Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Firesheep, Blacksheep, and protecting your Wi-Fi data

Firefox plug-in Firesheep illustrates how easy it is to eavesdrop wireless traffic and provides the tool for anyone to do it

Despite the convenience, free public Wi-Fi networks like those found in hotels, Starbucks, and McDonald's are also a serious risk when it comes to your data and personal information. A new Firefox plug-in makes it even easier for tech novices to snoop wireless traffic, making it even more crucial than ever that users understand the risks and take precautions when using Wi-fi hotspots.

The Firesheep plug-in was developed by security researchers to highlight how insecure public Wi-Fi networks can be. Mission accomplished. Unfortunately, the tool works quite well, and its public availability now places a relatively powerful snooping tool that requires virtually no hacking skills or exceptional tech knowledge in the hands of anyone.

Another Firefox plug-in called Blacksheep was developed as a Firesheep alarm. It won't secure your wireless data, and it won't prevent your information from being snooped by Firesheep per se, but it will alert you when Firesheep is in use on the network you're connected to so that you're aware.

Bottom line, wireless networks are not as secure as their wired counterparts, and Wi-Fi hotspots open to the general public are even less secure. If your laptop can connect to a wireless router 100 feet away, then so can any other device in a 100-foot radius of that wireless router--which is why the router should have encryption enabled and require a password of some sort to gain access.

The issue is mainly a function of public Wi-Fi hotspots which generally have a completely open, and unencrypted wireless network available for patrons to join. In some cases, such as hotels, the Wi-Fi may actually use a password to prevent abuse by users who aren't actually staying at the hotel, but those are only slightly more secure because the password is shared with everyone who stays there, and is rarely changed so acquiring it is a trivial matter.

Chet Wisniewski, a senior security advisor with Sophos, implored establishments such as Starbucks and McDonald's to improve security by adopting an encrypted network with a default shared password. The sentiment is admirable, and the solution offered would provide better protection than no encryption at all--and prevent snooping by the current version of Firesheep--but, in the grand scheme it's not much better.

A comment on the Sophos blog explains, "I'm not really sure "free" as password is a great idea, since a password in WPA2 is nothing but a pre-shared secret, which in turn is then used to create a unique key. The problem is, when everyone uses the same password, everyone will end up with the same key, which will be in intended use client and access point, but if someone else knows the password he will be able to come up with the same key."

The commenter concludes with, "You might say now it's better to have some encryption instead of none, but I think that's even more dangerous, because people now will actually think they are secure, and will therefore feel at ease to do more dangerous stuff, while a black hat will actually have just little more inconvenience to decrypt it first based on the password he knows. In fact, a black hat might even be more attracted to such hot spots because he knows people feel more at ease to do dangerous things there."

Public hotspots are convenient. It is nice to be able to kick back and surf the Web while sipping a pumpkin spice latte at Starbucks. Just realize that the Wi-Fi is insecure and limit your activities. Go ahead and read the headlines at CNN.com, but don't check your bank balance, or do anything else that requires entering a username, password, or account number.

If you want or need to do more sensitive tasks over the public Wi-Fi, use a VPN connection of some sort so that there is an encrypted tunnel between your laptop or tablet and the destination you are connecting to.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: CNN, McDonald's, NN, Sophos, Starbucks
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: applications, browser security, data protection, encryption, firefox, mobile security, security, software, wireless security
Latest Blog Posts
Whitepapers
  • Consolidation Without Compromise
    Virtualisation of computer, storage and infrastructure is enabling the transformation of enterprise datacentres into private clouds. The impact is an unprecedented ability to consolidate infrastructure without compromise: no change to service level agreements (SLAs), no loss of performance or scale, and no regression in the organisation’s overall security posture. Read on.
    Learn more »
  • CIO Executive Council ROI
    This document was created by Council CIOs as a means to illustrate ROI for membership. It outlines the services available to member CIOs and their deputies.
    Learn more »
  • NetScaler 2048-bit SSL performance advantage
    Citrix® NetScaler® provides advanced layer 4-7 traffic management and load balancing. Like other leading Application Delivery Controllers (ADCs), NetScaler can offload computationally expensive SSL processing responsibilities from web and application servers to speed the delivery of SSL-protected applications. Learn more.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments