The OpSec Blog

Security and privacy information and advice at home and abroad.

Wi-Fi Hacking


An article about Wi-Fi “hacking” was published on Wednesday in the New York Times: “New Hacking Tools Pose Bigger Threats To Wi-Fi Users”. Never mind that none of the software tools mentioned in the article, like Firesheep (October 2010), Gerix Wifi Cracker (June 2009), Aircrack-ng (July 2009), or Wifite (September 2010), are “new”, and that several of them don’t do any active “hacking”. The article is good in that it brings to a popular audience some of the major drawbacks of using Wi-Fi, often referred to as “wireless”, technologies.

When you plug your ethernet cable into your ethernet jack on your computer, your “link” to the outside world and any potential eavesdroppers is (for the purposes of this discussion) localized to a very small volume around that cable. Data has a discrete path to and from your machine. In a wireless system operating at radio frequencies (RF), the link is the free space between you and the wireless access point. This makes it easy for an eavesdropper to insert themselves in the area in which you are exchanging data with the access point, because RF waves are not localized like signals in an ethernet cable. The defensive mechanism in a cable is limiting physical access. For a wireless system, a different defensive mechanism is required.

Enter encryption. Encryption scrambles your data in a unique way such that only your machine and whatever service you’re interacting with on the other end can read it. Unfortunately, the website must offer the option, in the form of SSL or TLS, to encrypt your session and protect your credentials. When a URL starts with https, you can be reasonably assured your credentials are safe. Note that anyone on the same network at the same time as you will still be able to capture the data you’re sending via the access point; this is why, when logging into unprotected websites, you’re not necessarily safe even if the public Wi-Fi network you’re on is protected by a password.

Firesheep is technically a packet sniffer. It has no capacity to actively try to “guess” or “crack” your password; it just monitors traffic and captures unencrypted session cookies (small bits of text that contain details about the session… like your login credentials) for use on the machine with Firesheep installed. So if you log into Facebook via the unencrypted login page http://www.facebook.com, Firesheep grabs that bit of text and passes it to Firefox on my machine, allowing me to log into your Facebook account. If you used the encrypted login portal, https://www.facebook.com, your session cookie would be encrypted and unreadable by me.
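
The following Python example is added here and is not from the original post or from Firesheep. It applies the browser's cookie rules (the Secure attribute and RFC 6265 path matching) to constructed Set-Cookie headers to show which cookies travel in cleartext on an http request, and so are readable by a sniffer on the same network. It assumes every cookie belongs to the requested host and ignores expiry; the cookie names and www.example.com are made up.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie header values a site might return after login.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",           # no Secure flag
    "auth=tok456; Path=/account; Secure; HttpOnly",  # HTTPS only
    "csrf=f00d; Path=/; Secure",
    "lang=en; Path=/",
]

def parse_set_cookie(headers):
    """Map cookie name -> {"secure": bool, "path": str} for each header value."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = {"secure": bool(morsel["secure"]),
                         "path": morsel["path"] or "/"}
    return jar

def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: equal, or cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_sent(url, jar):
    """Names of cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return sorted(
        name for name, attrs in jar.items()
        if path_matches(path, attrs["path"])
        and (parts.scheme == "https" or not attrs["secure"])
    )

def exposed_to_sniffer(url, jar):
    """Cookies readable by a passive listener on the same Wi-Fi network."""
    return cookies_sent(url, jar) if urlsplit(url).scheme == "http" else []

if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    for url in ("http://www.example.com/account/settings",
                "https://www.example.com/account/settings"):
        print(url, "->", exposed_to_sniffer(url, jar))
```

In this sample, session_id lacks the Secure attribute, so it is still sent on any http page of the site even if the login itself happened over https.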

How can I protect myself? The best mitigation strategy in this situation is to never pass login credentials over wireless networks where you do not control who has access. Starbucks, McDonald’s, Boingo hotspots in the airport… if there’s a bunch of people you don’t know connecting to the same access point you are, don’t connect in the first place. If you simply must connect to an unprotected hotspot, don’t pass login credentials to sites whose addresses do not begin with https. A login site with only the http prefix should automatically be avoided. The article also lists subscribing to a Virtual Private Network (VPN), which usually provides automatic end-to-end encryption. I think that’s a bit overkill for the less technically adept; smart browsing habits are free and always at your disposal.

Tip: Replace your old, unsecured “http” bookmarks with their “https” equivalents. Below are some common websites with their “https” login portals.

Find any major websites that don’t offer an https login option, or have a site you’d like added to the list? Leave it in a comment.


Written by OSB

19/02/2011 at 20:02
