This week the Chupacabra mystery was exposed as being a mangy coyote that attacks goats. But there is another, scarier creature out there which is frightening herds of innocent sheep on internet sites such as Facebook and Twitter: Firesheep.
It is a new extension from Mozilla in which you can hack into your friends' Twitter and Facebook accounts. This is done by a replay attack in which information is intercepted and retransmitted. In the case of Firesheep, cookies are stolen in real time from Internet surfers browsing on the same public WiFi network. As the Internet surfers log into Facebook, Twitter or even email accounts, Firesheep will stream links with their passwords and enable a real time log in. And it doesn’t really matter if the cookies are encrypted or not. Some users report that Firesheep will attack them regardless.
Freelance programmer Eric Butler, who created Firesheep, believes that the add-on program will expose security flaws in social networking sites. A Computer World blogger put it to the test and proudly hacked into a colleague's account. So far the program has been downloaded close to 380,000 times by users.
Is this program legal?
According to an interview with John DeMarco, former assistant U.S. attorney for the Southern District of New York and founder of the Computer Hacking and Intellectual Property (CHIPs) Program, it might not be legal to data tap your neighbor.
“The actual use of Firesheep may or may not be unlawful, depending on the facts. For example, many system administrators may have legitimate reasons to use the software,” says DeMarco. “However, individuals who use the extension to access the accounts of others without those persons’ knowledge or consent are almost certainly violating the computer trespass provisions of the Computer Fraud and Abuse Act and are also potentially engaging in an unlawful data tap.”
At this time, Mozilla has not banned Firesheep, although it has the ability to blacklist add-ons; this is usually reserved for those that cause web crashes. Most add-ons with security problems were called out by Microsoft, which requested that they be blocked.
How can you protect yourself from Firesheep?
- Use https:// everywhere instead of http:// to safeguard yourself. This is not an entirely perfect system, since you might run into the encrypted cookie issue.
- Tech Crunch’s Steve Manuel recommends using Force TLS, another Firefox program which allows you to log in by using the HTTPS protocol. HTTPS encrypts user data during a live session.
- Run it in a secure VPN (Virtual Private Network). Your information will be tunneled and secured.
Hill, Kashmir. Firesheep Users May Be Breaking The Law. Forbes.
Machlis, Sharon. I hijacked a Facebook Account with Firesheep. Computer World.
Than, Ker. Chupacabra Science How Evolution Made A Mystical Monster. National Geographic.
Tsotis, Alexis. How To Protect Your Login Information From Firesheep. Tech Crunch.