Wednesday, April 27, 2011

Firesheep Increases the Risk Level at WiFi Hotspots: How You Can Protect Yourself


Unless you've been living under a rock without WiFi, you in all likelihood know that sending sensitive information over a WiFi connection is risky. It not only threatens your online privacy; it can lead to online identity theft and credit fraud. If that's not enough to faze some intrepid WiFi warriors, there's a new, easy-to-use attack tool to fret about: a Firefox extension named Firesheep. The plug-in may appear harmless, but Firesheep is truly a wolf in sheep's clothing.

Firesheep Makes Hacking WiFi Connections Easy
The attack Firesheep performs is called HTTP session hijacking, or sidejacking. Sidejacking is nothing new, but Firesheep put it on the map by bringing it to the masses.
Firesheep ships with built-in sidejacking handlers for 26 popular websites, among them Facebook, Twitter, Amazon, Windows Live, Yahoo and PayPal, that encrypt their login pages but not the rest of their sites. Once you've logged in, your browser sends the site's session cookie with every request, including the ones that travel over plain HTTP. Firesheep listens for that cookie in the unencrypted traffic crossing an open WiFi connection, saves it, and lets the attacker load it into his own browser to be logged in as you, without ever seeing your password. For example, once an attacker has taken over your unprotected email or social network session, he can send emails or posts in your name and harvest your contacts' email addresses and profiles.
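As an added illustration, not code from the original post or from Firesheep itself, here is a small Python script that reproduces the mechanism on a constructed capture: one TLS record (the HTTPS login, opaque to a sniffer) and three plaintext HTTP requests, as seen from an open hotspot. The hostnames, cookie names and the per-site handler table are invented for the example.

```python
# Added example: how sidejacking works. Constructed traffic, not a real capture.
# A sniffer on an open WiFi network sees (destination port, payload) for every packet.
CAPTURED = [
    # The HTTPS login: on the wire this is a TLS record, opaque to the sniffer.
    (443, bytes.fromhex("160301002a0100002603019fd1")),
    # The next page loads over plain HTTP, and the browser sends the session cookie with it.
    (80, b"GET /home HTTP/1.1\r\nHost: social.example\r\nCookie: sid=9f2c7d; theme=dark\r\n\r\n"),
    (80, b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: auth=abc123; lang=en\r\n\r\n"),
    # No cookie at all: nothing to steal here.
    (80, b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"),
]

# Per-site "handlers", the way Firesheep has one per supported site: the cookie names
# that together identify a logged-in session. Names here are invented.
HANDLERS = {
    "social.example": ["sid"],
    "mail.example": ["auth"],
}


def parse_http_request(payload):
    """Return (method, path, headers) for a plaintext HTTP request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None  # TLS ciphertext or some other protocol
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header):
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def sidejack(captured, handlers):
    """Collect session cookies the way a sidejacker does: only from plaintext requests."""
    stolen = {}
    for _port, payload in captured:
        request = parse_http_request(payload)
        if request is None:
            continue  # encrypted or not HTTP: nothing usable on the wire
        _, _, headers = request
        host = headers.get("host", "")
        cookies = parse_cookies(headers.get("cookie", ""))
        wanted = {n: cookies[n] for n in handlers.get(host, []) if n in cookies}
        if wanted:
            stolen[host] = wanted
    return stolen


def replay_request(host, path, cookies):
    """The request the attacker sends from his own machine: the cookie alone is the credential."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


if __name__ == "__main__":
    loot = sidejack(CAPTURED, HANDLERS)
    for host, cookies in loot.items():
        print(host, "->", cookies)
        print(replay_request(host, "/", cookies).decode().rstrip())
```

The point to notice is that the password never appears: the login went over TLS and the sniffer got nothing from it. The session cookie on the following plain-HTTP request is all the attacker needs, and the replayed request carries it exactly as the victim's browser did.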

Who Invented Firesheep and Why?
So who are the hackers responsible for Firesheep? In October 2010, a Seattle software developer named Eric Butler set out to add fuel to the sidejacking debate. (You may remember him as the white hat hacker who exposed how vulnerable social networks are to this kind of attack.) Butler says that expert hackers were already exploiting websites vulnerable to sidejacking. Frustrated that popular websites neglected to fix the problem, he and his colleague Ian Gallagher decided to act. By making Firesheep free and simple to use, they hoped to draw attention to the issue and pressure websites into improving their security.
That's the good news. The bad news is that Firesheep's reach isn't limited to the two dozen or so websites it currently targets. It's an adaptable predator: anyone can write a new handler for any website that sends its session cookie over unencrypted HTTP. Since it first appeared, Firesheep has been downloaded 500,000 times. Here's what you can do to protect yourself.
How to Fight Off Firesheep
  • To reduce your risk of being sidejacked, avoid using open (unencrypted) WiFi at public hotspots. You can still be sidejacked elsewhere, but Firesheep thrives on unencrypted hotspot traffic. Keep in mind that a hotspot whose password is printed on the wall is not much better: anyone who knows the shared key can decrypt your traffic too.
  • Watch out for sites that log you in over unencrypted HTTP or drop back to HTTP after an SSL login. They are prime targets, according to Lisa Phifer, network security consultant and author of eSecurityPlanet's "Top Ten Ways to Stop Firesheep."
This is what Phifer advises:
  • Use HTTPS Everywhere. This Firefox extension from the EFF forces Firefox to use HTTPS for a fixed list of websites. It won't protect you on sites outside that list, and if you don't use Firefox you'll need to look elsewhere.
  • Use Force TLS. This is another Firefox extension; it lets you build your own list of domain names to force encryption on.
  • Avoid leaking cookies over HTTP. "Some sites try to do the right thing, but they fall short," states Phifer. "Unfortunately, users don't know which ones they are." She recommends testing whether a site is vulnerable by importing a handler script for that domain into Firesheep and trying it on your own session.
  • Log off websites when you are done. "This could invalidate a session cookie after it's been grabbed by Firesheep," states Phifer. "But it's no guarantee." It's also just good practice for your Internet privacy.
  • Don't assume that staying on a wired LAN means you're safe. Firesheep is not limited to WiFi. "Sidejacking may occur on Ethernet LANs and inside networks - anywhere a hacker can intercept unencrypted traffic," says Phifer. That includes hotel rooms and business centers.
  • Use a VPN (virtual private network) like Private WiFi to encrypt your online traffic. That hides your log-ins and the rest of your Internet communication from sidejackers and hackers, even on unprotected websites. The VPN encrypts the link between you and the VPN server, which is where a hotspot sniffer sits; between the VPN's exit and the website, the traffic is still whatever the site itself sends.
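Phifer's suggestion to test a site yourself can also be done without Firesheep, by looking at what the site's own login response tells the browser to do. The following Python script is an added example (not from this post, from Phifer's article or from any real site): it audits a constructed login response for the three server-side defects behind the tips above, a session cookie set without the Secure flag (so the browser will send it over plain HTTP), a post-login redirect back to http://, and the absence of a Strict-Transport-Security header, which is the server-side counterpart of what Force TLS does in the browser and which Firefox 4 and Chrome already honor. The hostnames and cookie names are invented.

```python
# Added example: audit a site's login response for the mistakes that make it sidejackable.
# Both responses below are constructed for the example; no real site is represented.
VULNERABLE_LOGIN = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://social.example/home\r\n"       # falls back to HTTP after the SSL login
    b"Set-Cookie: sid=9f2c7d; Path=/; HttpOnly\r\n"   # no Secure flag: leaks on the next HTTP request
    b"Content-Length: 0\r\n\r\n"
)
HARDENED_LOGIN = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://social.example/home\r\n"
    b"Set-Cookie: sid=9f2c7d; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Cookie names that usually carry the session; pass explicit names when you know them.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_response(raw):
    """Return (status code, [(header name lowercased, value), ...])."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_name_and_attrs(set_cookie):
    """'sid=abc; Path=/; Secure' -> ('sid', {'path', 'secure'})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_response(raw, session_cookies=()):
    """Return a list of findings; an empty list means nothing here helps a sidejacker."""
    status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_name_and_attrs(value)
            looks_like_session = cname in session_cookies or any(
                h in cname.lower() for h in SESSION_NAME_HINTS)
            if looks_like_session and "secure" not in attrs:
                findings.append(f"cookie {cname!r} lacks Secure: browser will send it over plain HTTP")
        elif name == "location" and status in (301, 302, 303, 307, 308):
            if value.lower().startswith("http://"):
                findings.append(f"redirects to {value}: the session continues over HTTP")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: nothing stops the browser "
                        "from following an http:// link to this site later")
    return findings


if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login_response(response) or ["ok"])
```

To run this against a real site, capture the response to your own login POST (a browser's network panel or a local proxy will show it) and feed the raw headers in; the audit is read-only and never touches anyone else's session. The Secure flag is the single change that defeats Firesheep's handlers outright, because a browser will not attach a Secure cookie to an http:// request at all.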
We'd like to know what you think of Firesheep's creators. Are they heroes for pointing out a serious online security issue? Or are they villains for bringing a major sidejacking tool to the masses?
