The Workpapers.com Weblog

Essays, articles, news, and recipes for auditors from the team at Workpapers.com.

Firesheep... a problem that shouldn't have been a problem 07 Dec 2010

Author:  Dan Zitting, CPA, CISA

Filed under Information Security and Workpapers.com News

If you're a Facebook user, you probably recently saw in your feed a post by someone like me telling you to watch out when using Facebook because Firesheep was coming to get you, steal your profile, and wreak havoc across your online computing life. This post is to dispel some of the inaccuracy and explain that none of our web-based apps were ever in danger of being "Firesheep-ed".

What is Firesheep?

A nice little tool that takes something real attackers have been able to do for years and makes it easy for anyone with basic computer savvy and a local Starbucks. It is basically a "point and click" way to steal someone's session with a website if the connection to that website is not secured with HTTPS consistently throughout the site. Everyone in our business uses a computer enough to know not to log in to a website unless you are at an https:// address. If you did so on an open wifi network, anyone in the vicinity could grab your password out of the air. So we are pretty careful about that, and Firesheep DOES NOT allow an intruder to steal your password (or anything else) while you are on an HTTPS page. In fact Firesheep doesn't go after passwords at all; it goes after the session cookie the site hands your browser after you have logged in.

The problem arises when a website sends you back to a regular http:// page AFTER you log in. Many websites do this, Facebook being the one that garnered the majority of attention. Your browser attaches the session cookie to every request it makes to that site, including the unencrypted http:// ones, unless the site marked the cookie as Secure, and that is the moment the Firesheep user grabs it out of the air. This is a technical way of saying they are able to get logged in as you. They can then do anything you could do in your account. However, once you click log out on the site, that session cookie is destroyed, which means neither you NOR the Firesheep user can use it any more. You have effectively just logged out yourself as well as the Firesheep user. (That only holds if the site actually invalidates the session on its servers when you log out, rather than just clearing the cookie from your own browser.)

Overall, no doubt... a bad deal.

How to avoid the problem.

There are basically two ways to avoid being "Firesheep-ed", one that sucks and one that doesn't.

Way that sucks - Don't ever use open wifi points. Use only encrypted wifi networks that require WPA or WPA2 encryption. That fixes the problem but means you will no longer be surfing the net while drinking your soy chai latte. One caveat even there: on a WPA network with a shared password, everyone in the cafe who knows the password has the same key, and someone who captures your connection setup can still decrypt your traffic, so the encrypted network only really helps when you trust the other people on it.

Way that doesn't suck - Wifi it up... but only use websites that use HTTPS encryption on ALL pages once you are logged in, and that mark the session cookie Secure so your browser never sends it over a plain http:// connection. Implementing this protection is the responsibility of the website owner, but there really isn't much excuse for not doing it. For instance, each of our products, including workpapers.com and sas70registry.com, uses HTTPS during your entire session with the site every single time. So, while your Facebook profile might end up with illicit posts made by the shady guy at the corner table in the coffee shop, your audit data is happy and secure.
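To make both halves of this concrete, the cookie leaking out of the air and the check a site owner should run on their own login, here is an added example in Python. It is not code from Workpapers.com or from Firesheep itself; the captured traffic, host names, cookie names and login responses are all constructed for illustration. The first function plays the sniffer's role (it can only read requests sent over plain HTTP on port 80; the TLS record on port 443 is opaque to it), and the second audits a login response for the two things that matter here: a session cookie without the Secure flag, and a post-login redirect to an http:// page.

```python
"""Firesheep-style session sniffing, and the server-side checks that defeat it.

Added example: not code from Workpapers.com or from Firesheep. All traffic,
host names and cookie names below are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Hypothetical per-site session cookie names. Firesheep does this job with a
# per-site "handler"; these names are illustrative, not copied from it.
SESSION_COOKIE_NAMES = {
    "www.example-social.com": {"sessid"},
    "app.example-audit.com": {"auth_token"},
}


def parse_request(raw):
    """Split a plaintext HTTP/1.1 request into method, path and headers."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_cookie_header(value):
    """Turn 'a=1; b=2' from a Cookie request header into a dict."""
    jar = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            jar[name] = val
    return jar


def harvest_sessions(captured):
    """What a sniffer on open Wi-Fi gets: session cookies from every request
    sent over plain HTTP. Input is (tcp_port, payload) pairs; port 443
    payloads are TLS records and are opaque, so they are skipped.
    Returns {(host, cookie_name): cookie_value}."""
    stolen = {}
    for port, payload in captured:
        if port != 80:
            continue
        req = parse_request(payload)
        host = req["headers"].get("host", "")
        wanted = SESSION_COOKIE_NAMES.get(host, set())
        jar = parse_cookie_header(req["headers"].get("cookie", ""))
        for name in wanted & set(jar):
            stolen[(host, name)] = jar[name]
    return stolen


def audit_login_response(status, headers, session_names):
    """The check a site owner should run on the response to a successful login:
    the session cookie must carry the Secure flag (so the browser never sends
    it over http://), and any redirect must land on an https:// page.
    `headers` maps lower-case header names to values; set-cookie is a list."""
    findings = []
    for set_cookie in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            if name in session_names and not morsel["secure"]:
                findings.append(f"session cookie {name!r} lacks the Secure flag")
    location = headers.get("location")
    if status in (301, 302, 303, 307) and location:
        if urlparse(location).scheme != "https":
            findings.append(f"post-login redirect to {location} is not https")
    return findings


# Constructed capture: one plaintext request leaking a session cookie, one TLS
# record (opaque) to a site that stays on HTTPS for the whole session.
CAPTURED = [
    (80, b"GET /home HTTP/1.1\r\nHost: www.example-social.com\r\n"
         b"Cookie: sessid=9b1f2c4e7a3d; lang=en\r\n\r\n"),
    (443, b"\x17\x03\x01\x00\x2a" + bytes(42)),  # encrypted application data
]

# Constructed login responses: the leaky pattern and the fixed one.
LEAKY_LOGIN = (302, {
    "set-cookie": ["sessid=9b1f2c4e7a3d; Path=/; HttpOnly"],
    "location": "http://www.example-social.com/home",
})
FIXED_LOGIN = (302, {
    "set-cookie": ["auth_token=0c5e8d2b; Path=/; Secure; HttpOnly"],
    "location": "https://app.example-audit.com/dashboard",
})

if __name__ == "__main__":
    print("stolen:", harvest_sessions(CAPTURED))
    print("leaky site:", audit_login_response(*LEAKY_LOGIN, {"sessid"}))
    print("fixed site:", audit_login_response(*FIXED_LOGIN, {"auth_token"}))
```

Run as-is, the sniffer recovers the social site's `sessid` cookie and nothing from the HTTPS-only site, the leaky login gets two findings, and the fixed login gets none. Note that HttpOnly, which the leaky cookie does carry, is no help against sniffing: it only stops scripts in the page from reading the cookie, and the Secure flag is the one that keeps it off the wire.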

The bottom line is watch out for the Firesheep.... but the online world is still not quite the crazy dangerous place that many of the reports on Firesheep made it seem.