It’s a typical day at the University of Wisconsin’s College Library. You’re sitting in the second floor reading room, minding your own business and harmlessly browsing Facebook. Suddenly, a post by you shows up in your news feed, a post you didn’t write.
You, my friend, have just become the victim of Firesheep, an intrusive piece of software that hacks computer sessions, according to Division of Information Technology spokesperson Brian Rust.
When users download the Firesheep software, it enables them to search for, or “sniff,” open accounts that the user can then hack, Rust said.
The reason Firesheep is successful, Rust said, is that sites only encrypt their log-in pages. Only the log-in page is served over Hypertext Transfer Protocol Secure (HTTPS), while the rest of the site is served over plain Hypertext Transfer Protocol (HTTP). Because the rest of the site is HTTP, it is not secure, which makes hacking into the session simple with tools such as Firesheep.
Once hackers capture the information from a user’s computer, they can then log in again under the user’s accounts, Rust said.
“They have your credentials, so they can stay on your account,” Rust said.
While someone hacking a Twitter or Facebook account may not seem too upsetting, Rust said private information relating to a person’s identity such as credit card and social security numbers could be gained from information on certain sites.
“That [information] can be used to create accounts in your name that you don’t even know about … creating a checking account in your name [for example],” Rust said.
The tool surfaced in late October, Rust said, but became a concern within the last week or so.
Breaking into a user’s active session is nothing new; the new software merely automates the process.
While he does not know why anyone would want to develop this type of software, Rust said it is at least causing people to think more about Internet safety.
“What it leads to is people being hyper-concerned about security including – hopefully – people who develop web browsers,” Rust said.
One method to combat the issue is by using a wireless virtual private network (VPN), which Rust said will encrypt data sent from a user’s computer and make it difficult for hackers to access.
However, the data can still be hacked when it gets to the VPN provider before it goes to the website, Rust said.
Add-ons for web browsers such as HTTPS Everywhere for Firefox will ensure all data is protected until websites move to HTTPS for all content, Rust said.
The reason websites such as Facebook and Twitter encrypt only the log-in page is content-related, Rust said: beyond the log-in page, Facebook and Twitter generally feel their content is not pertinent enough to warrant protection.
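As an added illustration that is not part of the article, the Python check below looks for the gap described above from the site operator's side: a session cookie issued on an HTTPS log-in page but without the Secure attribute, which the browser will then attach to every plain-HTTP page load, and a missing HSTS header, which is how a site commits to HTTPS for all content. The header values are constructed samples and the cookie name and function names are my own assumptions.

```python
"""Audit a site's session cookie for the exposure Firesheep relied on.

A cookie set without the Secure attribute is attached to every plain-HTTP
request, so an HTTPS log-in page alone does not protect the session. The
Strict-Transport-Security (HSTS) header is how a site tells browsers to use
HTTPS for all content, not just the log-in page.
"""
from http.cookies import SimpleCookie

SESSION_COOKIES = ("sessionid",)  # assumed session-cookie name


def audit_response(headers: dict) -> list:
    """Return findings for one response; `Set-Cookie` maps to a list of values."""
    findings = []
    for raw in headers.get("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in SESSION_COOKIES:
                continue
            if not morsel["secure"]:
                findings.append(f"{name}: no Secure flag, sent over plain HTTP")
            if not morsel["httponly"]:
                findings.append(f"{name}: no HttpOnly flag, readable by scripts")
    if not headers.get("Strict-Transport-Security"):
        findings.append("no Strict-Transport-Security header")
    return findings


def hardened_headers(session_value: str) -> dict:
    """Headers a site should send once all content is served over HTTPS."""
    jar = SimpleCookie()
    jar["sessionid"] = session_value
    jar["sessionid"]["secure"] = True
    jar["sessionid"]["httponly"] = True
    jar["sessionid"]["path"] = "/"
    return {
        "Set-Cookie": [jar.output(header="").strip()],
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


# Constructed sample: the log-in-only-HTTPS pattern described in the article.
LOGIN_ONLY_HTTPS = {"Set-Cookie": ["sessionid=d41d8cd98f00b204; Path=/; HttpOnly"]}

if __name__ == "__main__":
    for finding in audit_response(LOGIN_ONLY_HTTPS):
        print("weak site:", finding)
    print("hardened site findings:", audit_response(hardened_headers("abc123")))
```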
UW freshman Charlotte Poduch said she doesn’t approve of the software because it invades privacy. She also said she would like to see it stopped.
UW freshman Joe Robaidek said that, in an age when Facebook is already under scrutiny, he thought Firesheep would take the criticism to a new level.