Correct,

and just adding that, in principle and practice, it is not sufficient to use an encrypted network. Ýou need to use encrypted ACCESS (https://facebook.com instead of http) to the website, i.e. Facebook, all the time, not only when logging in.

If you are using Firefox, you can secure it by installing the add-on "https-everywhere", for example - look through the browser preferences and see if you can force it to always use https for Facebook, Gmail, etc. Enabling it for all sites will cause some sites not to load and can be manually disabled for those. No free lunch yet.

This threat is real and extremely easy to use and will hijack your Facebook account. Remember to disable your Facebook app in your phone, until there's a fix.

I would install a firewall (many are free like www.comodo.com) and I would disable all shares in my laptop. Also use ccleaner from http://www.piriform.com/  to clean all the temp mess and internet traces. Also, don't let internet explorer or firefox retain your login info.

This article here answers some questions: http://www.pcworld.com/article/130330/how_to_secure_your_wireless_network.html

stay safe

B

If you use a recent version of Windows, you can just make sure Windows Firewall is ON, for when you are on a WiFi hotspot, and in general. Your home router is normally a firewall in itself. Installing a more complicated firewall.. is more complicated, all in all.

CCleaner is just for maintenance and is not a security tool (although Piriform's free programs are all excellent). Get the free Microsoft Security Essentials and an antivirus, like AVG. Consider paying for it to get the advanced protection. They work fine together.

Different opinions for Mac and Linux, of course.

Here are a few other countermeasures, such as BlackSheep, suggested in this article:

Tools Gut Firesheep Cookie Hijacking Attack -- Internet Security -- InformationWeek   http://bit.ly/budy6o

My experience as a IT network 'pro' tells me that Windows firewall is useless. The proof is the thousands of PC infected with malware and trojan horses with the firewall on. Good free firewall like Comodo, watches all traffic in and out and prevents those mean wares from coming in but also  blocks the hundreds of applications on your PCs from sending out information to their companies. You'de be amazed how much info is being sent out of your PC. Put Comodo in stealth mode and watch it lock down unwanted traffic.

As for Ccleaner, cleaning cookies and temporary files after each browsing session is a security measure, not just simple cleaning.

Microsoft security essentials is a good product and it's lighter and more effective than AVG. No need to buy an anti-virus product. For a list of good free products go to www.ninite.com.

B 

That limits your ability to install sofware etc. I would go for the firewall and ms security essentials. Also, use common sense. At work I let everybody be admins on their own PCs but limited righs on the network.

Whatever works for you... I like Windows 7. It's zippy and stable and while you can be logged in as admin, it has a user control system that, if turned on max, will warn you before anything messes with your system.

Again, for wi-fi parannoiacs out there, it's important to turn off hard disk shares and network browsing while having a strong password for your log in.

Nice post, Bizhan.  Just some correction on my part.

> and just adding that, in principle and practice, it is not sufficient to use an encrypted network.

Yes, it is.  A hacker cannot capture your data if it passes through an encrypted channel.  So the defense against this attack is to either

1) connect only to an encrypted (WPA2) wi-fi network, so that the radio connection between your computer and the Access Point is encrypted.  (Of course, this won't work if the hacker hooks directly a cable into the Access Point and start sniffing on the wired LAN, but this is a different problem altogether.)

or

2) use HTTPS, so the connection between your computer and the website is encrypted.  Unfortunately, as pointed out, this works only if the website uses HTTPS for the whole session and not just for the login.  Therefore this is not a suitable solution so far.

> Remember to disable your Facebook app in your phone, until there's a fix.

It is worth noting that the target of this attack are wi-fi networks.  So if you connect to Facebook through the 3G or HSDPA cell phone network, you're safe.

> I would install a firewall (many are free like www.comodo.com) and I would disable all shares in my laptop. Also use ccleaner from http://www.piriform.com/  to clean all the temp mess and internet traces. Also, don't let internet explorer or firefox retain your login info.

These security solutions are completely useless against Firesheep.

> If you use a recent version of Windows, you can just make sure Windows Firewall is ON, for when you are on a WiFi hotspot, and in general.

Again, this won't protect you at all against Firesheep or any other kind of sniffing.

