Yesterday, Senator Charles Schumer held a press conference in an unusual place: Birch Coffee, a cafe near Madison Square Park in Manhattan.
With the funny choice of venue, the senator was making a point: even your friendly neighborhood barista might just be a malevolent hacker. And he doesn’t even need to know how to write a line of code to be one.
It seems likely that Schumer’s recent concern was piqued by a New York Times article from February 16th, which drew attention to the new vulnerabilities faced by WiFi users, and in particular to a free program called Firesheep, which first made waves in October. Firesheep makes hacking your fellow cafe-goer a simple, user-friendly, DIY affair. It takes advantage of a lack of end-to-end encryption, allowing hackers to grab cookies, the snippets of data that identify you and your private information to a site. This, in turn, enables hackers to masquerade as you on sites like Facebook, Twitter, Amazon, or eBay. Over a million people have downloaded the program. (Fast Company covered Firesheep months ago.)
Sites that use HTTPS, rather than HTTP, are safe from this sort of hacking. Banking sites tend to use HTTPS, but other sites like the ones mentioned above do not. The purpose of the Schumer conference was to call on sites like Twitter and Amazon to start beefing up their security, acting more like banks.
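As an added example (not from the original article or from any site it names), here is one way to check whether a site's response headers leave cookies readable on an open network, which is the gap Firesheep relies on. The header values are constructed samples and the function names are hypothetical.

```python
# Added example: constructed headers, hypothetical function names.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def sniffable_cookies(headers):
    """Return names of cookies the browser would also send over plain HTTP.

    A cookie set without the Secure attribute is attached to http://
    requests too, so anyone capturing traffic on the same WiFi can read it.
    """
    names = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                names.append(name)
    return names

def forces_https(headers):
    """True if Strict-Transport-Security is present with max-age > 0."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            for directive in value.split(";"):
                k, _, v = directive.strip().partition("=")
                v = v.strip('"')
                if k.lower() == "max-age" and v.isdigit():
                    return int(v) > 0
    return False

# Constructed sample: login over HTTPS, but cookies usable over HTTP afterwards.
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
# Constructed sample: the bank-style configuration.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, sniffable_cookies(hdrs), forces_https(hdrs))
```
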
So just how easy is Firesheep to use? Even a Senator’s aide can do it! A Schumer staffer hacked into the Twitter account of a nearby colleague. Call it consensual hacking. Anyhow, it impressed reporters, as did Schumer’s talk of the HTTP protocol as “a welcome mat for would-be hackers” and a “one-stop-shop for identity theft.”
Easy solution: Don’t go to Starbucks or any coffee shop. Better yet, never leave your house. Stay at home with all the safe Internet you can have, where you belong.
Hardy-har-har. Better solution: use Firefox and install either Force-TLS or HTTPS Everywhere so that you connect via HTTPS to sites that otherwise default to plain HTTP. And if you want to be super-paranoid, also use a VPN. There are other Firefox add-ons, such as BlackSheep, that are supposed to protect you from Firesheep, but they don’t work.