Risk

11/6/2010
02:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Don't Be A Sheep

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.As Jim Rapoza expressed in his post, Firesheep Simplifies Stealing Logins, the extension was created to "shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse."

He clearly explains just what the plug-in achieves:

Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.

To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.

Rapoza's post does a great job at balancing out the pros and cons of such software. And make no mistake - these events always have created heated debates. Especially when exploit code, and as in this case, and attack software is released. But I disagree, as he states under the headline of his post that Firesheep makes the situation worse. And as he even points out later in his post, Firesheep could bring some welcomed long-term change.

But that is largely up to you, not Firesheep.

The situation is as bad as it is because certain providers have failed to provide secure internet sessions, thereby making it easier for attackers to snoop and hijack sessions. This isn't a new problem, it's been known for quite some time as side jacking or session hijacking.

It's just that Web service providers have chosen to ignore the threat. A threat that existed long before Firesheep, which only makes the attack marginally easier. Anyone who knows my position on these things knows that I don't take the release of attack or exploit code lightly. Only in the instances when software vendors fail to do the right thing and fix vulnerabilities in a reasonable amount of time do I think it's the right thing to do.

And that's the case here: vendors and service provides not encrypting sessions with SSL are placing their customers at risk. Because sites that don't use HTTPS such as Facebook, Flickr, Twitter, and many others don't use encryption place their users needlessly at risk.

That's the real source of the danger, and the clear continuing failure.

It's also human nature: people don't tend to think about security until they're pressed to think about security. We see it with software vendors who drag their feet when it comes to fixing the holes discovered by researchers all of the time. We see it in how enterprises take steps to tighten security only after they've been breached. And we've seen it in past events: e-mail security became vogue after the ILOVEU mass-mailer virus, while Code Red made worm fighting software famous for a couple of years after it struck.

And now we have many providers failing to take the security of their customers seriously. Well, hopefully now they will. Web mail providers such as Google and Microsoft are already offering SSL encryption, and computing power is so cheap now that there's really now excuse not to. However, when it really comes down to it, you don't have control over whether these vendors do, or don't, take your security seriously. You do have control, however, over what sites you choose to use, and where you use them and what data you share there. You can refuse to use insecure web sites (especially from Wi-Fi hotspots) altogether, or you can be very careful over what data and information you share.

And you also have control over whether you tell these sites how you feel about the level of insecurity they create. Tell them that you'd like the option to have fully-encrypted HTTPS sessions to keep your data and identity safe.

If more of us take these actions, and it pressures more sites to take session security seriously, Firesheep won't have been a failure at all. But that's largely up to how you react. So don't waste the moment. Tell lazy Web service providers how you feel.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.