> Here are a few other countermeasures, such as BlackSheep

BlackSheep works by sending to the network a special session cookie and checking whether it is captured by Firesheep.  If it is, BlackSheep just warns the user that a hacker is nearby.  It can't do much else.

A better protection is FireSheperd, which floods the network with data that will make Firesheep crash. 

OmegaMan

For some reason I feel insulted when you call my proposed solutions 'useless.' Did I fail to mention that I am a networking IT expert and that none of the companies that use my services ever got hit...

Anyway, you may want to read this before you rush to discount my post:

http://www.itbusinessnet.com/articles/viewarticle.jsp?id=1254699

B

I still maintain, that everybody should use antivirus/antimalware software. No amount of common sense will detect the trojan in a compromised download, nor protect the browser from drive-by downloads and other attacks. The browsers may be better now, than they were, but I believe in a multifaceted defense.

On an unrelated note, I see that Comodo claims to make use of software patents.. I think, we all have an opinion on this concept.

I believe that technically OmegaMan is correct. On a side note, I think the odds that a service never got hit are rather small and would rather indicate that nobody has detected the breach yet.

Jeez. This place is full of experts. I'll just take my real life experience and go away.

Just a last word for those who want to stay out of trouble : disable file sharing and install Comodo firewall. And if you have time on your hands, make a couple of images of your hard disk and always keep your data safe in an encrypted hard disk, or more.

I am out of here.

> For some reason I feel insulted when you call my proposed solutions 'useless.'

That's what they are.  They are good security advices (I already implement them on my machines) but offer no protection whatsoever against Firesheep or any other kind of packet sniffing attack.

> Did I fail to mention that I am a networking IT expert

This is not an argument. 

> Anyway, you may want to read this before you rush to discount my post:
> http://www.itbusinessnet.com/articles/viewarticle.jsp?id=1254699

The article is about a (paying) VPN tunneling and proxy service offered by Comodo, which effectively protects from Firesheep.  The user establishes a Virtual Private Network between his machine and the Comodo servers, which then relay the connection to any website the user wants to visit.  The user is safe because the wireless connection from the user's machine to the Access Point (and, accessorily, the Internet segment from the Access Point to the Comodo servers) is encrypted.

What you suggest instead is to put a Comodo firewall on the user's machine, which is a completely different thing -- and completely irrelevant for the sake of our discussion.

My bad. I wrongly assumed wer'e talking about protecting against hacking into our laptops while connecting to wi-fi hotspots, while in fact you're talking about packet sniffing and data intercepts.

A decent remedy then is a firefox add-on called 'HTTPS Everywhere' which forces encryted communications with web sites. You can get that on https://www.eff.org/https-everywhere

 But then again, what do I know...

>> and just adding that, in principle and practice, it is not sufficient to use an encrypted network. 
>Yes, it is. A hacker cannot capture your data if it passes through an encrypted channel. So the defense against this attack is to either

Once the signal has reached the access point, it's decrypted again and can potentially be sniffed on the WLAN.

 >> Remember to disable your Facebook app in your phone, until there's a fix.
>It is worth noting that the target of this attack are wi-fi networks. So if you connect to Facebook through the 3G or HSDPA cell phone network, you're safe.
Yes, until you wander into range of a hotspot and the phone uses it to save packet data charges. As you say, if it stays on the mobile data network, then all is fine regarding FireSheep.

Disclaimer: I'm no expert, but a regular user with 20+ years of experience. If this takes me out of kittenhood or not, I'll let others judge, if they so wish :)

> Once the signal has reached the access point, it's decrypted again and can potentially be sniffed on the WLAN.

The Access Point is where the WLAN ends.  Beyond the Access Point, the data is routed through the wire and is safe from Wi-Fi sniffing.

A word of warning about HTTPS Everywhere, since it has been mentioned twice.  This Firefox add-on forces HTTPS only for those websites who implement it.  If a site makes its content available only through HTTP, the add-on cannot automagically secure the communication.  Even the sites that use HTTPS may transmit part of the information in unencrypted (insecure) format.  Hence, be careful.  It's still a great add-on, though, and works well with Google, Wikipedia, Twitter, Facebook (without the chat feature), and Wordpress, amongst others.

Check out a firefox plugin called "Blacksheep".  It detects the use of Firesheep using it's own code.

Download it before the white Swiss sheep kick it out of the country. ;)