Friday, October 29, 2010

Beware of Firesheep Lurking in WiFi Hotspots

When you think of RAM, it’s generally along the lines of wishing you could afford more for your laptop or desktop computer. But there’s another type of ram out there that you want nothing to do with. It’s the Firesheep - a serious, serious threat to your privacy.

What’s a Firesheep? It’s a plug-in for the Firefox browser. Fox... Sheep... Get it? Sounds like a joke, but this malicious software is anything but. Download it free, install it on your computer and you can break into other people’s computers running on the same WiFi network.

That wooly looking guy over in the corner of the coffee shop? He could be reading your email right now. He might even be canceling your Facebook account just for fun. Oh, wait, he’s just playing Farmville. It’s the petite blonde sipping her latte and appearing to be tweeting something who’s the real culprit. What she’s tweeting is your passwords to her criminal boyfriend in the car outside.

Be afraid. Be very afraid. You’re the one about to get sheared by this sheep gone bad. Where are you vulnerable? Anywhere you are on an unprotected wireless network. That pretty much includes all coffee shop and restaurant WiFi hotspots. The airport, the car repair shop and the bookstore are suspect too. Unless a hotspot is running encryption on their wireless signal, it’s as open and transparent as a CB radio. Too young to remember “break-one-nine, good buddy”? OK, think about a conversation among friends in a crowded bar. Are you really that sure someone isn’t eavesdropping?

Here’s an even bigger horror story. You never did enjoy privacy on your WiFi connected sessions. Dedicated hackers have had the tools to listen in on data going over the air from the hotspot access point to user computers for years. You could have been compromised months ago, but for the fortuitous lack of hardcore troublemakers where you happen to frequent. What’s changed is that Firesheep enables even the least talented curiosity seekers and wannabe pranksters to engage in vandalism, identity theft and espionage. Something like 200,000 copies of the Firesheep plugin have been downloaded since it was introduced less than a week ago. Probably more by the time you read this. It’s a baaaaaad situation.

Now that you’ve got a case of the chills that could really use a good hot cup of coffee, let’s talk about how to keep the evil sheep from grazing the green green grass of your computer. The way this thing works is that it lets network snoops sniff packets going between computers and hotspot routers. It also lets them copy cookies set by the websites you visit. That’s right, they steal your cookies in the coffee shop right off your plate. Since they are only monitoring and copying, you won’t even notice a crumb is missing.

What you need is a way to scramble the messages so that anyone watching will just see gibberish. That kind of scrambling is generally provided as part of a VPN or Virtual Private Network. The IT people at your company may have installed VPN software on your computer before they let you access the company servers. Now you know why. VPN software encrypts any data going to or from your computer so that it makes no sense to anyone who doesn’t have the key. That includes malicious sheep.

But you don’t have a VPN of your own. Well, perhaps you can use your company’s. It depends on how they feel about personal use of their network. Better check and see if they’ll allow it, considering the threat. If not, there are pay VPN services available. Some possibilities are AlwaysVPN, AceVPN and StrongVPN, as suggested by Steven J. Vaughan-Nichols in his post “Five Ways to Shear Firesheep.”

There is some security built into your browser. SSL or Secure Sockets Layer is a VPN technology used for online shopping and banking. The problem is that only sites with https addresses rather than http use SSL. Don’t be fooled into thinking that your session is secure just because a site requires you to log in. Once the log-in process is complete, the cookies being used to store information on your browser may not be encrypted. They’re like fresh grass waiting to be nibbled by the Firesheep.
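The gap described above, a log-in over https followed by cookies that travel unencrypted, is something a site owner can check for by auditing the Set-Cookie headers the site sends. The following is an added example, not part of the original post; the hostname, cookie names and header values are constructed, and the check assumes the site does not enforce HSTS.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers grouped by the URL that returned
# them. The hostname and cookie names are made up for illustration.
SAMPLE_RESPONSES = [
    ("https://shop.example/login",
     ["session_id=abc123; Path=/; HttpOnly",
      "csrf=tok789; Path=/; Secure; HttpOnly"]),
    ("http://shop.example/home",
     ["prefs=dark; Path=/"]),
    ("https://shop.example/account",
     ["auth=xyz456; Path=/; Secure; HttpOnly"]),
]


def exposed_cookies(responses):
    """Return (cookie name, reason) for each cookie that can cross an
    open WiFi network in cleartext, in the order encountered."""
    findings = []
    for url, set_cookie_headers in responses:
        over_tls = url.lower().startswith("https://")
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if not over_tls:
                    # The response itself was unencrypted, so the cookie
                    # was already visible on the air when it was set.
                    findings.append((name, "set over plain http"))
                elif not morsel["secure"]:
                    # Set safely, but without the Secure attribute the
                    # browser also attaches it to later http requests.
                    findings.append(
                        (name, "set over https without Secure attribute"))
    return findings


if __name__ == "__main__":
    for name, reason in exposed_cookies(SAMPLE_RESPONSES):
        print(f"{name}: {reason}")
```

A cookie that appears in the findings is one a passive listener on the same hotspot could copy; the fix on the server side is to serve every page over https and mark session cookies Secure.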

What’s better than a WiFi hotspot for broadband on the go? Those 3G and 4G wireless modem aircards that use the cellular towers aren’t subject to WiFi snooping. It’s a completely different transmission system. Cellular wireless also has the advantage of enormous coverage areas, so you can use your computer while parked in your car, on a bench in the park or anywhere else you need to be. The only drawback of this service is that it isn’t free or even cheap. It’s about the price of cellular service and typically has the same coverage area.

There’s an interesting aircard device called the MiFi that works to connect cellular broadband with WiFi so that you can get broadband Internet for all your WiFi enabled devices. You can have a couple of computers, a game, an iPad or iPod Touch or even a camera with an Eye-Fi memory card all communicating through the MiFi as your personal hotspot. Just be sure to turn on the WiFi security feature to keep it as your private personal hotspot.

By the way, you are just as vulnerable at home as you are on the road if you aren’t using WiFi security on your home router. It isn’t generally turned on by default because it’s easier to get the network up and running when it is wide open to the world. Take a few minutes, check the manual and make sure you have WEP or WPA security turned on. The peace of mind should more than make up for the inconvenience of dealing with security codes. In addition to thwarting Firesheep, you’ll keep neighborhood hackers and bandwidth moochers off your network. Don’t be surprised if you suddenly seem to have more bandwidth once the security is activated.

Firesheep is a clear and present danger to anyone using wireless Internet access. I’d suggest keeping up with news, blog posts and tweets until it can be proven that this threat has died in the wool. In addition to the Networking blog post mentioned earlier, Peter Shankman’s “Why It’s Time to Say Goodbye to Free Wi-Fi – Part Two” is a good read. It will make your hair, er, wool curl.
