Q: What is this Firesheep I’ve heard about in the news and should I be concerned?
– submitted by Doug Dial, Hometown Comics
A: There has been a lot of media coverage lately about a very recently released piece of hacking software called “Firesheep”. The reports state that hackers using the Firesheep software can steal a user’s logon information to sites like Facebook or Twitter while that user is connected to a public wireless (Wi-Fi) network. Obviously, this has stirred up quite a bit of concern. I’ve spent some time researching this and can offer some advice regarding the severity of this threat and what you can do to protect yourself.
Just so you know, I’m going to skip over a lot of the technical details of Firesheep. I think this is best so as to not confuse the readers of this article. If you have more technical questions, please let me know and I’ll be happy to discuss them with you.
First off, Firesheep does not actually pose an entirely new threat. The vulnerabilities that it exploits have been a problem for a long time. What Firesheep does is make it very easy for non-technical people to take advantage of the vulnerabilities and break into people’s accounts. Prior to Firesheep, only a dedicated technical user would have had the capability to carry out this exploit. This greatly reduced the probability of the vulnerabilities being exploited. Now Firesheep gives almost anyone the ability to easily gain access to others’ accounts. This elevates the probability of being compromised significantly.
Honestly, I must state that this threat is very real and is something to be taken seriously. However, let’s be clear about the situations in which you are and are not at risk. You are only vulnerable if you are on an unencrypted wireless network and using a non-secured website such as Facebook or Twitter (which do not, at the time of this writing, encrypt the particular login information that Firesheep exploits). You are NOT at risk if you are on an encrypted wireless network (one which requires a password), are using most wired networks, or are using a secure website (such as PayPal or bank web sites).
Unfortunately, the best fix for this problem is for the services that are being exploited to encrypt certain user information at all times. Currently, most non-secure sites only encrypt this particular information at the time of login. Until these services do this, users will continue to be at risk. There are a few ways that users can encrypt all their data (primarily via the use of a VPN), but these methods are beyond the feasibility of most users. Therefore, at this time, I am recommending that you avoid the use of Facebook and Twitter (and other similar non-secure sites) on public, non-encrypted wireless networks. Yes, this may seem quite drastic, but the threat truly is that real. It does not matter what type of device, operating system or web browser you use: you are at risk if you are using a non-encrypted, public network. Again, if you are on a secure network, you are fine.
If it wasn’t already critical enough, now is the time to make sure your home or office wireless network is secured. If you are not sure, please contact me and we can discuss what can be done to make sure you are safe.
Also, those who operate public Wi-Fi networks have some options to help protect their users. If you operate a public wireless network, please get in contact with me to discuss what steps can be taken to protect your users.