Changing the Way the World Works
Nov. 24th, 2010 11:20 am
A world-changing piece of software was released recently, and you need to know about it. It’s called Firesheep, and it makes stealing your login information for the web sites you visit as easy as: point, click, done. I strongly urge you to Google it and educate yourself about it.
It shouldn’t surprise anyone that your login credentials have never been secure. After all, email, the world wide web, and the underlying packet switching protocols: none of them were designed to carry encrypted communications. And it’s not in the interest of commercial web sites to spend more time and effort than the absolute minimum necessary to convince you that their sites are “secure”.
Still, up till now you’ve been able to reassure yourself with the belief that only people with very specialized knowledge and tools had the ability to hijack your web sessions.
Firesheep has changed that forever by putting those techniques behind a point-and-click interface that anyone from a four year old child to an eighty year old grandmother could operate.
All someone needs to do is (1) download the Firefox plugin, (2) connect to a public network, and (3) when presented with a list of other users’ sessions on that network, click the one they want to log in as. With no more skill or effort than that, they’ve got instant access to your account on Amazon, Twitter, Facebook, Gmail, Yahoo, Foursquare, Wordpress, and so forth. The rest, as we say, is YFN.
This is doubly bad news for anyone with a smartphone, because most of those devices automatically and indiscriminately connect to public WiFi networks, then send your login credentials to any sites you regularly monitor, without your knowledge or involvement.
There are solutions to this problem, and the people who create and maintain web sites have known about them for years, but balked at putting the extra security measures into practice. Firesheep was actually intended to bring this vulnerability to everyone’s attention, so that the problem might finally be addressed. How quickly do you think that’ll happen?
So here we are. After decades of playing fast and loose on the web, keeping your head in the sand about the risks, it’s finally time to get serious about securing the information you send over the public channel.
If you’re like most people, you probably don’t even take your username and password seriously. How often do you change it? How hard would it be for a human to guess? How long would it take a password guessing computer to crack? Do you use the same username and password for several sites?
The username/password security that we’ve gotten used to is largely just a placebo. It wrongly makes people think they’ve taken an effective security measure. But if your network traffic isn’t encrypted, Firesheep makes it easy for everyone else on the network to hijack your login.
Ideally, all public web sites would immediately transition to sending all web traffic via SSL. But deployment will certainly be extremely slow and spotty.
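The session that Firesheep hijacks travels as a cookie, so moving a site to SSL only closes the hole if that cookie is also marked Secure; otherwise the browser still sends it on any plain http:// request. Below is an added example, not code from the original post, that audits a Set-Cookie header for the missing flags and shows the hardened form; both headers are constructed samples.

```python
# Constructed sample headers: a session cookie as a site might have set it in
# 2010 (no Secure flag, so it rides along on plain HTTP where Firesheep can
# read it) beside the hardened form that is only ever sent over SSL.
WEAK_HEADER = "sessionid=abc123; Path=/; Expires=Wed, 24 Nov 2011 11:20:00 GMT"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; valueless flags map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookie(header):
    """Return a list of the protections a session cookie is missing."""
    _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: browser will send it over plain http://")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by scripts running in the page")
    return problems


def harden_set_cookie(header):
    """Append whichever of Secure / HttpOnly the header lacks."""
    _, attrs = parse_set_cookie(header)
    fixed = header
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            fixed += "; " + flag
    return fixed


if __name__ == "__main__":
    for problem in audit_session_cookie(WEAK_HEADER):
        print("weak header:", problem)
    print("hardened:", harden_set_cookie(WEAK_HEADER))
```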
So what are your options? The first is obviously to carefully regulate your use of public networks. Another is to use a tool like Blacksheep, which might alert you when someone on the network is running Firesheep.
You can also ensure that all your traffic is encrypted by setting up a virtual private network (VPN). The problem there is that you need a trusted host to serve as a gateway, and if you use someone like your workplace, you might discover that they block the sites you want to visit on your personal time, like Facebook and YouTube.
In the meantime, it also makes sense to review your password policy.
I’ll admit my own culpability there: up till now, I’ve only had two passwords. I had one password that never changed, that I used for dozens of sites I didn’t consider that important; and I had another that I changed annually for sites that needed an extra level of “security”, like brokerage and bank accounts.
Needless to say, I’ve decided to fix that. My first change is to start using purely randomly generated passwords, making use of the full gamut of permitted characters (e.g. mixed case letters and special characters). I’m also using as long a password as each site allows (many allow passwords to be 15, 20, 40 or more characters). These measures are all designed to make my passwords harder to break.
The second change I’m making is that I’m assigning a different password for every single site I use. That ensures that if someone does break one of my passwords, they can only use it for one site, containing any possible damage they can cause.
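The first two changes above (full character set, maximum length, one password per site) are easy to do properly with a cryptographic random source, and the same arithmetic answers the earlier question of how long a guessing computer would need. Below is an added example, not code from the original post; the site names, their length limits and the guess rate are constructed assumptions.

```python
import math
import secrets
import string

# The full gamut: mixed-case letters, digits and punctuation (94 characters).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length, alphabet=FULL_ALPHABET):
    """Draw each character independently from the OS CSPRNG (secrets), so every
    string of this length over the alphabet is equally likely."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=FULL_ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def expected_crack_seconds(length, guesses_per_second, alphabet=FULL_ALPHABET):
    """Expected brute-force time at a given guess rate: half the keyspace."""
    keyspace = len(alphabet) ** length
    return keyspace / 2 / guesses_per_second


# Constructed example: assumed per-site maximum password lengths.
SITE_MAX_LENGTH = {"bank.example": 20, "blog.example": 40, "shop.example": 15}


def passwords_for_sites(site_limits):
    """One fresh random password per site, as long as that site permits."""
    return {site: generate_password(limit) for site, limit in site_limits.items()}


if __name__ == "__main__":
    for site, pw in passwords_for_sites(SITE_MAX_LENGTH).items():
        years = expected_crack_seconds(len(pw), 1e9) / (365 * 24 * 3600)
        print(f"{site}: {len(pw)} chars, {entropy_bits(len(pw)):.0f} bits, "
              f"~{years:.3g} years at 10^9 guesses/s")
```

Storing the output of passwords_for_sites anywhere but a password database (see below) defeats the point; the printed crack times assume a pure brute-force attacker, which is the worst case for the attacker and the best case for you.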
My third change: turn off all password caching in my web browsers, and remove the existing memorized passwords. This has always been a huge, gaping security hole, and one that should never be used in the first place.
You might think those sound like a big pain in the ass. While it is some extra effort, it’s a lot better than handing a fifteen year old Russian hacker unlimited access to my bank accounts, yanno?
And actually, it’s not that much of an inconvenience if you use one of the many specialized password database managers that are out there. I started using KeePass, which—now that I’ve got it set up—seems like a no-brainer. Look into it.
For years, you’ve gotten away with not putting any serious thought or effort into your internet security. Like the companies that run the world’s major web sites, you did the bare minimum, and, like an ostrich, buried your head in the sand.
That was then, but this is now. Armed with weapons like Firesheep, there are lots of ostrich hunters out there now. People who continue to keep their heads in the sand will soon be meat on the table.
Don’t be one of them. Start taking care of your shit.