A few weeks ago Ben Ellison had a story on a program called “Firesheep” which makes hacking WiFi signals much easier. Recently John Harries had an even better discussion on his website (be sure to read the comments on both). This issue is of concern to anyone who uses WiFi to send data they would not otherwise want in the hands of someone intent on no good.
Having an expert in this field in our own back yard, Mike Parker, we asked Mike for his take on the Firesheep problem. Mike’s comments follow:
Good discussion (Mike is referring to the John Harries article).
Most of the discussion focuses on the un-encrypted Wi-Fi over-the-air radio link, and this is a real threat. I always assume that anything sent over such a link may be intercepted. Sometimes things go over this link without you realizing it. For example, I found that my computer email was sending a default request to check all my email accounts every 10 minutes. That request included my mail server’s address, my user name and my password UNENCRYPTED.
Apparently, with the release of Firesheep, attacks on un-encrypted Wi-Fi links are trivial. See:
http://www.computerworld.com/s/article/9193201/How_to_protect_against_Firesheep_attacks
The computers at the marina end of the link are also an area of risk. If I were a criminal, I might get a job there. Of course, getting a job at a phone company or a company that routes internet traffic might be a more lucrative alternative.
The advice to use any security services that your bank, etc. offers is good. HTTPS helps if the web site supports it. Note that many sites only encrypt some things in the exchange with the web site. Apparently many sites only encrypt the initial login, and not the data that follows. The blog’s reference to:
https://www.eff.org/https-everywhere appears to be an excellent start if you use the Firefox browser.
I tend to trust an external data connection directly to the phone network. The phone system (like GSM) generally has security protection built in and you can hope it is turned on by the phone company. Also the equipment required for hacking the phone network is less available than Wi-Fi equipment. I believe I told you about the Ericcson W35 equipment we are buying for Avatar. That hooked to GSM plus WPA2 for our internal Wi-Fi is reasonably secure for now I think.
We have a Wi-Fi access point in the boat for internal use by laptops, etc. We have turned on WAP2 encryption. That protects us from someone nearby sniffing our internal network. Of course, it doesn’t protect anything that goes outside the internal boat network.
My office runs both hardware and software VPN. The goal is to keep anyone in between in the phone network (which is not usually encrypted internally) or any of the internet routers (whose data streams are typically not encrypted) from seeing anything other than an encrypted data stream that goes point-to-point from my terminal to my work network. The VPN software and hardware has not been trivial to set up correctly or totally bug free.
None of this protects you if the right kind of malware gets into a computer on your private network. Once the malware is installed, it can send (and receive) information to/from computers outside your VPN network and you are doomed. So be careful about attaching potentially infected laptops to your boat network (our emphasis).
Remember that the VPN services are encrypting stuff between your computer and their servers. That protects you from someone intercepting your over-the-air link or unencrypted phone/internet traffic. But it does not protect you from the VPN service itself. They are installing and controlling software inside your computer. So you MUST TRUST THEM. If I were the Russian mafia, I would be setting up sites like this. I have no reason to believe that there is a problem, but just because I’m paranoid doesn’t mean they aren’t out to get me 🙂
With firesheep on the loose, I suspect we are going to all learn a lot about wireless security and VPN in the coming months.
This story is going to become more interesting. We will keep you posted on what we learn.
Posted by Steve Dashew (December 20, 2010)
December 22nd, 2010 at 8:48 am
I’m working as a CISO in a Federal Agency in Germany.
My Tips: If you can NOT trust the WiFi network, protect your computer! Turn on a local firewall (Vista and Win7 have it on board). Install all updates for your system. Use an anti-virus programm and update the virus pattern every day. Update your browser if new versions are released. Do NOT visit the dirty corners of the internet. Do not work and browse with admin rights. Use only software from trusted sources.
I could write books about it, but would you read it at all? 😉
You will find a lot of sites in the web to learn more about IT security.
For your own WiFi use WPA2 with a long key. Short passwords can be recalculated very fast with “Rainbow Tables”. Nothing is 100% secure – like your boat!
For you now secure holidays and a peacefull new year.