Thursday, October 28, 2010

Ghosts? Goblins? Pssh. This is REALLY scary [repost]

I've debated for several days now about whether and how to discuss this, and I've decided that a demonstration of how vulnerable popular websites are to hacking may be the best thing.

It is common knowledge among internet security professionals, and many savvy users, that the most popular websites - Facebook, Twitter, Flickr, etc. - are especially vulnerable because they do not force secure sessions. Basically what happens is that your initial login is encrypted, but the session cookie the site hands back is then sent with every later request, often over unencrypted HTTP. If you are connecting to the service through an open, unsecured WiFi network, it's like shouting your ATM PIN across the cafeteria.
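The weakness described above is a server-side configuration problem: a session cookie issued after an HTTPS login that is not marked Secure will also be sent over plain HTTP, where anyone on the same open network can read it. The following is an added example (not code from the post or from Firesheep) that audits a server's response headers for exactly that: it parses Set-Cookie values, flags session-looking cookies that lack the Secure or HttpOnly attributes, and checks whether the site forces HTTPS via Strict-Transport-Security. The two response samples are constructed, and the name-based guess at which cookies carry a session (SESSION_HINTS) is an assumption, not a standard.

```python
"""Audit HTTP response headers for the "unforced secure session" weakness.

Added example; the responses below are constructed, not captured from any
real site. A cookie without the Secure attribute is sent over plain HTTP as
well as HTTPS, which is what lets an open-WiFi sniffer pick it up.
"""

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure
    return name, attrs


# Assumption: cookies whose names contain these fragments hold a login session.
SESSION_HINTS = ("sess", "sid", "auth", "login", "token")


def audit_cookie(header_value):
    """Return a CookieAudit with a finding for each missing protection."""
    name, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    http_only = "httponly" in attrs
    looks_like_session = any(hint in name.lower() for hint in SESSION_HINTS)
    findings = []
    if looks_like_session and not secure:
        findings.append("session cookie lacks Secure: also sent over plain HTTP")
    if looks_like_session and not http_only:
        findings.append("session cookie lacks HttpOnly: readable by page scripts")
    return CookieAudit(name, secure, http_only, findings)


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as the server sent them.

    Returns (list of CookieAudit, bool: HSTS header present).
    """
    cookies = [audit_cookie(v) for h, v in headers if h.lower() == "set-cookie"]
    hsts = any(h.lower() == "strict-transport-security" for h, _ in headers)
    return cookies, hsts


# Constructed samples: the weak pattern the post describes, beside a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        cookies, hsts = audit_response_headers(response)
        print(f"{label}: HSTS={hsts}")
        for c in cookies:
            print(f"  {c.name}: Secure={c.secure} HttpOnly={c.http_only} {c.findings}")
```

Run against the weak sample it reports the session cookie as missing both attributes and no HSTS header; against the hardened sample it reports nothing. Marking the cookie Secure is what stops the browser from ever sending it in the clear; HSTS additionally keeps the browser from making the plain-HTTP request in the first place.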

To demonstrate how easily this information can be snagged from the air, Eric Butler developed a "demonstration" application called "Firesheep." The Firefox plug-in takes only a minute or so to download and install, and then you are a hacker. No pesky terminal code or anything to worry about.

I have installed Firesheep on my desktop computer, which normally does not use WiFi, and I will be capturing my own accounts. Otherwise, what I am about to do technically violates the terms of service of about every service I am using. Be it known, though, that I am capturing only my own account data, and only for demonstration purposes.

Here is what Firesheep looks like when installed:

Now, I am going to connect my iPad to the same unsecured WiFi network ("Open Edison") and connect to my Facebook account using the Safari Mobile web browser (more about this in a minute). Here goes...

Pop. Almost instantly my account name and service appear. It even shows my profile picture.

If I double-click the entry in the Firesheep pane, I am instantly logged into Facebook using those credentials. From there I have complete account access.

Logging into other services adds them to the Firesheep pane:

And presumably they will stay there as long as I want them. There is no warning from any of the services that my account has been "hacked," because as far as they know, I am the owner of the accounts and nothing is amiss.

Now, interestingly, a few experiments show that logging onto those same services on the same unsecured network, but using an iPad app rather than the generic web browser, hides the account session cookie from Firesheep. For example, if I use the "Facebook app," Firesheep detects the account, because it is just a web app and launches the Safari Mobile browser. But connecting to my Facebook stream through Flipboard hides the session from Firesheep. And on a secured WiFi network (basically one that you have to log into) Firesheep is unable to detect the account cookies.

I'm not sharing this to turn you all into hackers. I'm doing it to make you think about how and where you use your online accounts. While Firesheep comes preloaded with scripts for detecting about a dozen of the most popular web services, "developers" can write their own (again, presumably to test the security of their own services, but then who knows?).

For more about Firesheep and a discussion about implications of web security go to Eric Butler's website http://codebutler.com/firesheep.
