A MILLISECOND: _Firesheep brings out the hacker in us all_

Let’s be clear: I do not know how to hack a computer.

However, with the release of a new Firefox extension, any schmo like myself could access your information stored as “cookies” fairly easily.

And I did: I put my hand in the cookie jar, kind of.

There were clear ethical dilemmas, but sans malice and for the sake of research, I was ready to try to hack my peers. I downloaded Firesheep, which was not difficult, and tested it on two Wi-Fi networks on campus: UCLA_WIFI and UCLA_WEB.

Eric Butler, the programmer of Firesheep, introduced the extension last month at ToorCon, a hacker conference for security experts.

Firesheep is Butler’s attempt to push sites such as Facebook, Twitter and even Google to protect their users against one of the oldest and simplest ways of hacking: session hijacking.

But after trying the application on both UCLA networks, the only login information I was able to capture was my own. The short answer about my self-hacking exercise is that I needed to be on a local insecure network.

While my attempts at hacking were unsuccessful, it was useful to see which social networking accounts of mine could be sidejacked, from Amazon and Facebook to Twitter and Yelp.

Session hijacking, or sidejacking, is not a new problem. Firesheep just makes it accessible to everyone in a graphical way.
“If you can download music, you can install this,” said Peter Schultze, systems administrator in the computer science department.

That said, I would hesitate to say that anyone who can use a computer can automatically make sense of the extension. Because Firesheep is not distributed through Mozilla’s official add-on gallery, it has to be downloaded from a third-party site and installed by hand, which is less convenient than adding a typical Firefox extension.

Most online services encrypt the log-in step itself: the “https://” in the address bar means your user name and password travel over an encrypted connection.

But social networking sites such as Facebook and Twitter then drop back to ordinary “http://” and send the rest of the session, every page you load after logging in, as unencrypted plain text.

After you log in, the site hands your browser a small piece of text called a “cookie” that identifies your logged-in session. The browser attaches that cookie to every later request so the site can recognize you without asking for your password again. Because those later requests go out unencrypted, anyone who can see the network traffic, such as another user of the same open Wi-Fi network, can copy the cookie and present it to the site as if they were you. No password is needed, and the site has no easy way to tell the difference.
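As an added illustration, not part of the original article and not Firesheep’s own code, the following Python script walks through the mechanism just described on a constructed sample. It parses a plain-text HTTP request as an eavesdropper on open Wi-Fi would see it, pulls out only the cookies that identify the session (Firesheep’s per-site logic reduced to its essentials), builds the replay request that impersonates the victim, and then checks the fix sites were being pushed toward: marking session cookies Secure so that a browser refuses to send them over “http://” at all. The host name, cookie names and cookie values are all made up for the example.

```python
"""
Sidejacking on the scale Firesheep demonstrated rests on three facts:
the browser attaches the session cookie to every request, those requests
cross an open Wi-Fi network as plain text, and the server treats any
request carrying that cookie as the logged-in user.

Everything below is constructed for illustration; the host, cookie
names and cookie values are made up.
"""
from http.cookies import SimpleCookie

# Which cookies identify a logged-in session on our made-up site.
# Firesheep shipped one such list per supported site.
SESSION_COOKIES = ["uid", "sessionid"]

# Constructed sample: one unencrypted request as it would appear in a
# packet capture taken by another user of the same open Wi-Fi network.
# The login itself went over HTTPS; this follow-up page load did not.
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: locale=en_US; uid=100004242; sessionid=7%3Aq9k2s8d2%3A1\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# Constructed Set-Cookie headers as the site sent them after login.
# Weak form: no Secure attribute, so the browser also sends them on http://.
SET_COOKIES_WEAK = [
    "uid=100004242; Path=/; Domain=.example-social.test",
    "sessionid=7%3Aq9k2s8d2%3A1; Path=/; Domain=.example-social.test; HttpOnly",
]
# Hardened form: Secure added. A browser will only send these over HTTPS,
# so an eavesdropper watching an http:// page load never sees them.
SET_COOKIES_HARDENED = [
    "uid=100004242; Path=/; Domain=.example-social.test; Secure",
    "sessionid=7%3Aq9k2s8d2%3A1; Path=/; Domain=.example-social.test; Secure; HttpOnly",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def harvest_session(raw, session_names):
    """The eavesdropper's step: from one plain-text request, return the
    host and just the cookies that identify the session."""
    _method, _path, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    found = {name: jar[name].value for name in session_names if name in jar}
    return headers.get("host"), found


def forge_request(host, path, cookies):
    """The replay step: the request the attacker's browser sends to be
    treated as the victim. Note that no password appears anywhere."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def exposed_on_http(set_cookie_headers, session_names):
    """The site-side check: which session cookies would a browser still
    send over plain http://? Only cookies flagged Secure are withheld."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in session_names and not morsel["secure"]:
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    host, stolen = harvest_session(CAPTURED_REQUEST, SESSION_COOKIES)
    print("session cookies seen in the clear:", stolen)
    print("replay request:\n" + forge_request(host, "/home", stolen))
    print("exposed before fix:", exposed_on_http(SET_COOKIES_WEAK, SESSION_COOKIES))
    print("exposed after fix: ", exposed_on_http(SET_COOKIES_HARDENED, SESSION_COOKIES))
```

The Secure flag alone is only half of the fix: if a site still serves its logged-in pages over “http://”, a browser holding a Secure cookie simply will not send it and the user appears logged out. That is why the lasting answer was to keep the whole session on HTTPS, not just the log-in form.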

“It requires more server capacity (to encrypt post-log-in), which would require more money,” Schultze said.

Butler may be trying his hand at “hacktivism,” or hacking for a presumably good cause, according to his blog.

“This approach to exposing vulnerabilities has a very old history in computer science and engineering,” said Leah Lievrouw, a professor in the UCLA Graduate School of Education & Information Studies.

In its more restrained form, that means privately reporting a security hole to the vendor and giving it time to release an update or patch before the flaw is made public.

While hacktivism usually has political ends, it’s important to distinguish that goal from a market-driven approach to bug-finding, Lievrouw said.

“The responsible ones first contact the vendor and give them a certain amount of time for a response before publishing the exposure. The bigger idea is that, in the long term, it’s better for the common good,” Schultze said. “However, (Firesheep) goes a bit beyond the common hacktivism. Here, someone brings out a very easy-to-use tool for many people to expose a known vulnerability.”

While Butler’s approach may seem unethical, the alternative may be worse.

“In a situation like this one, I don’t think it’s more ethical to wait. It’s very fair if there’s a segment of the public that is vulnerable to this and may not be sophisticated enough to protect themselves,” Lievrouw said.

There are various ways to protect yourself. On campus, there are three basic options: install a detection extension, connect to the UCLA_SECURE Wi-Fi network or use UCLA’s virtual private network.
Another Firefox extension, BlackSheep, warns you when someone on your network is running Firesheep; it works by sending out fake session cookies and watching for anyone who tries to use them. That is the extent of the protection: it detects the attack but does not stop it, and it does nothing to shield your real cookies.

Connecting to UCLA_SECURE, the only encrypted Wi-Fi network on campus, requires you, on both Mac OS X and Windows 7, to open your network preferences and set up the connection with your Bruin OnLine user name and password. Because the wireless link is then encrypted with credentials unique to you, other users of the network cannot read your traffic. Your cookies still travel in plain text once they leave the campus network, however, so this guards only against eavesdroppers on the wireless hop, which is exactly where Firesheep operates.

Finally, to connect via UCLA’s VPN, you will need to download two things: a program to connect with, most likely Cisco’s VPN client, and a configuration file. When the VPN is set to carry all of your traffic, it wraps everything in an encrypted tunnel back to UCLA’s VPN gateway, so it protects you on any Wi-Fi network, not just on campus; your traffic is exposed again only after it leaves that gateway for the open Internet.

“It may seem like scaremongering, but to demand change, especially in the market, you do it with public demand,” Lievrouw said. “Firesheep was aimed at a dozen or so of the most popular sites. If you want to make a big demonstration, you choose the biggest target.”
