Wednesday, November 24, 2010

Secure your cookies

In light of the publicity created by Firesheep, HTTPS Everywhere has been updated to force websites to activate a secure flag in cookies used to authenticate their users.
I finally tested Firesheep. It is painfully easy to use for hijacking sessions. Here I start Firesheep on a Windows machine (via RDP) and I log into Facebook on a Ubuntu system. As seen in the screenshot, Firesheep quickly captures the cookie of that session and permits easy access to the active account.

Tuesday, November 9, 2010

Blacksheep

Security vendor, Zscaler, unleashes a tool named Blacksheep to warn users of the presence of a machine running Firesheep. It doesn't mitigate session hijacking but sounds an alarm to alert of a malicious party in close proximity.

Monday, November 8, 2010

Firesheep

Session hijacking is nothing new with early tools such as Ferret supporting this attack. This Firefox extension, Firesheep, has simplied the attack.
I can't wait for the Linux version to be released so that I can play with it. Ways of avoiding becoming a victim of session hijacking are:
  1. Using encrypted wireless networks.
  2. Using a VPN tunnel over insecure wireless networks.
  3. Use full HTTPS sessions. HTTPS Everywhere is one tool that automates the use of HTTPS for popular websites like Facebook.
  4. Be wary of links sent via email or instant messaging.