Security Corner

Nov 5 2010   3:31AM GMT

Baa Baa, Firesheep, Have You Any Wool?

Ken Harthun

Yes sir, yes sir,
Networks full.
One for the socials,
One for the tweets,
And one for the hacker boy
Who pwns all the peeps.

Sorry. I just had to do that. Firesheep is taking the ‘net by storm, it seems. Surely, you’ve heard about it by now; it has been around for nearly a week and has been downloaded more than 600,000 times. In case you haven’t heard about it, here’s the scoop from Bruce Schneier:

Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses WinPcap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.

In other words, if I sniff your cookies, I can hijack your session and be you. I can do anything that you could do, see anything that you could see. So, if you’re using public (unencrypted, open) WiFi you’re in trouble. Personally, I think this is a good thing: It may force the public hotspots to tighten security. After all, it’s not rocket science; you just implement WPA2 on your wireless router and give everyone the password. Steve Gibson explains:

Now that this concept is out, we’re going to see it go like crazy. And so…the remediation for the wireless access providers [is] simply bring up encryption… Again, it doesn’t have to be a secret password, just Starbucks can make it “Starbucks.” And that solves the problem. However, the providers of these services, the Facebook, the Twitter, the MySpace and so forth, they can’t rely on that. They have to simply enforce SSL, just like Google did.

Yes, there’s no reason not to just enforce SSL. On every website. Everywhere, all the time. It’s simple to do. End-to-end encryption and who the heck cares who’s sniffing? It’s all random noise to anyone looking at the data stream.
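What “enforce SSL” looks like on the server side, as an added example that is not from the original post: a small WSGI middleware (Python standard library only) that redirects cleartext requests to HTTPS, adds an HSTS header so the browser keeps using HTTPS, and marks every cookie Secure and HttpOnly so the session cookie is never sent over the open WiFi in the first place. The demo application, host name and cookie value are constructed for the example.

```python
# Site-wide SSL enforcement for a WSGI app (added example, stdlib only).
# Redirects cleartext requests to HTTPS, adds HSTS, and marks every cookie
# Secure + HttpOnly.  The redirect alone is not enough: a cookie without the
# Secure attribute is still sent with the very first http:// request.
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def harden_cookie(value):
    """Append Secure/HttpOnly to a Set-Cookie header value that lacks them."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)

class EnforceSSL:
    """WSGI middleware: responses leave only over HTTPS, with hardened cookies."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Assumption: the server sets wsgi.url_scheme from the real transport
            # (behind a TLS-terminating proxy, check X-Forwarded-Proto instead).
            target = "https://" + environ.get("HTTP_HOST", "localhost") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v) for k, v in headers]
            return start_response(status, fixed + [HSTS], exc_info)
        return self.app(environ, secure_start_response)

def demo_app(environ, start_response):
    """Constructed sample app: sets a plain session cookie, as many sites did in 2010."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]

def run(app, environ):
    """Call a WSGI app directly and return (status, headers, body) for inspection."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Wrap the real application as `EnforceSSL(app)`; the Secure attribute on the cookie is the part that matters most, since a browser will not send it over plain HTTP even if the user types an http:// address.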

Complexity is the enemy of security; simplicity is the ultimate weapon. The solution to this problem is a simple one. We can only hope that the release of Firesheep is the wake up call we need.
