Make Yourself Invisible to Wi-Fi Hackers

By  |  Wednesday, November 10, 2010 at 9:11 am

You’re at Starbucks, busy working on your Facebook page. Bad news: The guy at the next table is a hacker, and he’s also working on your Facebook page. Sit tight, I have a few ways for you to make yourself invisible to hackers.

One Very Serious Threat

There’s a pervasive, serious Facebook and Twitter exploit that leaves you wide open to any and every hacker who can download a simple-to-use, free tool called Firesheep. It’s a threat if you’re using an unsecured, public Wi-Fi network, typically available at an Internet cafe, airport, hotel, or RV campground.

Last week TechBite paid subscribers got the first dispatch about this in the Extra newsletter; here’s a more detailed version.

The Hacking Tool

Firesheep is an HTTP session hijacker that runs as a Firefox extension and sniffs around for cookies on any unsecured Wi-Fi connection.

When you log onto Facebook, Twitter, or any of over 26 other social networking sites, your computer sets a session cookie. A person running Firesheep can read the cookie and log onto your Facebook page. Then he (okay, or she) can do anything from your Facebook account, such as send e-mail or write on a wall.

Every browser is vulnerable to the exploit.

The one saving grace is that Firesheep doesn’t have access to your password — that’s encrypted and safe. If the hacker tries to change it from within Facebook, you’ll get an e-mailed alert. But everything else on Facebook is fair game.

Download and try Firesheep if you don’t believe me. There’s nothing as shocking as reading a stranger’s Facebook or Twitter account without their knowledge or consent. It might actually motivate you to do something to protect yourself.

Who’s Behind Firesheep?

Firesheep’s author has an open agenda: to force social networking sites to make the entire online session secure, just as the online banking sites do. (When you’re on PayPal or your bank’s site, you’ll see an icon of a lock somewhere on your browser, and the link will start with “https” rather than just “http.”)

I think it’s a dang stupid way of getting people to see the problem, but what do I know?

Are You at Risk?

Sure, but you always were: HTTP and packet sniffers are nothing new. The first one I tried was in 1999. The problem now is that any knucklehead with a modicum of computing skills can sit at Starbucks, latte in hand, and poke around your Facebook account. (I know how boring your page is, and stay away from it, but hackers aren’t always so bright.)

Is it wiretapping? Kinda. Illegal? Yep. Has that stopped anyone from using Firesheep? Probably not.

Three Sure-Fire Solutions

It was difficult to find a product to defeat Firesheep that I liked and trusted. Most of the tools I tried — VPNs with proxy features — were either difficult to use or half-baked. I’ll get to those in a minute. But first, three recommendations for safer Wi-Fi journeys:

  • Hide My Ass! Pro VPN (known in polite circles as HMA) creates an encrypted Internet connection, so Web browsing, using Skype, sending e-mail, chatting — whatever — is protected. HMA can change your IP address so you can browse anonymously (test it with WhatsMyIPAdress). The site has freebies, too – a file upload hosting service, Web proxies, anonymous e-mail, and search and link anonymizers.

Hide My Ass Pro VPN protecting me

Hide My Ass Pro VPN protecting me

Tech Note: There’s no bandwidth limitation; connection slowdown is minimal; and HMA’s servers are mostly in the U.S., with some in Europe, Canada, and elsewhere.

It met my criterion: It’s easy to use. After you download and install it, one click is all you need to start it cooking. And it provides all-inclusive, non-intrusive online protection.

Of course, it’s not free — but I think it’s a reasonable pay-as-you-go deal at $11.50 a month. If you don’t travel much, the month-to-month is appealing. If you’re out and about often, it makes sense to pop for the yearly payment of $79, just a little over $6 per month.

  • If you have a PC at home and are on the road with your notebook, use LogMeIn Free. It’s a VPN, a program that lets you securely connect to your home computer. Once you log in, you’re using your home PC. Every application — including the browser — is on an encrypted connection. And with a fast connection at both ends, there’s minimal slowdown.
  • Most important, if you travel often, don’t use public Wi-Fi. Bite the bullet and invest in a portable — and secure — Sprint or Verizon hotspot card. To date, there are a gazillion plans and providers, but they generally run about $40 to $60 per month with a set amount of bandwidth use. An neat alternative is Boingo, with 125,000 hotspots around the world, for about $10 per month.

