Side-Jacking
It's been in the news: you've heard about people
being side-jacked. This is one of the things you need to
understand and defend against when using unsecured wifi.
Sidejacking used to be something only the most
serious hackers could do, but in October 2010 Eric
Butler released a browser add-in called Firesheep that allows
users on a public Wi-Fi network to effectively spy on others.
All a spy has to do is download and install a few pieces of software.
The instructions are all over the internet, and the procedure takes
less than 5 minutes and requires no technical knowledge.
When I looked at it, the sidejacking software had been downloaded
more than two million times! So it's pretty widely used.
Firesheep grabs sensitive
information (via cookies) that was transmitted using HTTP.
Websites that you log in to use cookies to know who you are.
Session data (cookie information) is passed with each transmission
between your computer and the website that issued the cookie.
The side-jacking vulnerability
happens when a site flips you from HTTPS to HTTP. As you
should know, HTTP travels between your computer and the destination
web site in plain text. HTTPS traffic travels over the internet
scrambled, even on unsecured wifi.
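As an added illustration (not part of the original article), this Python example applies the browser rule that a cookie marked Secure is never sent over http:// to a constructed login-then-flip browsing sequence, and lists which cookies would cross the wifi in plain text. The cookie names, the example.com URLs and the function names are made up for the example, and domain, path and expiry matching are left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers a site might send after an HTTPS login.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",          # no Secure flag
    "auth_token=xyz789; Path=/; Secure; HttpOnly",  # Secure flag set
]

# Constructed browsing sequence: log in over HTTPS, then the site flips to HTTP.
SAMPLE_VISITS = [
    "https://example.com/login",
    "http://example.com/home",
    "http://example.com/inbox",
]


def parse_cookies(set_cookie_headers):
    """Return {cookie name: True if the Secure attribute is set}."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def exposed_cookies(set_cookie_headers, visits):
    """Map each plain-HTTP URL to the cookies a browser would send unencrypted."""
    flags = parse_cookies(set_cookie_headers)
    exposed = {}
    for url in visits:
        if urlsplit(url).scheme == "http":
            # Browsers withhold Secure cookies from http:// requests;
            # every other cookie goes out in plain text.
            exposed[url] = sorted(n for n, secure in flags.items() if not secure)
    return exposed


if __name__ == "__main__":
    for url, names in exposed_cookies(SAMPLE_SET_COOKIE, SAMPLE_VISITS).items():
        print(url, "->", names or "nothing exposed")
```

A site that marks every session cookie Secure gives an eavesdropper nothing to pick up on the HTTP pages, which is the server-side counterpart to staying on HTTPS yourself.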
Side-Jacking with Firesheep
Video: http://www.youtube.com/watch?v=hIwfgnUGOys
So how can you protect yourself from side-jacking?
First of all, secure
your private wifi. Many Vista Royale residents have not
taken the time to secure their wireless routers, so they run the
same risks at home as they do on public wifi. Wireless routers
often come with security disabled, or with the security set to
WEP, which is very weak security and easily broken.
Securing your router with WPA2 or WPA and a strong password protects
your data from prying eyes by scrambling all your airborne network
traffic traveling from your computer to your router.
If you must use public wifi, many sites will allow
you to use HTTPS all the time, but will revert to HTTP if you
don't specify it. For example, google.com will allow
you to use HTTPS all the time, and never force you into HTTP.
By bookmarking the HTTPS version of the site you can avoid any
HTTP portion. The video also talked about using "HTTPS
Everywhere", an extension for the Mozilla Firefox browser
that keeps you in HTTPS on servers that allow it.
Being well informed can keep you safe.