21 February 2011

Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.

Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.

“I released Firesheep to show that a core and widespread issue in Web site security is being ignored,” said Eric Butler, a freelance software developer in Seattle who created the program. “It points out the lack of end-to-end encryption.”

What he means is that while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.

via New Hacking Tools Pose Bigger Threats to Wi-Fi Users - NYTimes.com.

Well, better late than never.

Firesheep is really easy to use. I’ve had some fun at home stealing my wife’s cookies and messaging myself back and forth in different browsers. In seriousness, I haven’t logged in to public wifi since this came out. I did install SheepSafe and ForceTLS, and will try the EFF software, though it is Firefox only, as is BlackSheep.

I’ll note, and this is important, that Firesheep actually steals insecure session cookies, not passwords. That is, if you access any website with an insecure session cookie on public wifi, someone with Firesheep can make use of your session (i.e. be logged in as you). You don’t actually have to be logging in.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
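A site owner's view of the same weakness, as an added example that is not from the original post or from Firesheep: a small Python check over captured response headers that flags cookies a browser would send in cleartext after an encrypted login. The host, cookie names and header values are constructed samples, and the function names are hypothetical.

```python
# Added example: audit response headers for the "encrypted login, cleartext
# session" pattern. All URLs, cookie names and values are constructed samples.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit(responses):
    """responses: list of (url, [(header_name, header_value), ...]).
    Returns a sorted list of findings as strings."""
    findings = set()
    for url, headers in responses:
        scheme = urlsplit(url).scheme
        hsts = False
        for key, value in headers:
            k = key.lower()
            if k == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if scheme == "http":
                    findings.add(f"{name}: set over cleartext HTTP")
                elif "secure" not in attrs:
                    # Without Secure the browser attaches the cookie to http:// requests too.
                    findings.add(f"{name}: missing Secure, will be sent over HTTP")
            elif k == "strict-transport-security":
                hsts = True
            elif k == "location" and scheme == "https" and value.startswith("http://"):
                findings.add(f"{url}: HTTPS page redirects to cleartext {value}")
        if scheme == "https" and not hsts:
            findings.add(f"{url}: no Strict-Transport-Security header")
    return sorted(findings)

# Constructed sample: the login is encrypted, then the user is sent back to HTTP.
SAMPLE = [
    ("https://example.test/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://example.test/home"),
    ]),
    ("https://example.test/account", [
        ("Set-Cookie", "prefs=dark; Path=/; Secure"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The `/login` response produces three findings (cookie without `Secure`, redirect to `http://`, no HSTS header), while the `/account` response produces none.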

Also see discussion on Slashdot when it came out in October 2010.

And for what it’s worth, the term “firesheep” comes from “Wall of Sheep” at a hacker conference called Defcon that posted information of all the hackers at the conference making insecure use of the public wifi.
