How to protect against Firesheep attacks
Experts suggest
defensive measures to ward off Firefox add-on's hijacking of Facebook, Twitter
sessions via Wi-Fi
Computerworld - Security experts today suggested ways users can protect
themselves against Firesheep, the new Firefox browser add-on that lets amateurs
hijack users' access to Facebook, Twitter and other popular services.
Firesheep adds a sidebar to Mozilla's Firefox browser that shows
when anyone on an open network -- such as a coffee shop's Wi-Fi network --
visits an insecure site.
A simple double-click gives a hacker instant
access to logged-on sites ranging from Twitter and Facebook to bit.ly and
Flickr.
Since researcher Eric Butler released Firesheep on Sunday, the
add-on has been downloaded nearly 220,000 times.
"I was in a Peet's Coffee today, and someone was using
Firesheep," said Andrew Storms, director of security operations at San
Francisco-based nCircle Security. "There were only 10 people in there, and
one was using it!"
But users aren't defenseless, Storms and several other experts
maintained.
However, Ian Gallagher, a senior security engineer with Security
Innovation, argued that tosses out the baby with the bathwater. Gallagher is
one of the two researchers who debuted Firesheep last weekend at a San Diego
conference.
"While open Wi-Fi is the prime proving
ground for Firesheep, it's not the problem," Gallagher said in a blog post earlier on Tuesday. "This isn't a vulnerability in
Wi-Fi, it's the lack of security from the sites you're using."
Free, open Wi-Fi is not only taken for granted by many, but it's
not the problem. There are plenty of low-risk activities one can do on the
Internet at a public hotspot, including reading news or looking up the address
of a nearby eatery.
So if Wi-Fi stays, what's a user to do?
The best defense, said Chet Wisniewski, a senior security
adviser at antivirus vendor Sophos, is to use a VPN (virtual private network)
when connecting to public Wi-Fi networks at an airport or coffee shop, for
example.
While many business workers use a VPN to connect to their office
network while they're on the road, consumers typically lack that secure
"tunnel" to the Internet.
"But there are some VPN services that you can subscribe to
for $5 to $10 month that will prevent someone running Firesheep from
'sidejacking' your sessions," Wisniewski said.
A VPN encrypts all traffic
between a computer -- a laptop at the airport gate, for instance -- and the
Internet in general, including the sites vulnerable to Firesheep hijacking.
"It's as good a solution as there is," Wisniewski said, "and no
different, really, than using encrypted Wi-Fi."
One
provider, Strong VPN,
prices its service starting at $7 per month or $55 per year.
Gallagher, however, warned
that a VPN isn't a total solution. "That's just pushing the problem to
that VPN or SSH endpoint," he said. "Your traffic will then leave
that server just as it would when it was leaving your laptop, so anyone running
Firesheep or other tools could access your data in the same way."
"A blind suggestion of
'use a VPN' doesn't really solve the problem and may just provide a false sense
of security," he said.
Strong VPN disagreed.
"Our servers are in a secure datacenter, so no one's going to be able to
'sniff' the traffic coming in or going out," a company spokesman
countered. "All the traffic from, for example, your laptop in San
Francisco, is encrypted when it goes to one of our U.S. servers."
Storms echoed Strong VPN's
assertion. "I can see [Gallagher's point], that a VPN doesn't solve the
root problem, which is on the service end," he said. "But although
it's true that the traffic would be clear text when it leaves the VPN server
for the site, it's very unlikely that someone would snoop that traffic."
Sean
Sullivan, a security advisor with F-Secure, recommended Comodo'sTrustConnect as "a VPN in all but name
only." Comodo, a rival of F-Secure, sells the service for $7 per month or
$50 annually.
If free is the object,
there are options there, too, said Wisniewski, Sullivan and Gallagher, who
pointed to a pair of free Firefox add-ons that force the browser to use an
encrypted connection when it accesses certain sites.
One
of those Firefox add-ons, HTTPS-Everywhere,
provided by the Electronic Frontier Foundation (EFF), only works with a defined
list of sites, including Twitter, Facebook, PayPal and Google's
search engine.
The
other choice, Force-TLS,
serves the same purpose as the EFF's extension, but lets users specify which
sites on which to enforce encryption.
However,
other browsers, such as Microsoft's
Internet Explorer and Google's Chrome, lack similar add-ons, leaving their
users out in the cold.
"I expect that
[Firesheep] will spur the EFF or others, maybe in the open source community, to
some additional development [of such add-ons], maybe Chrome ports of those
extensions," Sullivan said.
That could take months. In
the meantime, Sullivan had another idea. "A MiFi device can encrypt
[traffic], so with one you're always carrying your own Wi-Fi hotspot with
you," he said.
MiFi isn't cheap, however.
Verizon, for example, gives away the hardware but charges between $40 and $60
per month for the access to its 3G network.
Ultimately, moves users
make to plug the holes Firesheep exposes are stop-gaps. The elephant in the
room, said Butler and Gallagher as they defended the release of the add-on, is
the lack of full encryption. And only the sites and services can fix that.
"The real story here
is not the success of Firesheep but the fact that something like it is even
possible," Butler wrote in his blog on Tuesday. "Going forward, the
metric of Firesheep's success will quickly change from amount of attention it
gains, to the number of sites that adopt proper security. True success will be
when Firesheep no longer works at all."
But
for the moment, even security professionals are worried. "I'm at the
airport right now," Wisniewski told Computerworld. "And I'm wondering if someone is
using Firesheep here. Maybe I should do a little 'shoulder browsing' to see if
anyone has it running."
