The press and blogosphere seem to have quieted down lately regarding the Firesheep exploit. However, the downloads continue to grow and now exceed 850,000. To recall, Firesheep is a Firefox plug-in that takes advantage of an exposure that was already there: a browser talking to a web server over unencrypted HTTP sends its session cookie in the clear, and anyone on the same network (an open Wi-Fi hotspot, for example) can capture that cookie and replay it to be logged in as that user. The plug-in just expanded the base of attackers from a few highly skilled wrongdoers to hundreds of thousands of problem makers ranging from curiosity seekers to mischief makers to thieves. Facebook got most of the press, but it is by far not the only site exposed, and the implications could affect any business.
A security evaluation should consider the impact both from the perspective of a user of a service and from that of a provider of a service. If your employees use any of the affected services for business purposes, they need to take precautions to avoid a hijacked account. For example, your support organization could be monitoring Twitter for issues, or your marketing department broadcasting messages or specials on a Facebook page. Imagine the impact to a company's reputation, as well as the wasted resources, if a company account were misappropriated and vandalized. There are a number of methods that any employee who manages an account for the company should understand and acknowledge (at a minimum: not using such accounts from an open or shared network without a VPN, and using the https:// version of a service wherever it offers one).
For companies providing a service, you need to look beyond the e-commerce sites or employee web apps which may already have proper SSL encryption. Secondary sites like forums and blogs could easily be exposed to Firesheep, and the consequences could be significant. For example, one of the ready-made targets of Firesheep is the popular WordPress blog platform; with Firesheep it is now simple for anyone to hijack the account of any author who happens to be logged in over a public network. A defaced company blog is not something you want to explain away as a secondary site.
One solution that does not require any configuration changes to a WordPress site is simply to put a NetScaler VPX virtual appliance in front of it as a TLS-terminating reverse proxy, so the leg between the browser and the site is encrypted. For low-traffic sites this may cost nothing but the resources of a VM. A step by step guide is available here. Whatever front end you use, verify the result rather than assume it: plain http:// requests to the site must be redirected to https://, and the login cookies must reach the browser with the Secure attribute, because a cookie the browser is still willing to send over an http:// URL is exactly what Firesheep captures.
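The following is an added example, not code from the original post, from Firesheep, or from the NetScaler guide. It is a small offline audit that looks at captured request/response pairs the way a passive sniffer on the same network segment would, and flags the conditions Firesheep relies on: a session cookie travelling in a plain-HTTP request, a session cookie issued without the Secure (or HttpOnly) attribute, and a plain-HTTP request that is served rather than redirected to HTTPS. The WordPress cookie-name prefixes (wordpress_logged_in_, wordpress_sec_) are the real ones; the host name, hash, cookie values and the two traffic samples (before and after a TLS-terminating front end) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Real WordPress auth-cookie prefixes plus common session-cookie conventions.
SESSION_COOKIE_PATTERNS = [
    re.compile(r"^wordpress_logged_in_", re.I),
    re.compile(r"^wordpress_sec_", re.I),
    re.compile(r"^wordpress_[0-9a-f]{32}$", re.I),
    re.compile(r"^PHPSESSID$", re.I),
    re.compile(r"sess", re.I),
]


@dataclass
class Exchange:
    """One request/response pair as a passive sniffer on the segment sees it."""
    scheme: str               # "http" or "https" on the wire
    host: str
    request_headers: dict     # name -> value (only Cookie is inspected)
    status: int
    response_headers: list    # [(name, value), ...]; Set-Cookie may repeat


def is_session_cookie(name):
    return any(p.search(name) for p in SESSION_COOKIE_PATTERNS)


def cookie_names(cookie_header):
    """'a=1; b=2' -> ['a', 'b']."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            names.append(part.split("=", 1)[0].strip())
    return names


def parse_set_cookie(value):
    """One Set-Cookie value -> (cookie name, set of lower-case attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(exchanges):
    """Return findings (strings); an empty list means nothing Firesheep can use."""
    findings = []
    for ex in exchanges:
        # 1. Session cookie travelling in a plain-HTTP request: readable by
        #    anyone on the network segment, and replayable as-is.
        for name in cookie_names(ex.request_headers.get("Cookie", "")):
            if ex.scheme == "http" and is_session_cookie(name):
                findings.append(f"{ex.host}: session cookie {name} sent over plain HTTP")

        # 2. Session cookie issued without Secure (the browser will keep
        #    sending it over http://) or without HttpOnly.
        for hname, hval in ex.response_headers:
            if hname.lower() != "set-cookie":
                continue
            cname, attrs = parse_set_cookie(hval)
            if not is_session_cookie(cname):
                continue
            if "secure" not in attrs:
                findings.append(f"{ex.host}: Set-Cookie {cname} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"{ex.host}: Set-Cookie {cname} lacks HttpOnly")

        # 3. A plain-HTTP request that is served instead of bounced to HTTPS
        #    means the front end is not forcing encryption for this site.
        if ex.scheme == "http":
            location = next((v for n, v in ex.response_headers
                             if n.lower() == "location"), "")
            if not (300 <= ex.status < 400 and location.startswith("https://")):
                findings.append(
                    f"{ex.host}: plain HTTP {ex.status} response instead of a redirect to https://")
    return findings


# Constructed traffic for a blog author on an open Wi-Fi network. The host,
# hash and cookie values are made up; the cookie names follow WordPress.
HASH = "0123456789abcdef0123456789abcdef"
LOGGED_IN = f"wordpress_logged_in_{HASH}"
SEC = f"wordpress_sec_{HASH}"
HOST = "blog.example.com"

BEFORE = [  # WordPress served directly over HTTP
    Exchange("http", HOST, {}, 302,
             [("Location", f"http://{HOST}/wp-admin/"),
              ("Set-Cookie", f"{LOGGED_IN}=author|1300000000|c0ffee; path=/; httponly")]),
    Exchange("http", HOST,
             {"Cookie": f"{LOGGED_IN}=author|1300000000|c0ffee; wp-settings-time-1=1300000000"},
             200, [("Content-Type", "text/html")]),
]

AFTER = [  # same site behind a TLS-terminating front end
    Exchange("http", HOST, {}, 301, [("Location", f"https://{HOST}/")]),
    Exchange("https", HOST, {}, 302,
             [("Location", f"https://{HOST}/wp-admin/"),
              ("Set-Cookie", f"{LOGGED_IN}=author|1300000000|c0ffee; path=/; secure; httponly"),
              ("Set-Cookie", f"{SEC}=author|1300000000|c0ffee; path=/wp-admin; secure; httponly")]),
    Exchange("https", HOST,
             {"Cookie": f"{LOGGED_IN}=author|1300000000|c0ffee; {SEC}=author|1300000000|c0ffee"},
             200, [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for label, traffic in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(audit(traffic))} finding(s)")
        for f in audit(traffic):
            print("  " + f)
```

Run against the constructed samples, the direct-HTTP traffic produces four findings (cookie in the clear, cookie set without Secure, and two plain-HTTP responses that were served instead of redirected) and the fronted traffic produces none. To use it on a real site, fill the Exchange records from a capture taken on the same open network the authors use; the third check is the one that tells you whether the front end is actually forcing HTTPS rather than merely offering it.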
If you haven't done your Firesheep security audit yet, add it to the list. The problem has not gone away.