
Hacking For Dummies. Literally.

I haven't complained about Firefox since the socket exploit that took down a bunch of IRC servers.  But now, there's a bigger problem, one that affects everyone, not just servers.  There's a Firefox extension called Firesheep.  It uses a sniffer to detect unencrypted cookies over wifi networks, then displays a list of them in a sidebar.  All the hacker has to do is double-click whichever identity, and they gain the log-in privileges of whoever it belongs to and can access their accounts.  In other words, you don't have to know shit about computers to make this work.  And if you do know anything about computers, extending this with JavaScript is so easy, it's criminal.  This was initially for Facebook and Twitter, but because the code is open source (it was released as a proof of concept and others have run with it), there are now variants that target all kinds of web sites.  Over 80K downloads, and it hasn't even been a week.

What is Mozilla doing?  Nothing.  According to them, it does not utilize any security vulnerabilities in Firefox itself.  Admittedly, I'm not sure there's much they can do; the source code is out there.  But still, they aren't showing any concern.

Which means it's up to us to protect ourselves.

How can you defend against this?  Use wired connections as much as possible.  Out and about?  If you can't use a Virtual Private Network or can't rent one, you could either use MiFi or INSIST on Transport Layer Security (TLS), Secure Sockets Layer (SSL), or both over HTTP (HTTPS).  MiFi turns a 3G or 4G connection on your own mobile device into your own wifi AP (Access Point), but given how expensive data plans are, if you can afford this, you can probably afford your own VPN anyway, and if too many do it, it could bog down the cellular broadband, as iPhone owners know too well.

But, Peter, some of you are asking, many sites authenticate you securely, but then your regular traffic is unencrypted and can be intercepted.  How can we possibly prevent this from happening?  I'm glad you asked!  There are at least three Firefox extensions that will force sites to keep you secure instead of dumping you to an unencrypted stream.  I would personally recommend HTTPS Everywhere.  Why?  Because it's endorsed and hosted by those fine, upstanding folks at the Electronic Frontier Foundation.  In other words, this is the real shit.  Another alternative is Force TLS, an add-on hosted at Mozilla.  What's that?  You want something broader than that?  Here ya go, NoScript.  These three are the cream of the crop and will keep Firesheep users at bay.

We must look out for each other.


( 2 comments — Leave a comment )
Nov. 1st, 2010 02:16 am (UTC)
Are Safari users safe or can iPad/iMac/iPhone users defend themselves?
Nov. 1st, 2010 10:42 am (UTC)
As far as the extensions go, no. The extensions only work with Firefox. But as long as you are using the secure log-ins and watching what you send over unencrypted connections, you SHOULD be fine. LJ, for example, has a secure log-in, you just have to jump through a hoop to get to it.

For the Mac specifically, there are programs that let you create an SSL tunnel. Meerkat is $20, and the programmer behind it is highly recommended for knowing his stuff and answering questions. He even has a page on his site specifically dealing with Firesheep.


There's also Slinkware, which, for $25 for two licenses, turns your home Mac into an access port. I don't know how well it works, but it also comes highly recommended.