Life In The Time Of FireSheep

A couple of weeks ago at Toorcon, security researcher Eric Butler released a curious new plug-in for the popular Firefox web browser. Known as FireSheep, this plug-in allows even an unskilled person to monitor traffic on an open wifi network. It further allows its users to capture the login data exposed as the web browsers of other people on that WLAN perform logins to sites like Facebook, Twitter, FourSquare, etc.

I won’t go into how it works since others have done a nice job of that already. Suffice it to say that this is scary stuff given how common it is for people to use open wifi networks at public places, usually without giving it a second thought.

FireSheep was not intended as a tool for criminal or malicious activity. Its release was intended to expose a security issue in the way web browsers handle cookies arising from login. While the login process itself is secure, the handling of the resulting cookies usually is not.

Whatever the intent, it’s certain that some less scrupulous people will use it or the lessons learned from it for illicit purposes such as identity theft.

Nerd Uno Dishes Out Advice on SIP Security

Ward Mundy over at Nerd Vittles has a great post today about SIP security. It’s entitled The Incredible PBX: Adding Remotes, Preserving Security. If you run an Asterisk-based PBX you should probably read this. Now!

Ward’s advice really rings true (sorry for the telecom geek pun, it couldn’t be helped!). His “Baker’s Dozen SIP Security Checklist” makes perfect sense. That doesn’t mean that I can’t add my own two cents.
