A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others’ access to Facebook, Twitter and a host of other services, a security researcher warned today.

The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which took place Oct. 22-24 in San Diego.

Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.

Although it’s common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

With a user’s cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook,Twitter, Flickr, bit.ly, Google and Amazon.

New Firefox add-on hijacks Facebook, Twitter sessions

It still requires some know-how to use the extension properly.  However, it does highlight the need for proper wireless security practices.

• Avoid the use of unsecured public wireless networks.
• If you do have to use a public wireless hotspot, seriously consider the use of a VPN (Virtual Private Network) to encrypt all traffic between your computer and the internet. Many paid and free VPN options exist.
• Use certain additional Firefox extensions to protect your surfing sessions. This will not work with Internet Explorer or Google Chrome

Feel free to contact us if you need assistance in evaluating your wireless security setup.

You can find the following new features added to Ubuntu 10.10.

• A revamped installer. Now you can continue performing other installation tasks while the installer is copying files to your machine.
• A redesigned "Software Center" which allows a user to search for, and install applications in Ubuntu. This is far more intuitive and user friendly than its previous version.
• A new image management software – Shotwell has been included in place of F-Spot, which was used in 10.04.
• Ubuntu 10.10 Netbook Edition now sports a new interface called Unity. This interface arranges all the commonly used applications in a launcher on the left side of the screen. 
• Ubuntu 10.10 has full multi-touch support. This means, if you own a tablet on similar lines as Apple’s iPad, you can install Ubuntu Netbook Edition on it, and it will respond to your touches and gestures.

Ubuntu 10.10 Unveiled – Supports Multi-Touch

Mozilla has issued a warning that its popular Firefox browser contains a critical vulnerability that is being actively exploited by cybercriminals to distribute malware.

The vulnerability, which was previously unknown, is said to affect versions 3.5 and 3.6 of Firefox.

Security firm Norman reported that the Nobel Peace Prize website was distributing a Trojan horse via the exploit yesterday, although it’s obviously possible that other websites may also be serving up the vulnerability in an attempt to infect visiting users.

Sophos is issuing protection against the malware as Troj/Belmoo-A.

Mozilla says it is working on a fix, but in the meantime Firefox users might be wise to turn JavaScript off and use the popular NoScript addon.

Firefox hit by critical zero-day vulnerability

You may have seen some headlines today about a New Java Trojan that attacks Macs. It turns out that it also attacks Windows and Linux users as well. The Trojan pretends to be a video on Facebook. A user gets a message asking “is this you in this video” with a link. Upon clicking the link the user is prompted to install software. At this point an educated user should suspect that there is something wrong. It is not usual to need to install software to view a video. An educated user would abort and avoid infection.

…

It doesn’t matter if you have a Mac, Windows, or Linux computer, you will be attacked by cybercriminals and it is your good judgment that will afford you the most protection. Education is the equalizer in the fight against malicious software and cybercrime. The more you learn about safe Internet behaviors the better protected you will be. Your computer is the vehicle, don’t drive it into a brick wall.

Your Computer Won’t Protect You

Third-party ads are the cause of a lot of problems. It does not matter how legitimate a site is, as long as it is referencing dynamic ads, it can expose its users to malware.

I usually never click on “Sponsored links” as I’m most likely not interested in such or such product. But a lot of people do because those links are relevant to the article (or the search). For every click, the website hosting the ad will receive some money, and more if the user “converts” (the user ends up buying whatever was promoted).

As a general rule, I would advise never to click on “Sponsored links” or ads that you see on a website. There is big debate about marketing: Does it fulfill a need people already had and never knew or does it create a need that never existed? I believe in the latter.

Then again, you may click on one by accident!

PCWorld links to scareware

The user ID is the number associated with every user on the site. Before Facebook allowed customized URLs for profile pages, it was easy for anyone to find this number. The user ID is not a private part of a person’s Facebook profile. Knowing someone’s UID will only grant access to the information that user has set to share with “everyone,” which is usually very basic pieces of data like pictures, hometown, age, job, musical preferences, etc. However, when given in bulk, these numbers can provide a database of track-able information to advertisers.

Facebook’s Mike Vernal publicly responded to the controversy on the company’s developer blog, claiming that many publishers have, in fact, violated its privacy policy by sharing UIDs with ad networks, but added that most companies “did not intend to pass this information, but did so because of the technical details of how browsers work.”

Major Facebook apps have been leaking user IDs, including Farmville

For the past 70 years, the Social Security number has become our de facto national ID. The numbers were first issued in the 1930s to track income for Social Security benefits. But functionality creep, which occurs when an item, process, or procedure ends up serving a purpose that it was never intended to perform, soon took effect.

Here we are, decades later, and the Social Security number has become the key to the kingdom. You’re forced to disclose your Social Security number regularly, and it appears in hundreds or even thousands of files, records, and databases, accessible to an untold number of people.

What’s the danger of it getting into the wrong hands? Anyone who does access your Social Security number can use it to impersonate you in a hospital, bank, or just about anywhere else.

Top Ten Dangerous Places to Leave Your Social Security Number

Tips to protect your Social Security number:

1. In honor of National Protect Your Identity Week (October 17-23, 2010), check your credit report this week using a reputable firm such as, Experian, and set reminders every three months to review it again.

2. You can refuse to provide your Social Security number.

3. Invest in an identity protection service. Because there are times you cannot withhold your Social Security number, an identity protection service can monitor your bank information and your personal ID.  McAfee® Identity Protection (CounterIdentityTheft.com) will alert you, help prevent loss of personal information, allows unlimited checks of your credit, credit monitoring, scanning of the internet and identity fraud resolution.

4. Securely dispose of mail. The standard advice is to thoroughly shred preapproved credit card offers and anything that includes any account information. While this is good advice and should be heeded, it’s not going to protect you when your bank or mortgage company or utility provider tosses your information in a dumpster that is subsequently raided by identity thieves.

5. Opt out of junk mail and preapproved credit card offers. This is good advice and can be done at OptOutPrescreen.com. However, even if you opt out of new offers, others will still arrive. It’s inevitable. You also need to get a locking mailbox, but that still won’t fully protect you.

6. Lock down your PC. McAfee Total Protection™ software is the most comprehensive security tool to protect your computers data.

You can refuse to give out your Social Security number, but businesses requesting it can then erect a number of hurdles to make it more difficult to obtain the service you are seeking.

It apparently masquerades as a media player for porn:

Be careful with downloading apps, especially through the Android Market, where many of these fake programs reside.

Gmail’s support site has a security checklist that’s useful if you want to make sure that your Gmail account is secure. There are some obvious tips like updating your operating system and your browser, but Google also posted some advanced tricks

Gmail’s Security Checklist

In simple terms, Cloud computer [sic] refers to having programs and data reside on an outside network device instead of permanently on your local hard drive. In theory it turns your browser into a flexible smart terminal and the main program you execute. The program you run and data you store is somewhere else on the planet similar to the old concept of a main frame.

What on Earth is Cloud Computing

Check out Bill’s posts and his great HIPS program WinPatrol!