Firesheep was released to an enthusiastic community this week, quickly becoming a Top 10 trending search term on Google (which is an amazing feat for anything, and astounding for a security tool). Firesheep lets ordinary browser jockeys become “hackers”, stealing the sessions of unsuspecting web application users through a simple point-and-click interface. Read the excellent and informative post from the developers here to learn more about Firesheep and, more importantly, what can be done to thwart it: http://codebutler.com/firesheep-a-day-later
Firesheep has hammered the point home – web security is not just about protecting login info – it’s also about protecting the session. Many have thought it was good enough to protect only login credentials. Countless apps use SSL to prevent userids and passwords from being stolen. Those same apps then revert to plain old HTTP for everything else, so the session cookie that stands in for those credentials travels in the clear on every later request, throwing away the benefit of end-to-end SSL exactly where the truly sensitive data is handled. I’ll bet the companies profiled in Firesheep are scrambling to address the problem and that IT organizations in general are figuring out just what they should tell their users about this phenomenon.
I’ll also bet many are missing a key point – these same session stealing attacks work on enterprise web and cloud applications. It’s not just social media applications like Facebook, Twitter, etc. that are open to session stealing à la Firesheep. Think of the implications of modifying Firesheep to steal sessions from the company’s financial, HR, sales, legal and other applications that house truly sensitive data. Seeing someone’s Facebook page is cool (don’t most users ignore the privacy settings and show everything anyway?), but seeing what your manager is secretly punching into the HR system to determine your fate at work is even more interesting, isn’t it? Or, covertly following a competitor into a coffee shop and monitoring their activities as they update sales forecasts and prospects, giving the electronic peeping tom a key advantage.
Call the attacks what you want – session stealing, sidejacking, session mirroring or session hijacking – sessions that access sensitive data must be adequately protected. Session protection is a PCI DSS requirement, and a PCI audit would flag affected apps as vulnerable. Do you know whether your other critical enterprise apps are open to session stealing?
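The question above (and the login-only SSL pattern described two paragraphs earlier) can be answered mechanically for any app you own: look at what the app sets in its session cookie and whether it pins browsers to HTTPS. The following is an added example, not code from the original post or from the Firesheep project; the header values, the hostname app.example and the cookie-name hints are all constructed. It parses Set-Cookie headers with Python’s standard library, flags session cookies that a browser would send over plain HTTP, and shows the weak configuration next to the hardened one.

```python
"""Check whether an application's session cookies would leak over plain HTTP.

Added example; the header values below are constructed, not taken from any
real application named in the post.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: an app that serves its login form over SSL but then
# drops back to HTTP and sets a session cookie without the Secure attribute.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
]

# Constructed sample: the same app after fixing the cookie attributes and
# telling browsers to stay on HTTPS (HSTS).
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Name fragments that usually indicate a session or auth cookie (assumption:
# adjust these to the naming your framework actually uses).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into {cookie_name: Morsel}."""
    jar = SimpleCookie()
    jar.load(value)
    return dict(jar)


def browser_would_send(morsel, request_url):
    """Model the one browser rule that matters for sidejacking: a cookie
    marked Secure is attached only to https:// requests; any other cookie
    goes out in the clear on http:// as well."""
    if morsel["secure"]:
        return urlsplit(request_url).scheme == "https"
    return True


def audit_session_cookies(headers):
    """Return (cookie_name, issue) findings for session cookies that a
    passive sniffer on the same network could capture."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        for cname, morsel in parse_set_cookie(value).items():
            if not any(h in cname.lower() for h in SESSION_NAME_HINTS):
                continue
            if not morsel["secure"]:
                findings.append((cname, "missing-secure"))
            if not morsel["httponly"]:
                findings.append((cname, "missing-httponly"))
    if not has_hsts:
        # Without HSTS the user can still be steered to http:// first, where
        # a non-Secure cookie (or a downgraded session) is exposed.
        findings.append(("*", "missing-hsts"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_session_cookies(hdrs) or "no findings")
    weak = parse_set_cookie(WEAK_HEADERS[1][1])["SESSIONID"]
    print("weak cookie sent over http:", browser_would_send(weak, "http://app.example/hr"))
```

Point `audit_session_cookies` at the response headers your own login and post-login pages return (from a browser’s network tab or a server-side capture). A `missing-secure` finding on a session cookie is the Firesheep condition: the cookie rides along on any plain HTTP request to the same host, and anyone on the same network segment can read it. Note that `browser_would_send` models only the Secure rule, not domain or path matching, which is enough to show why the weak cookie leaks and the hardened one does not.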
Don’t miss the point. Look beyond the default apps named in Firesheep and ensure that your critical apps are protected against session-based attacks. And talk to your developers, architects, vendors and trusted advisors about the options for protecting your organization’s most sensitive data.