Firesheep Raises the Risk Level at WiFi Hotspots: How You Can Secure Yourself
Unless you’ve been living under a rock without wireless internet, you probably know that transmitting sensitive information over a WiFi connection is treacherous. It not only threatens your Internet privacy, it can result in online identity theft and credit fraud.
If that’s not enough to faze some undaunted WiFi warriors, there’s a new simple-to-use attack tool to worry about. It’s a Firefox extension named Firesheep. The new plug-in may appear warm and cuddly. But Firesheep is truly a wolf in sheep’s clothing.
Firesheep Makes Hacking WiFi Connections Simple
The Firesheep attack is called HTTP session hijacking, or sidejacking. Sidejacking is nothing new. But Firesheep put it on the map by making sidejacking available to everyone.
Firesheep currently comes with built-in sidejacking attacks against 26 popular websites like Facebook, Twitter, Amazon, Windows Live, Yahoo and PayPal that only encrypt their login pages, not the rest of their sites. As your browser exchanges login information with a partially secured or unprotected website, Firesheep listens in on that traffic going over open WiFi networks. Then it stores your session cookie information, allowing a hacker to reuse it to gain access to the sites you’ve logged into. For example, once a hacker has accessed your vulnerable email or social media accounts, he can send emails or updates in your name and access your friends’ email addresses or profiles.
Who Invented Firesheep and Why?
So who are the hackers responsible for Firesheep? This summer, a Seattle software developer named Eric Butler decided to add fuel to the sidejacking security issue. (You may recall that he’s the white hat hacker who revealed the vulnerability of social networks to hacking.) Butler says that expert hackers were already exploiting websites that were easy to sidejack. Frustrated by the negligence of popular websites in not fixing the problem, he and his colleague Ian Gallagher decided to do something. By making Firesheep free and easy to use, they aspire to bring the issue to light and pressure websites into improving their security.
That’s the positive news. The negative news is that Firesheep’s scope isn’t limited to the two dozen or so sites currently targeted. It’s an adaptable plug-in predator that can be altered to attack any other website whose logged-in session is not protected by encryption. Since it first came out, Firesheep has been downloaded 500,000 times. Here’s what you can do to protect yourself.
How to Fight Off Firesheep
– To lessen your risk of being sidejacked, avoid using unencrypted public WiFi. You might still get sidejacked somewhere else. But Firesheep does best with unencrypted hotspot traffic.
– Look out for sites that log you in over unencrypted HTTP or revert to HTTP after an SSL login. They are popular marks, according to Lisa Phifer, network security consultant and author of eSecurityPlanet’s “Top Ten Ways to Stop Firesheep”.
This is what Phifer recommends:
– Use HTTPS Everywhere. This Firefox add-on forces Firefox to use only HTTPS connections for a certain list of websites. But it won’t secure you on other sites. If you don’t use Firefox, look elsewhere.
– Use Force TLS. This is an additional Firefox extension that lets you create your own list of domain names to force encryption on.
– Avoid leaking cookies over HTTP. “Some sites try to do the right thing, but they fall short”, says Phifer. “Unfortunately, users don’t know which ones they are”. She advocates testing whether a site is vulnerable by importing a script for that domain into Firesheep and trying it yourself.
– Log off websites when you are finished. “This could invalidate a session cookie after it’s been grabbed by Firesheep,” says Phifer. “But it’s no guarantee”. It’s just a good practice for your online safety.
– Don’t believe that staying on a secure LAN means you’re protected. Firesheep is not limited to WiFi. “Sidejacking may occur on Ethernet LANs and inside networks – anywhere a hacker can intercept unencrypted traffic”, says Phifer. That includes hotel rooms and business centers.
– Use a VPN (virtual private network) like Private WiFi to secure your online traffic. That makes your log-ins and your online communication invisible to sidejackers and hackers, even when it’s on vulnerable websites.
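The advice above is aimed at users, but the root cause is on the server side: a session cookie that is valid over plain HTTP can be copied and replayed, as described earlier. The following Python model, added here as an illustration and not code from the article, Firesheep or any of the sites named, shows the three server-side defences Phifer’s list points at: issuing the session cookie with the Secure and HttpOnly attributes and an HSTS header, refusing to honour a session cookie presented over plain HTTP, and invalidating the session on logout so that a cookie captured earlier no longer works. The in-memory session store, the `example.test` host name, the request and response shapes, and the `audit_set_cookie` checker are all constructed for this example.

```python
"""Added example: server-side handling that blunts cookie sidejacking.

Everything here (session store, host name, request/response shapes) is
constructed for illustration; it is not the article's or any site's code.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

# Session id -> user name. A real server would keep this in a database.
SESSIONS: Dict[str, str] = {}

# HSTS tells the browser to use HTTPS for this host for a year.
HSTS = "max-age=31536000; includeSubDomains"


def login(username: str) -> Dict[str, str]:
    """Create a session and return the response headers the server would send."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # browser never sends it over http://
    cookie["sid"]["httponly"] = True    # page scripts cannot read it
    cookie["sid"]["path"] = "/"
    return {
        "Set-Cookie": cookie["sid"].OutputString(),
        "Strict-Transport-Security": HSTS,
    }


def _session_id(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the sid value from a Cookie request header, if present."""
    if not cookie_header:
        return None
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["sid"].value if "sid" in cookie else None


def handle_request(scheme: str, path: str,
                   cookie_header: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request.

    Plain-HTTP requests are redirected before cookies are even examined, so a
    session id that leaks onto the wire is never accepted over HTTP.
    """
    if scheme != "https":
        return 301, {"Location": "https://example.test" + path}
    sid = _session_id(cookie_header)
    user = SESSIONS.get(sid) if sid else None
    if user is None:
        return 401, {"Strict-Transport-Security": HSTS}
    return 200, {"Strict-Transport-Security": HSTS, "X-User": user}


def logout(cookie_header: Optional[str]) -> Dict[str, str]:
    """Invalidate the session on the server, not just in the browser."""
    sid = _session_id(cookie_header)
    SESSIONS.pop(sid, None)
    return {"Set-Cookie": "sid=; Max-Age=0; Path=/; Secure; HttpOnly"}


def audit_set_cookie(header: str) -> List[str]:
    """Return the protective attributes missing from a Set-Cookie header.

    A session cookie without Secure is sent over plain HTTP as well, which is
    exactly the leak Phifer warns about.
    """
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]


def demo() -> Dict[str, object]:
    """Log in, use the cookie over http and https, log out, then replay it."""
    hdrs = login("alice")
    cookie = hdrs["Set-Cookie"].split(";")[0]   # "sid=..." as the browser sends it
    over_http = handle_request("http", "/inbox", cookie)[0]
    over_https = handle_request("https", "/inbox", cookie)[0]
    logout(cookie)
    replayed = handle_request("https", "/inbox", cookie)[0]
    return {
        "missing_attrs": audit_set_cookie(hdrs["Set-Cookie"]),
        "over_http": over_http,
        "over_https": over_https,
        "replayed_after_logout": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the cookie is issued with no missing attributes, is redirected rather than accepted over plain HTTP, works once over HTTPS, and is rejected with 401 after logout even though the attacker still holds a copy. The `audit_set_cookie` helper is the check a site operator can run against their own Set-Cookie headers; it flags a cookie like `sid=abc; Path=/` as missing both Secure and HttpOnly.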
We’d like to know what you think of Firesheep’s creators. Are they good guys for highlighting a serious online security problem? Or are they villains for bringing a major sidejacking tool to the public?
Author Bio: Jan Legnitto is an investigative journalist and documentary producer who writes about criminal justice and intelligence issues. Jan is also a frequent contributor to the Private I blogs on Firesheep, Internet privacy, online identity theft and credit fraud.