AMERICA

AMERICA
ONE NATION UNDER GOD!

Tuesday, June 7, 2011

HOW TO HACK A FACEBOOK ACCOUNT

FIRESHEEP

FIRESHEEP
POINT & CLICK HACKING OF FACEBOOK AND TWITTER
NOW AVAILABLE AS AN EXTENSION
TO
FIREFOX

Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.







 The extension was created as a demonstration of the security risk to users of web sites that only encrypt the login process and not the cookie(s) created during the login process.


It has been warned that the use of the extension to capture login details without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons have stated that it would not use the browser's internal add-on blacklist to disable use of Firesheep, as the blacklist has only been used to disable spyware or add-ons which inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one's own systems).



A MANAGING EDITOR AT
PC WORLD
SAYS:

How to Hijack Facebook Using Firesheep

I hijacked a Facebook account with Firesheep; it was easy, and here's what you should do to avoid falling victim.

I hijacked someone's Facebook account with Firesheep. It was incredibly easy.
Before you call the authorities on me, the "hijack" was an experiment with a colleague's account while we were waiting for a plane, and she gave me permission. But let me tell you: Firesheep, the Firefox add-on designed to show the security holes in sites that don't use encryption for all their traffic, works as advertised.
All I had to do was download and install the add-on, open the Firesheep sidebar and click "Start Capturing." When her account appeared on the list, I double-clicked on it. Once I made sure that I wasn't logged into the same site myself with my own account, her account appeared in my browser.
Happily, I couldn't change her account information without knowing her password. But I could see all her friends, read her private messages and even issue a status update that went to all her friends.
Also good news: Google and Yahoo mail both appeared secure, even if logged into other portions of those sites.
However, sitting at the Online News Association conference this morning -- a conference of journalists who are very Web-savvy but perhaps less so on latest security issues -- I see a steady stream of accounts show up (see a sample below). Facebook. Twitter. Tumblr. I saw someone's Wordpress blog account (but no, I don't know if I could have clicked through and posted an item).
I was also alarmed to see my own accounts showing up. I hadn't remembered that I'd left my work laptop logged into my Google account, but there was my Gmail address popping up on the Firesheep sidebar when I surfed to Google to do a search.
So here's what I'm doing about Firesheep. Even though I'm not interested in seizing control of strangers' accounts, I'm keeping Firesheep loaded on my system and firing it up whenever I'm using public Wi-Fi: to make sure none of my own accounts pop up. Firesheep has been downloaded hundreds of thousands of times. I can't count on the fact that I'm the only one on the network who knows about it.
If I was in charge of IT and/or IT security at an organization, I'd be giving Firesheep demonstrations to managers to drive the point home that it's just not safe to use public Wi-Fi connections without using proper safeguards.


Sharon Machlis is online managing editor at Computerworld. Her e-mail address is smachlis@computerworld.com. You can follow her on Twitter TwitterTwitter @sharon000, on Facebook or by subscribing to her RSS feeds:
articles Machlis RSSMachlis RSS | blogs Machlis RSSMachlis RSS.


##########WTF##########

MANY SECURITY PUNDITS WARN THAT TO PROTECT YOURSELF, YOU SHOULD NEVER USE FREE WI-FI ACCESS POINTS. 
THAT'S THROWING THE SHEEP OUT WITH THE DIP.
FREE WI-FI IS NOT THE PROBLEM.
IT'S A FAILURE BY THE SITES YOU VISIT (facebook, twitter, google, etc) TO USE PROPER SECURITY MEASURES (ie, https encrypted sessions beyond the login).

ANOTHER RECOMMENDATION, USE A VPN (Virtual Private Network) TUNNEL TO ACCESS YOUR FACEBOOK ACCOUNT. GOOD ADVICE, BUT VPN SERVICES ARE NOT FREE AND WHILE THE MAY BE CHEAP ($5.00-$10.00/MONTH) NOW YOU'VE JUST NEGATED THE FREE PART OF FREE WI-FI.


If free is the object, there are options there, too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites.
One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google's search engine.
The other choice, Force-TLS, serves the same purpose as the EFF's extension, but lets users specify which sites on which to enforce encryption.
  
