Do you use free unsecured wi-fi while you're out and about?


Keir_Eidos
04-11-10, 13:25
I apologise in advance if this has already been discussed. I'm sure some of you guys are already aware but it interested me so I thought I'd share. Hope that's OK.

I recently got a smexy new Galaxy S (http://www.droiddog.com/wp-content/uploads/2010/07/samsung-galaxy-s_1.jpg) Android phone. It's great. When I'm sitting in a coffee shop or I'm having a cheeky pint I often switch to the establishment's wi-fi so I can surf Facebook, Twitter or tombraiderforums.com without eating up my bandwidth.

I probably shouldn't do that.... and here's why:

There's an add-on for Firefox called Firesheep that makes it easy peasy to 'sidejack' people's accounts. "The free Firefox extension collects cookies that have been broadcast over an unprotected WiFi network without using SSL. You turn it on, it collects cookies for Facebook, Twitter, and 24 other sites (by default). Then, you can sidejack the account and gain access under the acquired identity."

Check this somewhat alarming article for more info:

http://technologysufficientlyadvanced.blogspot.com/2010/10/herding-firesheep-in-new-york-city.html



Herding Firesheep in New York City

There's been a lot of talk about Firesheep over the last few days. The free Firefox extension collects cookies that have been broadcast over an unprotected WiFi network without using SSL. You turn it on, it collects cookies for Facebook, Twitter, and 24 other sites (by default). Then, you can sidejack the account and gain access under the acquired identity.
This extension isn't shocking. If you're worth your weight as a developer, you've known this flaw has existed for a long time, right? But what about the rest of the world? What about the people who haven't heard about the newly accessible threat through their friends, through Engadget, through Slashdot, or through ABC ProNews7 in Amarillo?

I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar. Three of them were from Facebook.

This wasn't at all surprising; Firesheep is not magical, and anyone that's been to a Starbucks knows that a lot of people mindlessly refresh Facebook while sipping on their lattes. I thought I'd give it more time, so I listened to some music, talked to a few friends, and most importantly (and difficultly) did not navigate to anything sent over vanilla HTTP (including, of course, Facebook).

Around half an hour later, I'd collected somewhere between 20 and 40 identities. Since Facebook was by far the most prevalent (and contains more personal information than Twitter) I decided to send the users messages from their own accounts to warn them of their accounts' exposure. I drafted a friendly, generic message that stated the location of the Starbucks, what the vulnerability was, and how to avoid it. I sent messages to around 20 people.

I cleared the sidebar, took off my headphones, and waited. I heard one expletive muttered a few feet away, and wondered if my message was the cause. Over the next 15 minutes, I didn't hear anyone talk about what had happened (and folks at Starbucks are usually not ones to keep their conversations private). However, what I did see happen was a sharp decline in the number of identities I was collecting when I restarted Firesheep.

This was relieving -- these people got the message. Hopefully they'll tell their friends, hide their kids, hide their wives. I cleared the sidebar once again, and after another twenty minutes of mindless conversation I saw five familiar names had returned to my herd.

This was somewhat puzzling. Did they receive the first message? I logged into their accounts, and surely enough, they had. One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices.

I cleared again, waited for ten minutes, and after resuming Firesheep's collection it appeared that he was gone. Yet the other four remained persistent. Perhaps, I thought, they thought the message was automatically generated and randomly targeted (despite mentioning their location within 100 feet). So, one last message was in order.

I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts:

Really wasn't kidding about the insecurity thing. I won't send another message after this -- it's up to you to take your security seriously. You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool.

Twenty minutes passed, and all four were still actively using Facebook. Again, I considered that they may not have received the second message, but after viewing their accounts it was clear that they had.

This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.

But, I kept my word and did not send another message. I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability. I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity.

On my way home, I considered what the experience meant about our society. No matter how many security measures we provide to the world, there will always be people who leave the door open, even after they've had an intruder. The weakest link in security has been, and always will be, the user's judgement.

Back at my apartment, I began to settle in -- only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover.

Posted by Gary LosHuertos at 6:50 PM

Cochrane
04-11-10, 14:04
I mostly browse via secured WLANs or 3G, but still, Firesheep is scary. I'll now use my university's VPN to get an encrypted connection even on unsecured Wifi. Of course, none of this is new. Firesheep just made it a lot easier. And it shows why we all should move towards HTTPS.

I also think that this shows a weakness in modern WLAN standards. WLANs that everyone can join, but which still use encryption, seem like an obvious gap in the standards.

Clara [CA]
04-11-10, 14:46
Two years ago I logged once into a Gmail account (not my main one) from an unsecured network. A few days later, the account was hacked. I'm not sure it was linked since the Google login page is https, but if it's possible to collect cookies from other computers using the 'open' network, then I don't see why it wouldn't be the case...

Since then, when I use those kinds of network, I use a Netbook on which I never ever log on to any website and on which cookies aren't activated. I use other computers on the secured networks at work or home for the personal stuff. I'm planning on buying a smartphone next month and only planning on using my own secured 3G network but nothing else. More bandwidth vs. identity theft... it's really not worth it.

tampi
04-11-10, 15:15
It seems that Galaxy S is having many supporters here and there.


At home I use a secured (WPA/WPA2 PSK)(?) wi-fi connection for my mobile. It's faster than my 3G connection.
I've noticed that with Wi-Fi network recognition active, the HTC Desire connects to these networks by itself.
I know nothing (edited, sorry) about the app you mentioned or how this whole issue of cookies works. I just know they are small files between computers.

Something that seems not to have been solved yet in Android, or so I hear, is the problem that some applications remain open after they are used.
Myself, the other day, I was connected and logged in to this site on my phone without knowing it. I hope not to be bothered.

I installed an app called "Advance Task Killer" to stop open applications from running after I use them.

voltz
04-11-10, 15:37
I've read up on this from Mozilla and they posted a statement that they have no way of getting rid of this extension from anyone's browser even if someone manages to install it from a 3rd party website.

It's a guess, but this is probably what's delaying FF 4.0.

digitizedboy
04-11-10, 16:07
I used one of my neighbours' unsecured wi-fi networks once, but I guess that doesn't count as out and about.

Still, it was free though. :)

The Great Chi
04-11-10, 16:11
Why anyone wants to use Facebook or twitter and give away all their personal details is up to them. I never deal with sites like that.

We all know it is unprotected in certain ways, and can be easily accessed by accident or by deliberate hacking. Non-encrypted Wi-Fi is even less protected.

I once googled my oldest niece's name, and up came a whole chunk about her personal life at university via facebook, including some startling pictures of her when drunk :p

When I showed her the pictures she was shocked that I had found them on the internet. That taught her a lesson :D

Chocola teapot
04-11-10, 16:16
D:

Oh dear.

Cochrane
04-11-10, 17:14
I've read up on this from Mozilla and they posted a statement that they have no way of getting rid of this extension from anyone's browser even if someone manages to install it from a 3rd party website.

It's a guess, but this is probably what's delaying FF 4.0.

It's a wrong guess. A Firefox extension is similar to a normal program for Windows, with the main difference being that it requires Firefox to run. Mozilla can't remove it remotely, just like Microsoft can't uninstall programs you have on your computer without consent. But this is not about a problem with Firefox, the author of that tool just used Firefox because it was convenient. The safety problem is not in the browser, but in the sites you visit.
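
The site-side weakness discussed in this thread, as an added example that is not part of any post or of the quoted article: a small Python audit of one HTTPS response that flags cookies set without the Secure attribute (which the browser would also attach to plain-HTTP requests on an open network) and a missing Strict-Transport-Security header. The cookie names and header values are constructed for illustration.

```python
# Added example: audit response headers for cookies that could travel
# over plain HTTP. All sample header values below are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def audit_response(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns findings as (cookie_or_header, problem), in header order."""
    findings = []
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(hvalue)
            if "secure" not in attrs:
                # Without Secure, the cookie is also sent on http:// requests
                findings.append((cookie, "missing Secure"))
    if not has_hsts:
        # Without HSTS, the browser may still make a first plain-HTTP request
        findings.append(("Strict-Transport-Security", "header absent"))
    return findings


# Constructed sample: login response from a hypothetical site
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for item, problem in audit_response(SAMPLE):
        print(f"{item}: {problem}")
```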

tampi
04-11-10, 17:21
I recommend only installing applications from Market Place for Android.
They are secure and apparently reviewed.

The Android's default browser works pretty well, and there are other recommended applications (Apps) for feeds and all that stuff.

Sir Croft
04-11-10, 17:26
I've never used public wi-fi networks so I guess I'm safe for now. :p
And Keir, :tmb: for getting a Galaxy S!

xXhayleyroxXx
04-11-10, 17:45
I don't use public wi-fi often but I'll be sure to be more careful now ^_^

TombRaider4444
04-11-10, 17:54
Whenever I'm on my iPhone, iPad or laptop, wherever, I never leave home without a MiFi 2352. WPA2 security. I did buy a pineapple though to monitor everyone's bandwidth :jmp: Also everyone ehhem "VPNs..."

Neteru
04-11-10, 23:14
No, I don't use unsecured wi-fi ... because I couldn't connect to any I found in the vicinity. Probably good as I wouldn't normally anyway, just got a bit desperate without my usual internet connection.

larafan25
04-11-10, 23:56
Holy crap, that is wild, hopefully none of Keir's secret TR9 facebook pictures got exposed.:pi:

Legend of Lara
05-11-10, 00:21
Holy crap, that is wild, hopefully none of Keir's secret TR9 facebook pictures got exposed.:pi:

Now, why would he put them there? :p

larafan25
05-11-10, 00:22
Now, why would he put them there? :p

I don't know.:pi: