Thank you for broadcasting your data!


IDENTITY | SECURITY

It wasn't that long ago that the release of Firesheep sent a ripple through the tech community. But short attention span theater prevailed and the concern was short lived. People moved on to the next topic (something about Justin Bieber's hair IIRC).

Firesheep wasn't anything new per se; network sniffers have been around since the first network and have always been available to the bad guys so they can do bad stuff. What Firesheep did was to make network snooping, or more specifically session hijacking, available to the masses.

A quick Firefox install, an open wifi network, a couple of clicks and you're in control of someone's Facebook account. From there, email, then the bank password gets changed, etc. GitHub says more than 1.5 million downloads so far, which means to me that while the press may not be focused on it, plenty of people are still experimenting with Firesheep.

Earlier this week the same vulnerability raised its head in a slightly different form. It turns out that if you use an Android phone, your authentication data might be exposed when you connect to certain Google services via an open wifi network. Here is an excellent article describing the details of the vulnerability and potential associated exploits.

The very good news here is that one day later, Google announced auto-updates that address the vulnerability. So can we all get back to fretting about American Idol? No!

Remember before the Internet we used this wireless device called a radio? Stations would broadcast their "content" over the "airwaves", and any radio in range can "tune in" to the "frequency" and get full access to everything broadcast. For free! Well, when you fire up wifi at Starbucks, you are that radio station and the content you're broadcasting is your data. And if you aren't careful, it is freely available to anyone in range.

Acknowledge that there will always be security vulnerabilities, and later there will be fixes. It's the ebb and flow of computer security. Thankfully Google was very quick to respond and Android users don't need to take explicit action. But we can't expect every vendor to be so quick or as user-focused.

Keeping safe means we need to change our behavior, and perhaps get smarter about the situation in the process. There are plenty of beginner resources online, let me Google that for you.

The press loves to create flash and bang when these issues are discovered. In trying to stretch the story, security issues can get conflated. People's techno-babble fuse blows, readers stop following and awareness shifts to something else.

In spite of this noise, it is incumbent on us as users to understand where we are at risk, and what our options are. I know this is hopeless, but part of the responsibility lies with us users. 

Like the joke about not having to outrun the bear, just the other campers, try to make yourself a harder target than the next guy. Try to get smarter. Understand that if your phone is automatically "checking in", it might be sharing data you don't want shared. Don't just click <OK> because your computer or that cool App says to. Be skeptical. 

While you're learning, you can also take action. Until every site supports authentication AND interaction via secure protocols (HTTPS), DON'T DO ANYTHING sensitive on an open wifi network. Be paranoid. Don't log in to anything when you aren't on a network you trust. But if you must, use a utility or browser plug-in that will force the connection to use HTTPS. Verify that the utility maintains HTTPS for the entire session, not just for the login page. There are several candidates - search Google for browser extensions that "force TLS" or "https only".
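The two things a "force HTTPS" tool relies on are visible in a site's own responses: a Strict-Transport-Security header, so the browser never falls back to plain HTTP after the first visit, and session cookies flagged Secure, so they are never sent in the clear where a sniffer like Firesheep could read them. The following Python script is an added example, not code from the original post or from Authentic8; it audits a response offline for exactly those properties and checks that a redirect chain never downgrades from HTTPS back to HTTP. The host `example.test`, the cookie values and the header sets are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real site).
# Each is (final URL after redirects, list of (header, value) pairs).
HARDENED_RESPONSE = (
    "https://example.test/login",
    [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Content-Type", "text/html"),
    ],
)
LEAKY_RESPONSE = (
    "http://example.test/home",
    [
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Content-Type", "text/html"),
    ],
)


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Return the cookie name and whether the Secure / HttpOnly flags are set."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags carry no "=value".
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in flags, "httponly": "httponly" in flags}


def redirect_chain_stays_https(chain: List[str]) -> bool:
    """True if, once a hop reaches HTTPS, no later hop drops back to plain HTTP.

    A first hop on http:// is tolerated: that is the request a "force HTTPS"
    tool rewrites. Any http:// hop after an https:// one is a downgrade, and
    a chain that never reaches HTTPS at all fails too.
    """
    seen_https = False
    for url in chain:
        scheme = url.split("://", 1)[0].lower()
        if scheme == "https":
            seen_https = True
        elif seen_https:
            return False
    return seen_https


def audit_response(final_url: str, headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Check a response for the properties that keep a session off plain HTTP."""
    findings: List[str] = []
    if not final_url.lower().startswith("https://"):
        findings.append("final URL is not HTTPS")
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header; browser may fall back to HTTP")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if not c["secure"]:
            findings.append(f"cookie {c['name']} lacks Secure (would be sent in the clear over HTTP)")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']} lacks HttpOnly (readable by page scripts)")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, (url, hdrs) in (("hardened", HARDENED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        report = audit_response(url, hdrs)
        print(f"{label}: {'OK' if report['ok'] else 'FAIL'}")
        for finding in report["findings"]:
            print("  -", finding)
    downgrade = ["http://example.test/", "https://example.test/", "http://example.test/home"]
    print("downgrade chain stays HTTPS:", redirect_chain_stays_https(downgrade))
```

To run this against a live site you would feed `audit_response` the final URL and headers from the last response in the redirect chain (for example from `urllib.request` or the browser's developer tools) and `redirect_chain_stays_https` the list of URLs visited along the way. A "hardened" result means a forced-HTTPS connection can stay that way for the whole session; a "leaky" one means the cookie can still leak the moment any request goes out over plain HTTP.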

When you're done with that site, log off. Especially if you're bouncing between open wifi networks. Don't let your device automatically re-connect, because you'll be broadcasting your data again before you know it. 

And if you're willing, use a VPN or VPN-like utility such as Hotspot Shield, which will ensure all your connections are handled through a secure network connection. 

Is all this practical? Will users wake up? Will we forever live in the punch-counterpunch world of vulnerabilities and fixes? I don't know. What do you think?

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
