evilneko Posted October 26, 2010

So you're up at your favorite coffee shop, or even McDonald's, and you pop open your laptop and hop onto their free, wide open wifi. You browse your favorite sites--the nexus included, of course--and later, you head home. Then you try to log on, only to find out you've been banned! Wait, what? What happened? You didn't troll any upload threads or upload nekkid pics to the image share. What gives?

You've been hit by Firesheep. When you logged on from the coffee shop, some smug little punk swiped your cookie and pretended to be you.

But wait, one of the sites you logged into uses https for the login, and you're banned there too! Sorry, bud, the entire session is not encrypted. The cookie got delivered to you in the clear and that punk snatched that one too. This is true of most sites that have an encrypted login because of the resources required to encrypt entire sessions. The Nexus, for one, will likely never have complete-session encryption. Even giants like Facebook will likely never have it. Good news though: GMail does. Just type https instead of http, and the session will remain encrypted throughout.

By no means is this scenario new. This possibility has in fact always existed for users of open wifi. Firesheep just makes it dead simple, accessible to even the dullest of sqript qiddies.

So what can you do to protect yourself?

Use tools like HTTPS Everywhere, which is a Firefox extension that forces https usage on sites that support it.

Presumably your computer at home is connected via ethernet to the router, so:

Use a VPN: home routers with VPN capabilities are fairly common these days, and VPN software for PCs is not hard to come by either. Hamachi is a free, simple to use VPN solution. You'll also need a proxy server (such as the simplistic AnalogX Proxy, or fancier filtering proxies like Privoxy and Proxomitron) running on the PC running Hamachi.

For the more technically inclined, there's SSH tunneling (which is pretty fun to play with, btw). You need a Linux box running an sshd and a forwarded port, and a proxy server running either on the Linux box or another computer on the network.

In sum, always bear in mind what kind of connection you're using!

For further info on Firesheep, see:
http://www.dslreports.com/forum/r24977800-Firesheep-In-Wolves-Clothing-Extension-Lets-You-
http://techcrunch.com/2010/10/25/firesheep/

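The cookie exposure described in the post above, as an added example that is not part of the original thread: it shows which cookies a browser attaches to a plain-http request after an https login, depending on the cookie's Secure attribute. The header values and cookie names are constructed sample data, and path, domain and expiry matching are left out to keep the focus on Secure.

```python
# Added example: which cookies leave the laptop unencrypted after an https login.
# All header values below are constructed sample data, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent(set_cookie_headers, scheme):
    """Cookie header a browser would attach to a request using this scheme."""
    pairs = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue  # Secure cookies are withheld from plain-http requests
        pairs.append(f"{name}={value}")
    return "; ".join(pairs)


def exposed_on_open_wifi(set_cookie_headers):
    """Names of cookies that any later http:// page load sends in the clear."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed response to a login form that is itself served over https.
SAMPLE_LOGIN_RESPONSE = [
    "session_id=3f9a1c; Path=/; HttpOnly",          # no Secure attribute
    "auth_token=77ab02; Path=/; Secure; HttpOnly",  # https-only
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("sent over http :", cookies_sent(SAMPLE_LOGIN_RESPONSE, "http"))
    print("sent over https:", cookies_sent(SAMPLE_LOGIN_RESPONSE, "https"))
    print("exposed names  :", exposed_on_open_wifi(SAMPLE_LOGIN_RESPONSE))
```

A site owner can run the same check against the Set-Cookie headers of their own login response: any session cookie in the exposed list needs the Secure attribute and an https-only session.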
TheTerminator2004 Posted October 27, 2010

For a VPN, I'd strongly recommend using a proper VPN provider rather than trying to use TOR or Hamachi. You don't normally manage to get much more than 10-20KB/s speeds from these P2P solutions. For a small monthly fee however, you can have a fast, secure connection to a remote VPN server (I use a particularly cheap one - usually comes to around £3 a month, depending on the exchange rate - and get consistent speeds of 5-600KB/s, which is plenty for me). It also has the advantage of hiding your IP address from the websites you visit, which adds an extra layer of security. I personally recommend SwissVPN, but there are other equally good ones out there such as IPredator.

Windows has built-in support for certain types of VPN - PPTP and L2P. However, these have extremely poor security, and may not provide adequate protection. Ideally, you want a provider who uses OpenVPN - this requires installing some extra software on your machine, but provides strong encryption through a secure tunnel.