Herd the Firesheep
The internet has been in a frenzy over Firesheep this past week, and for good reason. This tiny Firefox add-on makes session hijacking (sidejacking) available to the masses, from script kiddies to trouble-making high schoolers and adventurous college students. Strike that. Anyone with Firefox can now wreak havoc.
So what is Firesheep and why might it be the best thing that has happened in terms of security?
To put it simply, Firesheep is merely a Firefox add-on that allows anyone who has it installed on a Mac (Windows users need to install WinPcap first) to instantly log in to someone's Twitter or Facebook account, and a few other supported sites.
It does this through something called session hijacking, which exploits the way these sites handle their secure logins. To protect your credentials, Facebook serves its login page over HTTPS (SSL/TLS) so that when you fill out the form and click login, your password is not sent across the internet as plain text. If it were, someone could "sniff" those packets and steal your password.
This is the first step in security, and most, if not all, sites should be using it, especially popular sites and sites that do banking or commerce.
Where this falls short, however, is in how the site recognizes who you are after you log in. The website sets a cookie on your computer containing an assigned session key, and as long as you hold that cookie the website knows you are logged in from your computer. The problem is that this cookie is NOT protected: all traffic to these sites after login goes out in the clear over plain HTTP, and the cookie goes with every request.
Session hijacking grabs this cookie and simply replays it to the website. With that credential the site assumes it is talking to the original user, and the attacker instantly has complete access to the account. This is what Firesheep does, now packaged in a nice GUI that anyone can install and use.
Surprisingly for many, this issue is nothing new. It was described as early as 2003 and basically ignored. Hackers have used this technique for some time now with a lot of success. What Firesheep has done, quite well in my opinion, is bring to light the large security flaw inherent in most websites today.
Steve Gibson of GRC and the "Security Now!" podcast is understandably excited about this plugin. It takes a lot to motivate companies to change, and when user security and privacy are involved it is definitely an important issue. Because this tool brings the vulnerability to light and places it in the hands of even the least technical users, it will help push these companies to change their security policies.
So when and where are you vulnerable? The home user will usually be safe from this particular exploit. The ones most affected are those who use open Wi-Fi, such as unprotected hotspots like Starbucks. Users of WEP-enabled networks can also be attacked by other users on the SAME WEP network, as seen in tests by Derek Schauland posted on TechRepublic. WPA and WPA2 users remain safe, and I want to remind anyone reading that WPA/WPA2 encryption is the minimum you can do to secure your network. In fact it should be required.
Now that you have been sufficiently scared by the implications of all this, what can you do to protect yourself?
The best thing to do is to NOT use unsecured wireless networks such as Starbucks or any other free Wi-Fi spot that does not password-protect its network. If you absolutely need to use Wi-Fi at Starbucks, there are three measures you can take to protect yourself.
- Set up a secure VPN (Virtual Private Network) that you can connect to, which will act as a secure proxy between you and the internet. There are numerous guides on the internet on how to set one up, and perhaps I will write an article on that one day. It does require another computer for you to connect to, usually a server, but it can be your home computer, or even your home router if it supports it (DD-WRT firmware gives you that option on supported routers).
- Set up remote desktop using LogMeIn's remote tool. Their connection is secured by SSL. This requires a computer at home with the LogMeIn tool installed.
- Use "HTTPS Everywhere", a Firefox plugin that forces sites to use HTTPS for the entire session. The one caveat: the site must support HTTPS or it will not work. Fortunately most large sites should work.
These three tips apply to both open and WEP-secured networks.
So, what needs to be done? The large social sites, as well as large e-commerce sites, should enforce complete HTTPS sessions while you are logged in to protect users' security. There have been complaints that this would create too much overhead and cost more money and energy. However, Google did this very thing with Gmail with no additional machines.
One problem with Google, though: if you sign in to Gmail through HTTPS and then start using google.com, you are no longer protected by HTTPS and can be exposed to session hijacking.
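A defender's check for the two points above, the session cookie that keeps travelling over plain HTTP after an HTTPS login and the full-HTTPS sessions the post asks sites to enforce, as an added example that is not code from the post: it parses constructed Set-Cookie and Strict-Transport-Security headers and flags cookies a sniffer on an open network could capture. The Secure cookie attribute and the HSTS header are standard mechanisms; the header samples are constructed.

```python
# Added example, not code from the post or from Firesheep: audit the
# Set-Cookie and HSTS headers of a login response for session cookies that
# a passive sniffer on open Wi-Fi could capture over plain HTTP.
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    secure: bool    # browser sends the cookie only over HTTPS
    httponly: bool  # hidden from page scripts; does nothing against sniffing


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def audit_response(headers: list[tuple[str, str]]) -> dict:
    """Report cookies that would travel in the clear and whether HSTS is set.

    Without the Secure attribute the browser attaches the cookie to every
    http:// request to the site, which is exactly what sidejacking waits for.
    """
    cookies, hsts = [], False
    for key, val in headers:
        if key.lower() == "set-cookie":
            cookies.append(parse_set_cookie(val))
        elif key.lower() == "strict-transport-security":
            hsts = True  # browser upgrades later http:// links to https://
    return {"hsts": hsts, "exposed_cookies": [c.name for c in cookies if not c.secure]}


# Constructed samples: the pattern the post describes (HTTPS login, then the
# cookie replayed over plain HTTP) versus the hardened configuration.
WEAK_LOGIN_RESPONSE = [
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_response(hdrs))
```

The weak sample reports `sid` as exposed even though it carries HttpOnly, because HttpOnly only hides the cookie from scripts and says nothing about the transport.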
What Wi-Fi hotspot operators need to do: secure your networks with a minimum of WPA, and preferably WPA2! This is the best thing any network admin can do. Even with a shared password, WPA/WPA2 users will be more protected and will be completely protected from this iteration of Firesheep.
Well, that was a long post. To reiterate:
- Firesheep makes hacking easier.
- Open networks = BAD
- WEP networks = just as bad
- WPA/WPA2 = better
- HTTPS = best
Finally, I will point out that real hackers will be able to work around some of the things I mentioned, but at the very least this raises the bar in terms of protecting you and your connection.
- Security Now! with Steve Gibson – Firestorm
- Security Now! with Steve Gibson – Listener Feedback & Firestorm
- Session Hijacking @ Wikipedia