A Wolf in Firesheep's Clothing?

A new Firefox plugin makes it dangerous to use an open wireless network

View Comments (
)
|
Email
|
Print

    NEWSLETTERS

    AP

    For even web-savvy users, the best protection against hacking is the simple fact that hackers are rare.

    But a new Firefox plugin called Firesheep that launched last week vastly increased their number. And at the same time, it turns any open wireless network into an arena for mayhem.

    Firesheep is a plugin that allows people with zero hacking knowledge to access, update, and view other users' accounts and information on unsecured websites when those users share open WiFi networks -- a hack called "sidejacking."
     
    So users at the new free WiFi network in the Bloomingdale neighborhood of D.C., for example, could be susceptible to sidejacking. A person with Firesheep installed could see every other user browsing any one of 26 sites at the time -- a list including Facebook, Twitter, Gmail, Wordpress, Amazon and Yahoo.

    From there, a Firesheep-enabled hacker could update those accounts. The person sitting next to you at the coffeeshop, using the same network as you, could be sending email as you.
     
    There are limits to what Firesheep can hack. Most banking and financial transaction websites are secure (https://) and Firesheep users can't hack those. The login pages for websites like Google and Amazon are usually secured, too, and in any case, Firesheep users cannot very easily change someone's passwords without knowing the old ones.

    Open networks are rarer today than they were when sidejacking first appeared (in 2007), but cities and other municipalities (like Bloomingdale) still pursue them. Even still, some tools exist to turn open WiFi networks into safe ones. HTTPS Everywhere, a tool made by the Electronic Frontier Foundation, extends the secure SSL protocol for the login page to the entire browsing session. And Strict Transport Security (STS), though new and not yet available for all browsers, ensures secure connections when users try to access sites like Amazon.

    In the meantime, though, websites are doing surprisingly little to protect themselves. Security and privacy analyst Christopher Soghoian reported on Twitter that Microsoft, Yahoo and Facebook have not yet deployed defenses or warned their users about Firesheep -- despite the fact that nearly 500,000 people downloaded the plugin in one week.

    That means users must take steps to protect themselves. Firesheep takes sophisticated hacking tools and puts them in the hands of any user -- so users will need to become equally adept security admins.