Free wi-fi: be careful out there!

6 Dec

December 6, 2010

By Geoff Meeker

That free wi-fi connection you use at the coffee shop, airport, or even mooch from the people next door? It could be real bad news.

There’s a new piece of software out there that hacks into your Facebook, Yahoo and other password-protected sites. It’s called Firesheep, it’s open source – in other words, free – and was developed ostensibly to expose how easily popular web sites can be hacked.

But it’s also an effective tool for techno-skeets, who want to steal your online identity.  There are conflicting accounts about how dangerous Firesheep really is, but even the best-case scenario is pretty alarming.

Firesheep is a simple extension to the Firefox web browser, that goes to work wherever there are insecure wireless networks. You can install it, go to the local coffee shop, and click ‘Start Capturing’. The program pulls down packets of data, or “cookies”, that fly through the air at free wi-fi locations, and displays them. Within seconds, a list of usernames and web sites will appear in the Firesheep window. That is, you will see ‘Joe Schmoe’ next to the Facebook icon.

If you double-click on Joe’s mug shot, you can become that person. You have full access to his Facebook profile. You can read private messages, live chat, profile information, and even send messages. You can’t access passwords, because these are not displayed onscreen, but that’s small consolation. Chances are, you can look around the room and spot Joe, sipping his latte as he updates his profile, totally unaware that you are reading his messages.

You can gain similar access to Twitter, Yahoo, Flickr and any site that doesn’t have continuous ‘https’ security.

I first learned about this through social media guru Peter Shankman, who runs the Help A Reporter Out online service. Writing on his web site, Shankman said he uploaded the program before catching the early morning train.

“Right now, within 10 minutes of this train leaving Penn Station, NY, someone has just logged onto Evernote through Amtrak’s Wi-Fi, someone else has logged into Yahoo, and someone else has logged into Windows Live. I guarantee that if this wasn’t the 6:20 am train and 90 percent of the people on it weren’t sleeping, I’d be seeing a LOT more accounts. And as the trip continues, and as more people wake up, I will. Oh – Two people just logged into Facebook.

“Here’s the kicker,” he continues. “If I were to click on their name from the list right in front of me, I’d have access to every piece of data that B… has on Evernote, that J… has on Yahoo!, and that S… has on Facebook. Every photo. Every audio recording. Every conversation they thought was private. Every potential life-changing or relationship-ruining piece of data. Every company-crushing-if-public memo. I could download it, use it to my advantage, post it to a public place… or even delete their account if I felt like it.”

The technique is known as “packet sniffing” and it’s not exactly new – skilled hackers have been doing it for years, but in far fewer numbers. Firesheep makes it easy for everyone, even the technologically challenged, to become serious hackers. The danger is real. And it’s out there, right now.

If you use wireless Internet at home, the same situation applies. Insecure signals sent from various computers in your house, to the wireless modem, may be intercepted by your neighbour – or someone parked in the street – as long as they have this plug-in.

Part of the blame for this mess can be laid at the feet of Internet giants, like Facebook and Yahoo, who offer a safe, encrypted login, but leave the rest of your signal totally insecure. However, these sites are not likely to change their ways without a lot of public pressure, so it’s up to you to protect yourself.

What can you do about it? For starters, make sure your home wireless router is password-protected. Seriously. Get at that.

Already, software developers are offering plug-ins that alert you when Firesheep is scanning your signal, but these can be complex to use and offer little in the way of protection.

You can subscribe to wireless Internet through your cellular service provider, using one of those USB sticks, but it’s not a cheap solution. However, you will never need to use another Internet café.

The safest approach is to stop using free wireless networks. Just cut it out. If you must use your laptop out in public, stay offline. Disable your smartphone’s ‘find network’ function when outside, and use the cellular data connections instead.

If you fail to act, and continue to log-on at the local coffee shop, you are courting disaster. The wi-fi seems free, but it may exact a terrible hidden cost.

One final thing. If you want to download Firesheep, perhaps with less than honourable intentions, beware: there are a lot of sites offering it, they ALL look pretty sketchy, and the serious hackers are one step ahead of you. Think hard before hitting that download button…

Geoff Meeker is a communications consultant with a soft spot for technology. He also writes a blog about the local media scene, which is hosted at www.thetelegram.com.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: