Feeds

Software engineer blogs own Starbucks wiretap

Firesheep theatre

Top three mobile application threats

Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre.

Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary LosHuertos fired up Firesheep at his local Starbucks and started nabbing identities.

"I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar," he writes on his personal blog. "Around half an hour later, I'd collected somewhere between 20 and 40 identities."

Most were Facebook identities. So Gary started sending people messages from their own Facebook accounts warning them he had just hijacked their Facebook accounts. "Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their accounts' exposure," he says.

After a few minutes, he decided he had done some good. Some names disappeared from Firesheep. Then the names appeared again. So he logged into their Facebook accounts a second time. "Did they receive the first message?" he says. "Surely enough, they had."

So then he sidejacked somebody's Amazon account. "One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a 'no, seriously' message on Facebook from his account including the fun fact about his music choices."

The Amazon man vanished. So Gary logged back into more Facebook accounts. "I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts," he writes. After twenty minutes, he wasn't sure if they had gotten his second message, so he logged into their accounts again.

They had.

Then he left. But he gave one final lesson for his fellow coffee drinkers. "I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability. I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity."

When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover."

Yet another demonstration: if you blog about Firesheeping people in your local Starbucks, you're publically admitting to a felony.

Bootnote

A tip of the hat to privacy guru Chris Soghoian.

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.