it's not safe to use public wifi without a vpn

anyone can steal your information, and doing it just got a lot easier:

http://codebutler.com/firesheep

use a vpn.

holy!

yah ok thanks DAD

heard about vpn's for awhile now. i am fairly good with computers, but have no idea what that wiki is talking about. anybody have some starting points/advice for someone who isn't a computer engineer?

could one use this after cracking someone's wifi?

  On 10/25/2010 at 4:42 AM, GORDO said:

could one use this after cracking someone's wifi?

sure. or you could pwn everyone at the local starbucks. which is what's going to be happening all around the world, starting tomorrow, thanks to this release...

  On 10/25/2010 at 4:24 AM, mistymountainhop said:

heard about vpn's for awhile now. i am fairly good with computers, but have no idea what that wiki is talking about. anybody have some starting points/advice for someone who isn't a computer engineer?

for the purposes of this thread, a vpn is basically just a way to secure your connection. like an encrypted proxy.

normally, when you're using wifi, your traffic goes like this:

your computer --> unencrypted connection --> facebook

because the connection is insecure, everyone on the network can see it (with the right tools), so everything you send to facebook can be seen, and anyone can grab your session information and log in as you.

with a vpn, it goes like this:

your computer --> encrypted connection --> your vpn server --> facebook

everyone can still see your connection, but the contents are encrypted, so they can't tell what you're doing, and they can't hijack your session.

  Quote

The Fire Sheep is sure-footed; he is more courageous about following his intuitions and he will take the initiative in his work.

 

His creativity lies in his ability to dramatize rather than invent. He can highlight strong points and play down weaknesses. Even experimenting with vivid colors, he can still produce restful and pleasant compositions.

 

He would like to own a stately home if possible, because he is indulgent where his personal comforts are concerned and he likes to entertain lavishly. Consequently, he is likely to overextend himself financially and mismanage his own affairs.

 

Fire makes him very energetic and aggressive. He is outspoken when offended. He will exhibit an enticing personal grace but his emotionalism could, at times, defy logic.

 

When the Fire Sheep is negative, he is given to wistful thinking without realizing the benefits of his present situation. He reaches for the proverbial pie in the sky and will be sullen and spiteful when discouraged by reality.

you know, i was beginning to wonder about this myself, ESPECIALLY when connecting to unsecure wifi networks via droid.

edit: lol

but this only applies to unsecured wi-fi right?

ok so which/how do we use a vpn for the people that don't drupal their balls every day or summat

  On 10/25/2010 at 5:15 AM, chenGOD said:

but this only applies to unsecured wi-fi right?

no, it would apply to any WiFi connection.

so, if you're paying a monthly fee for access to WiFi or something like that. or if your brother wanted to see what you were up to on your own home network.

as long as someone else has access to the same WiFi connection you're on, that same person could use this firefox extension to sniff your data. unless you're using VPN

  On 10/25/2010 at 5:15 AM, chenGOD said:

but this only applies to unsecured wi-fi right?

no. if someone else is connected to the network (aka they know or found the key), you're still vulnerable.

edit: actually, it depends on how the wifi is secured:

  Quote

Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported.

Also firesheep just asked for my password. How do I know this isn't a clever bit of malware?

I was just looking for something like this. I loves me some session hijacking.

THIS IS!!!!! AWESOME!!!!!!

No one share this anywhere else! Keep it as down low as possible hehe.

  On 10/25/2010 at 5:28 AM, chenGOD said:

Also firesheep just asked for my password. How do I know this isn't a clever bit of malware?

probably because it has to turn you wifi's card promiscuous mode on so that you can grab packets that are not destined to your computer (but i'm still wondering how it works as i've never been able to sniff wifi packets (=hub) without setting up a mitm).

But i doubt it would work at starbuck's : here, macdonalds offer free wifi in their restaurants, but you cannot communicate with someone else in the LAN. I don't know how it works, -the router could create a new virtual interface for each client or it could filter out packets that are destined from LAN to LAN.

But i suppose you could still intercept packets with WifiTap, a tool that allows injection of frames in a wifi connection without being authenticated and without needing that datas are redirected by the AP(router).

________________________,--------------b

________________________|_Access_point_|

________________________`---=----------'

_________________________,oOOb

_______________________,dOOOP____,,'''`-.___wifitap's_output

_____________________oOOOP'___,.'________\._looks_like_it_is_produced

__________________,oOOOP'___,'_____________\._by_the_AP.

________________,dOOOP____,'________________`.

______________oOOOP'____.'____________________\

___________,oOOOP'___/'________________________\

___________OOOP'___/'___________________________\

_____,''''''''''''''|__________________........OUT......

_____|_Poor_innocent|................IN|_____Hacker____|

_____|___victim_____|___wifitap_can____|_using_wifitap_|

_____'`''''''''''''''____catch_the______---------------'

______________________victim's_output

_____________________as_it_is_broadcast

___________

dOOOOOOOOOOO_:__authenticated_connection

_`"""""""""'

------------_:_unauthenticated_connection_(sniffed_or_injected)

this is just purely theoretical though, i've never used wifitap, but this is what it seems to do from what i can read.

you can tell that Babar is leet because he used ASCII to depict what happens, rather than using MSPaint

doing some testing on my own network, i was able to capture sessions from my phone no problem. it's scary how easy this is now. i wouldn't be surprised to see this in the news soon. every 13 year old kid who's smart enough to run firefox will be using this... it's going to be bigger than netbus or sub7 was in the late 90s.

is there anyway to protect oneself from this when on a VPN...not particularly privy to my roommates stealing all my best porn

the VPN protects you

  On 10/25/2010 at 5:21 AM, chaosmachine said:

no. if someone else is connected to the network (aka they know or found the key), you're still vulnerable.

 

edit: actually, it depends on how the wifi is secured:

 

  Quote

Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported.

dont know much about this but i thought the point of this post was that one is not safe from other users on a VPN or anyone who is able to decrypt your network key or maybe i am misunderstanding

  On 10/25/2010 at 3:32 PM, Scrambled Ears said:

  On 10/25/2010 at 5:21 AM, chaosmachine said:

no. if someone else is connected to the network (aka they know or found the key), you're still vulnerable.

 

edit: actually, it depends on how the wifi is secured:

 

  Quote

Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported.

 

dont know much about this but i thought the point of this post was that one is not safe from other users on a VPN or anyone who is able to decrypt your network key or maybe i am misunderstanding

you're not safe from other users on wifi. if you use a vpn when you're on wifi, you will be safe.

  On 10/25/2010 at 10:37 AM, ZiggomaticV17 said:

THIS IS!!!!! AWESOME!!!!!!

 

 

No one share this anywhere else! Keep it as down low as possible hehe.

lol yeah. this is the internet.

it's on lifehacker today, haven't checked /. yet.