Firesheep, A Brief Insider.

David Pita

Firesheep is one of the newest plugins for Mozilla's Firefox and it's receiving widespread attention. IT Management departments are bracing for impact, so to speak, especially those with open public wireless networks. However, let's analyze Firesheep carefully so that we may understand the dangers.

Our preferences, shopping carts, and authentication data are stored on cookies which reside locally on our computers and are created by browsers as needed. These cookies are intended to reflect the aforementioned attributes of a single user on a per-website basis. Where am I going with this, you ask? Well, over an open unsecured and unencrypted wireless medium, all information exchanged between the access point and the clients are readable by anyone! With the proper knowledge, a user can easily intercept these packets and use them for malicious intents. This type of activity is known as "session hijacking" and it has been around for a while!

 Image by: Frank Sassone. © 2010 - Industry Tech Talk

So why are we hearing of Firesheep as if it's the next biggest threat to network security? The issue with Firesheep is that it now provides a convenient, easy to use graphical user interface (GUI) for session hijacking. With all requirements met Firesheep will allow a user to start sniffing the airwaves for cookies with a simple click of their mouse. There is a whole list of websites that are known for not offering any security after the authentication process which makes them ideal targets for hijacking.

Now for the more technically-inclined amongst our readers:

What are the requirements to run Firesheep?

Well it's not as easy as adding the plugin for Firefox, especially for Windows users. The main requirement is a wireless network card that supports monitor/promiscuous mode. An interface with this capability is able to receive all frames on the medium instead of the frames destined to itself. On a wired/switched network a node will only receive frames destined to itself since the switch will forward frames based on it's CAM table and each switch port is it's own collision domain. On a wireless medium, nodes are connected on more of a hub-type network, where all users are in the same collision domain and therefore all frames can be seen by all nodes.

A second requirement is WinPCAP (For Windows users), which is the Windows version of the unix library libpcap. Mac OS X brings a packet analyzer known as tcpdump which natively works with FireSheep. It's imperative that we understand that not all chipsets support promiscuous mode and that not all FireSheep installs will work effortlessly, or at all for that matter. However it is quite a powerful demonstration on how easy session hijacking is.

So this is FireSheep in a nutshell and, while it is alarming, it's nothing new. Hopefully this article gives you an understanding of the dangers pertaining to open wireless networks.