Endpoint Protection


AV signature for Firesheep?

  • 1.  AV signature for Firesheep?

    Posted Oct 28, 2010 11:36 AM

    I'm assuming that Symantec will create a signature to detect the Firesheep plug-in.  Anyone know when this will be released?



  • 2.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 11:46 AM

    Have you submitted samples of Firesheep?

    If not, then do it now.

    http://www.symantec.com/business/security_response/submitsamples.jsp



  • 3.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 12:07 PM

    Though if you think about how Firesheep works (an outside party intercepting communications to non-secure websites over unencrypted, insecure/open Wi-Fi connections), I'm not sure how the user could detect their session was being 'sidejacked' by Firesheep via AV definitions, since it's information that's being broadcast out that's being intercepted.  Intrusion Prevention signatures would be more apt, but then again, I don't know if Firesheep sends information back to the user who is being sidejacked.

    There are some Firefox plugins that force an HTTPS connection.  May be worth looking into.

    sandra



  • 4.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 12:21 PM

    Not trying to alert end users when they get sidejacked, just want to make sure none of our devices and users are making the attempt.  If they are, I want to know who they are.  Like I want to know who is using Cain and Abel.



  • 5.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 12:26 PM

    Sandra nailed it, there is nothing sent/received/etc. on the host machine. Because of this there is nothing we can place on the host machine to prevent this. Your best bet is to encrypt your traffic.



  • 6.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 12:28 PM

    Create an application control policy to block the plug-in, then notify you about it.

     

    Since this isn't a virus nor a vulnerability on your machines, I don't see any reason for a "signature," to be created IMO.  But I suspect in time there will be one.



  • 7.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 12:33 PM

    You mean to get a detection added to, say, Commercial Applications List scanning in PTP?  Don't know if that's possible, since I don't think it poses a security risk to the person who has it installed.  Application/Device Control blocking may be the way to go.

    sandra



  • 8.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 01:12 PM

    So why does SEP detect Cain and Abel or rainbowcrack?  Not detecting this new tool does not seem consistent. 



  • 9.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 01:16 PM

    It's a Firefox add-on that forces use of HTTPS on many sites - encrypting your sessions and preventing sniffers and tools like Firesheep from hijacking your sessions.

    I know it is hard to mandate Firefox add-ons - esp. since many corporations still use IE.  Another approach is to use a VPN.



  • 10.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 01:25 PM

    Probably because Symantec has not had adequate time to look at the tool yet and make a determination on what to do with it. There are a lot of tools out there that can be used for good as well as evil.

    As mentioned above, you're better off creating an ADC policy for now until either defs are written or an IPS signature is created.



  • 11.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 02:18 PM

    For Cain & Abel there's an IPS Signature detecting Buffer Overflow traffic as well as a "Security Assessment Tool" (Security Risk) AV detection.  RainbowCrack is also defined as a Security Risk.

    It's entirely possible then that a detection of some variety is yet to be added.

    sandra



  • 12.  RE: AV signature for Firesheep?

    Posted Oct 28, 2010 04:24 PM

    It is important to use SSL whenever possible. Most sites these days offer it. But, for sure with any personal sites such as banking etc...
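
Added example, not part of any post in this thread: several replies point at encrypting traffic (forced HTTPS, SSL) as the real fix for sidejacking. This Python sketch audits a site's response headers for the conditions that leave a session cookie readable on open Wi-Fi. The URLs, header values and finding codes are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    first, *rest = value.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name, attrs

def audit_response(url, headers):
    """Return (code, detail) findings for one response.

    headers is a list of (name, value) pairs, so repeated Set-Cookie
    headers are preserved. Codes are labels made up for this example.
    """
    findings = []
    is_https = urlsplit(url).scheme.lower() == "https"
    if not is_https:
        # Everything in this exchange, cookies included, crosses the air in clear text.
        findings.append(("PLAINTEXT", url))
    elif not any(n.lower() == "strict-transport-security" for n, _ in headers):
        # Without HSTS the browser may still make a first request over http://.
        findings.append(("NO_HSTS", url))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # The browser will attach this cookie to plain-HTTP requests too.
            findings.append(("COOKIE_NOT_SECURE", cookie))
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = [
    ("http://example.test/login",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://example.test/login",
     [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
      ("Set-Cookie", "prefs=dark; Path=/")]),
    ("https://example.test/account",
     [("Strict-Transport-Security", "max-age=31536000"),
      ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```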