Re: FireSheep

Having recently spent way too much time in an airport snarfing stuff out of the air, I think that the existence of a tool has no bearing on a vulnerability getting fixed when people will go against sanity and do everything they can to bypass security to get something done.

I'm sure others have noticed it as well, I'm calling it the facebook problem.

The two biggest threats to IT security and consumer level privacy in my mind right now are apathy and facebook. Lax security due to overworked/underpaid admins is an old problem that we understand. The insatiable desire for facebook access is something new.

People will violate any number of common sense rules about security in order to get their facebook fix. They will connect to any network they can (playing with Karma, almost always the first link they check is facebook) be it wired or wireless and try to get internet access. I've seen people unplug medical equipment from the wall to try and plug in and get access. On the wireless side they will connect to networks that are obviously meant for sensitive equipment and start pounding around the network, disrupting god only knows what.

I think that the issue is that we still undervalue crypto in the marketplace. I'm curious why major sites dont automatically force ssl connections for the whole session, rather than some lame attempt at logon. (I know the reason is bandwidth and CPU overhead, but still). However that can still be overridden with the 'click yes until tits' problem we all have seen.

Only by racheting up the noise we make about this sort of issue can we reach the common man. Slapping a GUI and some nice graphics makes it media friendly is one way to do that but when the CLI tool and underlying flaw are there for years, it's closing the barn door after the horse escaped.

</RANT>

Re: FireSheep

Slapping on a GUI to grab interest is older than that. Lopht Heavy Industries made a point of that back in Defcon 5 with their tool "Lopht Crack" to attack encrypted passwords sent over the wire between clients running on microsoft OS desktop machines trying to authenticate against microsoft OS server machines. In that presentation, Hobbit/Mudge said they mad a CLI tool that would do this, and showed it to the media, but they were not interested in covering their story.However, after they added a GUI, suddenly, it was newsworthy. The response from Microsoft took a while, but they made it possible for IT people to disable compatibility with other products, and force upgrade to a newer product, if network admins wanted to make it harder to crack credentials across the wire. That alone did not cause Microsoft to be more security conscious. Many failure like this one over many years which caused people's general opinion of their product to change, all contributed to Microsoft becoming more interested in designing products with security earlier instead of later.

It and many other cases highlight the history of security and business practices. Corporations take action based on what is perceived to be profitable. Expending money to fix a problem that is "not yet in the wild" has historically been viewed as a waste of resources because, "it isn't a problem for our customers yet." We say this is, "short sighted," because of our own experience. For them, there is little interest is fixing something that is not perceived as an issue. When an attack is finally made newsworthy enough for mainstream news to carry it, the public is made aware of it, and demonstrations show how "easy" it is to use. Then enough customers of the product are interested in the risk, which makes the corporation interested in the risk, leading to a fix, or claims of a fix.

Microsoft, as a whole, did a really good job of changing this. Back in the 90's, there were many gaping holes in many of their products, and these were published in the media, devaluing Microsoft's reputation as being able to build something that would not fall over when someone sneezed. Now, they have very good hardware detection, and their OS is much more stable than it once was. Their OS has many security features and controls. They have taken an approach to encourage automatic updates over the Internet, and tend to publish updates fairly quickly compared to other vendors. Many popular attacks today come as a result of users choosing to visit malicious sites which take advantage of web browser plugins, or enhancements (javascript, css, flash, acrobat reader, etc) or user failures to actually choose to download and run a binary file. Microsoft is not perfect, and there are issues they seem to ignore, or not make priorities for months, and then finally produce an update, but they have improved a great deal over the past 15 years.

Counter to Microsoft I offer Adobe with their Acrobat Reader, and flash plugins. Over the past 2 years (or longer) Adobe has been in the spotlight of security fail with these two products an awful lot. They have not learned the cost of failing to address security concerns from the core. Instead, they wait for someone to have an exploit, and "fix" against that exploit, which is later found to not be a fundamental fix, and is bypassed to allow a variation of the original attack to work. Why don't they learn like Microsoft did? What is Adobe's competition right now? Who will their customers turn to instead of Adobe for flash-like content satisfaction for watching things like hulu or other video, or sites that are stupidly written to only work with flash?

Shaming vendors into fixing their broken junk can work when the vendor perceives an immediate or future risk to lost profits. When there is little or no competition in the sector of the market a vendor owns, shame is not guaranteed to motivate a vendor to re-evaluate security in their product.

Now consider the history of social networks. The public is fickle. What is popular today is not what is popular tomorrow. Wise vendors of social network products will understand this about the public, and how quickly they can move away from your service. We also know there is still competition with these social networks.

I predict that tools like this getting publicity in mainstream news will shame these social networks like facebook, and other social networking sites to address this specific concern. However, it will likely take many of these failures, and a growing perception from the public at large that information and access that they want to keep safe is at risk because the product they use is fundamentally defective, and the processes designed to deliver enhancements to the product are also defective, before social network businesses will change their requirements and focus on security early in the design process.

These sites will have to evaluate the cost of paying for crypto for all user sessions that act on authorization with credential transmission or require authentication with credentials. Those that push this burden to their customers being educated enough to "only use secure networks" and "be security minded" will fail to see how customer education is not required for customers to complain strongly to their friends and family about how the vendor failed with vendor security; who as a consumer wants to admit they made a mistake by using an untrusted wireless network, or an open network with no encryption? If, "uneducated," how will they even be aware they are on an unecrypted/untrusted wireless network? Will then vendor choose to blame the victim, something which tends to cause people to identify with the victim more than the, "big old mean corporation?"

Firesheep is one of many bricks in the wall that consumers will build as a hurdle for businesses to jump or customers will divorce themselves from products that fail to deliver what consumers want. If more bricks are not added at regular frequency, the wall will not be built, but be eroded with time as people forget.