I have a riddle for this week's column. How many mouse clicks does it take the average user to hijack your Facebook session on an open WiFi network like at an airport? The answer: one. Okay, technically one double-click.
You'll notice I said the average user, not your average international technology spy. All you need is the right software on your computer and anyone using that WiFi network on an unsecured ("http://" instead of "https://" in the browser address bar, e.g. http://www.thewesternstar.com) connection is at risk.
In our last article about WiFi security, we talked about the risks of leaving your home network unsecured or, almost as bad, secured with WEP. This time, we'll look at the other angle. How safe is your computer when logged onto someone else's network?
The short answer to that question is — as safe as you decide it to be. There are countermeasures to any attack. I'm going to show you one way to intercept traffic on an unsecured network. Then I will show you how to make sure it never happens to you.
The attacker, Firesheep, is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. A packet is a piece of information going to your computer from the network or vice versa. Firesheep has been around for several years, but is still an active threat. There are plenty of other options when it comes to packet sniffing.
WARNING: While installing the add-on Firesheep is not illegal, analyzing Internet traffic on an unsecured network could be. I would not suggest trying this for fun.
If a person downloaded and installed the add-on they only need to open the Firesheep sidebar to start capturing packets. When it has enough packets an account appears on the list. If double-clicked this account now appears in the browser, giving the ability to see all friends, private messages and issue status updates.
The defence: An extension called HTTPS Everywhere for both Firefox and Chrome that encrypts your communications with many major websites. It protects many websites like Facebook and Twitter, but not all.
Another defence option is to use a Virtual Private Network (VPN). A VPN allows you to connect your machine to a virtual network which in turn encrypts the data you send, hiding everything from the public domain. It is essentially your own personal tunnel to the Internet. Again, there are plenty of free and paid VPN options out there. Choose carefully. Also, a VPN should keep no records of your browsing history.
A couple of final tips:
— Do not use online banking on open WiFi networks. There are some supposedly secure methods, but I see no reason to chance it. Do your banking at home.
— Turn off WiFi, Bluetooth and NFC when you're not using them
— Turn on data encryption, either through an application like HTTPS Everywhere or through your device settings.
— If you don't recognize the WiFi network you are trying to connect to, then don't connect to it. Hackers leave open WiFi networks in large centres hoping someone will log in unsecured.
— Keep in mind also, this is not a flaw in the WiFi network you are using. The fault lies in the websites themselves. If they share private information then they should also force web traffic to be encrypted.
Jon Reid is an IT professional working in Corner Brook. His column appears every other Tuesday in The Western Star.