Firesheep Vs Blacksheep the new security threat
The primary attack vector is on open WiFi hotspots, like those in coffee shops, airports, and other public places. This is not an exploit in Firefox or your operating system, but rather the problem of open WiFi and the website your connecting to. Firesheep does nothing new and can not be patched. This can be done with any packet sniffing tool for your platform. What it does do is make it very easy for just about anyone to launch a Firesheep attack on an open WiFi hotspot.
The ultimate solution to end all Firesheep attacks is the use of SSL on more than just login pages. On most websites this is something that the the website must first make the internal changes and then the end user must implement with a setting change. This is not ideal (as it should be on by default but its better than nothing). Facebook says they are evaluating implementing this. The first major website that has made changes (Source) to protect its users from Firesheep is Microsoft with Hotmail and many of the other Live services. However this setting is not on by default; users must enable it in their settings. I hope that with time all websites with private, or user data will make this change a default, like Google has done with Gmail.
Many web companies cite the increased cost in implementing full time SSL connections for their users. While it is true that an SSL connection does increase the server load the difference is very small. Google was really the first major Internet service to move a very large service to be encrypted with SSL by default for the entire session with Gmail. A Google engineer has talked about the cost of switching over to full SSL for all Gmail users in this blog post here http://techie-buzz.com/tech-news/google-switch-ssl-cost.html
“all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”
They concluded that there was not a significant increase in cost or server utilization by implementing this. That being said Google has a ton of servers and a lot of resources to work with so this may not be true for every website. However the myths of the past that this would be an incredibly expensive process and not worth it are simply not true anymore. Implementing SSL for the entire session (versus just at log-on now) is the only true solution to this problem. Many websites say they are working on this now and plan to implement it. This is a good thing.
Here are some solutions that you can do to prevent being a victim of a Firesheep attack.
Be aware of the network you are on.
Know that if you’re on a open hotspot that you’re vulnerable to attack. It’s probably not the best idea to be logging into sensitive websites, checking email, Facebook, paying bills, etc. If you do need to do these things consider some of the options below.
Use a minimum of WPA encryption.
While everyone in their homes should be running a minimum of WPA (preferibly WPA2) many businesses and other public places offer free WiFi that is unencrypted. Users need to put pressure on business owners and administrators to implement the WPA protocol to protect users. WPA offers an individualy encrypted session between the user and the router by default. This does not protect you 100% but protects you from local Firesheep attacks which are the main threat. Many businesses have in the past not wanted to do this because of not wanting to be asked thousands of times per day what the password is or dealing with any complications; however it must be done today because of this and other security risks. Listening to Security Now podcast #273 they came up with a great solution: put the password in the SSID. For example the SSID might be (Joe’s Coffee Free WiFi-Password = Joe) or something similar. This would allow a user who is browsing for the free WiFi to see the password and be secure. It was suggested that the best way to do this would be to demonstrate the attack to a shop owner; heck, maybe you would get a free drink out of it too.
Use SSL
Some websites that have the option to force SSL (Secured Socket Layer) through the entire session but do not have it turned on by default (Microsoft Hotmail for example) so enable it. This can be enabled on the security tab of the settings page. Regardless of if you’re on an open or encrypted hotspot, SSL protects you and is the ultimate solution.
Sign Out
Signing out is something everyone should be doing anyways. Since this tool exploits a session cookie, if you end your session, the cookie that the attacker may have caught becomes worthless. It is also just the proper way to close a session and is a must on any public computer.
HTTPS Everywhere
HTTPS Everywhere is a plugin for Firefox that is produced by the Electronic Frontier Foundation (EFF) that forces encryption with many major websites. The EFF is a foundation thats goal is to defend your digital rights. This includes Net Neutrality, privacy and security. Many websites support full HTTPS traffic but make it difficult to use. HTTPS Everywhere makes this process nearly seamless for the websites it supports. This is a project that is still in development but is stable and works well. I have been using it for a few weeks now and noticed no ill effects. It works on the following websites: Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com Blogs, New York Times, Washington Post, Paypal, EFF, Tor, LXQuick, and others. You must install this plugin directly from the EFF’s website https://www.eff.org/https-everywhere as it is still in beta. Once the plugin goes to a 1. release I expect to see it on Mozila’s plugin page as well. I hope they will be coming out with a Chrome version soon as well.
