Firesheep's Real Lesson: Take Wi-Fi Security Seriously

Summary: Firesheep has people in a panic because it makes it easy to grab useful information when you're using public Wi-Fi. Big deal. You could always do that. The real worry is that businesses' Wi-Fi networks were, and are, often just as vulnerable.


From all the yammering, you'd actually think there was something new about Firesheep, the Firefox extension that lets you grab login IDs, passwords, and other important information. What a joke. I, and any hacker or network administrator worth his salt, have been able to do this kind of stuff for years.

The only thing "new" about Firesheep is how easy it makes it to do. I'm unimpressed. Anyone who was serious about grabbing your personal information has already been doing it for years. Trust me, if someone really wanted your data and you've been using open Wi-Fi networks, they've already grabbed it.

No, the real worry isn't about some jerk grabbing your Twitter password in a coffee house. The real worry has always been that your office Wi-Fi is easy to compromise and then someone can use a packet-sniffer to get something that really matters like your Accounts Payable password.

As an experiment I recently sat outside an office building and started scanning for Wi-Fi Access Points (AP). It took me an hour to find about 40 APs and "break" into 28 of them. Was I able to do this because I'm some kind of expert cracker? Hardly. At best, I'm a good network administrator but a mediocre cracker.

No, the real reason I was able to be so successful with minimal effort is that many network administrators don't have the first clue on how to secure a wireless network. Five APs didn't have any security. Three of those used the default passwords for their wireless routers and APs.

Another ten were using, I kid you not, Wi-Fi Wired Equivalent Privacy (WEP). WEP has been broken for almost a decade. More amazing still, people still recommend its use! Consumer Reports, as recently as 2009, recommended using WEP.

Another dozen used WPA (Wi-Fi Protected Access), with the built-in Temporal Key Integrity Protocol (TKIP) security protocol. There, I used a rainbow table, a list of the most common WPA passwords, to pop open APs almost as quickly as I could open up a coke bottle. I also managed to pry open a pair of routers using WPA2 (Wi-Fi Protected Access 2) with TKIP using a rainbow table.

If you really want to secure a Wi-Fi network in 2010 you must use WPA2 with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), aka Advanced Encryption Standard (AES). If you don't, trust me, if someone really wanted your important information out of your business network they've already got it, and they didn't need a baby cracker tool like Firesheep to do it.
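An added example, not part of the original article: a small audit that grades your own access points against the WPA2 + CCMP baseline above, using the tiers the article describes (no security, WEP, WPA, WPA2 with TKIP). The scan text is a constructed sample whose layout is modelled on `iw dev <iface> scan` output (an assumption), and `grade` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample, trimmed to the fields read below; the layout is modelled
# on `iw dev <iface> scan` output and is an assumption, not captured data.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS (0x0001)
    SSID: lobby-guest
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: warehouse
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: sales
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
BSS 02:00:00:00:00:04(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: finance
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:05(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: engineering
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
"""

def grade(block):
    """Return (ssid, verdict) for one BSS block; only CCMP-ONLY passes."""
    ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
    privacy = re.search(r"^\s*capability:.*\bPrivacy\b", block, re.M)
    # Map each "WPA"/"RSN" element to the pairwise ciphers it offers.
    ies = {m.group(1): set(m.group(2).split()) for m in re.finditer(
        r"^\s*(WPA|RSN):.*?Pairwise ciphers: ([^\n]+)", block, re.M | re.S)}
    if not ies:  # no WPA/RSN element: the Privacy bit alone means WEP
        verdict = "WEP" if privacy else "OPEN"
    elif "WPA" in ies:  # original WPA element still advertised
        verdict = "WPA1"
    elif "TKIP" in ies["RSN"]:  # WPA2, but TKIP is still accepted
        verdict = "WPA2+TKIP"
    else:
        verdict = "CCMP-ONLY"
    return (ssid.group(1) if ssid else "", verdict)

def audit(scan_text):
    """Split the scan into per-AP blocks and grade each one."""
    blocks = re.split(r"^(?=BSS )", scan_text, flags=re.M)
    return [grade(b) for b in blocks if b.startswith("BSS ")]
```

Calling `audit(SAMPLE_SCAN)` returns one `(ssid, verdict)` pair per access point; anything other than `CCMP-ONLY` falls short of the baseline.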

So, I guess, in a way I should thank Firesheep. Maybe it will finally make it clear to the vast majority of people that network security is important.

What am I saying? Most people, even many network administrators, never learn these lessons. Still, maybe a few people will start taking security seriously. I live in hope.

  • yea, switched to AES years ago.

    Just use the security auditor toolkit iso to discover if your network is easily compromised.
  • Twitter password is probably same as bank...

    People use the same password for FAR too many services. And I doubt this will change many habits.

    There are options for people to use WiFi more securely but most are over the technical abilities of the majority of users.

    I'm working with a company that's built a beta version of a Firefox plug-in and it provides secure SSL encryption on any connection and is literally just plug and play, instant protection. It also hides your ip address and will let you create temporary anonymous email accounts to protect you from spam.

    It's free while in beta, so please check it out and share your feedback, we'd love to know what you think. Thanks! David
    • Cocoon can look at your private data

      @Davidkris2 I think it's only fair to point out that while your data is encrypted on Cocoon's servers and not available to the internet at large, Cocoon does have the encryption keys, not you. Their terms of service make it clear they will decode your database for debug issues (at least during the beta period), as well as to respond to any legal request by a court. I have no reason to believe that they would casually look at your data, but I would prefer a system where all encryption is done on your local machine using keys only you have access to.
  • Not just Wifi security... but online security practices by everyone

    One of the reasons people don't practice good online security is because people don't think they're going to be targeted. "I only have $200 in the bank - why would someone want to get my banking credentials?". That ignorance was just backed up and affirmed by this article: "No, the real worry isn't about some jerk grabbing your Twitter password in a coffee house."

    Absolutely, that's a real worry (granted, not the only one). People get paid by crime syndicates, albeit nickels and dimes, for each and every legitimate account user/pw compromise they can deliver. Sit in an airport, and sniff a few hundred facebook/twitter/yahoo/hotmail/gmail/etc accounts in an hour or so, and you just made a quick hundred bucks.

    There are over 1.5M compromised facebook accounts available for purchase right now if you know the right IRC channels to look in. $25 gets you a group of 100 accounts. $40 gets you a group of 100 accounts that are "guaranteed" to be active (although, good luck getting your money back).

    Associate those newly-compromised fb/twt/yh/hm/gm accounts with a bank account (as Davidkris2 pointed out, the majority of people use the same password), and your hundred bucks just turned into a cool thousand.

    So, yes, this sniffing capability has been around forever... it's been exploited forever... and it's nothing new. But, giving out this tool to the masses just guaranteed that the number of compromised accounts is going to go up exponentially. No matter how secure that "free airport wireless" actually is.

    I agree with you that I hope this firesheep wakes up SysAds to the need for better security... but I also hope it wakes up Joe Q. Public to the fact that they're "running around online, buck naked, with their account numbers and pin numbers tattooed all over their body, for the whole world to see".
  • @Steven J.

    out of curiosity, what toolset did you use to crack the 28 networks?
    • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

      @SonofaSailor Several, and after that, let me just say that if you know how to use WireShark and AirPcap there's not a lot you can't track on a network. But those are stories for another day.
  • Get Windows 7!

    Problem Solved!
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    Man, do you guys ever need an editor to review your blogs before they are posted! Sheesh...
    • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

      @GVC2031 Welcome to blogs. We don't have editors. Trust me. I wish we did.
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    in our neighborhood, I ASSUME that some of the kids are hacking wi-fi and secure accordingly
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    I agree with GVC...
    He can hack but he can't intelligible English.
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    The Consumer Reports story was updated just 5 days following the original posting regarding the use of WEP and changed that to WPA... It would be wise to at least read the ENTIRE story before pointing out a bad recommendation.

    Regardless, I use various methods to prevent outside access and sniffing including, as mentioned, using AES encryption.

    My WiFi/router security practices include WPA2/AES encryption, not broadcasting my SSID, using a non default channel number, use MAC filtering, and reduce transmit power (most routers have this option) to reduce distance of the signal, and obviously do not use the default settings including passwords. I have other tricks I use as well that are more advanced concepts. Skepticism has been the best security of all for me.
    • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

      @ryanstrassburg you don't need to do all of that, first of all if someone is hacking into your wifi network they are probably using backtrack or a similar linux distro. changing one's MAC address is elementary. the best thing you can do is of course keep the wpa2 and set a STRONG atypical password, a combination of things or atypical names and numbers and characters, that way no dictionary has it. the next thing you can do is change your subnet mask so that it allows for only 2 ip addresses (you and your gateway, this is assuming you only need one on your wifi network) and lastly turn off your dhcp. also since sniffing requires arp poisoning put static entries into your arp table for your gateway (router), that way the hacker can't do a mitm on you.
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    My action has been to rely on a wired network around the house. I think that the trade off between convenience and safety has been lost to many. Why engage in a never ending war with potential hackers when you could just operate off-air in absolute safety apart from a major league operation on your house or office.

    If my employment was enhanced by the importance of keeping a secure system would I suggest a Luddite solution!? I doubt it.
    • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously



      Not only does it sidestep the Wifi packets being sent hither and yon, it also sidesteps the "everyone and their brother having a Wifi AP" interference issues. Multiple radio sources (digital or otherwise) WILL step on each other when in close proximity, and there's not that many channel frequencies you can choose from.

      That, and I swore off Facebook months ago. I don't care if FB starts using HTTPS, I don't trust Zuckerberg with my info in the first place, he's just going to give it to Zynga anyhow.
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    I sold security assessments briefly. I would pick up the customer in a cab, have them buy a random laptop with a wireless network adapter, then cruise around looking for open networks at random.

    My last stop would be their business. After discovering multiple insecure routes into their business, the customer's response was invariably "I'll have my guys look at it" (rather than commit to a security assessment by an outside company).

    Pointing out "your guys were the cause of the problem, is it realistic to assume that they are going to be the cause of the solution?" got me dirty looks.

    Asking them to allow an outside company to do an assessment, so "their guys could focus their efforts" got me no traction.

    I'd love to think that it was my style alone that caused me to not close sales... but unfortunately I truly believe that it's apathy.

    One of the clients was a bank where I had an account. After the customer didn't commit to an audit, I walked into a branch with the customer and closed my account. After that (oddly enough), they signed.
    Marc Jellinek
    • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

      @Marc Jellinek I've found that most insecure networks are not insecure because the in-house talent can't or won't secure them, it's because the management won't let them.
      • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

        @jred I've found that most insecure networks are not secure because someone hid a consumer-grade wireless access point in a closet, under their desk or in the ceiling somewhere, and forgot about it.

        Another favorite is someone turning on Internet Connection Sharing. They'll have a secure wired connection to their corporate LAN, then share it out via their laptop's wireless network adapter.
        Marc Jellinek
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    He probably used the aircrack-ng toolkit. It is easy to use, widely available, and any schoolkid with their head on straight could break into 70% of networks with it, just like he did.
  • RE: Firesheep's Real Lesson: Take Wi-Fi Security Seriously

    Oh, and if you want to know how to make it run, I recommend using Puppy Linux 4.3.1 with the developer tools added in to compile it, along with iw and nl available as .PET files (self-installing in Puppy)

    Then /usr/local/sbin/airmon-ng start wlan0
    and /usr/local/sbin/airodump-ng mon0
    will get you headed in the right direction.