Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firesheep/Cain& Able

From: Matt Giannetto <MGiannetto () MC3 EDU>
Date: Wed, 3 Nov 2010 14:42:32 -0400
...and the false sense of security.

I'm struggling with this as well as one of my network admins suggested this.  Technically it limits the effect of 
Firesheep alone, but to me it seems like fixing the threat and not the vulnerability.  Nothing stops someone from using 
Cain & Abel once they connect to the password-protected network.  Sure it's  better than being wide open, but telling 
someone "we did it to protect from Firesheep" when it only kinda protects from Firesheep in certain situations is hard 
to message properly and leaves users exposed.  It's a false sense of security.

And it could be useless against the next attack tool, leaving us to explain to our users, "Well, the password works for 
'Firesheep', but it doesn't really help with 'Firegoat', so now you have to be careful on password-protected public 
networks...".  Again-- hard to message.

Which brings up the question, how would we educate users that distinguish a password-protected public wireless network 
from a trusted wireless network?  Users have a clear understanding of what a public, untrusted network is (well, in 
general), but throwing a password on it muddies the water.  Another question-- if you password-protect your public 
wireless by using the SSID as the password because its "more secure", are your users going to incorrectly think that's 
sufficient for their home networks?

One of the worst part of this solution is that once you put a password on it to thwart Firesheep now, it's hard to go 
back after its hype and popularity dies down.

I'm not saying it's a bad solution as much as I'm saying it's a dangerous solution.  Unfortunately, telling users that 
they shouldn't use social networking sites on public Wi-Fi is as well, because its (arguably) unreasonable/no one 
listens.

Thanks,

Matt Giannetto
Director of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

-----Original Message-----
From: John Ladwig [mailto:John.Ladwig () CSU MNSCU EDU]
Sent: Monday, November 01, 2010 10:55 AM
Subject: Re: Firesheep/Cain& Able

I'm wrestling again with the wisdom of turning WPA2-PSK on for all currently-unencrypted captive-portal type WLANs, 
using the SSID as the PSK, in order to get radio-side client-client isolation.

There's just that nagging question of user experience, and helpdesk calls...

    -jml


-----Original Message-----
From: Hudson, Edward
Sent: 2010-11-01 09:41:33
To: Hudson, Edward;The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: [SECURITY] Firesheep/Cain& Able


In light of the recent attention to "Firesheep" I am wondering if anyone is having issues and how they are addressing?
When used in conjunction with "Cain&Able" it appears able to sniff both wired and wireless traffic for login 
credentials and execute ARP Poisoning.
TIA
EH

Ed Hudson, CISM
Information Security Office
California State University, Chico
www.csuchico.edu/ires/security<http://www.csuchico.edu/ires/security>
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu

Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.
Previous By Date Next
Previous By Thread Next

Current thread: