Missouri Lawmakers caught by Firesheep?
Yesterday the St. Louis Post-Dispatch carried a front page article, “Missouri lawmakers’ Facebook accounts hacked”. It said in part:
Three Republican and one Democratic state House members, and one Republican staff member have reported that their Facebook accounts have been hacked since the Jan. 5 start of the legislative session, the St. Louis Post-Dispatch reported Monday.
It is unclear how the accounts were accessed, but it may have been over a free wireless network at the state House that visitors, staff members and lawmakers use. In instances in which Facebook accounts were accessed, the owner had used that network.
This sounds like the work of the Firefox add-on Firesheep. On the sort of open network found at the capitol, one that requires no password to join, every client can hear every other client’s traffic, and Firesheep “sniffs” that traffic for the session cookie a site hands your browser once you have logged in. Even when the site encrypts the login page itself, the browser then attaches that cookie to every ordinary http request in the clear; whoever captures it can present it to the site and be treated as you, seeing and editing your pages, without ever learning your password. It works with sites like Facebook and Twitter and is drop dead simple for the attacker: install the free add-on, click on the user you wish to impersonate, and you are in. The software is easily available and has been downloaded almost 1.2 million times.
So if you do not want to let others pretend to be you, what do you do?
- Never log in to a web site, or keep using one you are already logged in to, when you are connected to a Wi-Fi hotspot that does not require a WPA password. A WPA password, even one written on the wall, means your traffic is encrypted between your laptop and the access point, a big improvement over an open network. It is not absolute, though: anyone who knows that same shared password and captured your connection handshake can still decrypt your traffic, so treat a coffee-shop WPA network as better than open, not as private.
- On an open hotspot you can still use sites that ALWAYS serve their pages in a protected mode (using https), because then the session cookie travels encrypted as well. However, many sites only encrypt the initial logon and then fall back to plain http, which is no protection at all against this attack: the cookie issued during the encrypted login is handed over in the clear on the very next page. Browser extensions such as the EFF’s HTTPS Everywhere can force https on sites that support it but do not default to it.
- Use a Virtual Private Network (VPN), which encrypts all of your traffic between your machine and the VPN provider regardless of the Wi-Fi hotspot you are connected to; a sniffer on the hotspot then sees only the encrypted tunnel.
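To make the attack in the paragraph above and the https point in the second bullet concrete, here is a small added example (my own illustration, not code from the original post and not Firesheep’s source). It parses constructed cleartext HTTP requests the way an open-Wi-Fi sniffer would see them, picks out the cookies a per-site “handler” says make up the login session, and shows the Cookie header an attacker would replay. The cookie names in the handler table and every request below are assumptions made up for the example, not Firesheep’s real handler definitions or real captures. The last function is the server-side check that defeats the whole thing: any session cookie set without the Secure attribute will be sent over plain http, no matter how the login was done.

```python
"""Added illustration of the Firesheep-style session hijack and the Set-Cookie
audit that defeats it. Not the original post's code and not Firesheep itself.
All request payloads and cookie names below are constructed for the example."""
import re

# Firesheep ships a per-site "handler" naming the cookies that carry the session.
# These names are assumptions for illustration, not Firesheep's actual handlers.
SITE_HANDLERS = {
    "facebook.com": ["c_user", "xs"],
    "twitter.com": ["auth_token"],
}

# Constructed cleartext HTTP requests as seen on an open network. The HTTPS login
# itself is invisible to the sniffer; what leaks is the session cookie the browser
# attaches to every later plain-http request.
CAPTURED_REQUESTS = [
    ("10.0.0.5", "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
                 "Cookie: datr=abc123; c_user=100012345; xs=9%3Afakesession\r\n\r\n"),
    ("10.0.0.7", "GET / HTTP/1.1\r\nHost: mobile.twitter.com\r\n"
                 "Cookie: guest_id=v1%3A1; auth_token=deadbeefcafef00d\r\n\r\n"),
    ("10.0.0.9", "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
                 "Cookie: prefs=dark\r\n\r\n"),
]


def parse_http_request(payload):
    """Return (host, {cookie: value}) from a raw HTTP request, or None if not HTTP."""
    head, _, _ = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not re.match(r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        k, _, v = pair.strip().partition("=")
        if k:
            cookies[k] = v
    return headers.get("host", ""), cookies


def match_handler(host):
    """Find the handler whose domain covers this Host header, if any."""
    for domain, names in SITE_HANDLERS.items():
        if host == domain or host.endswith("." + domain):
            return domain, names
    return None


def harvest_sessions(captures):
    """The sniffer side: collect complete session-cookie sets per victim and site."""
    found = []
    for client_ip, payload in captures:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        handler = match_handler(host)
        if handler is None:
            continue
        domain, needed = handler
        if all(n in cookies for n in needed):
            found.append((client_ip, domain, {n: cookies[n] for n in needed}))
    return found


def replay_cookie_header(session):
    """The Cookie header the attacker's browser sends to be treated as the victim."""
    return "; ".join(f"{k}={v}" for k, v in session.items())


def audit_set_cookie(set_cookie_headers):
    """Defense check: return names of cookies issued without the Secure attribute.
    Such cookies are sent over plain http too, so an https-only login does not help."""
    weak = []
    for hdr in set_cookie_headers:
        parts = [p.strip() for p in hdr.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.split("=")[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            weak.append(name)
    return weak


if __name__ == "__main__":
    for ip, site, sess in harvest_sessions(CAPTURED_REQUESTS):
        print(f"{ip} -> {site}: Cookie: {replay_cookie_header(sess)}")
    print("cookies missing Secure:", audit_set_cookie([
        "xs=9%3Afakesession; Path=/; Domain=.facebook.com; HttpOnly",
        "auth_token=deadbeefcafef00d; Path=/; Secure; HttpOnly",
    ]))
```

Run as a script it lists the two hijackable sessions (the example.org request carries no session cookie for any handler) and flags the constructed `xs` cookie as missing Secure. The point of the audit function is the one the second bullet makes: the fix belongs on the server, by marking the session cookie Secure and serving every page over https, not just the login.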
The bottom line: it is dangerous out there. Be paranoid, and be very careful which Wi-Fi network you consort with.
Cross posted on my personal and professional blogs.