Firesheep Add-on Underscores Dangers of Unprotected Wireless Networks


You might have already heard about the Firesheep add-on for the Mozilla Web browser, which was released onto the Internet less than two weeks ago. Written by freelance Web application developer Eric Butler, the extension software looks for users who access certain social-networking sites such as Facebook and Twitter over an unprotected wireless network.


Once found, Web sessions of recognized sites are listed in a handy sidebar, where a double-click of the mouse is all it takes for the intruder to take over. Depending on actual security controls in place, the hacker might even go ahead to cement his hijack by changing the login password.


An Unprotected Wireless Network is Spelled Insecure'


It must be made clear that there is nothing revolutionary or even particularly clever about Firesheep. The free software essentially tunes in on unencrypted data streams to track down the relevant session cookies and data for its work. While conveniently disregarded, it is a known fact that unprotected wireless networks broadcast network data "in the clear." This makes it easy to intercept and view such traffic.


More concerning though, is that the software, which is hosted directly on the author's page, has been downloaded more than 500,000 times since it was released. As you can imagine, the tool makes it possible for novices to try their hand at intercepting the social-networking sessions of unwitting victims, at the same time tempting them to explore other tools that tap into the rich data stream of places with free (and unprotected) wireless connections.


Ultimately, there is greatly increased awareness of the security risks inherent to an unprotected wireless access point, exactly what Butler wanted to achieve when he created Firesheep.


Unclear Legal Grounds


For now, the legal implications of a busybody using Firesheep at the local Starbucks cafe remain unclear. Speaking to Computerworld, Phil Malone, who is a clinical professor of law at Harvard Law School professed, "I honestly don't know the answer." There appears to be two different schools of thoughts on this matter: One holds that accessing the Internet at an insecure hotspot is tantamount to making one's electronic communication readily accessible to the public, effectively rendering the argument of illegal interception a moot point.


The counter argument is that users accessing their social-networking accounts on an unprotected wireless network have an expectation that their use is being governed by the privacy policy of that network. Regardless of where you stand though, experts agree that the entire situation represents a legal issue that has no precedent.


What Can SMBs Do?


Regardless of the legal side of things, I do not want strangers taking over any of my social-networking accounts or even passively sniffing at my Web and e-mail data. Fortunately, there are a number of steps that small and mid-sized businesses can take to protect employees from unwittingly divulging company secrets.


I shall cover some of these suggestions in my next blog