If you guys haven't heard of Firesheep yet, you should look into it.  It's a
Firefox plug-in that was released at the ToorCon security conference last
week.  If you go to an open WiFi hotspot, Firesheep will show you a list of
all the people around you who are using various Net 2.0 sites (Facebook,
Twitpic, Basecamp, etc) and allow you to hijack their login credentials with
a double-click.  It works because many of these Net 2.0 sites/services use
cookies sent over HTTP for user authentication.  Intercepting these cookies
that are sent in the clear has been fairly trivial for any decent hacker for
years, and this extension just put a very public face on it.

This is a good thing for security, because it is getting a huge amount of
attention in the media and it will force all these sites to start using
https for all their sessions.  And that will bring about a huge increase in
security.

For those of you with friends/family who rely on you for computer advice, I
would do a demonstration of Firesheep for them to show them exactly what the
problem is with internet security and privacy.  I would also suggest you
head over to your local coffee shop or wherever that currently runs an open
WiFi hotspot and do a demo for them.  Tell them all they have to do is turn
on WPA encryption and then hang a sign over the counter with the password.
It doesn't matter that everyone shares the same WPA password - the WPA
protocol encrypts each connection separately.  The passphrase is only used
to initiate the connection; after that each client negotiates their own key
with the server.

More info:
http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/
http://www.twit.tv/sn272

You can get Firesheep here:
http://codebutler.github.com/firesheep/

Slides from the ToorCon talk:
http://codebutler.github.com/firesheep/tc12/#1

Info on a Firefox extension that can protect you (it forces TLS
connections):
http://techcrunch.com/2010/10/25/firesheep/


---------------------------
Brian Weeden
Technical Advisor
Secure World Foundation <http://www.secureworldfoundation.org>
+1 (514) 466-2756 Canada
+1 (202) 683-8534 US

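The sidejacking the post describes, as an added example that is not part of the original message and not Firesheep's own code: a parser that pulls session cookies out of a plaintext HTTP capture the way a Firesheep-style tool does, next to an auditor that checks a Set-Cookie header for the flags that stop the attack. The capture text, the hostnames (social.example, photos.example, cdn.example), the cookie values and the list of session-cookie names are all constructed for the example.

```python
"""Session-cookie sidejacking, illustrated (added example; not Firesheep's code).

Two pieces: a parser that pulls session cookies out of a plaintext HTTP
capture the way a Firesheep-style tool does, and an auditor that checks
Set-Cookie headers for the flags that stop the attack. The capture text,
hostnames, cookie values and cookie names below are constructed.
"""
from typing import Dict, List, Tuple

# Cookie names a sidejacking tool would treat as session identifiers.
# Constructed list; a real tool ships per-site handlers instead.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID", "sid", "_session"}

# Constructed capture: three HTTP requests as they would appear on the wire
# over an open hotspot. Requests over HTTPS are not visible this way at all.
SAMPLE_CAPTURE = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sessionid=d41d8cd98f00b204; theme=dark\r\n"
    "\r\n"
    "GET /api/timeline HTTP/1.1\r\n"
    "Host: photos.example\r\n"
    "Cookie: PHPSESSID=7e5c1a2b9f; lang=en\r\n"
    "\r\n"
    "GET /static/logo.png HTTP/1.1\r\n"
    "Host: cdn.example\r\n"
    "\r\n"
)


def split_requests(capture: str) -> List[str]:
    """Split a plaintext capture into individual request header blocks."""
    return [r for r in capture.split("\r\n\r\n") if r.strip()]


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Parse a Cookie header value such as 'a=1; b=2' into a dict."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            out[name] = value
    return out


def extract_session_cookies(capture: str) -> List[Tuple[str, str, str]]:
    """Return (host, cookie_name, value) for every session cookie seen in the clear."""
    found: List[Tuple[str, str, str]] = []
    for req in split_requests(capture):
        host = None
        cookies: Dict[str, str] = {}
        for line in req.split("\r\n")[1:]:          # skip the request line
            name, _, value = line.partition(":")
            if name.lower() == "host":
                host = value.strip()
            elif name.lower() == "cookie":
                cookies = parse_cookies(value.strip())
        for cname, cvalue in cookies.items():
            if host and cname in SESSION_COOKIE_NAMES:
                found.append((host, cname, cvalue))
    return found


def replay_header(host: str, name: str, value: str) -> str:
    """The headers an attacker sends to impersonate the victim: no password needed."""
    return f"Host: {host}\r\nCookie: {name}={value}"


def audit_set_cookie(header_value: str) -> List[str]:
    """Report missing protections on a Set-Cookie header value.

    'Secure' stops the browser from ever sending the cookie over plain HTTP,
    which is the direct fix for sidejacking; 'HttpOnly' keeps page script
    from reading it.
    """
    attrs = {p.strip().split("=", 1)[0].lower() for p in header_value.split(";")[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: cookie readable by page script")
    return problems


# The weak form is what the sites in the post were doing; the hardened form
# only helps if the site actually serves the session over HTTPS.
WEAK = "sessionid=d41d8cd98f00b204; Path=/"
HARDENED = "sessionid=d41d8cd98f00b204; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for host, name, value in extract_session_cookies(SAMPLE_CAPTURE):
        print(f"{host}: {name} captured; replay with\n  {replay_header(host, name, value)!r}")
    print("weak:", audit_set_cookie(WEAK))
    print("hardened:", audit_set_cookie(HARDENED))
```

Run as-is and it lists the two session cookies from the constructed capture (the cdn.example request carries none) and flags the weak Set-Cookie while passing the hardened one. Note that the Secure flag alone is not enough: a site that sets it but still serves pages over HTTP will simply stop receiving the cookie, so the real fix is what the post argues for, moving the whole session to HTTPS and then marking the cookie Secure.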