ID Theft? 3 Clicks and a Coffee away from your Facebook account

More Identity Theft?

There is a new, easy way to access other people’s accounts going around. This came out in late October, and users of some websites are still at risk – including Facebook.

Here is the email I received this morning:

There is a new tool that allows anyone to easily hack into your Web accounts (e.g. Facebook) when you use an open Wi-Fi network, such as at Starbucks or an airport. It is called FireSheep. FireSheep is effective when you use your Mac, your iPhone, your iPad, or your iPod Touch (or a PC, Windows, any computer).

There are two ways to deal with this. The first is to use a VPN (virtual private network). The second is to use a free Firefox add-on called BlackSheep. Here are two articles that will give you details on doing both:

Here is a screenshot of what I saw when I tried it. Note that I was able to access the Facebook accounts shown here simply by double-clicking on them:
Firesheep logins captured

There is a third way: don’t use unsecured (i.e. no password) wireless networks to access Facebook and other social networking sites. If your wireless network is open, put a password on it. If your local coffee shop has wireless, ask them to password-protect it. It’s quick and relatively easy to do. Users only have to enter the password once; the computer usually remembers it for them.

This is actually a problem that has existed for a long time, but now it’s been made super easy to take advantage of.

This is the new tool and explanation thereof:

I just tested it, and was able to see Facebook and WordPress connections, and even masquerade as the people whose logins I was able to see. (Yes, I did ask permission first).

While this issue has been around for a good long while, until now, it hasn’t been this easy. The only technical knowledge required is the ability to install a Firefox plugin. Once that’s done, you’re 3 clicks and a coffee away from someone else’s Facebook.

In a nutshell, it works like this:

Mr. BadMan installs a bit of software.
He then goes out for coffee, anywhere with an open wireless network.
He opens Firefox and clicks “start capturing”.
His computer watches the wireless traffic, looking for cookies that are going back and forth to Facebook, Google, Yahoo, and some other social sites.
He gets a list of people who are online.

He can then double-click on any of them to log in AS THEM. He can then post messages, change their profile information, change their passwords, or anything else he wants.

There are a few solutions to this:
a) If you are using unsecured (no password) wireless, you can install your own Firefox add-on (HTTPS Everywhere), which forces your browser to use the encrypted (HTTPS) version of sites that offer one. This requires that you (1) install it, and (2) use Firefox, not Safari, Internet Explorer, Chrome, or another browser.

b) Social media sites can change their servers to send all traffic through encrypted connections. Google and Yahoo have apparently done this; Facebook is still vulnerable to this attack. This is the reason most banking sites are not vulnerable to this attack: they use secure web pages for everything after sign-in, not just the sign-in itself.
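The attack works because the session cookie travels in the clear on every plain-HTTP request after login, so a site operator can check for the exposure described in the steps above and in solution b) by auditing its own response headers: a session cookie without the `Secure` attribute will be sent over HTTP, and a missing `Strict-Transport-Security` header means the browser will keep making HTTP requests. The following audit script is an added example, not code from the post or from Firesheep; the cookie name hints, the two sample responses and the `audit_response` function are all constructed here for illustration.

```python
"""Audit HTTP response headers for session cookies that would be replayable
if captured on open Wi-Fi (the sidejacking scenario described in the post)."""
from dataclasses import dataclass

# Substrings that usually mark a login-session cookie (constructed list;
# extend it with your own application's cookie names).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "login", "token")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def sidejackable(self) -> bool:
        # Without Secure, the browser attaches the cookie to plain-HTTP
        # requests too, which is exactly what a passive listener copies.
        return self.looks_like_session and not self.secure


def parse_set_cookie(value: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_COOKIE_HINTS),
    )


def audit_response(headers: list[tuple[str, str]]) -> dict:
    """Summarise the sidejacking exposure of one response's (header, value) pairs."""
    cookies = [parse_set_cookie(v) for h, v in headers if h.lower() == "set-cookie"]
    return {
        "sidejackable_cookies": [c.name for c in cookies if c.sidejackable],
        "missing_httponly": [c.name for c in cookies if c.looks_like_session and not c.httponly],
        "hsts": any(h.lower() == "strict-transport-security" for h, _ in headers),
    }


# Constructed sample responses: a site that encrypts only the sign-in page,
# and one that keeps the whole session on HTTPS.
WEAK_SITE = [("Content-Type", "text/html"),
             ("Set-Cookie", "session_id=Zm9vYmFy; Path=/; HttpOnly"),
             ("Set-Cookie", "lang=en; Path=/")]
HARDENED_SITE = [("Content-Type", "text/html"),
                 ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                 ("Set-Cookie", "session_id=Zm9vYmFy; Path=/; Secure; HttpOnly"),
                 ("Set-Cookie", "lang=en; Path=/")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_response(hdrs))
```

Running it flags `session_id` on the weak site and nothing on the hardened one; the same check can be pointed at a real site's headers captured with the browser's developer tools.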

c) Coffeeshop owners and anyone else who provides free wireless can add a password to their wireless networks. It’s quick, it’s easy, and covers everybody in one fell swoop.

The wireless password can be freely provided to customers, even written on a sign or menu board. In general, once they’ve entered it once, they don’t have to again until they come in with a new computer. Now all wireless traffic is encrypted, thus preventing this attack from working.

I’ve secured one Portland coffee-shop /non-profit space today, and another one is a go for tomorrow. Ideally, ANY open wireless network needs to be encrypted.