Risk
11/6/2010
02:59 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Don't Be A Sheep

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.As Jim Rapoza expressed in his post, Firesheep Simplifies Stealing Logins, the extension was created to "shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse."

He clearly explains just what the plug-in achieves:

Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.

To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.

Rapoza's post does a great job at balancing out the pros and cons of such software. And make no mistake - these events always have created heated debates. Especially when exploit code, and as in this case, and attack software is released. But I disagree, as he states under the headline of his post that Firesheep makes the situation worse. And as he even points out later in his post, Firesheep could bring some welcomed long-term change.

But that is largely up to you, not Firesheep.

The situation is as bad as it is because certain providers have failed to provide secure internet sessions, thereby making it easier for attackers to snoop and hijack sessions. This isn't a new problem, it's been known for quite some time as side jacking or session hijacking.

It's just that Web service providers have chosen to ignore the threat. A threat that existed long before Firesheep, which only makes the attack marginally easier. Anyone who knows my position on these things knows that I don't take the release of attack or exploit code lightly. Only in the instances when software vendors fail to do the right thing and fix vulnerabilities in a reasonable amount of time do I think it's the right thing to do.

And that's the case here: vendors and service provides not encrypting sessions with SSL are placing their customers at risk. Because sites that don't use HTTPS such as Facebook, Flickr, Twitter, and many others don't use encryption place their users needlessly at risk.

That's the real source of the danger, and the clear continuing failure.

It's also human nature: people don't tend to think about security until they're pressed to think about security. We see it with software vendors who drag their feet when it comes to fixing the holes discovered by researchers all of the time. We see it in how enterprises take steps to tighten security only after they've been breached. And we've seen it in past events: e-mail security became vogue after the ILOVEU mass-mailer virus, while Code Red made worm fighting software famous for a couple of years after it struck.

And now we have many providers failing to take the security of their customers seriously. Well, hopefully now they will. Web mail providers such as Google and Microsoft are already offering SSL encryption, and computing power is so cheap now that there's really now excuse not to. However, when it really comes down to it, you don't have control over whether these vendors do, or don't, take your security seriously. You do have control, however, over what sites you choose to use, and where you use them and what data you share there. You can refuse to use insecure web sites (especially from Wi-Fi hotspots) altogether, or you can be very careful over what data and information you share.

And you also have control over whether you tell these sites how you feel about the level of insecurity they create. Tell them that you'd like the option to have fully-encrypted HTTPS sessions to keep your data and identity safe.

If more of us take these actions, and it pressures more sites to take session security seriously, Firesheep won't have been a failure at all. But that's largely up to how you react. So don't waste the moment. Tell lazy Web service providers how you feel.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.