The programme, called Firesheep, was created by Eric Butler in an attempt to highlight how easy it is to hack into websites such as these using the simplest of software.
Butler said on his website: “It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. My hope is that Firesheep will help the users win.”
The Firesheep add-on effectively simplifies the process of hacking into someone’s account but only works with certain websites. “The Firesheep tool enables script kiddies and wannabe newbie hackers to sidejack a user’s authenticated session with web servers run by many household named services. It is a well known problem that with many websites only the authentication information may be sent through SSL. Once a user has logged into the site, the session may revert to vanilla HTTP. For example this is the case for Facebook and Twitter – two of the web’s most popular sites,” Hon Lau, senior security response manager – Dublin, Symantec explains to AMEinfo.com.
“One possible reason why these sites behave the way they do may be because supporting full SSL sessions all the time for a large number of users can tax the server hardware which leads to more cost for the service providers. Heavy use of SSL also taxes the client PC too as now the client browser has more work to do each time anything is sent/received from the browser,” he adds.
Security experts have urged users to be cautious when using any type of WiFi service. “No matter of the type of the public WiFi service, encrypted or not, the users are exposed to all sorts of dangers, but mainly information leaks and sessions hijacking,” Costin G. Raiu, director, Global Research and Analysis Team, Kaspersky Labs, tells AMEinfo.com.
“Information hijacking has been with us for quite a while and a lot of tools have been made available freely to assist the attackers. Session hijacking on the other side is a bit newer. Both these attacks can be easily made obsolete through the use of a VPN connection. These can be either to your company network, or, by installing a computer at home and tunneling all the traffic through there,” he adds.
Users should also look to ensure that HTTPS is enabled for as many websites as possible, as these are more secure. Raiu explains that Gmail is one example where HTTPS can be turned on via the settings panel, while the Noscript Firefox plug in can force HTTPS connections for some websites.
The dangers associated with someone hacking into a social networking account are severe, as an attacker can quite easily take over someone’s identity. “This can be leveraged into infecting more users by spamming malicious links, spamvertising, blackmailing the user or accessing confidential information. At the moment, there are a number of viruses that spread through social networks by posting infected messages and their number has been growing steadily during the past year. Coupled with this new attack, this could result in a surge of new threats targeting social networks,” reveals Raiu.
However, despite the recent attention drawn to the Firesheep tool, Lau doesn’t believe this is something which should be overplayed, as it doesn’t affect the sites which really hold our critical information.
“Let’s not get too carried away with the hype on FireSheep. While the risks of anybody actually getting their session compromised in this manner has gone up a notch or two, the odds of this actually happening to any single individual is still very small. What’s more, practice of usual WiFi related security hygiene will go a long way towards reducing this risk close to zero.”
“For the likes of Facebook and Twitter, it could be argued that the data being sent and the sessions even if they are hijacked are of limited value and are not immediately detrimental to your health or your wealth. On the other hand you’d want to make sure that your bank, stock broker or online shop uses SSL throughout the session, otherwise you may want to consider taking your business elsewhere,” Lau concludes.
Thursday, October 28- 2010 @ 15:33 UAE local time (GMT+4) Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of Mediaquest FZ LLC.