Unless you’ve been living under a rock without wifi, you probably know that transmitting sensitive information while using a wifi hotspot is dangerous. It not only jeopardizes your Internet privacy, it can lead to online identity theft and credit fraud.
If that’s not enough to faze some intrepid wifi warriors, there’s a new easy-to-use attack tool to worry about. It’s an extension of Firefox called Firesheep. The new plug-in may sound warm and cuddly. But Firesheep is really a wolf in sheep’s clothing.
Firesheep Makes Hacking WiFi Hotspot Sessions Easy
The Firesheep attack is called HTTP session hijacking or sidejacking. Sidejacking is nothing new. But Firesheep put it on the map by bringing sidejacking to the masses.
Firesheep currently comes with built-in sidejacking attacks against 26 popular websites, like Facebook, Twitter, Amazon, Windows Live, Yahoo and PayPal, that only encrypt their login pages, not the rest of their sites. As your browser exchanges login information with a partially secured or unsecured website, Firesheep listens in on that traffic traveling over open wifi networks. Then it saves your session cookie information, letting a hacker reuse it to gain access to the sites you’ve visited. For example, once a hacker has logged into your vulnerable email or social network accounts, he can send out emails or posts in your name and access your friends’ email addresses or profiles.
Who Created Firesheep and Why?
So who are the hackers responsible for Firesheep? This summer, a Seattle software developer named Eric Butler decided to add fuel to the sidejacking security problem. (You may recall that he’s the white hat hacker who exposed the vulnerability of social networks to hacking.) Butler says that experienced hackers were already exploiting websites vulnerable to sidejacking. Frustrated by the failure of major websites to address the problem, he and his colleague Ian Gallagher decided to take action. By making Firesheep free and easy to use, they hope to draw attention to the issue and pressure websites into upgrading their security.
That’s the good news. The bad news is that Firesheep’s range isn’t limited to the two dozen or so sites currently being targeted. It’s a versatile plug-in predator that can be modified to attack other websites with login dialogs that are not secure. Since it first appeared on the scene, Firesheep has been downloaded 500,000 times. Here’s what you can do to protect yourself.
How to Fight Off Firesheep
- To reduce your risk of being sidejacked, avoid using unencrypted wifi at public hotspots. You might still get sidejacked elsewhere. But Firesheep thrives on unencrypted hotspot traffic.
- Watch out for websites that log you in over unencrypted HTTP or revert to HTTP after SSL login. They are prime targets, according to Lisa Phifer, network security consultant and author of eSecurityPlanet’s “Top Ten Ways to Stop Firesheep.”
This is what Phifer recommends:
- Use HTTPS Everywhere. This Firefox extension forces Firefox to only use HTTPS connections for a specific list of websites. But it won’t protect you on other sites. If you don’t use Firefox, look elsewhere.
- Use Force TLS. This is another Firefox extension that lets you create your own list of domain names to force encryption on.
- Avoid leaking cookies over HTTP. “Some sites try to do the right thing, but they fall short,” says Phifer. “Unfortunately, users don’t know which ones they are.” She recommends testing whether a site is vulnerable by importing a script from that domain into Firesheep and testing it yourself.
- Log off websites when you are finished. “This could invalidate a session cookie after it’s been grabbed by Firesheep,” says Phifer. “But it’s no guarantee.” It’s just a good practice for your Internet privacy.
- Don’t think that staying on a secure LAN means you’re safe. Firesheep is not limited to wifi. “Sidejacking may occur on Ethernet LANs and inside networks – anywhere a hacker can intercept unencrypted traffic,” says Phifer. That includes hotel rooms and business centers.
- Use a VPN (virtual private network) like PRIVATE WiFi™ to encrypt your online traffic. That makes your logins and your Internet communication invisible to sidejackers and hackers, even when it’s on vulnerable websites.
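The advice above boils down to two things a website operator can do on the server side: mark the session cookie Secure (and HttpOnly) so the browser never sends it over plain HTTP, and make logout actually invalidate the session so a copied cookie stops working. The following is an added example, not code from the article, from Firesheep or from Phifer’s guide. It models the sidejacking scenario the article describes with a toy session store and a Set-Cookie audit check; the cookie name `sid`, the URL `example.test` and the `SessionStore` class are assumptions made for the example, and the browser model only applies the scheme rule (Secure means https-only), ignoring domain and path matching.

```python
"""
Session-cookie hardening and logout invalidation (added example).

Models what sidejacking needs: a session cookie that is both visible on a
plaintext HTTP request and still valid on the server. Shows the two
server-side countermeasures: the Secure attribute and real logout.
"""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"  # assumed cookie name for the example


def audit_set_cookie(header_value: str, session_name: str = SESSION_COOKIE) -> List[str]:
    """Return findings for one Set-Cookie header value; empty list means hardened."""
    jar = SimpleCookie()
    jar.load(header_value)
    if session_name not in jar:
        return [f"no cookie named {session_name!r} in header"]
    morsel = jar[session_name]
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: readable by page scripts")
    return findings


def cookie_sent_on_request(header_value: str, url: str,
                           session_name: str = SESSION_COOKIE) -> bool:
    """Would a browser attach this cookie to a request for url?

    Only the scheme rule is modelled: a Secure cookie travels on https only.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if session_name not in jar:
        return False
    if jar[session_name]["secure"]:
        return urlsplit(url).scheme == "https"
    return True


class SessionStore:
    """Toy server-side session table (assumed design, not any real site's)."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def login(self, user: str, now: Optional[float] = None) -> str:
        sid = secrets.token_hex(16)  # unguessable session id
        start = now if now is not None else time.time()
        self._sessions[sid] = {"user": user, "expires": start + self._ttl}
        return sid

    def set_cookie_header(self, sid: str) -> str:
        # Hardened form: Secure keeps the cookie off http:// requests entirely.
        return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        entry = self._sessions.get(sid)
        current = now if now is not None else time.time()
        if entry is None or entry["expires"] <= current:
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def logout(self, sid: str) -> None:
        # Deleting the server-side entry is what makes a copied cookie useless.
        self._sessions.pop(sid, None)


def sidejack_walkthrough() -> dict:
    """Replay the article's scenario against a weak and a hardened cookie policy."""
    store = SessionStore()
    sid = store.login("alice")
    weak = f"{SESSION_COOKIE}={sid}; Path=/"   # TLS login, rest of site plain HTTP
    hard = store.set_cookie_header(sid)
    plain_page = "http://example.test/inbox"    # constructed URL for the example

    exposed_weak = cookie_sent_on_request(weak, plain_page)
    exposed_hard = cookie_sent_on_request(hard, plain_page)

    # A passive listener only gets the cookie if the browser put it on the wire.
    captured = sid if exposed_weak else None
    works_before_logout = captured is not None and store.user_for(captured) == "alice"
    store.logout(sid)
    works_after_logout = captured is not None and store.user_for(captured) is not None

    return {
        "weak_findings": audit_set_cookie(weak),
        "hard_findings": audit_set_cookie(hard),
        "exposed_on_plain_http_weak": exposed_weak,
        "exposed_on_plain_http_hard": exposed_hard,
        "captured_cookie_works_before_logout": works_before_logout,
        "captured_cookie_works_after_logout": works_after_logout,
    }


if __name__ == "__main__":
    for key, value in sidejack_walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough makes the article’s two points concrete: with the weak policy the cookie rides on every plain-HTTP page load and the copy stays valid until the victim logs out, which is why Phifer calls logging off a good practice but “no guarantee”; with the Secure attribute the browser never puts the cookie on a plaintext request in the first place, so there is nothing to capture. `audit_set_cookie` is the check an operator can run against their own site’s Set-Cookie headers.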
We’d like to know what you think of Firesheep’s creators. Are they heroes for highlighting a serious online security problem? Or are they villains for bringing a major sidejacking tool to the masses?