firesheep

Latest

  • Hotspot Shield adds iOS connection protection with inexpensive VPN

    by Michael Rose, 11.13.2011

    If you're a security-conscious web surfer -- or an international traveler who likes to maintain access to US-based video streaming or voice services -- you may already be one of the millions of users of AnchorFree's Hotspot Shield, one of the leading consumer virtual private network (VPN) services. VPNs have been a mainstay of distributed corporate workforces for years, but recently they've gained traction with everyday folk as well. This week, the company launched an iOS app that streamlines the connection process and adds bandwidth-saving compression on top of that, with a modest $9.99 yearly fee.

    The principles of a VPN are pretty straightforward. Normally, when you connect your computer to an unfamiliar network (wired or wireless), all your traffic back and forth is readily visible to anyone sitting on the same network segment; in the case of a public hotspot in a coffee shop, library or hotel, you might be sharing way more than you mean to. While many websites guard against snoopers by digitally protecting the login process with SSL encryption (that's the "S" in https://, indicating that the conversation between you and the remote site is protected), even that may not be enough to cover the bases. Last year, the Firesheep extension for Firefox demonstrated quite convincingly that on 'open' WiFi networks, even a secure web login might not be secure if the site drops the SSL encryption after the login process is done. VPNs protect against Firesheep and other eavesdropping as a side effect of their original intended purpose: creating a secure 'tunnel' between corporate or institutional networks and machines on outside networks like the Internet. The 'virtual private' part of VPN means that when you launch a VPN client, your computer is setting up an end-to-end encrypted connection with another computer someplace else, so you can access resources on that computer's remote network (printers, servers and such). All the traffic between point A and point B is incomprehensible to any other computers on those network segments, and assuming your VPN client is set up to route all your traffic through the remote server, you're protected from prying eyes at the next Starbucks table.

    While you might take a slight network performance hit from running a VPN, there are benefits beyond the security improvements. Since your tunnel is carrying all the Internet traffic to and from your machine, your VPN is acting like a network ventriloquist; it makes your 'voice' appear to be coming from somewhere else (in this case, the location of the remote VPN host). The advantages of this relocation range from the entertaining -- enabling sites like Hulu or Netflix to work for non-US users, or unlocking access to social sites like Facebook or MySpace from academic/business networks that block them -- to life-and-death, change-history important. If you're living in a country where control of the Internet is used as a tool of political repression, the opportunity to get access to the outside world via a VPN may make a huge difference.

    There's already a VPN client connection tool built into both iOS and OS X, so you're free to use most available VPN services with your Mac or your iPhone/iPad. The relevant acronyms are IPSec, PPTP and L2TP over IPSec; if your VPN host supports one of these protocols, you should be fine. You can check with your employer or school IT department to see if you already have VPN access that you can use for free. Going with a service like Hotspot Shield, however, means you don't need to think about that alphabet soup when you want to connect securely. Hotspot Shield's desktop offering is known for being dead easy to set up and use, so no surprise that the iOS app would aim for the same simplicity.

    Pick your plan (free seven-day trial, $0.99 monthly or $9.99 annual) and connect -- you can also adjust the image compression level that the app will apply to your browsing sessions, saving you room on your data plan in similar fashion to Onavo's app. The app runs gracefully in the background, protecting all your traffic (the app press release even cites iMessage exchanges as being guarded, but those already are covered by TLS encryption). If you're concerned about your mobile network security while using possibly un-guarded apps or websites, or you need to virtually relocate your connection, the seven-day trial of Hotspot Shield may be just the thing for you.

  • FaceNiff makes Facebook hacking a portable, one-tap affair (video)

    by Terrence O'Brien, 06.02.2011

    Remember Firesheep? Well, the cookie-snatching Firefox extension now has a more portable cousin called FaceNiff. This Android app listens in on WiFi networks (even ones encrypted with WEP, WPA, or WPA2) and lets you hop on to the accounts of anyone sharing the wireless connection with you. Right now it works with Facebook, Twitter, YouTube, and Nasza-Klasa (a Polish Facebook clone), but developer Bartosz Ponurkiewicz promises more are coming. You'll need to be rooted to run FaceNiff -- luckily, we had such a device lying around and gave the tap-to-hack app a try. Within 30 seconds it identified the Facebook account we had open on our laptop and had us posting updates from the phone. At least with Firesheep you had to sit down and open up a laptop; now you can hijack Twitter profiles as you stroll by Starbucks and it'll just look like you're sending a text message (but you wouldn't do that... would you?). One more image and a video are after the break.

  • How to guard yourself and your Mac from Firesheep and Wi-Fi snooping

    by TJ Luoma, 10.26.2010

    The prevalence of free/cheap and open Wi-Fi networks in coffee shops, airports, offices and hotels is a great boon to the traveling Mac or iPad user; it makes connectivity and remote work much easier than it used to be. Unfortunately, since most of those networks don't employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that's transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.

    Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you log in to a website (usually in a secure fashion, via HTTPS) and the site then redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be 'sniffed' by a nogoodnik on the same network segment; that's what Firesheep does automatically. With the cookie in hand, it's simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on e-commerce sites. That process is known as "HTTP session hijacking" (informally, "sidejacking") and has been a known problem for several years, but many sites have not changed to protect their users. Firesheep has made this process of sidejacking very easy, and a reported 104,000+ people have downloaded it. It is important to realize that the security problem exists for users of all browsers. Firesheep is available only for Firefox, but that's just the exploit side; it will gladly harvest cookies from Safari, Chrome, IE or anything else. Unfortunately, you've got to assume that any unencrypted site you go to while on an open Wi-Fi network is susceptible to compromise by this attack.

    Read on for some suggested ways to combat this security challenge.

    Photo by adactio | flickr cc
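    The two conditions the article describes (a session cookie that is not restricted to HTTPS, and a redirect to a plain-HTTP page after login) can be checked from a site's own login response headers. The audit below is an added example, not code from the article; the function names, the session-cookie name heuristic and the example.com headers are this example's own constructed assumptions.

```python
# Added example, not code from the article: audit the headers a site sends
# after an HTTPS login for the two conditions that make HTTP session
# hijacking ("sidejacking") possible. A session cookie set without the
# Secure attribute is also sent on plain http:// requests, so a site that
# redirects to HTTP after login hands it to anyone on the same open Wi-Fi.
# All header values below are constructed samples.

SESSION_HINTS = ("session", "sid", "auth", "login", "token")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags -> True
    return name.strip(), value, attrs

def looks_like_session_cookie(name):
    """Heuristic: cookie names that usually carry the login session."""
    return any(hint in name.lower() for hint in SESSION_HINTS)

def audit_login_response(headers):
    """headers: list of (name, value) pairs from the login response.
    Returns findings; an empty list means no sidejacking exposure found."""
    findings = []
    for hname, hval in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(hval)
            if not looks_like_session_cookie(cname):
                continue
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure attribute, sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cname}: no HttpOnly attribute, readable by scripts")
        elif lname == "location" and hval.lower().startswith("http://"):
            findings.append(f"post-login redirect to cleartext URL {hval}")
    return findings

# Constructed sample of the pattern Firesheep relies on, and its fixed form.
WEAK_RESPONSE = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
                 ("Set-Cookie", "lang=en; Path=/"),
                 ("Location", "http://example.com/home")]
FIXED_RESPONSE = [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
                  ("Set-Cookie", "lang=en; Path=/"),
                  ("Location", "https://example.com/home")]
```

    Running `audit_login_response` on the weak sample reports the missing Secure attribute and the cleartext redirect; the fixed sample returns no findings.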

  • Firesheep makes stealing your cookies, accessing your Facebook account laughably easy

    by Joseph L. Flatley, 10.25.2010

    A software developer called Eric Butler doesn't just want to make you aware of the lax security of most social networking sites, he wants to force you to do something about it! To that end, he's developed Firesheep, a Firefox add-on that even the least technically inclined among us can use to eavesdrop on open WiFi networks and capture your fellow users' cookies. Any time a site recognized by Firesheep (including Twitter, Flickr, Facebook, and Dropbox) is accessed by a user on your network, Firesheep provides you with an icon and a link to access that account. Sure, had these sites used SSL to begin with this would be nigh on impossible; but they don't, so it is possible. And easy! And fun! Keep in mind, we're not suggesting that you give this a try yourself (far from it!) but we do hope you look into the larger issues involved here, and take the appropriate steps to force sites to use SSL, and protect yourself in the process (we hear that HTTPS Everywhere and Force-TLS are good places to start). Because, really -- Internet security is enough of a problem without giving everybody at the Coffee Bean your Facebook credentials.