Homeland Secure IT Alert for Saturday, October 30, 2010
The Firesheep add-on for the Firefox browser is a proof of concept of why you should NOT use public / unencrypted Wi-Fi to access your accounts without extreme caution.
Last week, a tool was released that makes it possible for anyone to easily hijack your web sessions from within a browser view. When I say anyone, that means anyone. It has always been possible to do this, but this tool is so easy to use, a child could do it, or is that a caveman could do it? Either way, once the browser extension is installed, the hacker can see a list of everyone using the public unencrypted Wi-Fi network he/she is on and what sites they are on.
The person can see in a browser sidebar WHO is logged into Facebook, Google, Twitter, Dropbox, WordPress, Evernote, Amazon, Flickr, etc., and then they simply click on your session to be logged in as you. Yes, they become YOU… It works because it captures your session cookie, which the browser sends in the clear over unencrypted HTTP, and replays it.
So think twice before you log into some site via public unencrypted Wi-Fi!!!
What can you do about this? Good question.
Option 1: Avoid public unencrypted Wi-Fi, defeating the purpose of having easy access, but offering you the highest level of protection.
Option 2: Only use sites that offer SSL/Secure logons – Actually this is sketchy, because even when the sign-in to the “secure” section of most sites happens over SSL, the session cookie is still sent in the clear on the regular (non-SSL) pages afterward, so be careful.
Option 3: Use a VPN back to a gateway at your office. This ensures all your traffic is encrypted.
Option 4: Try the information that is available here: Force TLS
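The gap described in Option 2 comes down to one cookie attribute: a session cookie set without the Secure flag is attached to plain-HTTP requests, so an SSL login alone does not protect it. The following added example (not code from the original alert) is a small audit of a Set-Cookie header for the Secure and HttpOnly flags, run over two constructed sample headers, one weak and one hardened:

```python
# Added example (not code from the original alert): audits a Set-Cookie
# header for the flags that decide whether a session cookie can be sniffed
# on an open Wi-Fi network. The sample headers are constructed, not captured.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value and its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Valueless attributes such as Secure and HttpOnly are flags.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return the findings a defender cares about for a session cookie.

    Missing Secure: the browser also sends the cookie on plain-HTTP
    requests, so a login over SSL does not protect it once any page on
    the site loads over HTTP (the gap Option 2 in the alert warns about).
    Missing HttpOnly: script running in the page can read the cookie too.
    """
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in cookie["attrs"]:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    return findings


# Constructed examples of a weak and a hardened session cookie.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_set_cookie(hdr) or ["ok"])
```

Site operators fix the weak case by adding Secure (and HttpOnly) to the session cookie and serving the whole site over SSL; users can only work around it with the options above.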
It doesn’t matter whether you are using Microsoft Windows, Apple Mac OS X, Linux, etc.; this is not a *bug* in your operating system, it is the nature of the beast: anything sent unencrypted over an open network can be read by anyone on it.
Be careful out there…. If you have any questions or need assistance, please call us at 864.990.4748 or email firstname.lastname@example.org.