AND "BLACK SHEEP"  IS FIREFOX PLUGIN DESIGNED TO COMBAT FIRESHEEP, BY DROPPING  "FAKE" SESSION INFORMATION ON THE WIRE AND MONITORING TO SEE IF IT GETS HIJACKED.

 x#x#x#x#x#x#x#x#x#x

WHILE IT IS TRUE THAT FIRESHEEP GIVES HACKING ABILITIES TO USERS
OF
FIREFOX 3.5 AND NEWER, 32bit only.
IT IS NOT TRUE THAT USERS OF OTHER BROWSERS WOULD BE SAFE
FROM A ROGUE FIRESHEEP USER.

Microsoft Internet Explorer, Google Chrome, Apple Safari, Opera are all VULNERABLE, REGARDLESS OF THE OPERATING SYSTEM BEHIND YOUR BROWSER.

FOR THOSE BROWSERS, THE ONLY WAY TO PREVENT A FIRESHEEP SNOOP IS TO USE A VPN CONNECTION, SHIFT TO AND INSTALL THE EXTENSION MENTIONED ABOVE, TO FIREFOX. OR CONTACT THE TECH SUP WEENIES AT FACEBOOK AND GET INSTRUCTIONS ON HOW TO CONFIGURE YOUR ACCOUNT TO USE ONLY HTTPS SESSIONS...

12 comments:

Ms. A said...

I'm sending this my cousin, who just got hacked. Thanks!

Auntie sezzzzzz... said...

-sigh- More of the why-computer-stuff-isn't-secure.

But doesn't everyone know that, to start with? ,-)

Anyway, my comment is OT. Just read 'A Majority Of One's' blog... About a tree being choked to death by common ivy. You said you'd never heard of common Ivy doing this.

In my comment, I told of our Quest to rid back of yard, of Binder Weed (Vine). Which comes over (and under) our fence, from neighbor's "jungle." :-(

Wondering if that common Ivy, which killed off the lovely Rowan Tree, was a form of my horrrrrible Binder Weed {Vine}??

~♥~

red.neck chic said...

Uhmmmmm...

I'm just going to send you my username and password and whatever else you need (i'll even send the computer) and uh... will you keep the sheep out in the pasture for me?

;-D
seriously - i printed this out and am going to open the lap top and re-read... i'll get back to you on how good of a sheep farmer i turn out to be.

xoxoxoxo
robelyn

Betty Manousos said...

thanks for sharing!
great. that's what made me delete my FB account.
the fear of getting hacked.

have a great rest of your day!
betty

Heff said...

Thank God Facebook SUCKS, and I don't use it in the first place !

samurai said...

Many thanks KW. I've shared this my Facebook lists. Both your blog entry and the ComputerWorld article.

God bless

Cocaine Princess said...

I don't use Facebook for that simple reason-- not enough security and there's no way around anonymity.

Anonymous said...

I don't use Facebook myself but I'll be sure and pass on this info to the Facebookies I know. Thanks :-)

Marnie said...

Thanks for the info. I like how you explained this. I don't have any apps for this purpose, but reading this just confirms everything. xo

Spiky Zora Jones said...

oh my...it's so wird to me that people would wats etheir time doing things like that.

I don't think people want to hack me...cause it's just more of me and peeps can't take me as it is.

plus there's nothing there...I'm just plain boring.

zzzzzzzz

see...I dozed off. :)

thanks for the info honey. xxx

A Daft Scots Lass said...

I'm not on FB but if I was, I'd be worried.

My ADHD Me said...

OK, it has been a while. I was just reading the comments on my last post. The one from you was dated April 23 and said to come and look at a picture you posted.

One Word..."WOW"!!

OK, I;m kidding. Not about the "WOW" but about the "one word". After all, have you EVER known me to say ANYTHING in one word????

As for the picture. Truly Truly impressive. Not to mention exciting. I hope you are proud of yourself! Not to sound patronizing but I am SO proud of you. Really.
(quite handsome too!) :)