
Software engineer blogs own Starbucks wiretap

Firesheep theatre

Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre.

Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary LosHuertos fired up Firesheep at his local Starbucks and started nabbing identities.

"I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar," he writes on his personal blog. "Around half an hour later, I'd collected somewhere between 20 and 40 identities."

Most were Facebook identities. So Gary started sending people messages from their own Facebook accounts warning them he had just hijacked their Facebook accounts. "Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their accounts' exposure," he says.

After a few minutes, he decided he had done some good. Some names disappeared from Firesheep. Then the names appeared again. So he logged into their Facebook accounts a second time. "Did they receive the first message?" he says. "Surely enough, they had."

So then he sidejacked somebody's Amazon account. "One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a 'no, seriously' message on Facebook from his account including the fun fact about his music choices."

The Amazon man vanished. So Gary logged back into more Facebook accounts. "I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts," he writes. After twenty minutes, he wasn't sure if they had gotten his second message, so he logged into their accounts again.

They had.

Then he left. But he gave one final lesson for his fellow coffee drinkers. "I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability. I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity."

When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover."

Yet another demonstration: if you blog about Firesheeping people in your local Starbucks, you're publicly admitting to a felony.

Bootnote

A tip of the hat to privacy guru Chris Soghoian.
