25 February 2011

A warning for anyone using public Wi-Fi hot spots

Excerpts from an eye-opening article in the New York Times:

Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited...

...while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.

More than a million people have downloaded the program in the last three months (including this reporter, who is not exactly a computer genius). And it is easy to use.

The only sites that are safe from snoopers are those that employ the cryptographic protocol Transport Layer Security or its predecessor, Secure Sockets Layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with “https” rather than “http.”...

Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”...

A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.

Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away...
More at the link.
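The weakness the article describes is a cookie that the browser is willing to send over plain http://, where anyone on the same open network can read it. The check a site operator would want is whether session cookies carry the Secure attribute (and whether the site asks for HTTPS throughout the session via Strict-Transport-Security). The following Python script is an added example, not code from the article, the blog or Firesheep; it audits the Set-Cookie headers of an HTTP response, and the two responses it inspects are constructed samples, not captures of any real site.

```python
"""Audit the cookies a site sets for the problem described above: a cookie
without the Secure attribute is also sent on plain http:// requests, so a
session cookie without it can be read by anyone on an open Wi-Fi network.
Both sample responses below are constructed for this example (assumption)."""
from __future__ import annotations

# Name fragments that usually mark a login/session cookie (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes.
    Attribute keys are lower-cased; flags without a value map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def response_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP response,
    skipping the status line and stopping at the blank line before the body."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:
        key, _, val = line.partition(":")
        pairs.append((key.strip().lower(), val.strip()))
    return pairs


def has_hsts(raw_response: str) -> bool:
    """True if the response asks the browser to use HTTPS for the whole
    session (Strict-Transport-Security header present)."""
    return any(k == "strict-transport-security" for k, _ in response_headers(raw_response))


def audit_cookies(raw_response: str) -> list[str]:
    """One finding per weak cookie attribute; an empty list means no issue."""
    findings = []
    for key, val in response_headers(raw_response):
        if key != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        name, attrs = cookie["name"], cookie["attrs"]
        looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
        if "secure" not in attrs:
            msg = f"{name}: missing Secure; browser will also send it over plain http://"
            if looks_like_session:
                msg += " (session cookie: exposed on an open Wi-Fi network)"
            findings.append(msg)
        if looks_like_session and "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed sample: the pattern the article describes (login over HTTPS,
# but the session cookie itself has no Secure attribute).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same site with cookies locked to HTTPS and HSTS on.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] HSTS: {has_hsts(resp)}")
        for finding in audit_cookies(resp) or ["no cookie findings"]:
            print(f"[{label}] {finding}")
```

The session-cookie heuristic is only a name match, so treat a "missing HttpOnly" on an unrecognised cookie name as something to review by hand rather than a clean bill of health; the Secure check, by contrast, applies to every cookie the site sets.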

5 comments:

  1. Computer nerd moment: Firesheep isn't really anything new. It's basic packet sniffing, with a friendly GUI so that even the completely computer illiterate can use it. I'm not sure why people are suddenly acting shocked that if you're using an unsecured wireless point, anyone and everyone can eavesdrop on what you're doing, including grabbing passwords! This is the nature of unsecured wireless networks. If you didn't know that already, you shouldn't be doing your banking online.

    /computer nerd

  2. HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.

    http://www.eff.org/https-everywhere

  3. Also, using Firesheep is illegal, and when you get into the realm of how your data can be hacked illegally, there is very little that the layperson can do to protect themselves.

  4. James: Using it per se is not illegal in most countries. Using it without the express consent of everyone on the network is another thing, though.

    The layperson can do a _lot_. HTTPS should be used every single time, if possible. All IMAP/POP/SMTP connections must be encrypted (usually trivial to do). Never enter any passwords on public computers.

    And get a VPN when you need to use public networks a lot. Basic VPN services start at a few Euro per month.

  5. And use something stronger than WEP to encrypt your personal home network. It literally takes 3-5 minutes to crack a WEP key with software easier to obtain than this one.

    Restrict by MAC address (never including 00:11:22:33:44:55) and/or move up to WPA.