Protection That Won’t Cost a Dime

I tried dozens of free tools, but rejected them because they were difficult to use or didn’t offer enough protection. (Well, except for LogMeIn Free.) The apps below — two are Firefox add-ons — offer protection, but have limitations.

  • ForceTLS, a Firefox add-on, changes regular links to secure links (including Firefox and Twitter). The problem is convenience: You have to add each link you want changed to its database. It’s hit or miss because not all links can be made secure.
  • HTTPS Everywhere forces about 30 sites into a secure https condition. For me, that’s half-baked, because to add a site you need to learn Bulgarian (well, okay, Rulesets).

HTTPS Everywhere forces sites to be secure

HTTPS Everywhere forces sites to be secure

  • Hotspot Shield (an ad-supported freebie) failed the Bass International Sniff Test. It protected me, sure, but the intrusive toolbar was littered with ads.
Hotspot Shield's toolbar is loaded with ads--and intrudes on my browser

Hotspot Shield's toolbar is loaded with ads--and intrudes on my browser

Even if I didn’t use the toolbar, the product tried to change my home page and attempted to switch my search engine. And I wasn’t keen on the product’s cozy relationship with advertisers. (Privacy Notice: “third-party ad servers or ad networks use technology to send, directly to your browser, the advertisements and links that appear on the Hotspot Shield …[including the use of] cookies, JavaScript, or web beacons”.) No thanks.

Hotspot Shield's behind-the-scenes shenanigans

Hotspot Shield's behind-the-scenes shenanigans

[This post is excerpted from Steve’s TechBite newsletter. If you liked it, head here to sign up–it’s delivered on Wednesdays to your inbox, and it’s free.]



11 Comments For This Post

  1. Pierce Nichols Says:

    The security exploit Firesheep uses, session hijacking, has been a known issue for a decade or so. So far, no-one has fixed it and few people outside of the security cognoscenti even knew what it was. Pleas to site operators to fix the problem have fallen of deaf ears for years, other than at Google. Thanks to Firesheep, nearly everyone now know what it is and is talking about ways to fix it.

    As a result, Firesheep is well on its way to accomplishing its goal… and if the thing works, it isn't stupid.

  2. davezatz Says:

    The real solution is to not use free, public WiFi. You get what you "pay" for. Hm, then again I don't imagine Boingo creates a secure connection either ($10/mo). Aircards for all!

  3. Collins Says:

    "Aircards for all!"

    You mean wireless (GPRS, EDGE, UMTS, HSPA/HSDPA) modem?

    Yeah, they're much more secure than Wi-Fi. But the high latency and NAT — because your computer/modem gets a private IP from the provider; a single public IP is shared accross thousands of users — could be a huge problem for some applications.

  4. HD Boy Says:

    Or you can save a boatload of money and NOT LOG INTO FACEBOOK when using public WiFi or just use your carrier’s 3G signal in those public places. Sheesh.

  5. KingFeanor Says:

    Why were we so stupid to allow public wifi to be unencrypted wifi? Ignoring things like Radius and other corporate oriented wifi technologies, wifi has 2 options: preshared key (or passphrase) and unencrypted. It seems like what we really need are 2 different options: authenticated and public.

    Authenticated would be for home or business networks which only want allowed users to connect and thus require them to authenticate with some kind of info (user/pass, key, passphrase, etc).

    Public would allow anyone to connect but would use the same kind of technology used in browsers to allow secure connections. It would trade a session key using a public key system, just like when you log into your bank. This way every wifi connection is encrypted (no one can sniff your traffic).

    Now we just need an IEEE standard for this and we could move into a world with secure public wifi.

  6. Miles Says:

    Question: If a WiFi network is WPA2-protected, can its authenticated users still sniff each other's packets?

  7. KingFeanor Says:

    Yes. Not as easily as in an unsecured network, but it isn't hard. WPA/WPA2 just try to make the wifi as secure as a wired network (where you can sniff traffic if you are plugged in).

  8. Mike Says:

    The answer is yes. WPA-2 is a mechanism for authentication but has nothing to do with encryption.

  9. d9ping Says:

    I would setup my own VPN server, wired connected to the accesspoint.

    I would rather use my own VPN because this is something I can trust more then any other company.

  10. Boctorbill Says:

    For Firefox users, the answer is Blacksheep:

  11. daz Says:

    I have a VPN subscription with Internet Proxy and would not connect to the internet without it.

    You are especially vulnerable when using free public wifi access points. You are essentially trusting all your traffic to an unknown 3rd party.