BEWARE public WIFI users!

Sam

Chief Administrator & Benevolent Dictator
Staff member
Joined
Nov 6, 2006
Messages
10,491
Location
Covington, Louisiana
I read on Google News yesterday that a programmer wrote a free Firefox browser add-on called FireSheep that hijacks browser cookies on open wifi networks. Abigail and I tested it on our network and it works exactly as described. This is truly frightening.

A person with this add-on installed in a Firefox browser sees your photo appear on a side panel when you're on Facebook or Twitter, Amazon.com, etc. in a coffee shop or other public (open) wifi. He then clicks on your photo, your browser cookie is hijacked, and his browser opens into YOUR Facebook (or other) account. From there he's got complete access to all of your private info, including photos, email, etc. In other words, it's just like you opened your account on a public computer and then walked away leaving it wide open. He's into your account and can do anything you can do, including change your password and lock you out.

Bottom line: Browse and enjoy public wifi, but think twice before signing into social networks. The rule of thumb is that if the URL begins with HTTPS (the S is for "secure") then it's safe, but there's still no guarantee that every site is 100% safe from a hacker on a public wifi.

I would assume open hotel wifi is just as risky.

~Sam
 

mhgjewel

Elite Cafe Member
Joined
Mar 30, 2008
Messages
170
Location
Michigan USA
I hate technology. You chip an engraver, you sharpen it, life is great; someone gets this software, they ruin your life.

Life was so much simpler 10 years ago, you only needed to deal with the phone solicitors.
 

diandwill

Elite Cafe Member
Joined
Aug 10, 2008
Messages
864
Location
Eastern, Washington State
It's even worse if you use WIFI to do online banking or shopping. One of the things that can be done to counter this (I'm no expert so am not sure how to configure it) is to run your laptop through your cell phone. Cell phones have a much higher encryption rate, although they are not impervious to being intercepted. WIFI hangs it out for that guy down the block, in the nondescript Brown Van, to record everything that everybody in the WIFI cafe is doing, then go back over it and pick out passwords to bank accounts etc.
Thanks Sam

Will
 
Joined
Apr 7, 2007
Messages
24
Location
Arcata , CA
Hi,
I take it that you tested it on your home network? My nephews and nieces regularly use their wifi capable computers in my home neighborhood despite the fact that I do not own a wireless router... they're connecting with neighboring wifi systems that do not seem to have any protection (I suppose password) to prevent unauthorized log on. This would seem to indicate that private wifi systems are vulnerable as well! I am unfamiliar with wifi protocol and use but I've been considering getting a new router. Your warning really gives me qualms about wifi. How do you insulate a wireless system from unauthorized use?

Thanks in advance,
mike
 

DakotaDocMartin

~ Elite 1000 Member ~
Joined
Oct 15, 2007
Messages
1,835
Location
Grand Forks, ND
My son is a computer guru / "whitehat" hacker that works for Verizon Corporate and formerly for IBM. He says about FireSheep:

"Ya it just automates stuff you could have done with wireshark and other tools. I've been on airplanes and sniffed all sorts of traffic on aircraft wifi."

So... that brings up another popular place where people connect to public wifi... on airplanes. Luckily my son isn't a "blackhat"... guys like that can be dangerous. :shock:

You can partially secure yourself from FireSheep by using the ForceTLS add-on:
https://addons.mozilla.org/en-US/firefox/addon/12714/

Even better yet, do what the big corporations do for their employees' laptops... purchase and use a Virtual Private Network (VPN). Supposedly, they are available for about $10 per month.

My son uses that on his business laptop and uses his own wireless data card on his personal laptop.
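
The posts above come down to a login cookie travelling over unencrypted HTTP, with forced HTTPS as the countermeasure. As an added example (not written by any poster in this thread), this Python check flags cookies that are set without the `Secure` attribute and HTTPS responses that lack a `Strict-Transport-Security` header; the function names and the `social.example` headers are constructed for illustration.

```python
# Added example; the header sets below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """Return findings for one HTTP response; headers is a list of (name, value)."""
    findings = []
    https = url.lower().startswith("https://")
    if not https:
        # Everything on this page, cookies included, is readable on open wifi.
        findings.append("page served over plain HTTP")
    header_names = {name.lower() for name, _ in headers}
    if https and "strict-transport-security" not in header_names:
        # Without HSTS the browser may still make a first request over http://.
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # A cookie without Secure is also sent on plain-HTTP requests.
            findings.append(f"cookie {cookie!r} lacks Secure")
    return findings


# Constructed responses: a weak login page and a hardened one.
WEAK = ("https://social.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])
HARDENED = ("https://social.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, (url, headers) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(url, headers) or "no findings")
```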
 

DakotaDocMartin

~ Elite 1000 Member ~
Joined
Oct 15, 2007
Messages
1,835
Location
Grand Forks, ND
they're connecting with neighboring wifi systems that do not seem to have any protection (I suppose password) to prevent unauthorized log on.

Most people don't set a password and network key so their network is open to anyone. There are well known factory default passwords and anyone can find those out with a Google search.

One time my son set up a GPS mapping program and combined it with a directional antenna. He drove around town and automatically found and mapped over 300 open wifi networks in about an hour.

So yes... it's commonly done that way.
 

Sam

Chief Administrator & Benevolent Dictator
Staff member
Joined
Nov 6, 2006
Messages
10,491
Location
Covington, Louisiana
I don't know much about network security either, but this FireSheep thing surfaced just as we're setting up a wireless connection from our home wifi to our studio house across the street. During the setup I hadn't implemented security so it was wide open for a short time, and that was what we used to test FireSheep on each other's Facebook accounts.

I've gotten a rudimentary network education the past few days and what I have read is that wifi networks with WEP security are relatively easy to defeat. WPA is supposedly much more difficult and perhaps impossible if you use random letters and characters. Using a word in a dictionary as the passcode is easily defeated.

You're right...the majority of home networks are wide open without passcode protection. There are a few in my neighborhood that I can see from our computers. We have AT&T U-verse internet which supposedly has very strong protection.
 

Christopher Malouf

~ Elite 1000 Member ~
Joined
Jun 19, 2007
Messages
2,037
Location
5mi from the nearest Dunkin Donuts in Tennessee
Hey Doc ... you can have a lot of fun with those cheap UHF security cameras people hook up too.


A brute force password attack takes only a few hours these days .... back in the day it took me about 48 hours to break admin passwords on Windoze NT machines.

With all you've got going on Sam .... you're nuts to use any kind of wifi on your home network. Poorly encrypted or not. (I say poorly because anything 128bit and under is poor)


A VPN capable firewall appliance on each local network connected to your ISP. The only thing extra you need to pay for is the second Internet connection and you basically use the Net to hardwire your two separate local networks into an encrypted, wide area network.

Peace of mind is in creating as closed a circuit as possible. If you can't, then surfing the Net will still be there when you get home. The more complex you make your network, the more likely a hacker will move on to easier prey.

-----

A few tips for folks ....

If you use any kind of credit card or check card to pay for stuff online, have a secondary credit card with a low limit or a check card associated with a secondary checking account. Transfer funds into that account from your main account only when needed.

Request a new card every 12 months.

Your virtual identity is really only useful if it can be tied to something physical. Either info used to ransack your home when you are away or to create a physical identity which a perpetrator can use to conduct illegal activity.

Use misinformation wherever possible. Incorrect date of birth, bogus address or phone number for store convenience cards.

Having immaculate credit makes you a prime target.

Stay away from Ancestry.com .... your mother's maiden name is already public record but why make it easily accessible.

Also .... living in a bunker is optional.
 

vilts

Elite Cafe Member
Joined
Apr 8, 2007
Messages
512
Location
Estonia
Or, you can open up your wifi for "honeypot" to do some blackhat stuff yourself to the users. Or you can turn upside down all the photos they're viewing online. Lots of fun...

But indeed, unfortunately the default settings for non-tech-savvy computer users are often quite insecure. Always use HTTPS for sensitive stuff, VPN is a plus and all that Chris said :)
 

fegarex

~ Elite 1000 Member ~
Joined
Nov 8, 2006
Messages
2,061
Location
Ludington, MI
I was kidding about stolen identity but as you say the extra debit or credit card is a good idea.
I have been melted down twice in the last year with viruses and kept things up to date. Once was my stupidity, the other I'm not sure. My geek says Malwarebytes (sp) is a good program and is free too. Not sure why he likes it better than spybot but I suppose it's like a 90 or a 100 graver... I don't know so I go by what he says. Some of the new ones are trickier than the antivirus software however. They trick it into thinking it is a required file and won't allow a delete.
 

Christopher Malouf

~ Elite 1000 Member ~
Joined
Jun 19, 2007
Messages
2,037
Location
5mi from the nearest Dunkin Donuts in Tennessee
I agree completely. Companies that write anti-virus software keep the source code private. If there is a security hole, you may never know about it. Symantec is just horrendous if it doesn't crash your computer all by itself. Freeware is usually Open Source software which means any programmer out there can review the code and make recommendations. The recommendations are then double checked and updates are released quickly. As they rely on donations mostly, the integrity of the code is more important than sales profit.

Spybot has a small applet called "TeaTimer" bundled with it which runs in the background and alerts you to anything that attempts to modify your registry. You can either deny the change or allow it. Even if something does download to your computer, it usually requires a registry change which modifies permissions to gain systemwide access. By denying the registry change, the spyware can be rendered benign.

I have had that scenario happen .... files install that look like system files. Tough to get rid of. On occasion, I will go through the list of "Services" running on the computer. If there's usually 26 services running and for no reason there's now 27 and the PC is running slow, something's up and the culprit is in the list.

I've thought about getting back into computer work a lot lately but being out of the biz for a decade is like trying to start a trucking company with a horse drawn wagon.......forgetaboutit :)
 

Gargoyle

Official Cafe Stone Carver
Joined
Feb 18, 2007
Messages
744
Location
Chicagoland
Maybe I'm paranoid, but I wouldn't trust the dude who wrote this FireSheep plugin. If it can do everything you say, it could also have a back door, and either feed all that private info to him, or capture your private data and feed that to him. Sam, make sure he's not malware'ing your test machine.

(I'm not paranoid, it's just that the conspirators who are out to get me are spreading nasty rumors that I'm paranoid)
:eek:
 
