
Be wary of that free WiFi

I don't know how many people who read this blog are in the habit of bringing their laptop or phone to places like Starbucks and using the free wireless Internet. But if you are one of them, you should read this. If you don't want to bother, here's the crucial part:

Firesheep is an incredibly easy-to-use add-on for the Firefox web browser that, when invoked while connected to any open and unencrypted WiFi hotspot, lists every active web session being conducted by anyone sharing the hotspot, and allows a snooping user to hijack any other user’s online web session logon with a simple double-click of the mouse. The snooper, then logged on and impersonating the victim, can do anything the original logged-on user/victim might do.

"open and unencrypted WiFi hotspot" describes the services offered in many coffee shops and restaurants. If you're able to simply walk into the place and connect without any sort of password, this is probably what they have. 

Here's a blog post by the author of the program explaining that he wrote it in hope of forcing web developers and providers to take the fairly elementary precautions required to prevent Firesheep from working. It includes a few screen shots that will make clear what he's talking about, in case you aren't sure.

There is an important exception to what it can do: if you're accessing a web site that encrypts all traffic, which you can ordinarily identify by the fact that the URL displayed in the browser begins with "https" rather than "http", intercepting the data doesn't accomplish anything for the would-be hijacker, because everything on the wire, including the session cookie that identifies you as logged in, is encrypted. So Firesheep is probably not a danger to your bank account, because financial data is almost universally handled with HTTPS now. But Facebook, for instance, does not encrypt its sessions this way. Your email provider may not. And so on. If you're just surfing around, reading the news and whatnot, not doing anything personal or embarrassing, on any site that doesn't require that you log in, this doesn't matter--there is no "session" to hijack.
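As an added example (not code from the post or from the Firesheep author), here is a small Python audit of a site's response headers for the precaution described above: a session cookie set without the Secure attribute is sent by the browser on plain http:// requests too, which is exactly what a sniffer on an open hotspot reads. The cookie-name hints and the sample headers are constructed assumptions, not taken from any real site.

```python
"""Audit Set-Cookie headers for the weakness Firesheep relied on:
a session cookie without the Secure attribute travels in cleartext
on any plain HTTP request.  Sample headers below are constructed."""
from dataclasses import dataclass

# Assumption: cookie names containing these fragments hold login state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    def exposed_on_open_wifi(self) -> bool:
        # Without Secure the browser also sends the cookie over http://,
        # where anyone on the same hotspot can copy and replay it.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value into name plus the flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lowered = name.lower()
    return CookieReport(name, "secure" in attrs, "httponly" in attrs,
                        any(h in lowered for h in SESSION_NAME_HINTS))


def audit_response(headers: list) -> dict:
    """Return session cookies exposed on open WiFi and whether HSTS is set."""
    exposed, hsts = [], False
    for key, value in headers:
        k = key.lower()
        if k == "set-cookie" and parse_set_cookie(value).exposed_on_open_wifi():
            exposed.append(parse_set_cookie(value).name)
        elif k == "strict-transport-security":
            hsts = True  # tells the browser never to use plain http:// again
    return {"exposed_session_cookies": exposed, "hsts": hsts}


# Constructed: a site setting its login cookie with no flags and no HSTS.
WEAK_HEADERS = [("Content-Type", "text/html"),
                ("Set-Cookie", "sessionid=abc123; Path=/"),
                ("Set-Cookie", "theme=dark; Path=/")]
# The same site after the "elementary precautions": Secure, HttpOnly, HSTS.
HARDENED_HEADERS = [("Content-Type", "text/html"),
                    ("Strict-Transport-Security", "max-age=31536000"),
                    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
                    ("Set-Cookie", "theme=dark; Path=/")]
```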

(Hat tip to my wife, who is becoming quite the technologist.) 

Comments


For every yin there's a yang, and for every firesheep there's a blacksheep:

http://www.zscaler.com/blacksheep.html

I was saying that to Bill just this morning.

That's pretty cool. Although "black sheep" seems the wrong term--"shepherd" might be better. I took "firesheep" to be some sort of reference to "wolf in sheep's clothing" or maybe in this case "fox in sheep's clothing". So this is a shepherd skilled at detecting disguised wolves or foxes.

Anyway...if I were starting over in IT I would go into the security field. It's about the only thing in the biz that I might be able to muster up real interest in. I don't think I'm smart enough, though.

Switching my web services to SSL has been on my to-do list for a long time. It's now near the top. I'll probably do it this weekend.

Computer security doesn't come up very often around here, but the fact that it did now gives me an opportunity to draw attention to a paper I co-wrote a while ago on the topic: Course of action recommendations for practical network defence. (The link goes to a PDF file.) Another version of this work was presented a few months ago at a NATO scientific meeting.

Our basic idea was originally to build an analysis tool that would use detailed information about the configuration of the network to discover all the possible ways (within some defined scope) that it could be successfully attacked. With some help from collaborators at Princeton we did a first iteration of that tool, but then it turned out that there were lots of ways to attack a network of even modest size. The paper I link above is an attempt to automatically generate recommendations for the system administrator that will maximally improve the network's security using minimal (or at least limited) resources.

This has actually been implemented, and we got a few million dollars to test it on a live network. That's underway now. I don't work on these topics anymore, but I still find them interesting.

I'll have to look at that later, but it sounds interesting. Very few installations protect their networks as they should, partly because sysadmins have too much on their plates and security gets very arcane, partly because security often gets in the way of users.
