Personal Accounts Vulnerable Over Claremont Wireless Networks
October 25, 2010
Kevin Burke
Yesterday at a hacker security conference Eric Butler demoed Firesheep, a new Firefox extension that points out how easy it is to steal user information over an open wireless connection. Within about ten minutes of downloading it, I was one click away from reading my roommate's Facebook news feed, updating his status and commenting (as him) on his friends' Walls. This means that if you are browsing Facebook, Twitter, Google, Amazon, or various other sites over an open wireless connection, your data is vulnerable to anyone using this extension. The CINE and Claremont wireless networks are vulnerable to this attack, but CMCNet is safe for the moment. Here's how it works:
1. I open the Firesheep extension and connect to an open wireless network.
2. You connect to the wireless network and check your Facebook. So that you don't have to enter your password every time you go to a new page, Facebook stores a piece of data called a "cookie" on your computer.
3. That cookie gets passed through the air from the wireless hub to your laptop without getting encrypted. I use Firesheep to steal the cookie and double click on your name to log in to your Facebook, Flickr, Google, LinkedIn or other account with one click.
I tested this out on my laptop while connected to the CINE wireless network. Within about four minutes, the extension let me hack into my Google Account, my fake Facebook, my Twitter and my CMC Forum account without logging in to any of those sites. I was then able to log into each of these sites and post messages.
This vulnerability has been known for a long time, but usually required fairly advanced knowledge about networks and some technical tools. Now, however, it's easy enough for even the Microsoft Office-proficient to steal a user's session. Most of the affected sites are taking this seriously, and implementing steps to improve their security, but for the time being, your data is extraordinarily vulnerable. Here are some ways you can protect yourself:
#1. Don't access Google, Facebook, Twitter, Flickr, LinkedIn, or any site you care about, over an open wireless network, or in an Internet cafe. On campus, this means that you shouldn't be using the CINE or the Claremont networks. As a rule of thumb, if you can access the network for free without providing a password (Starbucks, etc), you shouldn't use it to access any data that you care about. What's more, don't leave these sites open in open tabs while you're on those networks, because the connection is still open even though you're not refreshing the page.
#2. There is a way to securely access your data on open networks. It's called HTTPS, and it's the system that online banks and credit card companies use. You can tell if a site is using HTTPS if you see this in the URL in your browser:
There are some extensions for Firefox that force sites to use HTTPS for your information; check out the HTTPS Everywhere extension, which will force Facebook, Google, Twitter and others to use the HTTPS connection for every link between your computer and the network. In your GMail Settings, click on the "Always use HTTPS" option. You can get more information about counter-measures here.
#3. Read the emails that Bruce Frost and Jeremy Whaley, CMC's technology security experts, send out, and don't hesitate to email them if you have questions about your online security.
Please note that using any application to browse other people's information is at best highly unethical, and at worst, illegal, and that you should not use this tool for pretty much any reason. I received my roommate's permission before snooping his laptop, and even then I did not open any of his accounts on my computer. If you want to be safe on the Internet, you need to know what evil people can do while you're on it.