Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/6/2010
02:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Don't Be A Sheep

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.As Jim Rapoza expressed in his post, Firesheep Simplifies Stealing Logins, the extension was created to "shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse."

He clearly explains just what the plug-in achieves:

Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.

To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.

Rapoza's post does a great job at balancing out the pros and cons of such software. And make no mistake - these events always have created heated debates. Especially when exploit code, and as in this case, and attack software is released. But I disagree, as he states under the headline of his post that Firesheep makes the situation worse. And as he even points out later in his post, Firesheep could bring some welcomed long-term change.

But that is largely up to you, not Firesheep.

The situation is as bad as it is because certain providers have failed to provide secure internet sessions, thereby making it easier for attackers to snoop and hijack sessions. This isn't a new problem, it's been known for quite some time as side jacking or session hijacking.

It's just that Web service providers have chosen to ignore the threat. A threat that existed long before Firesheep, which only makes the attack marginally easier. Anyone who knows my position on these things knows that I don't take the release of attack or exploit code lightly. Only in the instances when software vendors fail to do the right thing and fix vulnerabilities in a reasonable amount of time do I think it's the right thing to do.

And that's the case here: vendors and service provides not encrypting sessions with SSL are placing their customers at risk. Because sites that don't use HTTPS such as Facebook, Flickr, Twitter, and many others don't use encryption place their users needlessly at risk.

That's the real source of the danger, and the clear continuing failure.

It's also human nature: people don't tend to think about security until they're pressed to think about security. We see it with software vendors who drag their feet when it comes to fixing the holes discovered by researchers all of the time. We see it in how enterprises take steps to tighten security only after they've been breached. And we've seen it in past events: e-mail security became vogue after the ILOVEU mass-mailer virus, while Code Red made worm fighting software famous for a couple of years after it struck.

And now we have many providers failing to take the security of their customers seriously. Well, hopefully now they will. Web mail providers such as Google and Microsoft are already offering SSL encryption, and computing power is so cheap now that there's really now excuse not to. However, when it really comes down to it, you don't have control over whether these vendors do, or don't, take your security seriously. You do have control, however, over what sites you choose to use, and where you use them and what data you share there. You can refuse to use insecure web sites (especially from Wi-Fi hotspots) altogether, or you can be very careful over what data and information you share.

And you also have control over whether you tell these sites how you feel about the level of insecurity they create. Tell them that you'd like the option to have fully-encrypted HTTPS sessions to keep your data and identity safe.

If more of us take these actions, and it pressures more sites to take session security seriously, Firesheep won't have been a failure at all. But that's largely up to how you react. So don't waste the moment. Tell lazy Web service providers how you feel.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.