It almost sounds innocent, cute even … Firesheep, conjuring a cute little sheep with the typical Firefox swirl around it. In reality, Firesheep is possibly the first script-kiddie hacker exploit ever made available this quickly and this widely.
What is Firesheep?
According to the plug-in author and publisher, Seattle-based software developer Eric Butler, the program was created and is being distributed solely to expose a serious security vulnerability present in most popular websites including Facebook and Twitter – literally allowing a hacker to access your information being sent across the web, hijack it, and gain access to your accounts … essentially, stealing your identity.
How Firesheep Works
First of all, let me be clear: Most financial institution websites (banks, PayPal, and others that always begin with https://) keep your information safe the entire time you’re online. Don’t panic on that account.
The way that Firesheep works is pretty simple: every time you log in to a website, that website will store a cookie. This cookie holds a variety of information about you depending on what you’ve provided the website. Ecommerce stores do this often, allowing you to access pages more quickly, to store things like your session time and IP address, and even information like mailing addresses if you’ve provided one.
When the cookies are sent, they’re generally sent across an unsecure “open space” connection which anyone can pull information from. “On an open wireless network [the only way this hack will work], cookies are basically shouted through the air, making these attacks extremely easy,” Eric Butler wrote when he released the program at a San Diego conference to draw attention to security vulnerabilities.
In other words, Firesheep works because most web developers have not taken the time to properly secure their websites – thus putting their viewers’ identity out in the open. This is not a Firefox problem, per se, but a website designer’s one.
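The defect described above is on the website's side: a session cookie issued without the Secure attribute will be sent by the browser over plain HTTP, where anyone on the same open network can read it, and a site that serves any page over HTTP after login gives the browser a reason to do so. As an added example that is not part of the original article, the following Python checker audits a server's response headers the way a site owner would: it flags session-looking cookies that lack Secure or HttpOnly and notes whether the response carries a Strict-Transport-Security header, which tells browsers to stay on HTTPS for the whole session. The header lists and cookie names below are constructed for illustration; the "session-looking" heuristic is an assumption of this example, not a rule from the article.

```python
"""Audit HTTP response headers for the cookie defect Firesheep exploits.

Added example, not code from the original article. The sample headers
below are constructed; the session-cookie name heuristic is an assumption.
"""
from dataclasses import dataclass, field

# Substrings that suggest a cookie carries a login session (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Finding:
    name: str
    problems: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, attribute dict).

    Attribute keys are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_cookie(header):
    """Return a Finding for one Set-Cookie header (empty problems if fine)."""
    name, attrs = parse_set_cookie(header)
    finding = Finding(name)
    if looks_like_session_cookie(name):
        if "secure" not in attrs:
            finding.problems.append(
                "missing Secure: browser will send it over plain HTTP")
        if "httponly" not in attrs:
            finding.problems.append(
                "missing HttpOnly: readable by any script on the page")
    return finding


def audit_response(headers):
    """headers: list of (name, value) pairs as a server would send them.

    Returns the list of Findings with at least one problem.
    """
    findings = []
    has_hsts = False
    for key, value in headers:
        lowered = key.lower()
        if lowered == "set-cookie":
            finding = audit_cookie(value)
            if finding.problems:
                findings.append(finding)
        elif lowered == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(Finding("(response)", [
            "no Strict-Transport-Security header: later visits may fall back to HTTP"]))
    return findings


# Constructed sample responses: a site that encrypts only the login page,
# and the same site after fixing its cookie and transport settings.
LEAKY_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, [(f.name, f.problems) for f in audit_response(hdrs)])
```

Run against the leaky sample, the checker reports the session cookie twice (no Secure, no HttpOnly) and the missing HSTS header; the hardened sample produces no findings. The non-session "theme" cookie is deliberately left alone, since a stolen UI preference is not a stolen identity.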
Why is this so different from every other hack out there? It is arguably the first program to ever be widely made available to even the laziest script kiddie hackers out there.
Firesheep Victim Prevention
Lucky for all of us who love the internet and can’t imagine not spending time surfing around, there are several things we can do to prevent becoming a victim of a Firesheep user.
1. Avoid WiFi Hotspots: As ESET’s Abrams wrote, “Starbucks just became a more dangerous place. This tool will be used extensively in places such as coffee shops and airports.” Using your laptop in a WiFi hotspot can greatly increase your chances of being snooped on by a Firesheep user.
2. Look for Encryption: Not all websites are created equal. Many websites encrypt your actual login using HTTPS/SSL, but revert to plain HTTP as soon as you’ve finished the login process. Some websites, like Gmail, encrypt the entire session – from the moment you log on until you log out. Social media sites are the most vulnerable, allowing a Firesheep user to actually log in as you at a site like Facebook or Twitter.
3. Install HTTPS Everywhere: Another Firefox plug-in, this one encrypts your communications with many websites that offer at least limited support for encryption over HTTPS. This extension will actually rewrite all communications and requests to these websites so that you’re more secure – a direct block against Firesheep.
4. Change Up Your Passwords: Don’t use the same password for every website. Make sure that the passwords you use for your bank and financial log-ins are different from any other password you ever use – this will prevent any hacker from being able to “guess” your password based on the log-in you’ve made at another website. If necessary, keep a little notebook (don’t store it on your computer – another safety issue altogether) that lists your website URLs, usernames, and passwords.
5. Hold On: Andrew Noyes, a spokesman for Facebook, has stated that Facebook has been testing a new technology that will close this loophole, which should be available to Firefox users within the next few months. As more websites recognize the security risk they’re putting their users in, the problem becomes clearer and more people stand up for their right to privacy.