Blacksheep
Is a Firefox addon that monitors for Firesheep activity on the network . It does this by broadcasting fake credentials to sites that are know to be targeted by Firesheep and then when someone does try logging into these fake sites it alerts you with a drop down box in the browser. It is little more than a notification and offers no real protection to your personal information. You can download it here if you are interested http://www.zscaler.com/blacksheep.html
VPN
VPN’s offer secure tunnels back to a connection that you trust such as your home or office. All traffic will flow through this connection so you avoid someone who might be spying on the open hotspot at the airport your on. They require some setup but are what enterprises use to securely connect users back to the office. They work just as well for the average user as well. There are many free and paid ways to do this so here are a free ways to do it. OpenVPN Other options compiled by Lifehacker http://lifehacker.com/5487500/five-best-vpn-tools
In conclusion this is a big deal. Everyone should be aware of it as you travel this holiday season. Often times travelers hunt out free WiFi connection anywhere they can. Open WiFi is dangerous, it always has been but with Firesheep it becomes much easier for someone to exploit for nefarious reasons. To protect yourself, consider setting up a VPN connection to your home, if you must use open WiFi connections to check sensitive email or social media websites.
Other Sources not specifically listed in the article but used
http://www.grc.com/sn/sn-273.txt
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html
http://codebutler.com/firesheep
http://www.slate.com/id/2275850/pagenum/all/
Hijinksinc – Nothing to See Here: Starcraft 2 is NOT killing graphics cards
I recently started to blog for Hijinks Inc a local technology & gadget blog. I am excited to start doing this and have several ideas of stuff to write on focusing on photograph & computer security. I hope this gives me a good reason to produce new content as well. I will be reposting articles with the permission of Hijinks Inc. Be sure to follow them on Twitter at @HijinksInc
Originially published on August 4, 2010 at Hijinks Inc
With the launch of Starcraft 2 on July 27th, 2010 people were excited to get their hands on this long awaited game. Development of the game started in 2003 and had been delayed or postponed several times due to other games Blizzard was producing at the time.
Since the launch minor issues have been growing, and today Blizzard Confirms an overheating issue. However, this story has been spun by the technology community even to the point where Slashdot picked up on it. It has been given menacing sounding titles such as “Is Starcraft II bad for your graphics card?” by ZDnet and “Is Starcraft II Killing Graphics Cards” by Slashdot. A much more appropriate title to the actual problem is one given by OverClockersClub “Starcraft 2 causing some GPU’s to Overheat”The problem is that during some of the in-between mission screens, cut screens and menu screens are not frame capped like the actual game play is. This causes the GPU to render these screens as fast as possible. Since these screens are simple and, for the most part, static, the computer has an easy time and is able to render these very quickly causing the GPU to heat up. This increased heat and power consumption exposes flaws in Starcraft II players’ computers, causing crashes, reboots, and even some claimed GPU failures.
Now, is this Blizzard’s fault? No, it’s really not. Gamers should expect games to tax their computers; this means heat. Blizzard and other game/program publishers should expect their customers’ computers are free of dust and have adequate cooling. This supposed bug in Starcraft II only exposes existing issues with the hardware of gamers computers. The same overheating issues would be exposed with any other game or program that stresses the system, and especially the GPU. A GPU with proper cooling should be able to handle 100% load for extended periods of time with no problems. Blizzard’s fix (below) is a setting users add to a configuration file to limit the frame rate in the areas of the game where there currently isn’t one. Since Starcraft II development period was so long and the public beta was so large, I would have expected this issue to have been found and fixed in the beta. This setting should have been enabled as a global setting in the game by default. For this I hold Blizzard accountable. There is no good reason that a gamer would disable vsync unless they are running benchmarks.
Blizzard support team has issued instructions for a temporary fix and says a more permanent fix is in the works.
A temporary workaround is to go to your Documents\StarCraft II Beta\variables.txt file and add these lines:
frameratecapglue=30
frameratecap=60
You may replace these numbers if you want to.Other good practices to fix this problem and to avoid this issue in the future are the following:
Update your graphics drivers. Graphics manufactures are constantly improving their drivers, fixing issues with new games and improving performance. ATI for example has issued a beta version of drivers 10.7 that fixes a few specific issues with StarCraft II.
Make sure your computer’s insides are clean and have adequate airflow. For a desktop PC I recommend opening up the side of the case and using compressed air to blow out all the dust. Do this at least twice a year, if not more often. Take the computer outside to do this because it creates a mess and it gets rid of the dust so the computer does not suck it up again. Doing this can easily make your computer run several degrees cooler.
If you are overclocking or are running a very high end graphics card make sure you have more than adequate cooling. During these hot summer months the ambient temperature of many homes is at its highest, causing more stress to be placed on your computer hardware. Run temperature monitoring software if you continue to have problems or want to monitor your hardware before damage occurs.
I have seen no mention of a fix on the mac platform so right now we can assume this is a PC related problem.
