Firesheep: A Valid Reason to Fear WiFi or How To Hack Your Wife’s Facebook

Just in time for Halloween, a developer by the name of Eric Butler has released Firesheep – a truly terrifying security tool. It’s so simple to use it makes script kiddies look like rocket surgeons. All you have to do is install the Firefox extension, that’s it. With the extension installed, at the click of a single button you can collect any session cookies floating around the WiFi network you’re connected to and use those cookies to browse any website the victim logs in to. To reiterate, if you’re on a public (or unsecured) WiFi hotspot, anyone else on the network has the ability to view your Facebook account, without any technical knowledge at all.

As you can see in the screenshot, Firesheep gives you a nice list of all user logins you’ve collected, including their profile pictures for your convenience; clicking one logs you in to the social network as that user, giving you full access to everything they have access to.

While this type of attack has always been a vague hypothetical possibility and there have always been tools available to take advantage of this sort of exploit, it has never been this simple. It’s the equivalent of putting a “give me money” button on the side of an ATM. Facebook, Twitter and friends are going to have to take notice.

What Not To Worry About

  • Private WiFi. If you know and trust everyone on the WiFi network you’re connected to at home or at work, you probably shouldn’t worry too much. You’re still just as vulnerable to the attack on a private or encrypted WiFi connection. But without open access to the general public, it’s a lot easier to catch the person messing with your account.
  • Passwords. This exploit works without ever knowing your password. No respectable website stores your password in plain text and even if someone gets into your account, most websites will not allow a user to change the password without entering the current password.

How To Protect Yourself

Firesheep is taking advantage of the fact that your session data is being sent over WiFi in plain unencrypted text. The only effective protection against this is full end-to-end encryption using HTTPS aka SSL. A lot of websites like banks or government services enforce HTTPS connections due to the sensitive nature of the transactions. Most social networks may offer HTTPS if you type it into the address bar (ex. https://facebook.com/ or https://twitter.com/), but since encryption slows down connections somewhat and is a little more taxing on server hardware, no social networks require you to connect with HTTPS. I suspect this will change within the next couple of weeks, if not sooner. In the meantime there are some steps you can take to make your browser use HTTPS.

  • If you use Gmail, they provide a handy setting to force Gmail to always use a secure connection. Details here. Enable this if you haven’t already. This is not necessary; Gmail went 100% SSL earlier this year.
  • For other sites always include the ‘s’ after ‘http’ when logging on to a website. This should work with any major website. Update your bookmarks now.
  • Right now, I’m serious…
  • ….
  • Unfortunately, updating your bookmarks is not enough. Even when you log in via a secured connection, Facebook and many others do not continue to send your traffic over secured links as you click around the site. Meaning, as soon as you leave that first httpS page, you may begin to expose your session details.
  • If you use Firefox, Techcrunch has an article on configuring Force-TLS, an add-on that forces sites to use HTTPS. Details here.
  • If you use Chrome or Safari, there are a few Greasemonkey extensions you can install that do similar things. This one covers a lot of sites. Take a look at the directory for more.
  • Do not use Internet Explorer.
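The exposure described above (secure login, then plain-HTTP pages that carry the session cookie) can be checked from a site's response headers. The following is an added example, not code from the original post or from Firesheep: it replays a constructed browsing trace and reports which cookies a browser would send in cleartext, honouring the cookie `Secure` attribute and the `Strict-Transport-Security` header. The host `social.example`, the cookie values and the function name `exposed_cookies` are assumptions, and cookie scoping is simplified to an exact host match.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def exposed_cookies(trace):
    """trace: list of (url, [(header, value), ...]) in browsing order.
    Returns {url: [cookie names]} for every request that would carry
    cookies over plain HTTP, where anyone on the same WiFi can read them."""
    jar = {}            # (host, cookie name) -> has Secure attribute
    hsts_hosts = set()  # hosts the browser will silently upgrade to HTTPS
    exposed = {}
    for url, headers in trace:
        parts = urlsplit(url)
        host, scheme = parts.hostname, parts.scheme
        if scheme == "http" and host in hsts_hosts:
            scheme = "https"  # upgraded before anything leaves the machine
        if scheme == "http":
            leaked = sorted(name for (h, name), secure in jar.items()
                            if h == host and not secure)
            if leaked:
                exposed[url] = leaked
        for key, value in headers:
            if key.lower() == "set-cookie":
                cookie = SimpleCookie()
                cookie.load(value)
                for name, morsel in cookie.items():
                    jar[(host, name)] = bool(morsel["secure"])
            elif key.lower() == "strict-transport-security" and scheme == "https":
                hsts_hosts.add(host)  # only honoured on a secure response
    return exposed

# Constructed traces: log in over HTTPS, then click a plain-HTTP link.
WEAK = [
    ("https://social.example/login",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("http://social.example/home", []),
]
HARDENED = [
    ("https://social.example/login",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
      ("Strict-Transport-Security", "max-age=31536000")]),
    ("http://social.example/home", []),
]

if __name__ == "__main__":
    print("weak:    ", exposed_cookies(WEAK))
    print("hardened:", exposed_cookies(HARDENED))
```
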

That said…

If you’re wondering who that neighbour with open WiFi has been messaging on Facebook, it’s never been easier to find out. Download the extension (disclaimer: don’t actually do this, it might be illegal).

Security? Why Bother

I’ve been working on an internal information delivery system for an unnamed multi-national.

I just logged in to their production database to set up some new features, one of which involved updating their user database. While poking around, I noticed that all but 62 of their roughly 400 users had the same password hash (meaning they all had the same password)!

Seriously!

Thoughts on Online Privacy & How to Protect Yourself [OR How Facebook Can Save Your Identity]

The following is an excerpt of an email I wrote in response to this article: “Facebook can ruin your life. And so can MySpace, Bebo”

A lot of the current batch of social networks have very poorly designed privacy controls. On Facebook for instance, it’s very hard to tell which of your contacts have access to which areas of your profile and it’s not entirely clear how much of this information is accessible via Google. In fact, there is a bug in Facebook’s architecture that will allow any of your friends to see a newsfeed item (not the full post) for all of your activities via the official Facebook API, even if you have set up your account to block certain users from seeing this. Also, Facebook is more closed off than some of the old social networks, so it might not even be clear to most users that their profiles show up on Google. Combine all of these factors: bugs, security holes, phishing attacks, user ignorance/naivety and you’ve got a shitstorm waiting to happen. I wouldn’t be surprised if in the next couple of years a big player is completely knocked out of the game by a major attack and the bad press that follows. Not too long ago a file containing nearly 1 million MySpace usernames and passwords was making its rounds; it went largely unreported, but if a major news outlet had picked it up it would’ve been very bad for MySpace.

That said, I think a lot of the people mentioned in this article probably didn’t have great legal representation. Writing a journal entry about how much you hate your job doesn’t necessarily mean you’re a bad idea. Making a drunken post about how much of a drunk you are doesn’t mean much if that’s the only time you’ve had a drink in 6 months. Accidentally adding someone to your friends list on a social network because you didn’t know how to use the interface is not nearly the same thing as banging on someone’s front door demanding to speak with them.

Interestingly, I’ve found that using my real name on websites/networks is a good way of protecting my online reputation. Social networking and similar sites will generally have much higher weighting in Google than the average site – networking type sites are built with search engine optimization in mind. So if you are a member of a number of these types of sites and you post content that you are proud of every once in a while, when someone does a search for your name they will almost always find content that you can vouch for. Additionally, if there is any kind of negative content about you somewhere on the web – say someone has posted something mean about you in their blog, or even worse if articles about your latest criminal conviction show up on a local newspaper’s website – it is very likely that when a potential employer does a search for your name, your profiles on larger websites will show up before these negative articles on smaller websites.