Dangers in Public Browsing


I think that we’ve all heard about the dangers of connecting to open networks.  It’s the stuff that spy stories thrive on.  You’re at your local coffee store doing some internet activity and a bad guy attaches to the same network and steals your identity.  After all, you’re both sharing the same wireless connection.  Futuristic, eh?

Not any more.

If you have the Firefox browser and an appropriate add-on, you can do it yourself.  A great deal has been written about the Firesheep add-on lately.  It’s reportedly a proof of concept utility that Mozilla allows to be downloaded and installed to hijack http connections.  Once installed, the curious can monitor the connection for logins and passwords so that you might assume someone else’s account.

In this day and age, I think many of us are quite comfortable with online banking or shopping.  We’ve all been trained to “look for the lock” or whatever the equivalent is for your browser.  That is a visual that you have a secure connection with the other end for the purposes of doing these sorts of things.  You may notice that increasingly more websites are using the same technology for just regular use.  If you head to the Mozilla web presence, it’s all presented securely for you.  So, what’s the issue?

Check out this story.  Watch the CBC report here.

Increasingly, we’re using social networking sites that do require a logon and a password.  The issue becomes one of security.  Is the connection secure, or is your logon/password combination open to anyone who happens to be listening?  An article that I read yesterday from the Digital Report Card provides a nice summary of some popular services like Facebook, Twitter, Gmail, Hotmail, Yahoo! Mail, etc.  The report card is an eye opener and the descriptions about SSL and hijacking are important reads for anyone who wants to go online and use these services.  You need to open the link above and read the article, focussing on your own online habits.

Thankfully, the online services involved are responding.  Here’s a report on Facebook’s concerns.  The claim of over 500,000 downloads is kind of scary.  Especially, if one of the downloaders enjoys the same coffee as I do.

What can you do about it?  FireShepherd (and a tip of the hat to the humour of programmers) is a utility designed to jam Firesheep with random data to make it useless.  But, a better solution is to be aware of the type of connection that you’re making with these services.  More and more of them are offering secure options which you should always opt for.  To help the cause, the Electronic Frontier Foundation offers its own solution – an add-on called HTTPS Everywhere, which should take the guessing out of the process and force a secure connection when you access the services, thereby protecting your credentials.  There is a startup switch that you can apply to Google Chrome to force https connections as well.  That’s been around for a while.
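To make "be aware of the type of connection" concrete, here is an added example (not from the original post or from the Digital Report Card) that audits a login response for the exposures discussed above. The host names and responses are constructed, and the choice of checks (plain http, cookie `Secure` flag, `Strict-Transport-Security`, password form target) is an assumption about what is worth grading.

```python
import re
from urllib.parse import urljoin, urlparse

def audit_response(url, headers, body):
    """Return findings for one response: URL, (name, value) header pairs, HTML body."""
    findings = []
    https = urlparse(url).scheme == "https"
    if not https:
        findings.append("page served over plain http")
    names = {name.lower() for name, _ in headers}
    if https and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:  # cookie would also travel over http
            findings.append(f"cookie '{cookie}' lacks Secure flag")
    # Only forms that contain a password field matter here.
    for form in re.finditer(r"<form\b([^>]*)>(.*?)</form>", body, re.I | re.S):
        if not re.search(r"type=[\"']?password", form.group(2), re.I):
            continue
        m = re.search(r"action=[\"']?([^\"'\s>]+)", form.group(1), re.I)
        target = urljoin(url, m.group(1) if m else "")
        if urlparse(target).scheme != "https":
            findings.append(f"password form submits to {target}")
    return findings

# Constructed sample responses (not captured from any real service).
FORM = '<form action="/do_login" method="post"><input type="password" name="pw"></form>'
WEAK = ("http://social.example/login",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly")], FORM)
MIXED = ("https://shop.example/login",  # secure login page, leaky session cookie
         [("Set-Cookie", "session=abc123; Path=/")], FORM)
STRONG = ("https://mail.example/login",
          [("Strict-Transport-Security", "max-age=31536000"),
           ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")], FORM)

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("mixed", MIXED), ("strong", STRONG)):
        print(label, audit_response(*sample) or "no findings")
```

The "mixed" case is the one "look for the lock" misses: the login page is secure, but the session cookie can still be sent over an open network on any later http request.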

It’s not just in coffee shops that you should be concerned about these things happening.  How about a school network where you invite guests to attach?  Not necessarily related, but this report from London should give some pause for thought.  Can we ensure that everyone who is attaching to the network is playing nice?  How about a hotel with complimentary internet access?  How about a conference centre like you’d find at an ISTE Conference?

Do we take our online sessions seriously enough?

Stay ahead of the bad guys


It’s a shame but the number of people who would attack your computer and compromise your data is on the rise.  Is it healthy to be paranoid?  After all, what are the chances that someone is going to exploit a weakness in your computer?

It would be difficult to arrive at a figure, but all that it would take is one exploit, and you and your information could be toast.  Or, worse than that, your identity stolen.

How do you stay on top of things?

There’s the common knowledge that you need to patch your operating system, patch all of your applications, run anti-virus, run anti-spyware, …

How do you know where to start?  How do you know if and when your applications need patching or attention?

For me, it’s Secunia, a Danish security firm.  This firm stays on top of rumours, announcements, and does their own research about the status of software packages.  Yes, there are advantages to having automatic updates turned on.  But, do you have them all turned on?  What about software that doesn’t auto-update?  What if your software hasn’t polled to get the latest patch as you download that attachment that arrived by email?  (btw, shame on you…)

Secunia offers an email subscription service.  As soon as they know of it, you will be notified by email.  If you are fascinated by this whole area of computing as am I, check out the Secunia blog.

This will keep you on top of the breaking security stories, and most importantly, keep your computer and your data safe.
