What you need to know about the evils of Firesheep (a gateway drug to more evil hacking)

October 27, 2010

Firesheep is a great new plugin that works in the Firefox browser.  It is easy for you to install, easy to run, and gives you, and just about anyone else, the power to do pure evil using just your browser and a laptop.

With this post I’ll explain some of this evil and offer some thoughts on what it means for CTOs.

First a bit about the code itself, from the author:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

The author of this code has done the entire community a service.  Sites like Facebook can build in better ways to secure user login information and can also do a better job of educating users on the dangers of passing their login info in the clear.

Here is my experience with Firesheep:

  • Like many others I learned of this through my social media friends (Thanks Chris and Kirby).
  • I downloaded it and installed it on my home computer and tested it on my own encrypted LAN to see what it could see from computers on my own network.  It was incredibly easy to load and use and I saw results almost instantly.  Websites that were open in other windows on other computers that needed to authenticate for any reason caused events where login info was captured.  When it is captured, you just click on an icon and the system logs you into the captured account.
  • I put it on my laptop and took it to a Virtualization, Cloud Computing and Green IT conference.  When I joined the open LAN at the Hyatt.  A couple logins were returned.
  • Testing the environment at Barnes and Noble returned far more results.  Dozens of logins of my fellow coffee drinkers were returned.  All it would take would be one click of my mouse and I would be in their Facebook accounts, reading messages, sending messages, changing photos and doing other evil.  I didn’t, of course, but the fact is I could have.

So, what should CTOs know about Firesheep?

  • I recommend any techie or security professional download it yourself. It will be good to see how it works.
  • Review of the site of Eric Butler at: http://codebutler.com/firesheep It is very educational and worth a review.
  • I would also recommend every reader of this blog think through what non techies you should tell about this and what you should say.  We should all warn our families and friends not to use public wifi without protection.  There are ways to protect yourself using proxy, for example, but the best way is probably to travel with your own comms (I use a MiFi).



Firesheep screengrab from http://codebutler.com/firesheep