New Tool, FireSheep, Lays Open Web 2.0 Insecurity
The browser plug-in offers one-click session hijacking for popular social networking apps. Its creators call for better session security.
It’s no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What’s less clear is how much information is floating out there in the ether, especially with the rise of “Web 2.0” and rich social networking applications and other Web-based sharing tools.
But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature.
Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP.
The researchers, Ian Gallagher of Security Innovation in Seattle, Washington, and Eric Butler, an independent security consultant, also of Seattle, demonstrated Firesheep before an audience at ToorCon on Sunday: surveying and then hijacking audience members’ Facebook and iGoogle sessions. They warned that, without wider use of secure transaction tools for end-to-end Web encryption like SSL, more users were likely to fall victim to such attacks.
The problem isn’t new, Butler said, but has been the “elephant in the room” since the birth of the Web and the HTTP protocol that is its lingua franca. Technologies like virtual private networking (VPN) tools can help deter snooping, but they don’t provide end-to-end encryption of Web sessions and, thus, just “move the problem around,” Butler said.
Concerns about the ability to scale session encryption to the level needed to support traffic on massive social networks like Facebook are a likely obstacle, but both Gallagher and Butler argued that security and scalability can both be achieved. Search giant Google implemented SSL for its Gmail Web-based e-mail service without any noticeable change in service and without having to deploy massive new infrastructure to support it, the two noted. Other Web mail and software-as-a-service vendors should do the same.
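The weakness Firesheep demonstrates is a session cookie that a browser will send over plain HTTP, where anyone on the same open wireless network can read it. As an added example (not code from the article or from the Firesheep project), the audit below parses Set-Cookie headers and flags session cookies that are either issued over plain HTTP or lack the Secure attribute; the sample headers and the session-name hints are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies that can travel in the clear."""
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real service).
# The first mirrors the Firesheep-era pattern: the session cookie is set
# without the Secure attribute, so the browser resends it on every HTTP request.
INSECURE_HEADERS = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
SECURE_HEADERS = [
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

# Substrings that usually mark an authenticated-session cookie (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(headers, served_over_https):
    """Return a list of findings for session cookies exposed to sniffing.

    headers: raw "Name: value" header lines from one HTTP response.
    served_over_https: whether that response itself arrived over TLS.
    """
    findings = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())  # parses cookie name, value and attributes
        for cookie_name, morsel in jar.items():
            if not any(h in cookie_name.lower() for h in SESSION_NAME_HINTS):
                continue  # preference cookies are not what a hijacker needs
            if not served_over_https:
                findings.append(f"{cookie_name}: issued over plain HTTP, value already exposed")
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: missing Secure attribute, browser will resend it over HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(INSECURE_HEADERS, served_over_https=False):
        print("FINDING:", finding)
    print("secure sample:", audit_set_cookie(SECURE_HEADERS, served_over_https=True))
```

A site that sets its session cookie correctly but still serves content over HTTP fails the first check on that response, which is the end-to-end point Butler and Gallagher make about VPNs and partial SSL.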
The two posted a version of the Firesheep tool for Mac OS X and Windows for download (http://github.com/codebutler/firesheep/downloads) and encouraged others to download and try it out. The tool is also extensible, allowing users to add additional Web services to those detected by Firesheep with a few lines of JavaScript.

Categories: Web Security
