New software reminds users of Internet safety

Friday, November 5, 2010; 9:49 AM

Many people logging in to public Wi-Fi networks aren’t as safe as they think they are.

A new program called “Firesheep” allows anybody to intercept cookies being sent over unsecured networks. A cookie is a small file containing identifying data that websites store on a user’s computer, which lets the user move from one page to the next without logging in again.

This type of attack, a form of packet sniffing, used to be something that only networking experts could do. But with Firesheep, anybody can hijack accounts such as Facebook, Twitter, Amazon and most other sites with a single click.

“The tools have always been around, for almost 25 years,” said Randy Marchany, Virginia Tech’s information technology security officer and director of IT.

“But they never had that nice graphical interface, ‘Oh look, there’s a picture of the person,’ then you click on it and become them,” Marchany said. “It’s a stalker’s heaven.”

So how do you protect yourself?

“Go to encryption,” Marchany said.

Any network that doesn’t require a WPA password or a security certificate is unencrypted. This includes free Wi-Fi networks such as those at Starbucks or McDonald’s. WEP, an older form of encryption, can be easily cracked.

When connecting to Tech’s wireless Internet, users have a choice between VT-Wireless and VT_WLAN. The former is encrypted and the latter isn’t, making VT_WLAN vulnerable to this exploit.

Many opt out of the encrypted network and instead log in over VT_WLAN, either because they don’t know the difference between the two networks, or because VT-Wireless requires a security certificate that can be difficult to install. The login page has a link to the certificate page.

“I was aware that VT_WLAN is not secure,” said Adam Broda, a mechanical engineering major. “I tried setting it up last year, but I gave up because it was too difficult.”

“We’re transitioning away from VT_WLAN to VT-Wireless,” Marchany said.

Marchany encourages students to contact 4Help (answers.vt.edu) if they need any help transitioning to the more secure VT-Wireless.

4Help staff hasn’t had any major issues with certificates.

“When we go through it step by step with people it always works,” said Grant Hsu, a computer engineering major who works with 4Help.

Eric Butler, the programmer in Seattle who created Firesheep, said in a statement he released the program to the public to raise awareness about security issues.

However, releasing a hacking program the general public can use has raised some ethical issues.

“His motive is noble,” Marchany said. “The method — there’s going to be people who are going to argue one way or the other.”

Butler’s goal is to force websites to implement the more secure Web standards throughout their entire websites.

Many websites, such as Facebook, use a secure “https://” for login screens to protect the password, but then they hand the user off to regular “http://” where programs like Firesheep can hijack the account.
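As an added illustration (not part of the original article, and not code from Firesheep or from any site named here), the following Python script checks a site's login responses for the two conditions that make this hand-off dangerous: a cookie set without the `Secure` attribute, and a redirect from “https://” to “http://”. The hostnames, cookie values and function names are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses for two hypothetical sites (not captured traffic).
SAMPLE_FLOW = [
    {"url": "https://social.example/login",
     "headers": [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                 ("Set-Cookie", "csrf=xyz789; Path=/; Secure"),
                 ("Location", "http://social.example/home")]},
    {"url": "https://shop.example/login",
     "headers": [("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly"),
                 ("Location", "https://shop.example/account")]},
]


def audit_response(url, headers):
    """Return findings for one HTTP response, given its URL and header list."""
    findings = []
    served_over_https = urlsplit(url).scheme == "https"
    for name, value in headers:
        header = name.lower()
        if header == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without the Secure attribute the browser also attaches the
                # cookie to plain http:// requests, where it can be sniffed.
                if not morsel["secure"]:
                    findings.append(f"cookie '{cookie_name}' is missing Secure")
        elif header == "location" and served_over_https:
            # A redirect from https:// to http:// is the hand-off in question.
            if urlsplit(value).scheme == "http":
                findings.append(f"redirect downgrades to {value}")
    return findings


def audit_flow(flow):
    """Map each response URL to its list of findings."""
    return {r["url"]: audit_response(r["url"], r["headers"]) for r in flow}


if __name__ == "__main__":
    for url, findings in audit_flow(SAMPLE_FLOW).items():
        print(url, "->", findings or "no findings")
```
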

“We’ve been saying this is how easy it is but nobody actually believes you until they see something like Firesheep come out, so I can understand his goals,” Marchany said.

“It’s kind of one of these maddening things with Facebook and a lot of the other social networking sites is that they don’t really treat security as an issue,” Marchany said.

Also watch out for phishing attacks, where a website will pretend to be another website to trick a user into giving a user name and password. To prevent phishing, always look at the address bar to make sure it matches the website you are visiting. 

One of the biggest security issues online isn’t hackers — it’s the information you release to the public whether you realize it or not.

A version of this article appeared in the Nov 5 issue of the Collegiate Times.

2 Comments

VTWhiteHatStudent | November 7, 2010 @ 1:56 AM

Just using wireless makes a computer vulnerable. WPA can be easily cracked by free, widely available tools. BackTrack, especially when combined with a wifi pineapple, makes wireless so insecure that it should not be used for ANYTHING sensitive ever.

Anonymous | November 11, 2010 @ 1:54 PM

No, WEP can be cracked easily and WPA can be cracked with great difficulty, but WPA2 uses AES encryption. The Pentagon wishes they could crack AES, but as of now there is no alternative to brute force which can take decades.
