Monday, November 01, 2010

GreenBkk Tech | Using Wi-Fi? Firesheep may endanger your security

Using Wi-Fi? Firesheep may endanger your security

"Most internet users hear -- and dismiss -- warnings about security problems on open Wi-Fi networks," says Amy Gahran.
"Most internet users hear -- and dismiss -- warnings about security problems on open Wi-Fi networks," says Amy Gahran.

I'm sitting in a coffee shop. At a table against the opposite wall is a guy named Michael C. I've never seen him before. However, I know his name (including his last name, which I'm deliberately not saying here) because right now we're using the same Wi-Fi network and he's logged in to his Facebook and Google accounts.

This means I'm also logged into his Facebook and Google accounts, although he probably doesn't know that. If I chose to, right now I could read and delete his private messages -- or send out messages from his accounts. I could even edit his account profiles, alter his privacy settings or forward all his mail somewhere else.

He's very lucky I'm not that kind of person. But rest assured, there are plenty of malicious, mean or merely curious or clumsy Web surfers out there who are now using a new Firefox extension called Firesheep to "sidejack" into the online accounts of nearby internet users.

Most internet users hear -- and dismiss -- warnings about security problems on open Wi-Fi networks. The advent of Firesheep, coupled with the booming popularity of account-based online services such as Twitter, means that no one can afford to continue to ignore online security.

According to Webopedia, sidejacking is "the malicious act of hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server. Typically, SideJacking is most common on sites that require authentication through a username and password, such as online Web mail accounts as well as social networking sites."

If you go online via open Wi-Fi networks (such as at cafes, libraries, schools, hotels, conference centers and more), Firesheep has made this a far riskier choice.

This is true even for networks that are password-protected. If you're on the same network with a Firesheep user or other sidejacker, you're at risk. Period.

Here's what I've learned about Firesheep, and how you might be able to protect yourself against it -- and sidejacking.

Eric Butler, the Seattle, Washington-based programmer who created Firesheep, claims that he did this not to put internet users at risk, but to prove a point.

"It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else," Butler wrote. "[Firesheep is] designed to demonstrate just how serious this problem is."

Despite these intentions, the reality is that Firesheep is remarkably easy for any user of the popular free web browser Firefox to download, install and use. Sidejacking once was primarily the domain of skilled hackers, but Firesheep is a sidejacking tool for the masses -- a dangerous one.

I'd heard about Firesheep on Marketplace Tech Report and then saw that tech sites and bloggers have been posting advice on how to protect yourself from Firesheep.

I travel a lot, so I often use open Wi-Fi networks. Therefore, I immediately took a few minutes to implement some of the security measures mentioned by TUAW, ZDnet and TechCrunch.

To check whether these measures were indeed helping me protect myself, I downloaded and installed Firesheep. (It allows you to spy on yourself as well as fellow network users.)

When you install Firesheep, it requests the admin password for your computer, because this software needs modify how your computer's network card interacts with network traffic. If entering your password concerns you, don't install Firesheep.

Once I installed Firesheep, I was able to open a sidebar in Firefox and tell it to "start capturing" data. Slowly, the sidebar starts to fill with icons, usernames, and service names (Google, Facebook, Yahoo, etc.) from other current users on your Wi-Fi network.

If you click on one of these users, Firesheep automatically logs you into that account as that user. So as far as Facebook, etc., is concerned, you have become that other user -- and can do anything they can do with their account.

I did click on one Facebook user, just to confirm that I was indeed logged in as her. Having verified that, I logged out of her account. Afterward, I noticed that I could no longer log into my own Facebook account via Firefox. Clearing my browser cache and all cookies, then restarting Firefox, fixed that login problem.

I don't generally use Twitter via the Twitter web site. Rather, I use the third-party software TweetDeck. As far as I could tell, Firesheep only detects network traffic that passes through web browsers. When I had TweetDeck running, my Twitter account did not show up in Firesheep.

Also, Firesheep appears to focus on a defined list of services. I use Diigo for social bookmarking, and when I logged in to that account it didn't show up in Firesheep. Likewise for my account on Wordpress.com, a popular free blogging service.

However, more sophisticated sidejacking tools and techniques can detect these kinds of traffic, and potentially compromise those accounts. Firesheep only reveals a portion of your online vulnerabilities.

While I had Firesheep open in Firefox, I launched a different browser: Chrome. My home page for that browser is Google.com, which automatically logged me into my Google account. I then watched my own Google account pop up in Firesheep -- which would yield access to my Gmail, Google Calendar, Google Docs, and all the Google services that I use. I immediately shut down Chrome and a few seconds later saw my account disappear from the Firesheep list.

Later, at home on my own secured Wi-Fi network, I changed the home page on all my browsers to a news site that does not log me in to any account. I also plan to implement security measures for all my browsers. But for now, on open Wi-Fi, I'll only use Firefox since I've been able to secure that browser at least somewhat.

Wi-Fi-enabled mobile phones are especially at risk because it's usually much harder (or sometimes impossible) to secure mobile browsers against Firesheep in particular, or sidejacking in general. GigaOm recommends relying on your wireless carrier's 3G or 4G access, rather than jumping on a Wi-Fi hot spot -- even if the Wi-Fi option might save you money or perform better.

What's the best way to stay safe? Don't use open or shared Wi-Fi networks unless you absolutely must, or unless you absolutely trust all other users on those networks. (Think: How much do you really trust your co-workers, or housemates?)

If you can, while out and about, use your wireless carrier's network (via phone tethering, Wi-Fi card or Mifi-style router) -- and make sure you turn off your device's Wi-Fi modem to make sure you don't default to that network.

If you must use open Wi-Fi, implement the security measures recommended by the sites I listed above. Do this in advance, so it's ready when you need it.

Also, get in the habit of logging out of your online services (including your Google account) whenever you're about to leave your computer. That way you reduce your risk of being automatically logged in when you launch your browser on a Wi-Fi network. And check to see whether the services you use offer secure (HTTPS or SSL) access.

The best solution would be if all account-based online services implemented full end-to-end encryption for user sessions, such as online banking and e-commerce sites generally do. However, this requires additional overhead in terms of servers and energy, which makes it more challenging to offer free or cheap access.

I don't expect to see more secure access to popular free online services happening anytime soon. So in the meantime, your best bet is to use open Wi-Fi carefully, if at all, and to take steps to reduce your risk.

Credit: CNN

No comments:

Post a Comment