By Steve Bass | Wednesday, November 10, 2010 at 9:11 am
You’re at Starbucks, busy working on your Facebook page. Bad news: The guy at the next table is a hacker, and he’s also working on your Facebook page. Sit tight, I have a few ways for you to make yourself invisible to hackers.
There’s a pervasive, serious Facebook and Twitter exploit that leaves you wide open to any and every hacker who can download a simple-to-use, free tool called Firesheep. It’s a threat if you’re using an unsecured, public Wi-Fi network, typically available at an Internet cafe, airport, hotel, or RV campground.
Last week TechBite paid subscribers got the first dispatch about this in the Extra newsletter; here’s a more detailed version.
Firesheep is an HTTP session hijacker that runs as a Firefox extension and sniffs around for cookies on any unsecured Wi-Fi connection.
When you log onto Facebook, Twitter, or any of over 26 other social networking sites, your computer sets a session cookie. A person running Firesheep can read the cookie and log onto your Facebook page. Then he (okay, or she) can do anything from your Facebook account, such as send e-mail or write on a wall.
Every browser is vulnerable to the exploit.
The one saving grace is that Firesheep doesn’t have access to your password — that’s encrypted and safe. If the hacker tries to change it from within Facebook, you’ll get an e-mailed alert. But everything else on Facebook is fair game.
Download and try Firesheep if you don’t believe me. There’s nothing as shocking as reading a stranger’s Facebook or Twitter account without their knowledge or consent. It might actually motivate you to do something to protect yourself.
Firesheep’s author has an open agenda: to force social networking sites to make the entire online session secure, just as the online banking sites do. (When you’re on PayPal or your bank’s site, you’ll see an icon of a lock somewhere on your browser, and the link will start with “https” rather than just “http.”)
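The weakness Firesheep exploited, and the fix the author is talking about, can both be checked from the server's response headers: a login session cookie that isn't marked Secure will be sent by the browser over plain http as well, and a site without a Strict-Transport-Security header will happily start a session in the clear. The auditor below is an added example, not code from the original post or from Firesheep; the two sample responses are constructed, and the "session cookie" name heuristics are an assumption you would tune for a real site.

```python
"""
Audit HTTP response headers for the weakness Firesheep exploited: a session
cookie that the browser will also transmit over plain http, readable by
anyone sharing an open Wi-Fi network.

Added example, not code from the original post. Sample responses are
constructed; header and attribute names are standard HTTP (RFC 6265 cookies,
RFC 6797 HSTS). SESSION_COOKIE_HINTS is an assumed heuristic.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Substrings that usually mark the cookie carrying the login session (assumption).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "login", "token")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into its name and a case-insensitive attribute set."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_response(scheme: str, headers: Dict[str, List[str]]) -> List[str]:
    """
    Return a list of findings for one HTTP response.

    scheme  -- "http" or "https": the scheme the response was served over
    headers -- response headers, name -> list of values (Set-Cookie may repeat)
    """
    findings: List[str] = []
    lower_headers = {k.lower(): v for k, v in headers.items()}

    if scheme != "https":
        findings.append("page served over plain http: cookies included, everything is readable on the wire")

    for raw in lower_headers.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        if not looks_like_session_cookie(cookie.name):
            continue
        if not cookie.secure:
            findings.append(f"session cookie {cookie.name!r} lacks Secure: browser will send it over http too")
        if not cookie.httponly:
            findings.append(f"session cookie {cookie.name!r} lacks HttpOnly: readable by page scripts")

    if not lower_headers.get("strict-transport-security"):
        findings.append("no Strict-Transport-Security: a typed http:// URL still starts the session in the clear")

    return findings


# Constructed samples: a 2010-style response that only encrypts the login
# form, and a hardened one that keeps the whole session on https.
WEAK = ("http", {
    "Set-Cookie": ["sessionid=abc123; Path=/"],
})
HARDENED = ("https", {
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
})

if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit_response(scheme, headers) or ["no findings"])
```

Run it and the weak response produces four findings (plain http, a session cookie without Secure and without HttpOnly, and no HSTS), while the hardened one produces none. That is the server-side shape of the fix the author describes: it is not enough to encrypt the login page if the cookie that results is then sent over http for the rest of the visit.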
I think it’s a dang stupid way of getting people to see the problem, but what do I know?
Sure, but you always were: HTTP and packet sniffers are nothing new. The first one I tried was in 1999. The problem now is that any knucklehead with a modicum of computing skills can sit at Starbucks, latte in hand, and poke around your Facebook account. (I know how boring your page is, and stay away from it, but hackers aren’t always so bright.)
Is it wiretapping? Kinda. Illegal? Yep. Has that stopped anyone from using Firesheep? Probably not.
It was difficult to find a product to defeat Firesheep that I liked and trusted. Most of the tools I tried — VPNs with proxy features — were either difficult to use or half-baked. I’ll get to those in a minute. But first, three recommendations for safer Wi-Fi journeys:
Tech Note: There’s no bandwidth limitation; connection slowdown is minimal; and HMA’s servers are mostly in the U.S., with some in Europe, Canada, and elsewhere.
It met my criterion: It’s easy to use. After you download and install it, one click is all you need to start it cooking. And it provides all-inclusive, non-intrusive online protection.
Of course, it’s not free — but I think it’s a reasonable pay-as-you-go deal at $11.50 a month. If you don’t travel much, the month-to-month is appealing. If you’re out and about often, it makes sense to pop for the yearly payment of $79, just a little over $6 per month.
I tried dozens of free tools, but rejected them because they were difficult to use or didn’t offer enough protection. (Well, except for LogMeIn Free.) The apps below — two are Firefox add-ons — offer protection, but have limitations.
[This post is excerpted from Steve’s TechBite newsletter. If you liked it, head here to sign up; it’s delivered on Wednesdays to your inbox, and it’s free.]