
Question

Case Project 9-7: Community Site Activity
The Information Security Community Site is an online companion to this textbook.
It contains a wide variety of tools, information, discussion boards, and
other features to assist learners. Go to community.cengage.com/infosec. Sign
in with the login name and password that you created in Chapter 1.
Unencrypted wireless data is a treasure trove for attackers, who can capture
virtually anything you transmit. Even if you visit a website that says it is protected,
often only the username and password are protected. Once you get
past the authentication, it reverts to unprotected transmissions. The website
then sends a cookie to your computer that your web browser uses for all
subsequent requests. If an attacker can get that cookie, called session hijacking
or “sidejacking,” then she can impersonate you and access your account.
Grabbing this cookie is fairly easy if you are on an unencrypted wireless
network.
To illustrate just how vulnerable one can be to session hijacking using a
WLAN, two researchers created Firesheep, a free open-source Firefox browser
extension. Anyone can install this add-on and then connect to an unencrypted
wireless network. If the person clicks “Start Capturing,” then when anyone on
the WLAN visits a site that is known by Firesheep, like Facebook, Twitter,
Amazon, Dropbox, WordPress, or Flickr, you will see his name and probably
his photo displayed. Double-click the name and you will be logged in as that
person to that account. Although the antidote is to use only WPA2 encrypted
WLAN sites, this is generally not possible in a public Wi-Fi hotspot.
Is this type of application illegal? Would the ability to hijack accounts violate
federal wiretapping laws? Would the creators of Firesheep be liable for prosecution?
Are the researchers making software that enables unauthorized access
to other users’ accounts with the intention of facilitating that crime? Or
because they are not actively engaged in committing a crime, should they not
be prosecuted? Post your thoughts about free speech, censorship, and privacy
over Firesheep on the discussion board.
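
The exposure the case project describes (login over HTTPS, then a session cookie travelling in cleartext) can be checked from the site owner's side. The following is an added example, not part of the textbook or the posted answer: it audits a recorded login flow for the header mistakes that leave a cookie readable on an open WLAN. The host `example.test`, the cookie name, the sample flows and the finding labels are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed capture: (url, request headers, response headers). Not real traffic.
WEAK_FLOW = [
    ("https://example.test/login", {},
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
      ("Location", "http://example.test/home")]),
    ("http://example.test/home", {"Cookie": "session=abc123"}, []),
]
HARDENED_FLOW = [
    ("https://example.test/login", {},
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
      ("Strict-Transport-Security", "max-age=31536000"),
      ("Location", "https://example.test/home")]),
    ("https://example.test/home", {"Cookie": "session=abc123"},
     [("Strict-Transport-Security", "max-age=31536000")]),
]

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (name, lower-cased attribute names)."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    return first.split("=", 1)[0], {p.split("=", 1)[0].lower() for p in rest if p}

def audit(flow):
    """Return (finding, detail, url) tuples; finding labels are this example's own."""
    findings = []
    for url, req, resp in flow:
        https = urlsplit(url).scheme == "https"
        # A cookie on a cleartext request is readable by anyone on an open WLAN.
        if not https and "Cookie" in req:
            for pair in req["Cookie"].split(";"):
                findings.append(("cookie-over-http", pair.split("=", 1)[0].strip(), url))
        hsts = False
        for key, value in resp:
            key = key.lower()
            if key == "set-cookie":
                name, attrs = cookie_attrs(value)
                if "secure" not in attrs:  # browser will also send it over http://
                    findings.append(("missing-secure", name, url))
            elif key == "location" and https and value.lower().startswith("http://"):
                findings.append(("https-to-http-redirect", value, url))
            elif key == "strict-transport-security":
                hsts = True
        if https and not hsts:
            findings.append(("no-hsts", "", url))
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_FLOW):
        print(finding)
```

The weak flow produces four findings, one per mistake; the hardened flow, which keeps every request on HTTPS and marks the cookie `Secure`, produces none.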

Explanation / Answer

=> Firesheep, in my opinion, should be removed from the internet because it's just too easy to go to any open Wi-Fi, connect to it, and
start gathering packets about all the other users on that network!
=> Firesheep was developed to prove a point, that websites just encrypt the login page and not the cookies, so in turn it is not illegal!
=> I tried using Firesheep myself and I was just in shock how easy it was to get into someone else's accounts, like Facebook or Twitter.
=> In my opinion the developers should not be liable for prosecution because they just created an add-on for Firefox.
The person who is using the application should be punished.
=> This type of application can kinda be considered a violation of federal wiretapping laws due to the fact that you can record
what other users on the network are doing, but the other persons connected to the open signal, so they took the risk of being hijacked.
Firesheep is a very bad application and should be removed from the internet.


Is the app illegal?   
=> No, no more so than any other packet-sniffing or penetration testing software already available.
=> The applications themselves aren’t the problem, the malicious or criminal intent of the user is.


Does the ability to hijack accounts violate federal wiretapping laws?   
=> Having the ability and/or software to hijack accounts in itself doesn’t violate the law (yet),
and most of the software capable of this has very legitimate uses in network security assessment.
=> Again, if you use it for illegal or unauthorized access (the same thing, actually), then you are in all probability
in violation of some federal law (or a bunch of them).

Would the creators be liable?
=> No, and if they were, they probably would have been charged by now.
=> They are no more liable for the illegal use of their product than the maker of bolt cutters would be if they were used to break into a bank.
=> Liability isn’t usually, and shouldn’t be, based simply on a product’s ability to cause harm if used improperly or illegally,
especially if it has legitimate and legal uses.

Are the researchers making the software with the intention of facilitating a crime?
=> I don’t believe they made it with the intention of it being used for illegal purposes, although at first I felt maybe they were ignorant
or at least a bit naïve in releasing the actual program code to the public.
=> After reading a bit more about it, I realized it’s no more or less a malicious program than others like Fern, Xirrus or Wireshark;
they all have legit and valuable uses, and it’s simply a matter of the end user having total responsibility for using the program
legally and ethically.
