Think twice before joining an unsecured wireless network. It just became ridiculously easy to hijack confidential information from your agency and co-workers.
If I was on the same open WiFi network as you – sitting outside your home, at your office (if you still didn’t put a password on your router), a Starbucks, an airport, whatever – I could steal your Facebook, Twitter, Google, GovLoop and possibly your agency system logins in seconds.
How? Most websites protect your information with an initial username and password login, but surprisingly they don’t secure everything else once you’re inside. For instance, after signing into GovLoop, they use something called a session cookie to remember who you are as you navigate from page to page. If that cookie hasn’t expired (it’s still alive and well), GovLoop keeps you signed in. If it can’t find it, you’re prompted to sign in again.
HTTPS (the protocol/lock icon you typically see when using your credit card online) could be used for your entire visit to protect these session cookies, but most sites foolishly don’t spend the time to implement this.
Bottom line: If I get a hold of your session cookie, I can sign in as you. To demonstrate how easy that is to do, a hacker created a free tool named Firesheep that takes just minutes to set up.
Take a look at the picture below. After I installed Firesheep and temporarily removed the password on our router, the left pane of my web browser began “detecting” every time one of these session cookies was passed over our company WiFi network. As I would visit various websites, those logins would begin popping up on the left. Simply double-clicking any entry gave me full access to those accounts.
Why do I say Firesheep could be your WikiLeak?
- Until sites force HTTPS for your entire visit, the next time you connect to a WiFi network at an airport, on an airplane, train, at a coffee shop, hotel, or anywhere that doesn’t ask for a password, someone else on that same network can easily steal your information – including access to your web-based e-mail.
- While Firesheep comes with scripts to access the most common services (like Facebook), it can be easily adapted to access your private agency systems if they do not secure their session cookies.
- If I’m a hacker up to no good, I’ll be sitting in the hotel lobby of your next conference waiting to steal as much information as I can from you and your co-workers.
What can I do to protect myself?
- The best solution is to carry a mobile broadband card (those USB sticks or a MiFi card), keeping you off the public network.
- If you don’t have one, use Firefox with the “HTTPS Everywhere” installed while browsing on open networks. This extension forces HTTPS with many common services to better protect you.
- Ask the hotel/coffee shop/airport/etc to put a password on their WiFi! Those web-based “I Agree to Terms” won’t do. I’m talking a regular password as you connect to the network. It can be simple and freely shared. The point is that a password secures the traffic going over that network with WEP/WPA encryption, making it difficult to steal those session cookies.
- Ask your IT department if HTTPS is used for the entire session (not just the login) when accessing agency systems, starting with web-based email.
List of sites Firesheep can hijack your login from out of the box: Amazon.com, Basecamp, Bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, house windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, Tumblr, Twitter, WordPress, Yahoo, Yelp
Disclaimer: I’m not a hacker or a security expert, so chime in on the comments if you have additional tips to add or correct me where I may be wrong!
Read Last Week’s CB2: Hey 311, Let’s ChaCha!
About Chris Bennett (Jump to Online Resume)
Chris Bennett is a self-proclaimed emergency management innovator who is trying to make government better by improving citizen preparedness and crisis communications. He’s a graduate of Wharton with a master’s from Harvard with in “Technology, Innovation, Education.” His portfolio of companies and former projects include OneStorm Hurricane Preparedness, ReadyTown, GovLive, TexasPrepares and America’s Emergency Network. Chris was the recipient of FL Governor Crist’s 2008 Public Information Award. He lives in St. Petersburg, FL, loves to fish, and has been spotted sharing a pint with GovLoop Founder Steve Ressler in Tampa.
What does CB2 Mean? “Chris Bennett’s Crisis Blog.” It was originally CB Squared but the superscript 2 never took, so now we’re rocking the big 2.
Chris… You never cease to creep me out (in a good knowledgeable way) with these posts. I wonder what this does mean as far as potentially prosecuting people who have participated in wikileaks…. it makes the burden of prove much harder.
That’s crazy…I do that all the time
Good tips here. I also recommend securing your laptop with PGP Whole Disk Encryption and then using VMWare Player to set up a virtual PC so you can run a browsing session and then discard the virtual PC after your session. That takes care of tracking cookies and the like.
Thank you for posting this useful information, Chris.
Happy Holidays!
Mike