 12:27:54 -0600

Dan, I’ve also used it and yes it does what it says it does.  It is basically a dumbed down sniffer that will only show 
you HTTP session cookies.  You could do the same thing with Wireshark by capturing packets and weeding through the 
data, however Firesheep is dangerous since it is a very specific very easy way to get at the data.  To see if it 
actually is working on your machine, just run a span port off one of your switches, and you’ll probably see hundreds of 
sessions.  Like Justin said, if your network is switched or you have security measures in place to prevent ARP 
poisoning across your wireless network, you won’t get much.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Foerst, 
Daniel P.
Sent: Tuesday, November 02, 2010 12:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firesheep/Cain& Able

 

Hey all,

 

Has anyone run Firesheep to see that it does what it claims? I have run it both on a Windows XP box (with WinPCAP) and 
OS X and in each case I have not gathered any data outside of sites that I have visited myself. Perhaps I am 
misunderstanding what this application does. I am connected to an open network, heck both laptops are on the same 
network, same ssid, same AP even.

 

Thanks!

 

-dan

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Isac 
Balder
Sent: Monday, November 01, 2010 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firesheep/Cain& Able

 


If you like to fight fire with fire there is fireshepherd.

http://notendur.hi.is/~gas15/FireShepherd/

 

 

What should be routing best practices, disable arp poisoning.  (or at least detect and mitigate against)

On Cisco 'ip arp inspection vlan 1'

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211/Configure-Your-Catalyst-for-a-More-Secure-Layer-2.htm

 

 

Inform and educate users of sites that allow CSRF, XSS, etc.

 


I.B.

"top posting cause yahoo makes me..."

--- On Mon, 11/1/10, Hudson, Edward <ewhudson () CSUCHICO EDU> wrote:


From: Hudson, Edward <ewhudson () CSUCHICO EDU>
Subject: [SECURITY] Firesheep/Cain& Able
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: Monday, November 1, 2010, 10:40 AM

In light of the recent attention to “Firesheep” I am wondering if anyone is having issues and how they are addressing?

When used in conjunction with “Cain&Able” it appears able to sniff both wired and wireless traffic for login 
credentials and execute ARP Poisoning.

TIA

EH

 

Ed Hudson, CISM

Information Security Office 
California State University, Chico 
www.csuchico.edu/ires/security 
Office: (530) 898-6307

Cell: 707-799-3250

ewhudson () csuchico edu

Current thread:

Firesheep/Cain& Able Hudson, Edward (Nov 01)
- Re: Firesheep/Cain& Able SCHALIP, MICHAEL (Nov 01)
- Re: Firesheep/Cain& Able Michael Horne (Nov 01)
- Re: Firesheep/Cain& Able Isac Balder (Nov 01)
  - Re: Firesheep/Cain& Able Valdis Kletnieks (Nov 01)
    - Re: Firesheep/Cain& Able David Gillett (Nov 03)
  - Re: Firesheep/Cain& Able Foerst, Daniel P. (Nov 02)
    - Re: Firesheep/Cain& Able Webb, Justin (Nov 02)
    - Re: Firesheep/Cain& Able Greg Williams (Nov 02)
    - Re: Firesheep/Cain& Able Alex Keller (Nov 02)
- <Possible follow-ups>
- Re: Firesheep/Cain& Able John Ladwig (Nov 01)
- Re: Firesheep/Cain& Able John Ladwig (Nov 02)
- Re: Firesheep/Cain& Able Matt Giannetto (Nov 03)