Educause Security Discussion mailing list archives

Re: Firesheep/Cain& Able

From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Tue, 2 Nov 2010 15:34:18 -0500

Not all packet-capture progams work in promiscuous mode on all WLAN chipsets.  You may have one that's operating in 
normal mode.

ARP (or NDP in the v6 world) games will put you into the traffic stream without promiscuous sniffing, as was pointed 
out.

   -jml


-----Original Message-----
From: Foerst, Daniel P.
Sent: 2010-11-02 13:10:13
To: Foerst, Daniel P.;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: Re: [SECURITY] Firesheep/Cain& Able


Hey all,

Has anyone run Firesheep to see that it does what it claims? I have run it both on a Windows XP box (with WinPCAP) and 
OS X and in each case I have not gathered any data outside of sites that I have visited myself. Perhaps I am 
misunderstanding what this application does. I am connected to an open network, heck both laptops are on the same 
network, same ssid, same AP even.

Thanks!

-dan

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Isac 
Balder
Sent: Monday, November 01, 2010 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firesheep/Cain& Able


If you like to fight fire with fire there is fireshepherd.

http://notendur.hi.is/~gas15/FireShepherd/





What should be routing best practices, disable arp poisoning.  (or at least detect and mitigate against)

On Cisco 'ip arp inspection vlan 1'

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211/Configure-Your-Catalyst-for-a-More-Secure-Layer-2.htm





Inform and educate users of sites that allow CSRF, XSS, etc.



I.B.

"top posting cause yahoo makes me..."

--- On Mon, 11/1/10, Hudson, Edward <ewhudson () CSUCHICO EDU<mailto:ewhudson () CSUCHICO EDU>> wrote:

From: Hudson, Edward <ewhudson () CSUCHICO EDU<mailto:ewhudson () CSUCHICO EDU>>
Subject: [SECURITY] Firesheep/Cain& Able
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, November 1, 2010, 10:40 AM
In light of the recent attention to Firesheep I am wondering if anyone is having issues and how they are addressing?
When used in conjunction with Cain&Able it appears able to sniff both wired and wireless traffic for login 
credentials and execute ARP Poisoning.
TIA
EH

Ed Hudson, CISM
Information Security Office
California State University, Chico
www.csuchico.edu/ires/security<http://www.csuchico.edu/ires/security>
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu<mailto:ewhudson () csuchico edu>

Current thread:

Re: Firesheep/Cain& Able, (continued)
- Re: Firesheep/Cain& Able SCHALIP, MICHAEL (Nov 01)
- Re: Firesheep/Cain& Able Michael Horne (Nov 01)
- Re: Firesheep/Cain& Able Isac Balder (Nov 01)
  - Re: Firesheep/Cain& Able Valdis Kletnieks (Nov 01)
    - Re: Firesheep/Cain& Able David Gillett (Nov 03)
  - Re: Firesheep/Cain& Able Foerst, Daniel P. (Nov 02)
    - Re: Firesheep/Cain& Able Webb, Justin (Nov 02)
    - Re: Firesheep/Cain& Able Greg Williams (Nov 02)
    - Re: Firesheep/Cain& Able Alex Keller (Nov 02)
- Re: Firesheep/Cain& Able John Ladwig (Nov 01)
- Re: Firesheep/Cain& Able John Ladwig (Nov 02)
- Re: Firesheep/Cain& Able Matt Giannetto (Nov 03)