Feeds

Software engineer blogs own Starbucks wiretap

Firesheep theatre

Protecting against web application threats using SSL

Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre.

Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary LosHuertos fired up Firesheep at his local Starbucks and started nabbing identities.

"I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar," he writes on his personal blog. "Around half an hour later, I'd collected somewhere between 20 and 40 identities."

Most were Facebook identities. So Gary started sending people messages from their own Facebook accounts warning them he had just hijacked their Facebook accounts. "Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their accounts' exposure," he says.

After a few minutes, he decided he had done some good. Some names disappeared from Firesheep. Then the names appeared again. So he logged into their Facebook accounts a second time. "Did they receive the first message?" he says. "Surely enough, they had."

So then he sidejacked somebody's Amazon account. "One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a 'no, seriously' message on Facebook from his account including the fun fact about his music choices."

The Amazon man vanished. So Gary logged back into more Facebook accounts. "I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts," he writes. After twenty minutes, he wasn't sure if they had gotten his second message, so he logged into their accounts again.

They had.

Then he left. But he gave one final lesson for his fellow coffee drinkers. "I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability. I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity."

When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover."

Yet another demonstration: if you blog about Firesheeping people in your local Starbucks, you're publically admitting to a felony.

Bootnote

A tip of the hat to privacy guru Chris Soghoian.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.