Several months ago I wrote an entry about Facebook Security; if you haven't read it, I suggest you do. As the security whiz that I am, it's my duty to get the word out about a new feature Facebook quietly rolled out that you need to be aware of.
First off, a very common user behavior has been exploited to the max and I bet you were not aware of it. Look up at the browser address bar and you will see this site is http://binaryblogger.com, an open, unencrypted connection. That's perfectly fine here, because you are not transmitting anything sensitive to me and I am not transmitting anything sensitive to you. Your bank and other financial institutions use https://www.yourbank.com, an encrypted connection that an eavesdropper on the same network cannot read.
There is an extension for the Firefox browser called Firesheep that was released to expose the dangers of browsing over unencrypted HTTP. It primarily targets Facebook, Flickr, and other highly popular social networking sites that do not require HTTPS. In fact, many of these sites will still serve the same pages if you change the address to https; they just don't force you to.
What Firesheep does is sniff the network it's on and capture the session cookies each user's browser sends in its plaintext HTTP requests. Then, with a click, it can log in to the unsecured site as that user, no password required. That's it. So if you are browsing Facebook in a coffee shop on its WiFi, one person at the next table could be grabbing your cookie info, logging in as you and seeing everything you see. It's very powerful and very scary if you think about it, but that's what the creators of Firesheep wanted: for you to think about it.
FYI – If you find Firesheep and use it against other people's sessions on a network you don't own, it is illegal. You have been warned.
But to stop Firesheep and other sniffers there is a very simple solution: access sites over HTTPS. Here's how to force Facebook to always go through HTTPS. This is something I highly recommend you do.
– Go into your Account Settings in Facebook.
– Right on the main tab, about 3/4 of the way down, you will see Account Security. Click Change on that line and you will see something like this.
– Just check the box and you are protected, at least on Facebook. The setting does nothing for any other site you browse over plain HTTP, so look for the same option wherever it's offered.
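To make the two halves of this concrete, here is an added example (not code from the original post and not Firesheep's own code) that shows what a passive sniffer sees in a plaintext HTTP request and what a site operator has to get right for the HTTPS fix above to hold. The captured request, the host name and the cookie names (sid, user) are constructed for illustration. The user-side fix in the post is forcing HTTPS; on the site side, the session cookie must carry the Secure attribute so the browser never sends it over plain HTTP at all, otherwise one stray http:// link leaks it right back onto the wire.

```python
"""Session-cookie sniffing and the Set-Cookie check that defeats it.

Added example for illustration only. The request and cookie names below are
constructed; they do not come from any real site or from Firesheep.
"""

# Constructed plaintext HTTP request, exactly as it would cross an open WiFi
# network. Over HTTPS this entire block is encrypted and a sniffer sees none of it.
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: www.example-social.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: tracking=abc123; sid=7f3a9c; user=1001; locale=en_US\r\n"
    "\r\n"
)

# Hypothetical names of the cookies that identify a logged-in session.
# A Firesheep-style site handler carries a short list like this per site.
SESSION_COOKIES = {"sid", "user"}


def extract_cookies(raw_request: str) -> dict:
    """Parse the Cookie header out of a raw HTTP/1.1 request into a dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def hijackable_session(raw_request: str, session_names=SESSION_COOKIES) -> dict:
    """Return only the cookies an attacker needs to replay the victim's session."""
    cookies = extract_cookies(raw_request)
    return {k: v for k, v in cookies.items() if k in session_names}


def build_replay_header(session: dict) -> str:
    """The Cookie header the attacker's browser sends to become the victim.

    No password is involved: the server trusts the cookie values alone.
    """
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in sorted(session.items()))


# --- the operator side: a session cookie must never travel over plain HTTP ---

def check_set_cookie(header_value: str) -> list:
    """Flag a Set-Cookie header missing the attributes that block this attack.

    Secure stops the browser from sending the cookie over http://, which is
    what makes sniffing useless even if the user clicks a plain-HTTP link.
    HttpOnly keeps the value away from injected script.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=")[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script")
    return findings


if __name__ == "__main__":
    session = hijackable_session(CAPTURED_REQUEST)
    print("sniffed session cookies:", session)
    print("attacker replays:", build_replay_header(session))
    for hdr in ("sid=7f3a9c; Path=/; Domain=.example-social.com",
                "sid=7f3a9c; Path=/; Secure; HttpOnly"):
        print(hdr, "->", check_set_cookie(hdr) or "ok")
```

Run it and the first Set-Cookie line is flagged twice while the second passes; that second form, combined with the site redirecting http:// to https://, is what makes "check the box" a real protection rather than a best effort.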
Most security is very simple to implement. Getting people to act on it is the difficult part.
End of Line
Twitter – @binaryblogger
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.