Last week, Mark wrote twice about backing up your Twitter archives (on your own server and using ThinkUp). In the first of these posts he noted ProfHacker’s obsession with backup. Making sure that you have backed up your essential files is an important part of using a computer securely.
Regular backups aren’t the only important measure of computer security that you should consider. We all know that we need to be wary of emails from Nigerian officials, to use anti-virus and anti-malware tools, and to not trust attachments that come on those messages about particular pharmaceutical products. Just as important as these common-sense practices for behaving securely on the Internet is whether we connect to the Internet securely.
If you’re like the rest of the ProfHacker team and occasionally use a coffee shop as workspace (or even your public library), you will likely have had times when you connect your laptop, PDA, or iPod Touch to the public wifi that is offered in these locations. Even if you have a super smartphone, you might sometimes use the wifi since it will be faster than the 3G or 4G connection. Deep down, we probably all know that using public wifi might be risky, but most of us think that the chances of our information being stolen are low.
That might have been the case until October 24. That was the day that the Firesheep extension was released for the Firefox browser.* This simple add-on, which takes all of 15 seconds to install, “allows you to,” in the words of Peter Shankman, “see who’s connecting to various sites that don’t encrypt their HTTP login cookies, like Facebook, Evernote, Yahoo, Amazon, Dropbox, Gowalla, Twitter, WordPress, and others....” (See also this detailed explanation of Firesheep on TechCrunch.) It’s always been possible to spy on people’s activity when they were using public wifi, as this May 2010 article by Cory Bohon (friend of ProfHacker and occasional guest author) points out. But while it’s been possible to spy on others’ activity, Firesheep has made it ridiculously easy to do this. Not only does the add-on allow you to see people’s plain text passwords, but it allows you to log in as this person by simply double-clicking on their information. Again, to quote Shankman, “This isn’t kid stuff. This is REAL, and this is DANGEROUS.”
If deep down you knew that it wasn’t perfectly safe to use public wifi previously, now you must assume that any public wifi is compromised. This last Wednesday, only 3 days after Firesheep was released, a friend of mine had her Facebook and Twitter accounts hacked while in a coffee shop. Racist and otherwise offensive messages were posted on her friends’ Facebook walls and Twitter accounts. As annoying as this is to deal with, it’s better than the damage that could have been done in these circumstances.
There are a number of ways to protect yourself from Firesheep attacks. In the first place, you should recognize that computers that have a wired connection are safe. This means that your office computer is likely protected.
Second, if your campus’s wifi network requires you to log in with a network ID and password before connection, you should be safe as well. The open network for campus guests, on the other hand, is not protected.
The third way to be safe is perhaps the most obvious: do not use any public wifi signal. Connecting to the Internet via a 3G card or a MiFi device will keep you safe. Unfortunately, these services cost $50+/month. If you don’t want to or cannot shell out that money (and let’s remember that most faculty members are graduate students, adjuncts, contingent, or otherwise off the tenure-track), there are a few other solutions.
A fourth method of protection has been reported on by both TechCrunch and ZDNet. Firefox extensions such as HTTPS Everywhere and Force-TLS will improve security on sites that do not default to HTTPS logins by switching to the more secure protocol. But these only work in Firefox. And while Firesheep is a Firefox add-on, it works against any browser. This means that Safari, Chrome, IE, and Opera users are unprotected at the moment.
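To make concrete what “sites that don’t encrypt their HTTP login cookies” means from the site’s side, here is an added example (not from the original post or from any of the tools it mentions): a short Python check that a site operator could run over the headers of a login response. It flags session cookies that a browser would still send over plain HTTP and a missing Strict-Transport-Security header, which is how a site tells browsers to use HTTPS only. The header values are constructed and the function names are hypothetical.

```python
# Added example: header values below are constructed, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_headers(scheme, headers):
    """Return (subject, issue) findings for one HTTP response.

    scheme  -- "http" or "https": how the response was delivered
    headers -- list of (name, value) pairs; repeated names are allowed
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if scheme != "https":
            # The cookie itself crossed the network unencrypted.
            findings.append((cookie, "set-over-http"))
        elif "secure" not in attrs:
            # The browser will attach it to later plain-HTTP requests too.
            findings.append((cookie, "missing-secure"))
    header_names = {name.lower() for name, _ in headers}
    if scheme == "https" and "strict-transport-security" not in header_names:
        # Nothing tells the browser to refuse plain HTTP for this site.
        findings.append(("response", "missing-hsts"))
    return findings


# Constructed login responses: a weak one and a corrected one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=EXAMPLE123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=compact; Path=/; Secure"),
]
FIXED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=EXAMPLE123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_headers("https", resp))
```

A cookie without the Secure attribute rides along on any plain-HTTP request to the same site, so a login page served over HTTPS is not enough on its own.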
Perhaps the best way, then, for ProfHackers to be safe and still work as they like is to make use of their campus’s Virtual Private Network, or VPN. As the crowd puts it on Wikipedia, a VPN “is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization’s network” (my emphasis). Connecting to a VPN does not mean that you can’t access anything besides your university’s website. Instead, it takes advantage of your university’s Internet security to hide the data that you are sending and receiving from others’ eyes--including those who are using Firesheep. A VPN should work independent of which operating system or browser you use. And best of all, it will almost certainly be free!
I cannot speak about every university in the world, but I have had access to a VPN at both those where I have worked. When I have set up my computer to make use of the VPN, it has only taken a few minutes the first time. Subsequent VPN sessions can be started in under 30 seconds. Sure, it’s a hassle to have to take one more step before beginning to use the Internet, but it’s far better than having to apologize to all of your Facebook friends...or try to explain to your bank that you didn’t withdraw all that money.
To find out whether your campus provides access to a VPN and how to go about setting it up on your mobile devices, search for “vpn” or “virtual private network” on the university’s website. If that doesn’t get you the information you need or if it doesn’t make sense, then call someone in your IT department. I’m willing to bet you a latté that they will be more than happy to get you set up. Remember, this is not the time to be too proud to ask for help.
Even once you have a VPN up and running, you still must use common sense when handling sensitive computing tasks in public. The person next to you may no longer be able to Firesheep you, but they could still watch you type in your username and password.
What precautions do you take when computing in the wild?
*It’s worth mentioning that Eric Butler, the author of Firesheep, writes that he built it not to enable attacks so much as to demonstrate forcefully that “[HTTP session jacking] is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.”
[Lead image by Flickr user lizjones112 / Creative Commons licensed]