Wednesday, October 27, 2010

Firesheep

There's a new Firefox plugin called Firesheep which helps people hack your social network accounts. Here's some information about what it does and how you can react to it.

What it does

Firesheep configures your network connection to monitor the traffic your neighbors are generating. In that traffic the plugin looks for the session "cookies" passed between their browser and the social networking site. Once it has captured a cookie, it implants that cookie into your own browser, and the site then treats you as the logged-in owner of their account. Social network sites which are vulnerable include Facebook and Twitter.

When are you vulnerable?

Although the plugin sounds pretty powerful, it's only dangerous in a particular environment - one in which your machine can see the network traffic of your neighbors (and they can see yours). So if you are connected to the network via an open WiFi hot spot, you can see the traffic of other people. If you're at work and the office WiFi uses an old security mechanism called WEP, then others can pretty easily see your network traffic; I don't think the current Firesheep plugin handles this case, but it wouldn't be too difficult to add.

Wired networks are pretty safe. Modern switches and routers only forward traffic to the port it is addressed to, which keeps you from seeing the traffic of other machines on the network, even on your local network segment.

What can you do to be safe?

  • Contact your social network vendor and insist they encrypt your entire session (not just the login sequence) via SSL. Google has already configured Gmail to do this by default. And then while you're waiting:
  • Don't connect to your social networking site over public networks. Don't use Twitter or Facebook at a coffee shop, or frankly even on your phone, unless you don't mind someone having access to your account. Make sure your WiFi at home has a WPA2 password configured.
  • Don't let it matter. Make sure no other sites trust your credentials from your social networking site; this is an issue if you log in to other sites with OpenID and those sites trust your social network identity. Also make sure you wouldn't mind losing anything stored in that account: items or value built up in a game or other application, email or photographs kept there, and so on.
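The first item above is the fix that actually removes the problem: if the session cookie can only ever travel over an encrypted connection, there is nothing on the open WiFi for Firesheep to pick up. The following is an added example, not code from Firesheep or from any of the sites named here; it audits a site's own response headers for the two things that make the whole-session-over-SSL promise hold up: the Secure attribute on the session cookie (so the browser never sends it over plain http://) and a Strict-Transport-Security header (so the browser stops making plain http:// requests at all). The sample responses are constructed, and the rule that treats cookie names containing "sess", "sid", "auth", "token" or "login" as session cookies is a heuristic assumed by this example.

```python
"""Audit response headers for the condition Firesheep relies on: a
session cookie that the browser will also send over unencrypted HTTP.

Added example for this post; not Firesheep code and not code from any
site it targets. The sample responses below are constructed."""

from dataclasses import dataclass
from typing import List, Tuple

# Heuristic (an assumption of this example): a cookie whose name contains
# one of these fragments is treated as a session/authentication cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieInfo:
    name: str
    secure: bool        # Secure: browser sends it over HTTPS only
    httponly: bool      # HttpOnly: not readable by page scripts
    session_like: bool  # matched SESSION_NAME_HINTS


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse a Set-Cookie header value into the attributes that matter here.

    Only the cookie name and the presence of attribute keywords are needed,
    so a split on ';' is enough; attribute values (Path=/, Expires=...) are
    ignored."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return CookieInfo(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        session_like=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings for one response's (name, value) headers.

    An empty list means the site gives the browser no cookie that could
    later be sent in cleartext, and tells it never to use plain http://."""
    findings = []
    hsts_present = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts_present = True
        elif lname == "set-cookie":
            c = parse_set_cookie(value)
            if c.session_like and not c.secure:
                findings.append(
                    f"HIGH: session cookie '{c.name}' lacks Secure; "
                    f"the browser will send it in cleartext over http://")
            elif not c.secure:
                findings.append(f"LOW: cookie '{c.name}' lacks Secure")
    if not hsts_present:
        findings.append(
            "MEDIUM: no Strict-Transport-Security header; the browser may "
            "still make a plain http:// request and expose non-Secure cookies")
    return findings


# Constructed: a site that encrypts only the login page and then hands
# out a session cookie the browser will happily send over plain HTTP.
VULNERABLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed: the same site after making the whole session SSL-only.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS),
                        ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run against a real site you operate by feeding it the header list from a logged-in response; the vulnerable sample produces a HIGH finding for the session cookie plus the missing-HSTS finding, and the hardened sample produces none. The HttpOnly attribute is parsed but not reported on, because it protects against a different problem (script access to the cookie) and does nothing against a sniffer on the same network.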
