Halloween tech scare fun
Wanna see something scary? Meet Firesheep. It’s a simple, straightforward Firefox extension that sniffs out packets of information on open networks.
What that means, in English, is that anytime someone on your network (for example, the guy sitting next to you in Starbucks with his shiny new iPad) goes to a Web site, you can collect his login name and see it right there at the side of your Firefox browser window.
Before you rage at the creator of this extension, there is a motive here that’s not really as nefarious as it looks at first blush. Many of the Web sites we so cavalierly feed our sensitive data – including e-mail addresses, credit card numbers and more – to use an insecure Internet protocol (http, the prefix you can see at the beginning of any Web address). There is a secure option out there; it’s the https protocol. Gmail is one example of a service that uses that more secure method. The creator of this extension is trying to send a message to Web services that they need to pay more attention to security. After all, while Firesheep just came out last week, packet sniffing has been around for ages. All the extension does is make it easy for people who haven’t really looked into cracking this kind of information to see just how easy it is to gather user data.
Also, it’s worth pointing out that this extension only gathers information sent via browser cookies. While that often includes user names, it typically doesn’t include passwords or credit card numbers. Sites vulnerable to this exploit – and indeed included as standard options in the extension – include Facebook, Twitter, Amazon and more.
Finally, it really needs to be reiterated that this isn’t a problem caused by the network host. It’s the type of setup used by the affected Web site itself. So, for example, while Firesheep does find information on the library’s wireless network, it’s not a security hole on our end.
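To make that last point concrete, here is a small added example (not from the original post or from Firesheep) that audits the Set-Cookie headers a site sends back. A session cookie set without the Secure flag is exactly the kind of setup Firesheep relies on, because the browser will then send that cookie over plain http:// connections too; the sample headers and the list of session-cookie name hints are constructed for illustration.

```python
# Constructed sample: two Set-Cookie headers as a site might emit them.
# The first is the pattern Firesheep relies on: a session cookie without the
# Secure flag, so the browser also sends it over plain http:// requests.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Assumed heuristic: cookie names containing these fragments carry a login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes); attribute keys are lowercased."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure or HttpOnly
    return name, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty list means it is fine)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if looks_like_session_cookie(name):
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure flag; cookie will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag; readable by page scripts")
    return findings


def audit_headers(headers):
    """Audit every Set-Cookie header and map each one to its findings."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings or ["OK"]:
            print("   ", finding)
```

Run against the constructed sample, the first header is flagged for the missing Secure flag and the second passes, which is the difference between a site that Firesheep can read and one it cannot.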
Here’s an excellent article on the Firefox extension and the background story over at PCWorld.
And some notes from our systems administrator here at TPL:
So what can you do to protect yourself from exploits such as this?
• Always be aware if the website you are visiting is loaded in HTTP (unsecured) or HTTPS (secured) mode. HTTPS mode is signified by the https:// prefix, or by a gold lock icon in your browser.
• Visit the HTTPS version of the website you are accessing, if provided. A Firefox extension, HTTPS Everywhere, will automatically switch you to an HTTPS version of sites and offer the option.
• Whenever you are on an untrusted or unsecured network, NEVER provide secure personal information such as credit card or other financial information, addresses, phone numbers, etc. if the website you are visiting does not use HTTPS.
• When at home or at work, always use an encrypted wireless network. When in public, most wireless networks are unsecured, but if an encrypted network is available, take advantage of it. Remember though, a public network is still untrusted, and you should always use HTTPS to transfer personal information.
• If you find yourself on a public network, using a site that does not offer HTTPS access, think twice before transmitting any personal information or even about logging into the site at all. If you must, make sure you use a username and/or password that is different from your others. This is good practice anyhow.