FireSheep: A New Security Risk using Public WiFi

I’ve just come across a frightening security exploit that could affect many of my friends, family, and clients who use free WiFi in public locations. This includes connecting to WiFi from a laptop, iPad, iPhone, Android, etc. After testing this for myself last night, I decided to write this post to raise awareness of this exploit. While the exploit itself isn’t a new concept, its ease of use and availability in a recently released program could compromise the online accounts of unsuspecting consumers on a widespread level.

Specifically, this applies to YOU if you answer YES to ALL of the following:

  1. You have a laptop, smart phone (iPhone, Android, Blackberry, etc), iPad, iTouch, etc with WiFi (wireless internet) capabilities.
  2. You connect your device to public WiFi networks at locations such as Starbucks, airports, hotels, conference halls, libraries, restaurants, bookstores, schools, work, or any public place.
  3. The WiFi networks you connect to are unsecure – Meaning: They do NOT require WEP, WPA or WPA2 encryption settings.
    1. NOTE:
      1. Most public wireless networks are unsecure.
      2. A network that requires some sort of website login or payment to connect is not necessarily secure.
  4. You visit sites such as Facebook, Hotmail, webmail (Yahoo Mail, Gmail, AOL Mail, Charter, Comcast, ATT, etc), Amazon, Yelp, LinkedIn, Twitter, WordPress, and so many others from your phone or laptop while on the public WiFi network.

If you answered YES to all statements above, you are vulnerable to people having direct access to your online accounts from their computers.

The Problem:

A new program called Firesheep was created to demonstrate how vulnerable unsecure wireless networks are. The program intercepts unencrypted cookies from the wireless network for websites like those listed above in item #4. This means any random person could be hanging out at a place like Starbucks waiting for you to check your Facebook account or webmail and instantly have access to the accounts you visited. It’s scary how easy this was for me to do. It does not require any programming knowledge whatsoever.

What’s scary is that Firesheep is FREE to anyone and was just released last month, October 2010. The Firesheep program is actually a plugin that runs in the Firefox web browser. Any middle school kid could set this up on their laptop within minutes and create massive havoc for unsuspecting people.

Depending on the compromised website, a random person could change your account password and permanently lock you out. Given the number of people who use public WiFi Hotspots to access email and many other unsecure websites, the potential impact is widespread.

Although I haven’t heard much media press about this yet, this has the potential of being the worst security vulnerability I’ve ever seen to date.

Imagine the following scenario: A hacker intercepts some stranger’s Yahoo email account and changes the password. The hacker discovers the Yahoo account is the primary email for a Bank of America account. If the hacker cannot locate the password, they may have enough information to request a password reset and wait for the email to arrive. At that time, they will change the password and gain full access to the bank account before the owner has any idea what’s going on. Granted, most banks have additional security measures in place to verify account ownership. However, the hacker is that much closer to breaking the system.

Some Protective Measures to Consider:

The best option is not to use unsecure public WiFi Hotspots. The risk is too great. However, we live in a digital world where being connected is a way of life. Therefore, I suggest other considerations for those who must stay connected:

  1. Only use the internet data plan provided by your cell phone company (EDGE/G3/G4) or a trusted encrypted WiFi network.
  2. Only connect to public WiFi networks that have WPA2 encryption.
  3. If you have to connect to an unsecure wireless network, use a VPN connection to access the internet with full encryption.
    1. Note: this is not an option for most people.
  4. Use a service like www.getcocoon.com if you don’t have a VPN option to work with.
  5. Only visit sites that use SSL encryption as identified by the HTTPS URL prefix. Notice the (S) in HTTPS.
    1. Note: Some websites only use HTTPS for pages used for login or collecting credit card payment information. For other pages, some sites revert back to unsecure pages using the HTTP URL prefix. These sites are vulnerable since Firesheep will intercept the cookie when the browser switches from HTTPS to HTTP, giving the hacker access to the logged-in account session.

At this point, I would caution anyone using an unsecure public WiFi to NOT use them unless you have a VPN connection for encryption.

Test Results:

Testing this is pretty straightforward for those who want to try it. I had two computers. The first played the role of the hacker. The second played the role of the victim. I used only my personal accounts for testing purposes. Both computers were on the same wireless network with WEP, WPA, WPA2 disabled. Therefore, the wireless network was not encrypted.

During my testing, I was able to compromise the following accounts from the victim computer within 30 seconds of starting the wireless scan on the hacker computer:

  • Yahoo Mail
  • Gmail
  • Hotmail
  • Custom Install of WordPress
  • Facebook
  • Twitter
  • Bit.ly
  • Amazon

Note: I did not have Yahoo Mail open in any browsers. The scanner from the hacker demo computer was able to pick up my account automatically because the browser on my victim computer had the Yahoo toolbar installed. I was not aware that the toolbar was even there. In fact, I was logged into Facebook on the victim computer and did not click on any links. The scanner picked up my Facebook account from the hacker computer instantly. Many sites like Facebook and webmail make automatic checks for new messages or wall posts. Those automatic checks will send session information to and from the website which can be intercepted by Firesheep to recreate and simulate the “logged in” account on the hacker computer. After compromising my Facebook account in my test, I could access all my information without the username and password.
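The two failure modes above, a site that drops back from HTTPS to HTTP after login (the note under protective measure #5) and a site whose background checks for new messages carry the session cookie on every request, both come down to one browser rule: a cookie is only protected from cleartext transmission if the site set it with the Secure attribute. The following Python script is an added example written for this post; it is not Firesheep’s code and not code from any of the sites named above. It models that browser rule so a site owner can check which of their own cookies would go out unencrypted on an HTTP request. The host www.example.com, the cookie names and the URLs are constructed for illustration.

```python
"""Model which cookies a browser would put on the wire in cleartext.

Added example (not part of the original post). Assumptions: a simplified
browser cookie model in which a cookie is attached to a request when the
request host matches the cookie's Domain, the request path matches its
Path, and, if the cookie carries the Secure attribute, only when the
request uses https. All hosts, cookie names and values are constructed.
"""
from urllib.parse import urlparse


def parse_set_cookie(setting_host, header_value):
    """Parse one Set-Cookie header value as received from setting_host."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": "", "host_only": True, "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val:
            # An explicit Domain attribute covers the domain and all subdomains.
            cookie["domain"] = val.lower().lstrip(".")
            cookie["host_only"] = False
        elif key == "path" and val:
            cookie["path"] = val
    if cookie["host_only"]:
        # No Domain attribute: the cookie belongs to the setting host only.
        cookie["domain"] = setting_host.lower()
    return cookie


def domain_matches(host, cookie):
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(path, cookie_path):
    if path == cookie_path:
        return True
    return path.startswith(cookie_path) and (
        cookie_path.endswith("/") or path[len(cookie_path)] == "/")


def cookies_for_request(url, jar):
    """Cookies the modelled browser would attach to a request for url."""
    u = urlparse(url)
    host, path = (u.hostname or ""), (u.path or "/")
    sent = []
    for c in jar:
        if not domain_matches(host, c) or not path_matches(path, c["path"]):
            continue
        if c["secure"] and u.scheme != "https":
            continue  # Secure cookies never travel over plain http
        sent.append(c)
    return sent


def cleartext_leaks(url, jar):
    """Names of cookies this request would transmit unencrypted."""
    if urlparse(url).scheme == "https":
        return []
    return [c["name"] for c in cookies_for_request(url, jar)]


def missing_secure(jar):
    """Cookies a site owner should fix: set without the Secure attribute."""
    return [c["name"] for c in jar if not c["secure"]]


# Constructed Set-Cookie headers as a hypothetical site might send them
# right after an HTTPS login. Only the third one is set correctly.
JAR = [
    parse_set_cookie("www.example.com", "session_id=abc123; Domain=.example.com; Path=/"),
    parse_set_cookie("www.example.com", "pref=dark; Path=/"),
    parse_set_cookie("www.example.com",
                     "auth_token=xyz789; Domain=.example.com; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    # A background "any new messages?" poll the page makes over plain http.
    print(cleartext_leaks("http://www.example.com/ajax/notifications", JAR))
    # The same poll over https puts nothing on the wire in the clear.
    print(cleartext_leaks("https://www.example.com/ajax/notifications", JAR))
    print("cookies to fix:", missing_secure(JAR))
```

Run against a site’s real Set-Cookie headers, the last line is the useful output: any session cookie listed by `missing_secure` is exactly what a sniffer on an open network can pick up as soon as one page element or background request uses HTTP.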

To see this in action or read more about the early reviews of Firesheep, see the links listed below.

Quick Overview Videos:

- http://www.youtube.com/watch?v=eUyrMVkRTlI

- http://www.youtube.com/watch?v=psVODNtFOrM&NR

To Install Firesheep and Test:

- http://www.coolbuster.net/2010/10/how-to-install-firesheep.html

- Video: http://www.youtube.com/watch?v=_2_fG_Gut1s

Other Suggestions for Protecting Yourself: (Not really foolproof)

- http://www.coolbuster.net/2010/10/protect-yourself-from-firesheep.html

- http://www.coolbuster.net/2010/10/firesheep-hacks-facebook-twitter.html

FireFox Plugins for Protecting from FireSheep and the like:

- https://www.eff.org/https-everywhere

- https://addons.mozilla.org/en-US/firefox/addon/12714/

- Article Review: http://techcrunch.com/2010/10/25/firesheep/

Google Chrome Plugin:

- https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof

Stay Safe,

David Carroll