Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/6/2010
02:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Don't Be A Sheep

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.As Jim Rapoza expressed in his post, Firesheep Simplifies Stealing Logins, the extension was created to "shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse."

He clearly explains just what the plug-in achieves:

Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.

To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.

Rapoza's post does a great job at balancing out the pros and cons of such software. And make no mistake - these events always have created heated debates. Especially when exploit code, and as in this case, and attack software is released. But I disagree, as he states under the headline of his post that Firesheep makes the situation worse. And as he even points out later in his post, Firesheep could bring some welcomed long-term change.

But that is largely up to you, not Firesheep.

The situation is as bad as it is because certain providers have failed to provide secure internet sessions, thereby making it easier for attackers to snoop and hijack sessions. This isn't a new problem, it's been known for quite some time as side jacking or session hijacking.

It's just that Web service providers have chosen to ignore the threat. A threat that existed long before Firesheep, which only makes the attack marginally easier. Anyone who knows my position on these things knows that I don't take the release of attack or exploit code lightly. Only in the instances when software vendors fail to do the right thing and fix vulnerabilities in a reasonable amount of time do I think it's the right thing to do.

And that's the case here: vendors and service provides not encrypting sessions with SSL are placing their customers at risk. Because sites that don't use HTTPS such as Facebook, Flickr, Twitter, and many others don't use encryption place their users needlessly at risk.

That's the real source of the danger, and the clear continuing failure.

It's also human nature: people don't tend to think about security until they're pressed to think about security. We see it with software vendors who drag their feet when it comes to fixing the holes discovered by researchers all of the time. We see it in how enterprises take steps to tighten security only after they've been breached. And we've seen it in past events: e-mail security became vogue after the ILOVEU mass-mailer virus, while Code Red made worm fighting software famous for a couple of years after it struck.

And now we have many providers failing to take the security of their customers seriously. Well, hopefully now they will. Web mail providers such as Google and Microsoft are already offering SSL encryption, and computing power is so cheap now that there's really now excuse not to. However, when it really comes down to it, you don't have control over whether these vendors do, or don't, take your security seriously. You do have control, however, over what sites you choose to use, and where you use them and what data you share there. You can refuse to use insecure web sites (especially from Wi-Fi hotspots) altogether, or you can be very careful over what data and information you share.

And you also have control over whether you tell these sites how you feel about the level of insecurity they create. Tell them that you'd like the option to have fully-encrypted HTTPS sessions to keep your data and identity safe.

If more of us take these actions, and it pressures more sites to take session security seriously, Firesheep won't have been a failure at all. But that's largely up to how you react. So don't waste the moment. Tell lazy Web service providers how you feel.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32823
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
CVE-2021-35041
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.