A developer named Eric Butler has released a new Firefox extension called Firesheep, the Telegraph reported yesterday. Firesheep has one purpose only – to allow users to steal account information from users who are browsing unencrypted websites over unsecured Wi-Fi networks.
Firesheep is a proof-of-concept extension that Mr. Butler hopes will cause a little bit of panic and force users and website owners to think more about online security. Firesheep works like this – when a user opens Firefox and browses the Internet on an unsecured Wi-Fi network at, say, a cafe, the extension can sniff out the browsing sessions of other users on the same network. Using the data obtained from those sessions, the extension lets the user who captured the information log in as those other users and steal their information. Firesheep exploits the exact same loopholes as Google did when it ‘accidentally’ mined data with its Street View cars.
Developers and users seem to be getting lazy when it comes to ensuring security on websites and gaining access on unsecured Wi-Fi networks. This is a gross generalisation to be sure, but there do seem to be more and more stories about private information being obtained, from easily accessed Wi-Fi networks to intelligent data mining through online advertising. The bottom line is that we need to make sure that we access our sensitive information on secured networks through known providers with strong security policies. If you have any worries, though, you can always try installing an extra level of personal encryption.
Useful info and I have set up 'HTTPS Everywhere' in my browser ... only problem is that 'bigbrotherwatch' isn't (yet?) compatible!
Posted by: vervet | 26/10/2010 at 11:36 AM
I propose a vote of thanks to Mr Butler for making it abundantly clear how easy it is to monitor & hijack sessions on insecure networks and to Google for inadvertently publicising just how widespread such networks are.
Such things are not news to any moderately security-aware IT person and are most certainly not news to any malicious hacker. The hackers rely on the ignorance of their victims and anything that reduces that ignorance is a good thing.
Whilst I'm sure HTTPS Everywhere is a useful addon it can only enforce encrypted sessions where the server at the other end already provides for encryption.
Posted by: keith | 26/10/2010 at 12:20 PM