Attack Vector: Wireless Session Hijacking

Using an open wireless network to access Facebook or MySpace or Twitter? Stop. Now.

My students will recognize wireless session hijacking (sidejacking) as one of the most significant attack vectors, though frankly almost no one in the corporate world of social networking has been much worried about it. Until now. Because hacker and security advocate Eric Butler has done them a favor by releasing a Firefox plugin, Firesheep, that demonstrates the concept with horrifying clarity: sit on an open Wi-Fi network, let it sniff the session cookies other users' browsers send to popular sites over plain HTTP, and take over any of those sessions with a click.

Security consultant Ronald Thomas sent me a link to one of the more user-friendly discussions of Butler’s motivations, and of Butler’s success in motivating an embarrassed Facebook to tighten up security, at http://www.smh.com.au/technology/security/how-anyone-can-pointandclick-to-hijack-your-online-accounts-20101101-179rg.htm, “How anyone can ‘point-and-click’ to hijack your online accounts.”

That ought to scare you.

From a security architecture side, the problem is that many social networking sites mix http: and https: pages in their applications. The login form itself is usually https:, so your password is not what leaks. What leaks is the session cookie the site hands you after login: unless that cookie carries the Secure attribute, your browser attaches it to every request to the site, including the plain http: ones for the next page or the next image. On an open wireless network every http: request is readable by anyone within radio range. Voila, they’ve got your session cookie, they’re in! It does not matter how strong your password was. The solution is pure https: end-to-end once you’re logged in, with the session cookie marked Secure so the browser will never send it in the clear even if some http: page is still lying around.
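To make that rule concrete, here is a small model written for this note (it is not code from the original article or from Firesheep): a browser-side cookie jar that applies the Secure rule, a passive observer standing in for the attacker’s laptop on the same open Wi-Fi, and the cookie extraction a sidejacking tool does on sniffed plaintext. The host name, the cookie name `sid`, and the captured request are all made up for the example.

```python
"""
Why a mixed http/https site leaks its session cookie on open Wi-Fi,
and why Secure + https-only stops it.

Added example, not from the original post or from Firesheep. The host
social.example, the session cookie name "sid" and CAPTURED_REQUEST are
constructed for illustration.
"""
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"  # assumed name of the site's session cookie


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into the fields this model cares about.

    Interprets the cookie-pair plus the Secure and HttpOnly flags; any other
    attribute (Path, Domain, ...) is parsed but ignored here.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": attrs.get("secure", False) is True,
        "httponly": attrs.get("httponly", False) is True,
    }


def cookies_for_request(jar, url):
    """Cookies a browser attaches to a request for `url` (same host assumed).

    The RFC 6265 rule that matters: a cookie with the Secure attribute goes
    only on https requests; every other cookie goes on http AND https.
    """
    scheme = urlsplit(url).scheme
    return {c["name"]: c["value"] for c in jar if scheme == "https" or not c["secure"]}


def open_wifi_observer(jar, url):
    """What a passive sniffer on the same open network sees for this request.

    Returns the cleartext Cookie header for an http request ("" if the
    request carries no cookies), or None for https, where TLS hides it.
    """
    if urlsplit(url).scheme == "https":
        return None
    sent = cookies_for_request(jar, url)
    return "; ".join(f"{k}={v}" for k, v in sent.items())


def extract_session_cookie(raw_request, cookie_name=SESSION_COOKIE):
    """Pull the session cookie out of a sniffed cleartext HTTP request.

    This is the whole trick a sidejacking tool performs per packet.
    Returns None if the request carries no such cookie.
    """
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                name, _, value = pair.strip().partition("=")
                if name == cookie_name:
                    return value
    return None


# 1. Mixed site: login over https sets the cookie WITHOUT Secure, then some
#    pages and images are served over plain http.
mixed_jar = [parse_set_cookie("sid=7f3a9c; Path=/; HttpOnly")]

# 2. Hardened site: Secure on the session cookie, and https for everything
#    after login.
hardened_jar = [parse_set_cookie("sid=7f3a9c; Path=/; Secure; HttpOnly")]

# Constructed cleartext request, as it would appear in an open-Wi-Fi capture.
CAPTURED_REQUEST = (
    "GET /photos/42.jpg HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sid=7f3a9c; lang=en\r\n"
    "\r\n"
)

if __name__ == "__main__":
    img = "http://social.example/photos/42.jpg"
    print("mixed site, http image :", open_wifi_observer(mixed_jar, img))
    print("hardened, http image   :", repr(open_wifi_observer(hardened_jar, img)))
    print("hardened, https page   :", open_wifi_observer(hardened_jar, "https://social.example/home"))
    print("session from capture   :", extract_session_cookie(CAPTURED_REQUEST))
```

On the mixed site the observer reads `sid=7f3a9c` straight off the image request; on the hardened site the http request carries no cookie at all and the https request is opaque. Note that the Secure attribute alone is not the fix: if the site still needs the cookie on http: pages, the user simply appears logged out there, which is why the cookie flag and https-everywhere go together.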

From a corporate perspective, the objection is that https: uses TLS, Transport Layer Security, and the handshake and encryption work on every connection eats up processor cycles on their servers. This, they say, makes their sites slower. The executive suite has recognized, we hope, that their sites will be *really* slow if nobody uses them because we know they’re not safe. In theory.

From Intel’s perspective, this is all great because it’ll sell more processors and encryption chipsets. Woo hoo.

It’s up to the Facebooks to pay coders and buy faster servers. It’s up to us, you and me, to make sure those who trust their security to us know about this issue. Sounds like one for the Hacker High School, doesn’t it?

I’d also consider it near mandatory for security researchers to download and try Firesheep at http://codebutler.github.com/firesheep/. I’ll bet very few audiences will need to see it demonstrated more than once.