For more stories like this, sign up for the PLANADVISERdash daily newsletter.
Diversions February 24, 2011
I’ll Have a Latte, One Sugar, and No Hacker, Please
Open Wi-Fi networks, available at many cafes, airports, and other public places, have become more susceptible to cyber “hijacking” than ever before.
Reported by Nicole Bliman
Eric Butler was merely trying to prove a point when he created “Firesheep” last year, as he’s told several media outlets. He saw how loosely-guarded many Web sites were, and how easy it would be for a hacker to do some damage to an individual’s account on any number of profile-driven sites (think Facebook, Twitter, Amazon, etc.). He created this easy-to-use hacker program to simply encourage Web sites to beef up their security.
In the meantime, more than a million people have downloaded the program, according to The New York Times.
So what is it, exactly? Firesheep is a program that can be downloaded for free and “attached” to Mozilla Firefox, a popular Internet browser. According to Steven Hoffer, a contributor to AOL News: “Firesheep works by collecting information from Internet “cookies” — the temporary Internet file containing your username and password that a website like Facebook or Twitter will send back to a computer so users can enjoy the Web site without logging in each time they click on a new a page. Firesheep simply sends a notification each time a new user name and password is available, and entering their Facebook account is just a double-click away.”
It may sound complicated for some–but it is alarmingly simple for many.
Butler has stood by his invention. “Websites have a responsibility to protect the people who depend on their services,” he wrote in his blog. “They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win.”
And there is a solution. Web sites, specifically account-driven sites that require usernames and passwords, need to be designed using “https” code instead of the standard “http.” This design adds layers of encryption to all the pages on a site, beyond the log-in page (which is usually the only part of a site to be encrypted). A site that has “https” code throughout its pages will have a URL address that starts with https:// instead of http://.
Some sites are making the changes, but not all, and not fast enough. Gmail, Google’s e-mail service, has “https” code from the log-in page to any other part of the site. Facebook, on the other hand, is “rolling out” its “https” code in phases, according to PCWorld. So far, users have to opt-in to having the more secure code activated when using a public Wi-Fi network. Some worry that using “https” code throughout a Web site would slow it down too noticeably.
Whether you see an “https” or “http” URL address on the site you’re using–open Wi-Fi networks are no longer as convenient–or safe–as the public hoped they would be.