Posts tagged as:

Firesheep

Tuesday Tech Tips: FTC Wi-Fi Tips Edition

by Michael Krupa on February 22, 2011

I wrote a couple of blog posts about Firesheep and safe browsing habits using public Wi-Fi hotspots here and here. I received a nice email from the FTC as they noticed I had been blogging about Firesheep. (Side note: The FTC is reading my blog! The FTC is reading my blog! Yeah baby.) Anyway, my new best friend at the FTC wanted to let us know:

As you know, public Wi-Fi hotspots — like the ones in coffee shops, hotels or airports — are convenient, but they often aren’t secure. Most don’t use encryption, so your personal messages, contacts, family photos, and even login credentials could be accessed by others.

In fact, new hacking tools – freely available online – make it easy to access unencrypted information, which could be used to scam you or someone you care about. That’s why the Federal Trade Commission, the nation’s consumer protection agency, has developed tips for using Wi-Fi hotspots.

You can find the FTC tips at http://www.onguardonline.gov/topics/hotspots.aspx.

Go read the entire page. It’s not long and I will still be here when you return. Go on now. Go. Back already? You sure do read fast. Let’s review a couple of key tips:

  • When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. And keep in mind that your entire visit to each site should be encrypted – from the time you log in to the site until you log out. If you think you’re logged in to an encrypted site but find yourself on an unencrypted page, log out right away.
  • Don’t stay permanently signed in to accounts. When you’ve finished using an account, log out.
  • Do not use the same password on different websites. It could give someone who gains access to one of your accounts access to many of your accounts.
  • Many web browsers alert users who try to visit fraudulent websites or download malicious programs. Pay attention to these warnings, and take the extra minute or so to keep your browser and security software up-to-date.

Thanks for reading and thanks to Nicole from the FTC for pointing me to their website. Now go forth and continue to practice safe browsing.


From Firesheep comes FireShepherd and a Facebook Bonus

by Michael Krupa on January 30, 2011

I wrote a blog post last week about the dangers of a new Firefox browser extension called Firesheep. My good buddy Lee (aka @JustaSunGod on Twitter) immediately brought to my attention a program that was created to render Firesheep unusable by flooding the local Wi-Fi network with packets designed to turn off Firesheep. The program was created by Gunnar Atli Sigurdsson, a 21-year-old student at the University of Iceland. Here is how he describes FireShepherd:

“FireShepherd, a small console program that floods the nearby wireless network with packets designed to turn off FireSheep, effectively shutting down nearby FireSheep programs every 0.5 sec or so, making you and the people around you secure from most people using FireSheep.”

You can read more about FireShepherd on the gigaom.com website here and on the forbes.com website here.   Please use these types of utilities with caution.  The best solution is to only use Wi-Fi hotspots that require a password for their WPA connection and/or only access websites that are secure (with a URL that starts with https://).

Fortunately, one of the most heavily used websites (and the one most often exploited via Firesheep) is now rolling out secure access. That’s right, the big daddy of Social Media known as Facebook is implementing HTTPS access to their site. The roll-out started a few days ago and may take a couple of weeks to show up in everyone’s security settings. Please read their blog post on the topic and learn how to turn on secure access to Facebook. On their page you might find this little gem of a paragraph:

“There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We’ll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.”

Don’t be scared off by this. It’s not likely you will notice the performance difference accessing Facebook using HTTPS.  The benefits of using HTTPS greatly outweigh the risks so please turn on “Secure Browsing” access to Facebook.  If you run into issues with third-party applications accessed inside Facebook, you can always go back and turn it off.

Remember to always practice safe browsing.  FireShepherd and HTTPS access to Facebook can now be a part of your safe browsing toolkit.


Firesheep: You Need To Read This

by Michael Krupa on January 23, 2011

Pay attention, my fellow readers. I know many of you travel or spend time in coffee shops and access free Wi-Fi hotspots, but there is a danger lurking out there. Developer Eric Butler has created a Firefox extension called Firesheep. This free Firefox extension collects cookies that have been broadcast over an unprotected Wi-Fi network without using SSL. Say what? This means that Firesheep essentially eavesdrops on an unprotected (open) Wi-Fi connection and will capture cookies for sites such as Facebook and Twitter and allow the Firesheep user to sidejack the session. Yes, I know this is old news from last October, but it is still an important problem.

Let developer Eric Butler explain from his blog post:

“As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.”

All you have to do is double click on their name in the Firesheep window and open sesame, you will be logged into that site as that user, using their captured session cookie.

Open sesame.  Yikes.

Fortunately there are limitations to the extension.  It only works on an open/unsecured Wi-Fi connection. So let’s say you are sitting at Starbucks and checking your Facebook account.  Someone else at that same Starbucks starts up Firesheep and scans the network.  Firesheep sees your unprotected session, grabs the cookies that Facebook uses to store identifying information about you and lets the Firesheep user masquerade as you.  Did I mention that you will have no idea that someone else just accessed your Facebook account?
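The sidejacking described above depends on a session cookie crossing the open network unencrypted. As an added example (not from the original post and not Firesheep's code), the Python below audits `Set-Cookie` headers from the site owner's side and flags cookies that can travel in cleartext; the hostnames, cookie names and function names are assumptions made for illustration, and the sample responses are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: (URL whose response set the cookie, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("https://social.example/login", "session_id=abc123; Path=/; HttpOnly"),
    ("https://social.example/login", "csrf=zz9; Path=/; Secure"),
    ("http://news.example/", "auth=deadbeef; Path=/"),
    ("https://bank.example/login", "sid=42; Path=/; Secure; HttpOnly"),
]

SET_OVER_HTTP = "set over plain HTTP"
NO_SECURE_FLAG = "no Secure attribute, so it is also sent on http:// requests"


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cleartext_exposure(url, header):
    """Return why the cookie can be read off an open network, or None if it cannot."""
    _, attrs = parse_set_cookie(header)
    if urlsplit(url).scheme.lower() != "https":
        return SET_OVER_HTTP      # already visible when the server sends it
    if "secure" not in attrs:
        return NO_SECURE_FLAG     # leaks on the first unencrypted page of the visit
    return None


def audit(responses):
    """List (host, cookie name, reason) for every cookie exposed to eavesdropping."""
    findings = []
    for url, header in responses:
        reason = cleartext_exposure(url, header)
        if reason:
            name, _ = parse_set_cookie(header)
            findings.append((urlsplit(url).hostname, name, reason))
    return findings


if __name__ == "__main__":
    for host, name, reason in audit(SAMPLE_RESPONSES):
        print(f"{host}: cookie '{name}' is exposed ({reason})")
```

The first finding is the case that matters most here: a site can log you in over HTTPS and still leak the session cookie on a later unencrypted page if the cookie lacks the `Secure` attribute.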

Which sites are vulnerable? Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Foursquare, Github, Google, Gowalla, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp and probably many many other sites.

How do you deal with this?  Don’t use any unprotected Wi-Fi connection.  Find another coffee shop that uses a password for their WPA connection or convince your existing shop to start using a password.
