Peter G (sinetimore) wrote,

Hacking For Dummies. Literally.

I haven't complained about Firefox since the socket exploit that took down a bunch of IRC servers.  But now, there's a bigger problem, one that affects everyone, not just servers.  There's a Firefox extension called Firesheep.  What it does is it uses a sniffer to detect unencrypted cookies over wifi networks.  It then displays a list of them on a sidebar.  All the hacker has to do is double-click whichever identity, and they gain the log-in privileges of whoever and can access their accounts.  In other words, you don't have to know shit about computers to make this work.  And if you do know anything about computers, extending this with JavaScript is so easy, it's criminal.  This was initially for Facebook and Twitter, but because the code is open source (it was released as a proof of concept and others have run with it), there are now variants that target all kinds of web sites.  Over 80K downloads, and it hasn't even been a week.

What is Mozilla doing?  Nothing.  According to them, it does not utilize any security vulnerabilities in Firefox itself.  Admittedly, I'm not sure there's much they can do, the source code is out there, but still, they aren't showing any concern.

Which means it's up to us to protect ourselves.

How can you defend against this?  Wired connections as much as possible.  Out and about?  If you can't use a Virtual Private Network or can't rent one, you could either use MiFi (turns a 3G or 4G connection on your own mobile device into your own wifi AP (Access Point), but given how expensive data plans are, if you can afford this, you can probably afford your own VPN anyway, and if too many do it, it could bog down the cellular broadband, as iPhone owners know too well) or INSIST on Transport Layer Security (TLS), Secure Sockets Layer (SSL), or both over HTTP (HTTPS).

But, Peter, some of you are asking, many sites authenticate you securely, but then your regular traffic is unencrypted and can be intercepted.  How can we possibly prevent this from happening?  I'm glad you asked!  There are at least three Firefox extensions that will force sites to keep you secure instead of dumping you to an unencrypted stream.  I would personally recommend HTTPS Everywhere.  Why?  Because it's endorsed and hosted by those fine, upstanding folks at the Electronic Frontier Foundation.  In other words, this is the real shit.  Another alternative is Force TLS, an add-on hosted at Mozilla.  What's that?  You want something broader than that?  Here ya go, NoScript.  These three are the cream of the crop and will keep Firesheep users at bay.
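The gap described above (secure login, then session cookies travelling over an unencrypted stream) is visible in a site's own response headers. The following Python check is an added example, not part of the original post: it flags cookies set without the `Secure` attribute and HTTPS responses without a `Strict-Transport-Security` header. The function names, URLs and header values are constructed for illustration.

```python
# Added example: audit response headers for cookies a Wi-Fi sniffer could read.
# All URLs and header values below are constructed samples, not captured traffic.

def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part}
    return name, attrs

def audit_response(url, headers):
    """headers: list of (name, value) pairs from a single HTTP response."""
    findings = []
    https = url.lower().startswith("https://")
    header_names = [name.lower() for name, _ in headers]
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not https:
            # The cookie is already crossing the network in cleartext.
            findings.append(f"{cookie}: set over plain HTTP, readable on the wire")
        elif "secure" not in attrs:
            # Without Secure the browser attaches it to http:// requests too.
            findings.append(f"{cookie}: no Secure attribute, also sent over http://")
    if https and "strict-transport-security" not in header_names:
        # Without HSTS a later visit can still begin over unencrypted HTTP.
        findings.append("no Strict-Transport-Security header")
    return findings

SAMPLES = [
    ("https://login.example.test/session", [
        ("Set-Cookie", "sid=constructed123; Path=/; HttpOnly"),
        ("Content-Type", "text/html"),
    ]),
    ("http://www.example.test/home", [
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
    ("https://secure.example.test/", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=constructed456; Path=/; Secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```
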

We must look out for each other.
Tags: computers, foss, important life lessons, technology is a beautiful thing