Website Update
Just a quick update about the website. I recently changed hosts and am in the process of changing the site around. Two major changes have already happened. I changed the design of the main page here and made it the homepage of the domain. Splash pages are so year 2000. As a result of this the link to the lightshow page is gone. I plan on implementing some type of permanent link in the header of this site to the page but until then here is a standard link. http://www.liquidretro.net/lightshow/
The other big change is that I will have to redo all the photos on the blog here. Because of how the photos were coded in the pages when I switched directories the links are no longer valid. I may end up with a quick fix for this or I might just do it the right way. Everything should work by the end of this weekend I hope.
2008 Animated Christmas Light Show
The 2008 Animated Christmas Light Show has officially started. This weekend we got the show up and running. Right now we only have one show running but we expect the second song to be added this week with others coming soon. For updates check out www.liquidretro.net/lightshow
Here is a link to the first song post and video on the lightshow's website http://www.liquidretro.net/lightshow/2008/11/29/2008-show-is-up-and-running/
Carol Of The Bell - Mannheim Steamroller
Great Plains Photos
I recently joined my universities photo club and this week theme was "Great Plains" We were suppose to go out and take some pics then bring them to the meeting later in the week for comments. Because the weather the rest of the week is going to suck (Possible Snow ) I drove a short distance out of town last night and took a few photos. I was lucky enough to find a farmer who was still harvesting at sunset which was exactly what I was hoping for.
For more images check out the gallery here http://jbmphoto.com/gallery1/GreatPlains/
Newegg Customer Service Experience
Thursday night I got an
email from Newegg
advertising an upcoming
promotion. I looked
through it and found
that they were advertising a portable hard drive for $23.99. As I looked further it
appeared it was a
price error so I got onto their live customer service chat and the
following
occurred. All names have been changed to protect identieis.
The Problem
Chat Information
Please wait while we connect you to a Newegg
representative. You are number 24 in the queue.
Chat Information
Thank you for contacting Newegg. My name is -----. How
may
I assist you today?
LiquidRetro: Hi, I noticed
in the email promotion you just sent out that you have a product that
is miss
linked. I
would
like the typed product
for the advertised price on this website
http://promotions.newegg.com/NEemail/promo013007in/Networking/index.html?CMP=EMC-PR-MKT-I-013007&ATT=Networking.
NeweggCSRep: Well can I
have the item number of the one you desire?
LiquidRetro: the item
number is on that promotions page it is WDXMS1600TN
NeweggCSRep: Let me
check into the promo code you provided. One moment please...
LiquidRetro: ok
NeweggCSRep: Yes the
item is indeed $23.99. But the advertised one is for item #
N82E16833130111.
Please add this item to cart and you will see the price of $23.99.
LiquidRetro:No you
misunderstood me. I
want the item that
is described the Western Digital Hard drive for 23.99
NeweggCSRep: I see. But
the hard drive you mentioned is currently sold as $140.99.
http://www.newegg.com/Product/Product.asp?Item=N82E16822136060
LiquidRetro: The email I
just received states that item Western Digital Passport 2.5" External
Hard
Drive Model #: WDXMS1600TN · 160GB, 5400 RPM ·
USB 2.0 Price: $23.99. I would
like this advertisement honored.
NeweggCSRep: There might
be a description error on the webpage you provided. I have already
forwarded
your email to our Product Support department for review. Once we
investigate
this issue we will make any changes necessary to the item description
and/or
photos in order to rectify this situation. Sorry for the inconvenience.
LiquidRetro: You are not
understanding me. I WANT THE HARD DRIVE AS ADVERTISED FOR $23.99
NeweggCSRep: I do
understand you. The advertised item is for item # N82E16833130111.
Please click
http://promotions.newegg.com/NEemail/promo013007in/Networking/index.html?CMP=EMC-PR-MKT-I-013007&ATT=Networking
and add it to cart, the item will then shows item # N82E16833130111.
Well, at this point I decided that since I am not
getting the hard drive
for 23.99.
I
decided to be cocky and see
how far I could go before I got kicked off the chat helpline.
During this part I was
talking with a friend
and we both came up with what I said
The Hit
LiquidRetro: Hey your name
is cute? Are you from
NeweggCSRep: I am so
sorry \LiquidRetro. I will contact our related dept to correct the
error. Please
always
refers to the price on the item description webpage.
http://www.newegg.com/Product/Product.asp?Item=N82E16822136060
NeweggCSRep: By the way
I am not from
LiquidRetro: Oh too bad its
a great city. The
women their are so Hot. Especially
the butt.
NeweggCSRep: Haha...
