PETER SHANKMAN
POSTED ON October 28th, 2010 | 100 COMMENTS
Remember my post back in August about how it’s time to say goodbye to free Wi-Fi in coffeehouses, in airports, etc.?
I have never been more sure of something in my life – Today, I’ll prove it.
I’m on the 6:20am Amtrak from NYC to Boston right now. For a brief moment, I switched off my Sprint EVO 4G, and am using Amtrak’s free WiFi to prove a point.
I also installed a little add-on to Firefox (I usually use Chrome; I switched to Firefox for this experiment) called Firesheep.
If you haven’t heard of Firesheep, prepare to be really, really frightened.
I’m not a true tech geek, so please forgive me if I don’t totally speak Geek. Essentially, Firesheep lets anyone on the same open network see who’s connected to sites that send their login cookies over unencrypted HTTP, like Facebook, Evernote, Yahoo, Amazon, Dropbox, Gowalla, Twitter, WordPress, and others, to name a very limited few.
Once you see who’s connected, it’s a simple matter of double clicking on their name, and YOU ARE LOGGED INTO THEIR ACCOUNT, AS THEM.
No, I’m not bullshitting you.
Firesheep has garnered a LOT of press over the past week since it was released, and rightly so – This Firefox add-on scares the living HELL out of me.
Now keep in mind – I am NOT logging in as anyone else, or logging into anyone else’s websites or folders as anyone else during this experiment; I’m simply trying to prove a point:
FREE WI-FI HAS NEVER BEEN, AND NEVER TRULY WILL BE, SAFE. WE BELIEVE IT TO BE SAFE BECAUSE THE MAJORITY OF US HAVEN’T BEEN TOLD OTHERWISE. UNTIL NOW.
Right now, within TEN MINUTES of this train leaving Penn Station, NY, someone has just logged onto Evernote through Amtrak’s Wi-Fi, someone else has logged into Yahoo, and someone else has logged into Windows Live. I guarantee that if this wasn’t the 6:20am train and 90% of the people on it weren’t sleeping, I’d be seeing a LOT more accounts. And as the trip continues, and as more people wake up, I will.
Ooh – Two people just logged into Facebook.
Here’s the kicker: If I were to click on their name from the list RIGHT IN FRONT OF ME, I’d have access to every piece of data that B… has on Evernote, that J… has on Yahoo!, and that S… has on Facebook. Every photo. Every audio recording. Every conversation they thought was private. Every potential life-changing or relationship-ruining piece of data. Every company-crushing-if-public memo. I could download it, use it to my advantage, post it to a public place (like YouTube), or even DELETE THEIR ACCOUNT if I felt like it.
Using free Wi-Fi is essentially the same thing as leaving your house with all the doors and windows open – But this takes it one step further: This posts a big sign up as soon as you leave, to anyone who happens to be looking, that says “I’M NOT HOME NOW, HERE’S WHERE ALL MY SECRET STUFF IS, AND HERE’S A MAP TO FIND IT. FEEL FREE TO TAKE, USE, OR DESTROY WHATEVER YOU WANT.”
The last time I wrote about sounding the death bell for Free Wi-Fi, it was from a business and corporate perspective. This time, it’s from the perspective of YOU.
IF YOU ARE USING FREE WI-FI, NOTHING YOU “DIGITALLY OWN” IS SAFE.
Companies who provide free Wi-Fi have NO incentive to protect it – It’ll lead to more questions from people that the workers there have no idea how to answer. And let’s face it – If you provide a secure password to your secure network to everyone who walks in, how secure is that network?
Answer? Not secure at ALL.
And if big companies put a fix in play to stop Firesheep, something else will come up. Free Wi-Fi networks will ALWAYS be the weakest link in your security chain.
For the safety of you – your business – your home – your friends – your relationships – your children – SPEND $50 A MONTH AND BUY A portable Hotspot card. I don’t care which one you buy – Sprint, Verizon, AT&T, whatever.
And no – a portable hotspot isn’t 100% safe, either – Nothing is – But if you’re using your own hotspot, and you have some level of security on it, then you at LEAST have a better chance of being safer – i.e., there are more inviting targets to go after, ones that can be reached faster, without having to crack a WEP password or the like.
Stop using free Wi-Fi. Please. It might be the best $50 a month you’ve ever spent.
This is NOT a matter of insecure networks. It’s a matter of cavalier handling of information by WEBSITES. There’s an extension that can, in large part, prevent Firesheep from getting your info: https://www.eff.org/https-everywhere But the wireless networks are not to blame. This, from the author of Firesheep: “It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy. This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room. Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.” So don’t blame the wi-fi. Blame the site. :)

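To make the defect the quoted Firesheep author describes (encrypted login, session cookie then sent in the clear) concrete from the website operator’s side, here is an added Python audit helper; it is not from the original post or from Firesheep, the header samples are constructed, and it checks a login response for the Secure and HttpOnly cookie flags and for a Strict-Transport-Security header.

```python
"""Audit an HTTPS login response for the cookie leak Firesheep demonstrated:
the login is encrypted, but the session cookie is set without Secure, so the
browser repeats it on every plain http:// request, where open Wi-Fi can hear it."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name, "secure" in attrs, "httponly" in attrs)


def audit_login_response(headers, session_cookie_names):
    """headers: (name, value) pairs of the login response.
    session_cookie_names: cookies that authenticate the user after login.
    Returns a list of findings; empty means the session cookie stays on HTTPS."""
    findings = []
    header_names = {k.lower() for k, _ in headers}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if c.name not in session_cookie_names:
            continue  # non-session cookies (e.g. language) are not the concern here
        if not c.secure:
            findings.append(f"{c.name}: missing Secure, sent over http:// (sidejackable)")
        if not c.http_only:
            findings.append(f"{c.name}: missing HttpOnly, readable by page scripts")
    if "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security: browser may still start on http://")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK_LOGIN = [("Content-Type", "text/html"),
              ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
              ("Set-Cookie", "lang=en; Path=/")]
HARDENED_LOGIN = [("Content-Type", "text/html"),
                  ("Strict-Transport-Security", "max-age=31536000"),
                  ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
                  ("Set-Cookie", "lang=en; Path=/")]
```

`audit_login_response(WEAK_LOGIN, {"sid"})` reports the 2010-style failure (session cookie without Secure, no HSTS), while the hardened response yields no findings.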
Crazy how easy that is. Imagine what could happen at conferences. That’s why my lil Sprint hotspot is my best friend in the mobile world.

If we use apps, instead of browsers, to access information on wi-fi networks, will that protect us?

Peter, your points about the extra costs to FB and others are at the heart of the issue. For Firefox users – Force-TLS http://bit.ly/9CzNPE For Chrome users – KB SSL Enforcer http://bit.ly/d5thKD I’m actually in Dallas shooting a news segment for this very subject!

Question – you are talking about Firefox. What about Chrome? Any extra protections?

Hey… just a quick update: since I installed that EFF extension – the Google search page automatically resorts to full SSL!!!! Unfortunately, Images and Maps aren’t part of Google SSL – yet.

Last pipe-up from me: 1: Mozilla refuses to put the brakes on Firesheep: http://www.computerworld.com/s.....geNumber=1 And… Liz – as far as I know – the vulnerability has nothing to do with Firefox… the hacking tool is a Firefox add-on.

Wow, this is mind blowing! Thanks for doing this Peter. I know you’re busy, but do you know if hotel internet is just as unsecured?

So I am guessing that you are not a big fan of Wi-Fi on airplanes either?

@ Vince Stross – thanks for the update – I was not aware that iPhones could legally tether now. It’s a great feature – perfect for the occasional traveller like me.

Rick: I’m defining free wifi as “Coffee shop” wifi. Airports, planes, trains, lounges, etc. I’m NOT saying corporate networks are as bad.

Hrmm… looks like I spoke too soon. The apps cannot save you (us?) unless the RESTful/WS APIs support secure connections.

As someone whose Gmail & Twitter were just hacked into, this has taken my security paranoia to a new level. Crap.

This is seriously intense stuff… I’m glad I typically tether off of my iPhone… Thanks for this post!

The folks over at Fox25 in Boston had me on about this very issue this morning. I demo’ed it on the air – it’s 100% real.

Pete – thanks for the warning, and memories of Amtrak trips up/down the East coast. I think the “scare” factor is in direct proportion to how sensitive the data you’re accessing really is, but that said there are some less expensive and easily accessible options available. For those who can’t afford the data card (hence why they drove to the coffee shop for free WiFi to begin with) there are free and for-cost encrypted proxy options. “A what?” you ask? Here is a great Lifehacker article on what it is and how to “hack” it and do it yourself for free: There are also proxy sites you start from that provide secure browsing as a service. They range from free (read: slow browsing experience) to typically $8 – $10/month (read: faster browsing, cheaper than data card). Some examples are below (note: I am not recommending any in particular), but you can search for more and try them out on your laptop at your favorite WiFi spot for speed, features and usability. http://www.the-cloak.com Surf more, fear less and save the questionable activities for live interactions. ;)

Thanks for the info! Very eye opening… I plan to share with my network and friends.

Thanks for the warning, you’re doing a great service Peter! Not that any of us are that surprised, but it’s definitely a wakeup call. Now, must get my Verizon hotspot immediately.

Those web sites are now fixing that security breach.

Electronic Frontier Foundation (http://eff.org) has done their homework on this and it’s not so much a problem with Firesheep as it is with sites not using secure http (those websites that start with https:// instead of http://). You really wouldn’t need a $50 a month card and could keep on using free wifi if sites understood & implemented proper security.

I would like to link to Douglas Paul’s comment a few above mine, but I don’t know how to do so as there is no permalink for it. That’s a real shame.

This is really scary. And to think a lot of people have been using free wifi without knowing these things. Thanks for sharing this info! I hope many would read this so they will be aware.

Totally shocking. Are all sites covered, or just selected social networking sites like Facebook, Twitter, etc.?

There is now a BlackSheep add-on that detects anyone using FireSheep on the same network. What do you guys think?

Amazing how easy it is. Imagine what could happen at conferences. Therefore, my access point Lil Sprint is my best friend in the mobile world. |