Sign up to our newsletter
The latest security news direct to your inbox
I’m sure that at some point you have listened to the radio. A signal goes out and all radios in range can tune in to the broadcast. WI-FI is essentially a radio signal that transmits and receives data. The access point and your computer exchange information, but all computers with wireless capabilities can receive the same data that your computer sends and receives.
The way to protect your data from other computers that might be snooping is to encrypt the data. If your data isn’t encrypted then your username and password can be “sniffed” and stolen. So, how do you encrypt your data? There are a variety of ways to do this.
Let’s start with a secure wireless access point. There are 3 main levels of wireless security. WEP was the first wireless security protocol and offers such weak encryption that it is generally considered as unsecured. In the case of the Firesheep tool, WEP will protect you from the least sophisticated would be hackers. The next security protocol was WPA. WPA is better than WEP, but researchers found flaws that make it fairly insecure as well. The current protocol is WPA2. When you connect to a wireless access point you want to connect with WPA2, but that isn’t your choice. Either the wireless access point offers it or it doesn’t. At home if you have a wireless router that is less than a few years old, then you should have it configured to use WPA2 encryption.
A second way to encrypt the data over a wireless, or even wired connection, is to use a Virtual Private Network (VPN). If you use a VPN for work, it probably is not going to help you. Typically when a company has their employees use a VPN it only encrypts the data between the computer and the company. So if you are at Starbucks reading your email from your Hotmail account, your corporate VPN is probably not protecting you. There are both free and paid VPN solutions, but the free ones often have limits on how much data you can send and receive each month. Paid solutions usually allow for more data or unlimited data. If you use a VPN that tunnels all of your data, then when you are using an unsecured wireless access point your data is still encrypted.
If you don’t have a VPN and are connected to an unsecured wireless access point then you basically have one way to encrypt your data. The way you do it is by using Secure Sockets Layer (SSL). Without getting too techie, when you are at a web site that starts with HTTPS then your data is encrypted using SSL. When you go to log into your Facebook account the login button actually takes you to a webpage that starts with https://, which encrypts your username and password so that hackers can’t sniff it as it gets transmitted from your computer to the wireless access point and then on to Facebook. The problem is that after you are logged in, Facebook and most other social networking and email websites then go back to http://, which means your data is not encrypted anymore. This means that if you are reading your email, another person on the network can read it as well, but it does get worse. Once you log on to a website puts a cookie on your computer and that cookie is repeatedly sent back and forth with your data so the website knows you are logged on. The cookie is not encrypted and if someone else gets that cookie they can access your account as if it was you logged in. They can send email, tweets or messages to your contacts and friends. They can change your profile and the email address that confirmations or notifications are sent to.
It used to be that someone who wanted to capture your cookie to access your account had to have some pretty good technical skills, but with the release of Firesheep virtually anyone can perform the attack now. There are a handful of websites that do use SSL all of the time. If you use Gmail, log into your account, click on settings, and where it says “Browser connection” make sure it is set to always use https. Another thing you can do is use Firefox and a plug in call HTTPS Everywhere. HTTPS Everywhere only works with a few websites, but for those websites it will make sure you use https the entire time you are on the site. If a website, like Yahoo, Linked In, and most others, does not support full SSL sessions, then they are not safe to access over unsecured WIFI, even with HTTPS Everywhere.
The real solution is for websites to use SSL all of the time. Google has only gotten some of it right. If you log in when you go to www.google.com, then it is not encrypted. The cookie won’t get an attacker into your email account, but it will look like you visited every site the attacker visits after they steal the cookie. Facebook, Microsoft, Yahoo, MySpace, Twitter and most all of the other social networking and email sites out there are extremely irresponsible and are doing virtually nothing to protect your data privacy as long as they do not allow and default to full SSL sessions.
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC
Author ESET Research, ESET