You’re at Starbucks, busy working on your Facebook page. Bad news: The guy at the next table is a hacker, and he’s also working on your Facebook page. Sit tight, I have a few ways for you to make yourself invisible to hackers.
One Very Serious Threat
There’s a pervasive, serious Facebook and Twitter exploit that leaves you wide open to any and every hacker who can download a simple-to-use, free tool called Firesheep. It’s a threat if you’re using an unsecured, public Wi-Fi network, typically available at an Internet cafe, airport, hotel, or RV campground.
Last week TechBite paid subscribers got the first dispatch about this in the Extra newsletter; here’s a more detailed version.
The Hacking Tool
Firesheep is an HTTP session hijacker that runs as a Firefox extension and sniffs around for cookies on any unsecured Wi-Fi connection.
When you log onto Facebook, Twitter, or any of over 26 other social networking sites, the site sets a session cookie in your browser. A person running Firesheep can read that cookie off the open Wi-Fi network and log onto your Facebook page as you. Then he (okay, or she) can do anything from your Facebook account, such as send e-mail or write on a wall.
Every browser is vulnerable to the exploit.
The one saving grace is that Firesheep doesn’t have access to your password — that’s encrypted and safe. If the hacker tries to change it from within Facebook, you’ll get an e-mailed alert. But everything else on Facebook is fair game.
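To show why the cookie is readable on an open network and what the fix looks like on the site's side, here is an added example that is not part of the original newsletter: a small Python audit of HTTP response headers for the cookie Secure attribute (which tells the browser never to send the cookie over plain http) and the Strict-Transport-Security header (which makes the browser use https for the whole session, the behavior the author wants social sites to adopt). The sample headers are constructed, and the list of cookie-name hints is an assumption made for the example.

```python
"""Audit HTTP response headers for the two server-side settings that decide
whether a login session can be lifted off an open Wi-Fi network: the Secure
attribute on the session cookie and a Strict-Transport-Security header."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Substrings that usually mark a login-session cookie. This list is an
# assumption for the example; a real audit uses the names the site issues.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")


@dataclass
class CookieReport:
    name: str
    secure: bool
    looks_like_session: bool

    @property
    def exposed_to_sniffer(self) -> bool:
        # Without Secure, the browser attaches the cookie to every plain-http
        # request, and anyone sniffing the same open network can read it.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split one Set-Cookie value into its name and attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def hsts_max_age(headers: list[tuple[str, str]]) -> int:
    """Return the HSTS max-age in seconds, or 0 if the header is absent."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            return int(match.group(1)) if match else 0
    return 0


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """List the findings that leave a session readable on an open Wi-Fi link."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie.exposed_to_sniffer:
                findings.append(
                    f"session cookie {cookie.name!r} lacks Secure: sent over plain http"
                )
    if hsts_max_age(headers) <= 0:
        findings.append(
            "no Strict-Transport-Security: browser still follows plain http links"
        )
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Add Secure to a Set-Cookie value that lacks it (the site-side fix)."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


# Constructed sample responses; nothing here was captured from a real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=k3j4h5k6; Path=/; Domain=.example.com; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", harden_set_cookie(
        "sessionid=k3j4h5k6; Path=/; Domain=.example.com; HttpOnly")),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or ['no findings']}")
```

Run against the weak response the audit reports two findings: the session cookie is missing Secure, and there is no HSTS header, so the browser will keep sending that cookie on any http link it follows, which is all a sniffer needs. The hardened response reports nothing, because the cookie is now https-only and the browser upgrades every request to https on its own. The Firefox add-ons mentioned later in the post do that upgrade on the client side for sites that have not yet done it themselves.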
Download and try Firesheep if you don’t believe me. There’s nothing as shocking as reading a stranger’s Facebook or Twitter account without their knowledge or consent. It might actually motivate you to do something to protect yourself.
Who’s Behind Firesheep?
Firesheep’s author has an open agenda: to force social networking sites to make the entire online session secure, just as the online banking sites do. (When you’re on PayPal or your bank’s site, you’ll see an icon of a lock somewhere on your browser, and the link will start with “https” rather than just “http.”)
I think it’s a dang stupid way of getting people to see the problem, but what do I know?
Are You at Risk?
Sure, but you always were: HTTP session sniffers and packet sniffers are nothing new. The first one I tried was in 1999. The problem now is that any knucklehead with a modicum of computing skills can sit at Starbucks, latte in hand, and poke around your Facebook account. (I know how boring your page is and steer clear of it, but hackers aren’t always so bright.)
Is it wiretapping? Kinda. Illegal? Yep. Has that stopped anyone from using Firesheep? Probably not.
Three Sure-Fire Solutions
It was difficult to find a product to defeat Firesheep that I liked and trusted. Most of the tools I tried — VPNs with proxy features — were either difficult to use or half-baked. I’ll get to those in a minute. But first, three recommendations for safer Wi-Fi journeys:
- Hide My Ass! Pro VPN (known in polite circles as HMA) creates an encrypted Internet connection, so Web browsing, using Skype, sending e-mail, chatting — whatever — is protected. HMA can change your IP address so you can browse anonymously (test it with WhatsMyIPAddress). The site has freebies, too – a file upload hosting service, Web proxies, anonymous e-mail, and search and link anonymizers.
Tech Note: There’s no bandwidth limitation; connection slowdown is minimal; and HMA’s servers are mostly in the U.S., with some in Europe, Canada, and elsewhere.
It met my criterion: It’s easy to use. After you download and install it, one click is all you need to start it cooking. And it provides all-inclusive, non-intrusive online protection.
Of course, it’s not free — but I think it’s a reasonable pay-as-you-go deal at $11.50 a month. If you don’t travel much, the month-to-month is appealing. If you’re out and about often, it makes sense to pop for the yearly payment of $79, just a little over $6 per month.
- If you have a PC at home and are on the road with your notebook, use LogMeIn Free. It’s a VPN, a program that lets you securely connect to your home computer. Once you log in, you’re using your home PC. Every application — including the browser — is on an encrypted connection. And with a fast connection at both ends, there’s minimal slowdown.
- Most important, if you travel often, don’t use public Wi-Fi. Bite the bullet and invest in a portable — and secure — Sprint or Verizon hotspot card. To date, there are a gazillion plans and providers, but they generally run about $40 to $60 per month with a set amount of bandwidth use. A neat alternative is Boingo, with 125,000 hotspots around the world, for about $10 per month.
Protection That Won’t Cost a Dime
I tried dozens of free tools, but rejected them because they were difficult to use or didn’t offer enough protection. (Well, except for LogMeIn Free.) The apps below — two are Firefox add-ons — offer protection, but have limitations.
- ForceTLS, a Firefox add-on, changes regular links to secure links (including Facebook and Twitter). The problem is convenience: You have to add each site you want changed to its database. It’s hit or miss because not all links can be made secure.
- HTTPS Everywhere forces about 30 sites into a secure https connection. For me, that’s half-baked, because to add a site you need to learn Bulgarian (well, okay, Rulesets).
- Hotspot Shield (an ad-supported freebie) failed the Bass International Sniff Test. It protected me, sure, but the intrusive toolbar was littered with ads.
[This post is excerpted from Steve's TechBite newsletter. If you liked it, head here to sign up--it's delivered on Wednesdays to your inbox, and it's free.]