27 May 2011

Beware Firesheep, the Web's latest wolf in sheep's clothing

The name "Firesheep" may sound meek and mild, but think again. It's the new buzzword being bandied about as the latest online security risk.
It's a new program that makes it easy for anyone to hack into your Facebook session, e-mail account, Twitter feed and other sites if you and the hacker are using the same unsecured wireless network, such as a free coffee shop wifi signal or even UCLA wifi.
What can happen? It's as though you left your laptop alone with your favorite pages open on a café table and someone sat down at your computer to pretend they were you. They won't get your passwords, but they can post bogus Facebook or Twitter updates, use your email and even drop items into your Amazon shopping cart.
The difference is that Firesheep allows people to do those things without touching your computer or being in the same room. They just need to be on the same wireless network for their computer to snatch it out of the air, and you won't even realize it.
Fortunately, there are ways for people to protect themselves from this "sidejacking," campus IT experts explained.
How to protect your data
Many open wireless networks are unencrypted, which is what allows Firesheep to eavesdrop so readily. By encrypting your data – that is, by putting it in a secret code, like James Bond sending a spy-worthy message – you can thwart Firesheep, explained Ross Bollens, director of UCLA IT Security. UCLA's Virtual Private Network (VPN) will code your data automatically, no matter where you are — on campus or at home, Bollens said.
Go here to load UCLA's VPN onto your laptop, iPhone or other wifi-using device. You'll see options for Macs, Windows, iPhones and more, and each one leads to an illustrated guide walking you through the process. All you'll need is your UCLA Login to configure the UCLA VPN. Once you have access to UCLA's VPN, just turn it on when you use wifi, and it will encrypt your data and stymie Firesheep, Bollens said.
It's important that everyone protect his or her own data, Bollens added.
"People want us to just fix it so they don't have to think about it, but I can't fix this one," he said. "Firesheep exposed a vulnerability that's been around since the beginning of the Web, but before, it required a hacker mentality. Firesheep made it so grandma can do it."
Using the VPN is perhaps the simplest way to protect against Firesheep, but there are other alternatives, Bollens said. While using wifi on campus, UCLA_SECURE and UCLA_SECURE_RES will also protect your data. However, wireless signals without "UCLA secure" in the name – UCLA_WIFI, UCLA_WEB and UCLAWLAN – are unsecured, so users should turn on their VPN while accessing them.
Many websites are already secure, and therefore protected against Firesheep. You can tell by looking at the Web address in your browser. A Web address, or URL, that starts "http" is a normal, unsecure site, but an "s" at the end – https – means it's designed to be secure, said Alice Planas, who manages Web strategies and communication for Center X in the Graduate School of Education & Information Studies.
"I teach users I work with to pay attention to the URL prefix when they log in and on the webpages after they log in. Ask yourself, does it say http or https?" Planas said. "Many popular websites are not fully secured."
While you may log in under a secure "https" Web address, which does protect your password, if you move to an "http" page, you can get burned by Firesheep, Planas said. Most banking websites are "https" all the time, but sites like Yahoo or Hotmail webmail, Facebook, Twitter and others revert back to plain http after you log in. Instead of using your user ID and password to keep you logged in, most websites assign you a "cookie," or a session ID that acts like a key to your account, Planas explained.
"This 'key' is what the Firesheep sidejacker needs to gain access to your account," she said. "They may not know what your user ID/password is, but they have access to your account by stealing your session ID. This could mean snooping for information, but it could also mean 'spoofing you' or posting or masquerading as you, or changing your account settings."
After Firesheep came on the scene and spread like wildfire, Bollens required Web-based UCLA applications that use UCLA log-ons to switch from http to https. Anyone using the UCLA VPN doesn't need the extra protection, but adding that layer of security addresses the very vulnerability that Firesheep was designed to highlight, Bollens said.
"The creator said he was trying to demonstrate the 'soft underbelly' of the Internet to encourage better security practices," Bollens said. "But some people say that's the moral equivalent to running over a bunch of pedestrians in order to get a stop sign installed."
Like Bollens, Planas has seen users who just want her to provide a one-time fix so they don't have to worry about it anymore, but that's not an option, she said.
"I'm happy to give quick and simple practical steps, but I also think it's really about self-education," Planas said. "The tools and the hacks will change. Security will always need to be a concern on the part of Web users."
Here's how you can thwart Firesheep:
  • Load UCLA's VPN onto your laptop, iPhone or other wifi-using device. To load it, you need your UCLA Login. Turn on the VPN whenever you use an unsecured wifi signal, such as UCLA_WIFI, or at a coffee shop, hotel or airport.
  • If the UCLA VPN is not an option, you can download the free, ad-based "Hotspot Shield" VPN for your laptop or iPhone, or you can browse many websites safely through Firefox's browser by installing https everywhere, or search safely on Google using https.www.google.com (note the "s" on https).
  • For on-campus wireless, use UCLA_SECURE or UCLA_SECURE_RES instead of UCLA_WIFI or UCLA_WEB if you can't turn on your VPN.
  • If you're not using the UCLA VPN, check whether a website address is using https. If the address starts with "http" instead of "https," it's vulnerable to Firesheep.
  • If you're on unsecure wifi without a VPN, log out of any applications when you leave a wifi hotspot. Even when your browser window is closed, your session ID — the "key" that Firesheep copies — is active until you sign out.
What Firesheep users see:
This screengrab comes from the website of Firesheep creator Eric Butler. Firesheep users can see a list of everyone on the same wireless network as them and what common websites they are logged into, unless the wireless network is secured, the website is secure, or the user is on a VPN.

AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer. Follow 'AbhiShek SinGh' on Facebook , Twitter or Google+ or via Email

Subscribe to stay up to date