It has never been easier to steal information from web surfers. Eric Butler, a software developer, has created a Firefox extension called Firesheep that lets anyone hijack a Facebook account on a shared network through an automated process. He presented it at ToorCon (a hacker conference in San Diego, USA) to demonstrate how fragile our security on the Net is. It is easy and fast. Firesheep takes advantage of a specific weakness: many sites encrypt the login page with HTTPS but then send the session cookie over plain, unencrypted HTTP on every later request, so anyone sniffing the same network can copy that cookie and use it to act as the logged-in user (an attack known as session hijacking or "sidejacking").
All you need to do is install the extension, connect to a Wi-Fi network (an open hotspot is the typical case) and wait for a victim on the same network to use Facebook or another social network. Firesheep shows each captured session in a sidebar, and a double-click logs you in as that user. It is so easy that anyone can do it.
Firesheep is a free, open source extension that runs on any system where Firefox runs. On Windows you also need to install the WinPcap library so that Firesheep can capture traffic.
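To make concrete what Firesheep sees on the wire, here is an added example in the style of its site handlers. It is not Firesheep's own code, and the site names and session cookie names are assumptions for illustration, not Firesheep's real handler list. It takes raw HTTP requests as a sniffer on an open Wi-Fi network would capture them, matches the Host header against a handler table, and pulls out only the cookies that identify a logged-in session; traffic to port 443 is skipped because the TLS payload is opaque to the sniffer.

```javascript
// Added example (not Firesheep's code): a minimal sidejacking scanner. Site and
// cookie names are assumptions for illustration, not Firesheep's real handlers.

// Handler table: which cookie names carry the session for a given domain (assumed).
const HANDLERS = [
  { name: 'Example Social', domains: ['social.example'], sessionCookies: ['sid', 'user_id'] },
  { name: 'Example Mail',   domains: ['mail.example'],   sessionCookies: ['auth'] },
];

// Parse one raw HTTP/1.x request (headers only) into method, path and a header map.
function parseHttpRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, path, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, version, headers };
}

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(value) {
  const cookies = {};
  for (const part of value.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Match a request's Host header against the handler table (exact or subdomain match).
function findHandler(host) {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  return HANDLERS.find(x => x.domains.some(d => h === d || h.endsWith('.' + d))) || null;
}

// A captured packet: transport metadata plus the payload. Only plaintext HTTP
// (port 80) payloads can be parsed; a TLS payload on port 443 is opaque.
function scanCapturedPacket(packet) {
  if (packet.dstPort !== 80) return null;             // TLS: nothing readable
  const req = parseHttpRequest(packet.payload);
  const host = req.headers['host'];
  if (!host || !req.headers['cookie']) return null;
  const handler = findHandler(host);
  if (!handler) return null;                          // site we have no handler for
  const all = parseCookieHeader(req.headers['cookie']);
  const session = {};
  for (const name of handler.sessionCookies) if (name in all) session[name] = all[name];
  if (Object.keys(session).length === 0) return null; // no session cookie: not logged in
  return { site: handler.name, host, srcIp: packet.srcIp, sessionCookies: session };
}

function scanCapture(packets) { return packets.map(scanCapturedPacket).filter(Boolean); }

// Constructed sample capture (not real traffic).
const SAMPLE_CAPTURE = [
  { srcIp: '192.168.1.23', dstPort: 80,
    payload: 'GET /home HTTP/1.1\r\nHost: www.social.example\r\nCookie: lang=en; sid=abc123; user_id=42\r\n\r\n' },
  { srcIp: '192.168.1.24', dstPort: 443,
    payload: '\x16\x03\x01\x00\xa5\x01\x00\x00\xa1' },  // start of a TLS ClientHello: opaque
  { srcIp: '192.168.1.25', dstPort: 80,
    payload: 'GET / HTTP/1.1\r\nHost: www.social.example\r\nCookie: lang=en\r\n\r\n' }, // not logged in
  { srcIp: '192.168.1.26', dstPort: 80,
    payload: 'GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: auth=tok-999\r\n\r\n' },
];

const SAMPLE_RESULTS = scanCapture(SAMPLE_CAPTURE);
console.log(JSON.stringify(SAMPLE_RESULTS, null, 2));
```

The scanner reports the two logged-in plaintext sessions and nothing for the HTTPS packet or the anonymous visitor; the reported cookies are everything an attacker needs, since replaying them in a fresh browser is all Firesheep's double-click does.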
Without doubt, Firesheep is a wake-up call for major social network sites like Twitter and Facebook, and it emphasizes the need for proper protection of session cookies: the whole session, not just the login page, must run over HTTPS, and session cookies must be marked Secure so the browser never sends them in the clear. This is what Google does with Gmail and its other services. Until encryption becomes the standard on the Internet, there is no guarantee that users can be protected from similar tools.
In response, Facebook says it has made progress in testing SSL across the entire Facebook system; basic security guidelines can be found on the Facebook Security Page.
These are five possible ways users can protect themselves against Firesheep.
- Use a corporate VPN. All data sent through the VPN tunnel is authenticated and encrypted, so a sniffer on the local Wi-Fi sees only encrypted tunnel traffic. Your personal information should be safe inside the VPN, although you may experience poor performance, especially when many users access the Internet from the same network. Many offices also set a policy restricting access to social network sites. Simply put, your employer doesn't pay you to play Farmville.
- Set up a personal VPN to securely access the Internet through your home connection. Facebook users can use Openswan to set up an IPsec VPN at home, although ordinary computer users may find Openswan a bit challenging. OpenVPN is a well-known alternative on Linux, while many Windows users run a pre-built VMware virtual appliance instead. Although the VMware route could be the easiest to set up, it still isn't a walk in the park.
- Use a paid VPN service. If you can spare some money, you can rent a VPN service instead of running your own. Services like StrongVPN and AceVPN charge monthly rates, while AlwaysVPN charges by bandwidth used. Some free VPNs exist, but they may not be secure or reliable, and whichever provider you pick, you are trusting its operator with everything you send through the tunnel.
- Create your own Wi-Fi AP with a MiFi. A MiFi is a pocket-sized 3G/4G router that acts as a portable Wi-Fi access point, so you are no longer sharing a network with strangers; protect it with WPA2 and a strong passphrase. It can be a practical solution, but 3G/4G data is still somewhat expensive for extended use.
- SSL or TLS. Many sites today offer full TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer) support. With proper encryption and authentication, your data traffic is safe from Firesheep, but only if the site serves the entire session over HTTPS: if it encrypts the login page and then drops back to plain HTTP, the session cookie is still sent in the clear and Firesheep can still capture it. Check that the address stays https:// after you log in.
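On the site side, "proper encryption of cookies" comes down to one attribute on the Set-Cookie header. Here is an added example (not Facebook's, Google's or Firesheep's code) that audits the Set-Cookie headers a site sends and reports which session cookies a sniffer could still capture. A session cookie is exposed whenever it lacks the Secure attribute, because the browser will then send it on any http:// request to the site even if the login itself happened over HTTPS. The cookie names and the two sample responses are constructed for illustration.

```javascript
// Added example (not the code of any site or of Firesheep): audit Set-Cookie headers
// for session cookies that a passive sniffer could capture. Names are constructed.

// Parse one Set-Cookie header into name, value and a lower-cased attribute map
// (flag attributes such as Secure and HttpOnly become true).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), attrs: {} };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Audit a response's Set-Cookie headers. sessionCookieNames says which cookies
// carry the login; only those matter for session hijacking.
function auditSetCookies(headers, sessionCookieNames) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sessionCookieNames.includes(c.name)) continue;
    const problems = [];
    if (!c.attrs.secure) {
      // Without Secure the browser sends the cookie on plain http:// requests,
      // which is exactly what Firesheep reads off the network.
      problems.push('missing Secure: sent over plain HTTP, readable by a sniffer');
    }
    if (!c.attrs.httponly) {
      // Not what Firesheep exploits, but the same cookie is then readable by
      // injected script, so a hardening pass should fix it at the same time.
      problems.push('missing HttpOnly: readable by script in the page');
    }
    findings.push({ name: c.name, exposedToSniffer: !c.attrs.secure, problems });
  }
  return findings;
}

// Constructed sample responses: the weak setting beside the corrected one.
const WEAK_RESPONSE_COOKIES = [
  'sid=abc123; Path=/; Domain=.social.example',
  'lang=en; Path=/',
];
const FIXED_RESPONSE_COOKIES = [
  'sid=abc123; Path=/; Domain=.social.example; Secure; HttpOnly',
  'lang=en; Path=/',
];

const WEAK_AUDIT = auditSetCookies(WEAK_RESPONSE_COOKIES, ['sid']);
const FIXED_AUDIT = auditSetCookies(FIXED_RESPONSE_COOKIES, ['sid']);
console.log('weak:', JSON.stringify(WEAK_AUDIT));
console.log('fixed:', JSON.stringify(FIXED_AUDIT));
```

The audit flags `sid` in the weak response and reports nothing for the fixed one. Note that the Secure attribute only stops the browser from sending the cookie in the clear; the site still has to serve every page of the session over HTTPS, otherwise a logged-in user on an http:// page simply appears logged out.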