A few months old, but still interesting: Why it’s a bad idea to use Facebook, Twitter & some other sites on public networks.

Gary LosHuertos describes what he could do with a free browser plug-in:

‘Around half an hour later, I’d collected somewhere between 20 and 40 identities. . . .I decided to send the users messages from their own accounts to warn them of their accounts’ exposure. I drafted a friendly, generic message that stated the location of the Starbucks, what the vulnerability was, and how to avoid it. I sent messages to around 20 people.’

-Gary LosHuertos, “Herding Firesheep in New York City“, Technology Sufficiently Advanced, October 27 2010.

 

Not a lot I can add here, please go read the original posts. It’s some fairly hair-raising stuff.

 

Addendum and further explanation at “Herding Firesheep: An Addendum“, Technology Sufficiently Advanced, November 4 2010. Original article repeated on CNNMoney, “Herding Firesheep in New York City“, December 16 2010.

I originally heard about this from Bruce Schneier’s July Cryptogram newsletter. I really recommend Schneier’s writings. While he sometimes gets into minute details, he always emphasizes that security starts with the user first.

LosHuertos pointed out the same thing in his blog post too; of the 20 people whose Facebook accounts he was able to sidejack and send them a warning message to them from their own account, four continued to ignore him. He could look at their account page, see that yes, the message that they were using an unsafe connection had been received, yet they continued to keep Facebook running in the background while they looked at other webpages too.

(If you haven’t read the article, Facebook keeps track of what else you are browsing on the internet while you have Facebook open. All that information is forwarded to Facebook servers over the network in unencrypted form. So the writer was able not only to see other users’ Facebook pages and send messages from those Facebook accounts but he was also able to see what other websites & specific web pages they were browsing.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s