Firesheep plug-in underscores risk of Wi-Fi sidejacking

November 10th, 2010

Firesheep — a month-old Firefox plugin that anyone can use to sidejack your free Wi-Fi session — is gaining attention in tech security circles.

Any time you use a free public Wi-Fi hookup — such as those you find at Starbucks and many airports — you face an imminent risk of having someone sitting nearby commandeer your session. That’s because most free Wi-Fi hookups are unencrypted.

Sidejacking has been around since at least 2007. It’s considered an obscure attack vector. However, no one we know of has yet done a comprehensive study to measure how often sidejacking actually takes place.

Firesheep was unveiled on Oct. 25 by Eric Butler, a Seattle-based Web application software developer and researcher. Good guy researchers like Butler are referred to as white hats. White hats try to beat black hats — bad guy hackers — to the punch finding fresh security flaws. White hats release their findings to start public discussions. Their goal is to prompt quick fixes and thus do their small part to improve overall security.

Sometimes the new flaw exposed by the white hat creates widespread hacking opportunities. That’s when black hat hackers race to take advantage before fixes get made. That’s precisely the concern with Firesheep. An intruder sitting nearby can use Firesheep to silently take over your Facebook session, gain access to all of your sensitive data, and send viral messages and wall posts to all of your friends.

On Monday, security firm Zscaler posted detailed instructions for detecting Firesheep and released a plug-in called BlackSheep designed to warn you if someone is using Firesheep in close proximity. But BlackSheep has its limitations — it does nothing to warn you about other sidejacking programs someone might be using nearby.

Most sidejacking tools are home-made network sniffers, says Julien Sobrier, senior security researcher at Zscaler. Such tools can be created rather easily using another free tool called Wireshark.

Firesheep is a bit more worrisome because it makes it child’s play “for script-kiddies, or even curious people, to try session hijacking,” says Sobrier. “I’ve seen numerous reports of people who’ve tried Firesheep just for fun, to just put funny comments on somebody’s profile.”

Cybercriminals are nothing if not alert to new attack vectors. “Hijacked accounts are already being sold,” says Sobrier. “It is now even easier to spend a day going from coffee shop to coffee shop gathering new accounts, and selling them at the end of the day.”

Chester Wisniewski, Senior Security Advisor at Sophos, agrees. He says Firesheep is “dead simple to install and use, only a simple point and click to acquire other people’s online identity.”

In general, you should assume anything you type over unencrypted Wi-Fi is vulnerable to interception. “Always use a VPN when you must authenticate or communicate privately,” says Wisniewski. “Firesheep has 100,000’s of downloads so there is a good chance someone may be watching.”

Wisniewski has put out a call for Starbucks, and all other entities that generously supply free public Wi-Fi connections, to encrypt their sessions and require patrons to type a simple password to get online. My local pizza store, That’s A Some Pizza, here in sleepy Kingston, Wash., does just that. The password to use their free Wi-Fi, which I’ve done when power goes out at my home office, is “awesomepizza.”

It really doesn’t matter what the password is or who knows it. Wisniewski suggests that Starbucks use the password “free.” This is because modern Wi-Fi systems set unique encryption keys for every computer that connects to them. “This means you and I cannot spy on one another’s traffic even when sharing access on the same access point,” he says.

By Byron Acohido