The
Score
NeweggCSRep: Well in
this case I would like to offer you $15.00 credit upon your next order
on item
# N82E16822136060 as an exception for this inconvenience.
NeweggCSRep: Thanks for
your kind reminding.
LiquidRetro: Ok. That will
be sufficient. Will
the credit only
be
on the hard drive or can i use it on other newegg purchases?
NeweggCSRep: The credit
will be offer upon your next order on the mentioned hard drive.
NeweggCSRep: You may
simply contact us back with the new order number and I will then remove
$15.00
from your new order.
LiquidRetro: Oh I am not
really interested in purchasing that hard drive at that price. Could it possibly
become a general credit?
NeweggCSRep: Ok. Since
you are really a kind guy I would like to offer you $15.00 upon your
next order
on either of the item you desire.
NeweggCSRep: Can I have
your login email address?
LiquidRetro: Myemail@email.Com Thanks
LiquidRetro: Could you just
credit this product
http://www.newegg.com/Product/Product.asp?Item=N82E16820134215&CMP=EMC-PR-MKT-I-013007&ATT=N82E16820134215
LiquidRetro: I am looking
at purchasing it
NeweggCSRep: Well this
item is $13.99 and is offered free 3Day shipping. If you order right
now I can
remove the item price for you directly from your new order.
LiquidRetro: So it would
them cost me nothing correct?
NeweggCSRep: Yes. I can
wait here for your order number if you do it right now...
LiquidRetro: Your order#
is: xxxxxxxx
NeweggCSRep: Let me take
a look into that. One moment please...
LiquidRetro: no problem
take your time
NeweggCSRep: I have
already removed the item price from this order. It is a free order at
the
moment. You may verify this information online.
LiquidRetro: Ok
It looks like it is $0.00 Thanks very much
Now I decide to be even more cocky because I
already got a free microSD
card out of it. I
reverted back to the
discussion on the French
LiquidRetro: I appreciate
it very much. I told you The French were good looking. Here is a french
news anchor
that is so HOT! http://www.fresh99.com/news-anchor-melissa-theuriau.htm
NeweggCSRep: You are so
welcome LiquidRetro. It is really interesting talking with you. I agree with you. The
French is good looking.
LiquidRetro: Thanks you
have been an excellent CS rep. How do you compare to her?
NeweggCSRep: Of course
she is prettier than me...
LiquidRetro: How would I
know. You sound very nice and your very helpful and accommodating
NeweggCSRep: )))))))
You know, I am not a confident girl. Anyway thanks for your kind words.
LiquidRetro: Well again
Thanks and you have my email if you ever want to chat
NeweggCSRep: Sure. Is
the email your MSN account?
LiquidRetro: no My MSN is MyMSNAccount@Hotmail.Com
NeweggCSRep: 
. I see.
Will chat with you after work if I have time.
NeweggCSRep: HerMSNAddress@MSN.Com
NeweggCSRep: Yeah..
There are still 16 customers waiting to be served. Have a good night.
LiquidRetro: You too
NeweggCSRep: Bye LiquidRetro.
It all ends well, I get a free 1gb micrSD card, and
she wants to talk
to me afterwork... very strange. This
goes to show you that being cocky can get you free stuff, sometimes.
My advice to anyone who is going to deal with a CS rep is
to act cocky
and if your lucky, and get a chick you might score free stuff!
Note: For those having a Super Bowl Party no T.V. over 55†Allowed
Just a quick word of caution for people planning to have a Super Bowl party Sunday. The way the current United States copywrite laws are written it is illegal to have a TV over 55 inches and show the game.
According to Title 17 Chapter 1 § 110 Limitations on exclusive rights: Exemption of certain performances and displays
(II) if the performance or display is by audiovisual means, any visual portion of the performance or display is communicated by means of a total of not more than 4 audiovisual devices, of which not more than one audiovisual device is located in any 1 room, and no such audiovisual device has a diagonal screen size greater than 55 inches, and any audio portion of the performance or display is communicated by means of a total of not more than 6 loudspeakers, of which not more than 4 loudspeakers are located in any 1 room or adjoining outdoor space;
This law is such a joke especially today with people having new giant TV’s I guess the friend who I helped install a new 71" Samsung DLP tv is probably going to be breaking this joke of a law.
Sources
http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000110----000-.html
http://techdirt.com/articles/20070201/140812.shtml
On a side note the blog has been updated to WordPress 2.1
Top Gear Is Back Sunday Jan 28th
In celebration of Top Gear returning to the air I have posted a small trailer for the new season.
On a side note I figured out how to post videos on the blog. YEA!!
