TechSling Weblog

FireShepherd Unleashed to Counter FireSheep Attacks

And so, let the plug-in/counter-plug-in war commence! In the past week or so, a lot has been said and written about FireSheep attacks in cyberspace, particularly in relation to public wireless networks, which most users have generally perceived as safe. When it was recently announced that Google had accidentally collected emails, usernames and passwords with its Street View cars, one would not have thought we would be talking about a similar incident so soon afterwards. Stealing passwords is not exactly a new phenomenon: ARP spoofing, for example, which allows data to be surreptitiously routed through a rogue computer on a network, has been known to be exploited for over a decade. However, what makes FireSheep different from other point-and-click tools and login hijackers is its simplicity and the fact that it does not require significant technical knowledge on the part of the user.

What is FireSheep?

FireSheep is a free, open-source Firefox add-on (plug-in) created by a Seattle-based software developer, Eric Butler, that allows anyone to scan unprotected/open WiFi networks and spy on the activities of other users of that network who are logged into 26 major Web 2.0 Websites such as Amazon, Facebook, Foursquare, The New York Times, Evernote, Dropbox, Windows Live, Twitter, Google, Bit.ly, Flickr and so on. In other words, FireSheep allows anybody to impersonate others by hijacking their session cookie.

Screenshot 1 of FireSheep

Recently announced by Butler at the Toorcon 12 security conference, the plug-in is simple and user-friendly, and works on Mac OS X and Windows, with a Linux version reportedly on its way.
After installation, FireSheep adds a sidebar to the Firefox browser that captures login data and shows when anyone on an open network, such as at an airport or coffee shop, visits an insecure site. A simple double-click then gives instant access to the logged-on sites.

How Does FireSheep Work?

FireSheep takes advantage of poor security on the part of Websites that rely on cookies for authentication. While a user's initial username and password may be protected by SSL encryption, the cookie the site uses after a successful login is usually not protected or encrypted. This leaves the cookie vulnerable: with a single click over an open WiFi connection, the unprotected cookie can be hijacked to take over the user account for that session.

A cookie consists of small bits of information stored on a user's computer by a Web browser that help to keep login sessions going. It keeps the user logged in without having to identify him/herself again.

This means that anybody with that cookie, from the same IP address, such as a public WiFi hotspot at an airport or coffee shop, can pretend to be the user, which makes it easy to intercept any session that is displayed in the FireSheep sidebar.
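The weakness described above can be checked from the defender's side by looking at the `Set-Cookie` headers a site returns after login. The following is an added example, not code from the original article or from FireSheep: it models which cookies a browser would attach to a plain `http://` request, where they travel unencrypted. The cookie names, values and the host `example.test` are constructed, and domain and path matching are assumed to succeed.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a site might return after an HTTPS login.
SAMPLE_SET_COOKIE = [
    "session_id=3f9a1c; Path=/; HttpOnly",          # session cookie, no Secure
    "auth_token=b71e02; Path=/; Secure; HttpOnly",  # session cookie, HTTPS-only
    "lang=en; Path=/",                              # preference cookie
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, set of attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs

def cookies_sent(set_cookie_headers, request_url):
    """Names of the cookies a browser would attach to request_url.

    Only the Secure attribute is modelled: a Secure cookie is withheld
    from any request that is not https://.
    """
    scheme = urlsplit(request_url).scheme.lower()
    sent = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent

def exposed_session_cookies(set_cookie_headers, session_names):
    """Session cookies that would cross the network in cleartext."""
    on_wire = cookies_sent(set_cookie_headers, "http://example.test/")
    return [name for name in on_wire if name in session_names]
```

Any name returned by `exposed_session_cookies` is a cookie the site should re-issue with the `Secure` attribute and serve only over HTTPS.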

Limitations of FireSheep

As with every other HTTP session hijacking technique, while the hacker can access and use the victim's cookies to browse a site such as Facebook, this is unlikely to expose the user's password. Thus, the account cannot be stolen by changing the password.


How Do You Know If You Have Been FireSheeped?

The simple answer is, you don't. When sidejacking occurs, the attacker simply gets hold of the user's cookie and is thus able to use the site as if it were his or her own. Even the FireSheep user is not exempt from becoming a victim, and neither are users of portable devices such as the iPad, as long as they are operating on an open wireless network.

Screenshot 2 of FireSheep

Is FireSheep Illegal?

Probably not. There are quite a few arguments for and against the legality of using FireSheep or similar sidejacking tools, particularly in relation to building the add-on and its download and use by the general public. For example, Article 6 of the Council of Europe's Convention on Cybercrime obliges member states to have legislation against the misuse of devices. Thus, computer misuse could be interpreted by some as intercepting data (a cookie) without the user's consent. Some in the U.S. have also argued that the creation and distribution of FireSheep could be wire-tapping, which may be a criminal offense under U.S. law.

However, on the other side of the coin are those who stress the importance of intent when considering whether or not FireSheep is legal. According to its developer, FireSheep was released in order to educate users and encourage more Websites to use full end-to-end encryption, such as HTTPS or SSL, for logins. The add-on is therefore expected to highlight the lack of security surrounding existing user-login systems and cookies that are used on popular Websites. This argument appears to be a valid one because, while it is already a well-known fact that cookies sent over insecure network connections can be easily captured and used by hackers via HTTP session hijacking, what the FireSheep extension does is only to educate Internet users by making it simple to do so, in a bid to persuade major Websites to create secure SSL connections between the server and user at all stages after logging in.

How Do You Protect Yourself From Firesheep?

Internet security experts have suggested various ways of protecting oneself against FireSheep and similar attacks. Some of the most popular methods are highlighted below.

  1. FireShepherd: While there are plenty of tools that offer protection against sidejacking, an engineering student at the University of Iceland, Gunnar Atli Sigurdsson, designed a desktop program that can periodically jam the local wireless network by using a string of random characters that will instantly crash FireSheep. Sigurdsson is quoted as saying that FireShepherd “pretty much floods the wireless network with packets that crush FireSheep and turns it off”.
  2. Firefox Plug-ins: Alternatively, there are various free Firefox plug-ins that can be used to encrypt your traffic, for example the HTTPS Everywhere Firefox extension or Force-TLS, which force popular sites to send data via the more secure HTTPS protocol.
  3. Set up an SSH SOCKS proxy: By using a simple SSH command, one can encrypt all Web browsing traffic and redirect it through a trusted computer. Once the proxy is up and running, Firefox has to be configured to use it in the Tools > Options > Advanced section of the Network tab.
  4. Avoid using public hotspots or WiFi networks altogether: This option, however, appears to be a bit of an over-reaction because the vulnerability is due to a lack of security from the Websites concerned rather than the WiFi network.
  5. Use a virtual private network (VPN): There are a good number of private VPN service providers that could be used when connecting to public WiFi networks, some of which are available for as little as $5 per month. Examples include Strong VPN, Road Warrior VPN and F-Secure.
  6. Connect through a MiFi device: This option is arguably the most expensive. For example, in America, Verizon is reported to give away the hardware while charging between $40 and $60 per month for access to its 3G network.
  7. Use Strict Transport Security (STS): HTTP Strict Transport Security (HSTS) is still a relatively new security feature that is starting to appear in some Internet browsers. It automatically forces the browser to make a secure connection with every Web page that supports SSL encryption. The HSTS policy is currently supported in Chrome 4, while Firefox intends to adopt it in its next release.

Unfortunately, with over half a million downloads made already, one cannot guarantee that the tool will not be misused. Although Mozilla has a blocklist mechanism that can be used to remove illegal and potentially dangerous Firefox add-ons from its database, it appears that the organisation will not use it in this case. Thus, users can only hope that the likes of Twitter and Facebook will soon configure their Websites to use end-to-end encryption so as to prevent further harvesting of information from insecure WiFi networks.


Talking Point

Is the development and subsequent release of FireSheep the best way to raise awareness of security issues and highlight the apparent lack of full encryption on popular Websites? What impact will it have on your browsing habits, if any?
