Herding Firesheep in Starbucks





(CNNMoney.com) -- Gary LosHuertos is a New York City-based software engineer. A version of this essay first appeared in his blog, Technology Sufficiently Advanced.

There's been a lot of talk about Firesheep, a free Firefox extension that collects data broadcast over an unprotected Wi-Fi network without using SSL. You turn it on, and by default it collects cookies for Facebook, Twitter and 24 other sites. Then you can sidejack the account and gain access under the acquired identity.

This extension isn't shocking. If you're worth your weight as a developer, you've known this flaw has existed for a long time. But what about the rest of the world? What about the people who haven't heard about the newly accessible threat through their friends, or through Engadget or Slashdot?

I thought I'd spread the word and help some laymen out after work. There's a large Starbucks (SBUX, Fortune 500) near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep.

Less than one minute later, there were five or six identities sitting in the sidebar. Three of them were from Facebook.

This wasn't at all surprising. Firesheep isn't magical, and anyone that's been to a Starbucks knows that a lot of people mindlessly refresh Facebook while sipping their lattés. I thought I'd give it more time, so I listened to some music, talked to a few friends -- and, most importantly (and difficultly) did not navigate to anything sent over vanilla HTTP (including, of course, Facebook).

Aside from avoiding vulnerable services in the open, there isn't really any way for users to protect themselves from these attacks. While Firesheep runs within Firefox, all browsers are vulnerable to it. Logging on to https://www.facebook.com just redirects to an unsecured connection. And while a VPN would create a secure tunnel through the unprotected connection, most users don't have access to one.

The best thing to do is to log out of Facebook and Twitter when using one of these connections.

Half an hour later, I'd collected somewhere between 20 and 40 identities. Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their exposure. I drafted a friendly, generic message that stated the location of the Starbucks, what the vulnerability was, and how to avoid it. I sent messages to around 20 people.

I cleared the Firesheep sidebar, took off my headphones, and waited.

I heard one expletive muttered a few feet away, and wondered if my message was the cause. Over the next 15 minutes, I didn't hear anyone talk about what had happened -- and folks at Starbucks are usually not ones to keep their conversations private. However, what I did see happen was a sharp decline in the number of identities I was collecting when I restarted Firesheep.

This was relieving -- these people got the message. Hopefully they'll tell their friends. I cleared the sidebar once again, and after another 20 minutes of mindless conversation I saw five familiar names had returned to my herd.

This was puzzling. Didn't they receive the first message?

I logged into their accounts, and sure enough, they had. One of them was even on Amazon.com, which I had warned about in my first message.

I targeted him first: I opened up his Amazon (AMZN, Fortune 500) homepage, identified something he had recently looked at, and then sent him a "no, seriously" message on Facebook from his account -- including the fun fact about his music choices.

I cleared again the sidebar again and waited for 10 minutes. After I resumed Firesheep's collection, it appeared that he was gone. Yet the other four remained, persistently.

A compromised Facebook account doesn't just mean someone can view your photos, likes and wall posts. A compromised Facebook account gives someone access to an identity, from which they can perform social engineering attacks and potentially ruin relationships -- both out of boredom and for gain.

While much of this can be corrected, the time and energy it takes to do so is significant. Someone sending a fake message to one of your friends may not seem like a big deal, but someone sending a fake message to 500 of them is -- especially when that 500 may include colleagues, family, and clients.

So I didn't understand why my sheep were still grazing, unprotected. Perhaps, I reasoned, they thought the message was automatically generated and randomly targeted -- even though I'd mentioned their precise location. So, one last message was in order.

I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts: Really wasn't kidding about the insecurity thing. I won't send another message after this -- it's up to you to take your security seriously. You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool.

Twenty minutes passed, and all four were still actively using Facebook.

Again, I considered that they may not have received the second message, but after viewing their accounts it was clear that they had.

This is the most shocking thing about Internet security. Not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either of those.

What's absolutely incomprehensible is that after someone has been alerted to the danger -- from their own account! -- they would casually ignore the warning and continue about their day.

But, I kept my word and did not send another message. I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability.

On my way home, I considered what the experience meant about our society. No matter how many security measures we provide to the world, there will always be people who leave the door open, even after they've had an intruder. The weakest link in security has been, and always will be, the user's judgment.

Back at my apartment, I began to settle in -- only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover.