How to Spy on Open Wifi Hotspots: A Security Warning!

BlogHer Original Post

A new Firefox extension, Firesheep, has been released that makes it much easier to spy casually on other people's network activity over open wifi. Here's what you need to know as a blogger and social media user to protect your privacy!

Birds of Prey

If you work or blog from a cafe, school, library, or conference with open wifi, your network traffic isn't secure. Firesheep makes it easier for another person on the same open wifi network to log in as you to various social networks and services, including WordPress, Facebook, and Amazon. It doesn't reveal your passwords; it uses cookies and your browser to sidejack a browsing session.

You can avoid this, though:

1) Only use https:// URLs to log in to web pages when using open wifi. If the login URL doesn't say "https://", it is not secure.

2) You can install the HTTPS Everywhere and Force-TLS Firefox extensions to force your browser to use an https connection for many popular sites, such as Google Search, Wordpress.com blogs, Facebook, Twitter, and Paypal.

3) There are various complicated ways to do SSH tunnelling from the command line. Here's a good explanation with instructions on how to set up SSH tunnels for secure network access.
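The weakness behind all three of these tips is the same: a site that lets you log in over https:// but then hands you a session cookie that your browser will also send on plain http:// pages is leaking that cookie to everyone on the shared wifi. Site owners can check for this themselves. The script below is an added example, not code from this post or from Firesheep: it audits the Set-Cookie headers a site returns on login and flags cookies a browser would send in the clear (no `Secure` flag, or set on an http:// response at all). The header values are constructed sample data, and the name fragments used to guess which cookies carry a session are an assumption.

```python
"""Audit Set-Cookie headers for the session-cookie leak that sidejacking relies on.

Added example, not part of the original post or of Firesheep.
A cookie without the `Secure` attribute is sent by the browser on plain
http:// requests as well as https:// ones, so on open wifi anyone nearby can
read it off the air and present it as their own. This checks the headers a
server sends (constructed sample data below) and reports which cookies leak.
"""
from http.cookies import CookieError, SimpleCookie

# Assumption: fragments that usually appear in the names of login/session
# cookies. Adjust for the site under review.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login", "user")

# Problem codes returned per cookie.
NO_SECURE = "no-secure"          # browser will also send it over http://
NO_HTTPONLY = "no-httponly"      # page scripts can read it
SET_OVER_HTTP = "set-over-http"  # the response itself was unencrypted


def audit_set_cookie_headers(headers, over_https=True):
    """Return one finding per cookie that has a problem.

    headers: iterable of raw Set-Cookie header values as the server sent them.
    over_https: whether the response carrying them came over https://.
    Each finding is {"cookie": name, "session_like": bool, "problems": [codes]}.
    """
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        try:
            jar.load(raw)
        except CookieError:
            findings.append({"cookie": raw, "session_like": False,
                             "problems": ["unparseable"]})
            continue
        for name, morsel in jar.items():
            problems = []
            # Flag attributes are True when present and "" when absent.
            if not morsel["secure"]:
                problems.append(NO_SECURE)
            if not morsel["httponly"]:
                problems.append(NO_HTTPONLY)
            if not over_https:
                problems.append(SET_OVER_HTTP)
            if problems:
                findings.append({
                    "cookie": name,
                    "session_like": any(h in name.lower() for h in SESSION_NAME_HINTS),
                    "problems": problems,
                })
    return findings


def session_hijack_risk(findings):
    """True if any session-looking cookie would ever cross the wire unencrypted."""
    return any(f["session_like"] and (NO_SECURE in f["problems"] or SET_OVER_HTTP in f["problems"])
               for f in findings)


# Constructed sample: the headers a site might send back after a login form.
WEAK_LOGIN_RESPONSE = [
    "sessionid=8f3a2c9e1d; Path=/; HttpOnly",      # Secure missing: sidejackable
    "lang=en; Path=/; Max-Age=31536000",           # harmless preference cookie
]
HARDENED_LOGIN_RESPONSE = [
    "sessionid=8f3a2c9e1d; Path=/; Secure; HttpOnly",  # only ever sent over https://
    "lang=en; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        found = audit_set_cookie_headers(hdrs)
        print(f"{label}: hijack risk = {session_hijack_risk(found)}")
        for f in found:
            print(f"  {f['cookie']}: {', '.join(f['problems'])}")
```

The preference cookie `lang` is still reported in the hardened case, because it too lacks `Secure` and `HttpOnly`; the `session_like` flag is what separates a nuisance from a takeover. In practice you would feed the function the real Set-Cookie headers captured from your own site's login response.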

More serious identity theft is already easy over open wifi using other tools, and slightly harder but still possible on password-protected wifi. That could be exposed more widely if someone takes the Firesheep code and extends it to add in password capturing and logging capabilities.

The new thing that Firesheep has done is simply to make a very easy user interface. It opens a sidebar in Firefox that shows you icons for all the other users on your open wifi network. Double-click on a person's icon, and you'll be logged into the page they're using - as them.

So, please take a little care. If you have high school/college students in your life you should warn them especially. There will be some epic pranks pulled this week at colleges - and probably some of them will be cruel and harmful.

You may want to download and install Firesheep yourselves! It's very interesting. Download it and then drag it onto an open browser window in Firefox. Go to an open wifi hotspot, and see what you can see. (Don't do anything illegal of course!) That will give you a realistic picture of the seriousness of the security hole and how easy it is to exploit it.

As is usual with bad journalism on computer issues, articles and posts on Firesheep display some interesting misogyny. Firesheep is yet another computer thing "so easy your mom could do it". Apparently, for women, parenting destroys their techno-ganglions. Also, never forget that women, especially mothers and grandmothers, are the go-to comparison when you want to convey "ignorant." When guys 20 years younger than me say that something's so easy even Mom can do it, I like to point out that I used my vagina to push a human being into the world - YET MY BRAIN STILL WORKS. Amazing! The other bit of misogyny (and often, homophobia) pervasive in security geek culture is using rape as an analogy for hacking. That's ridiculous and offensive! People who say stuff like that need to check themselves!

Firesheep was written as a white hat (good guys) method to raise public awareness of web security issues and to force Facebook, Amazon, and other big sites to fix some obvious security flaws. Eric Butler, author of Firesheep, says,

The attack that Firesheep demonstrates is easy to do using tools that have been available for years. Criminals already knew this, and I reject the notion that something like Firesheep turns otherwise innocent people evil.

The motivations behind hacking are often about knowledge, education, and exploration. The issues underlying the principles of full disclosure come into play here with Firesheep. "Responsible" or partial disclosure would be telling someone "Hey, you lock your door, but I can pick the lock in 10 seconds, so you might want to change that!" Full disclosure tells the public as widely and quickly as possible, "Here's how to pick this lock." That puts pressure on everyone to create better locks or to fix the problem as quickly as possible.

If you think hacking and security are interesting, or just want to be scared into changing your passwords, please read the liveblog of my talk at BlogHer 10, Fight Spam and Hackers, along with the awesome Fight Spam and Hackers slides featuring tough women with passwords like diamonds. The point of this talk is that knowledge about the technology we use is crucial to us as women. Be cautious about being "protected." We have a right to privacy and security. We need to know the tools that enable us to speak freely in public and have unfiltered access to public information. Knowledge is a good way to help to make sure we keep those rights! Don't let fearmongering about hackers keep you from doing stuff on the Internet.

Here are some links on Firesheep for reference, for the curious:

  • What is SSL? - a brief and straightforward explanation of SSL, a standard protocol used for making secure web connections.

The next few weeks of pranking and hacking, online debates about security practices, will be quite lively. I'm very curious to see how big companies like Amazon and Facebook will respond to this increased pressure from the public.

If you have questions about these issues please feel free to ask!

-----------------
Liz Henry
Composite: Tech & Poetics
Badgermama