Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/6/2010
02:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Don't Be A Sheep

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.

Thanks to the new Firefox plug-in dubbed Firesheep, snoops and attackers now have an easier shot at hijacking some of your Internet sessions. Don't let this opportunity go to waste.As Jim Rapoza expressed in his post, Firesheep Simplifies Stealing Logins, the extension was created to "shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse."

He clearly explains just what the plug-in achieves:

Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.

To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.

Rapoza's post does a great job at balancing out the pros and cons of such software. And make no mistake - these events always have created heated debates. Especially when exploit code, and as in this case, and attack software is released. But I disagree, as he states under the headline of his post that Firesheep makes the situation worse. And as he even points out later in his post, Firesheep could bring some welcomed long-term change.

But that is largely up to you, not Firesheep.

The situation is as bad as it is because certain providers have failed to provide secure internet sessions, thereby making it easier for attackers to snoop and hijack sessions. This isn't a new problem, it's been known for quite some time as side jacking or session hijacking.

It's just that Web service providers have chosen to ignore the threat. A threat that existed long before Firesheep, which only makes the attack marginally easier. Anyone who knows my position on these things knows that I don't take the release of attack or exploit code lightly. Only in the instances when software vendors fail to do the right thing and fix vulnerabilities in a reasonable amount of time do I think it's the right thing to do.

And that's the case here: vendors and service provides not encrypting sessions with SSL are placing their customers at risk. Because sites that don't use HTTPS such as Facebook, Flickr, Twitter, and many others don't use encryption place their users needlessly at risk.

That's the real source of the danger, and the clear continuing failure.

It's also human nature: people don't tend to think about security until they're pressed to think about security. We see it with software vendors who drag their feet when it comes to fixing the holes discovered by researchers all of the time. We see it in how enterprises take steps to tighten security only after they've been breached. And we've seen it in past events: e-mail security became vogue after the ILOVEU mass-mailer virus, while Code Red made worm fighting software famous for a couple of years after it struck.

And now we have many providers failing to take the security of their customers seriously. Well, hopefully now they will. Web mail providers such as Google and Microsoft are already offering SSL encryption, and computing power is so cheap now that there's really now excuse not to. However, when it really comes down to it, you don't have control over whether these vendors do, or don't, take your security seriously. You do have control, however, over what sites you choose to use, and where you use them and what data you share there. You can refuse to use insecure web sites (especially from Wi-Fi hotspots) altogether, or you can be very careful over what data and information you share.

And you also have control over whether you tell these sites how you feel about the level of insecurity they create. Tell them that you'd like the option to have fully-encrypted HTTPS sessions to keep your data and identity safe.

If more of us take these actions, and it pressures more sites to take session security seriously, Firesheep won't have been a failure at all. But that's largely up to how you react. So don't waste the moment. Tell lazy Web service providers how you feel.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...