Have you ever wondered how the script kiddies who often can barely read & write manage to hijack your Facebook or Hotmail account?
Well, it turns out that it's shockingly easy: in fact, I managed to learn how to gobble up someone else's cookie and hack their account by following just three links! No brute force or dictionary attacks necessary - all that's required is a laptop, a public WiFi hotspot, Firefox, and a copy of Firesheep.
The irony is that it is (or, at least should be) easy to foil such attacks. All three of the links that I followed are essentially arguing for the same thing - end-to-end encryption between server and browser that protects users from identity theft. Indeed, Eric Butler (the author of Firesheep) even claims that he only released his hacking tool to demonstrate the extent of the sidejacking problem.
"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web."
Eric Butler via { codebutler }
The message should be obvious: whether you're using Facebook, Google, Hotmail, or a myriad of other services on the web, if you would rather that no-one else had access to your data, make sure that you are using a secure (https or ssl) link.
Sadly, I expect few people to heed this warning. After all, no-one bothered to turn on the security features released by Microsoft for its Hotmail service!
"For example, in July, eight months after Microsoft first offered HTTPS protection, the company revealed that only 2 million of the 500 million users of Hotmail had enabled the option."
Christopher Soghoian via Ars Technica
Sources & References:
- Schneier on Security: Security by Default
- Ars Technia: Not an Option: time for companies to embrace security by default - Christopher Soghoian
- { codebutler } Firesheep
- Wikipedia: Script kiddie
No comments:
Post a Comment