The New York Times has published an article discussing the very issues this website is dedicated to raising awareness of, including hack attacks, encryption, public wifi threats, identity theft, and other similar worries about our online safety and privacy.
The article even explores the controversy surrounding Firesheep and low-tech hackers, noting the following about this data threat:
“You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.”
Indeed, as we’ve noted in the past, Firesheep is controversial because even novice hackers without any special skills (you, your grandmother, your ten-year-old nephew) can spy on anyone’s Internet activity in a wifi hotspot.
That means your activities on sites lacking proper encryption are at risk: the web browser’s cookie, a small code that identifies your computer, travels in the open, so Firesheep users can see the cookie and gain access to your site and accounts.
We’ve even published several ideas for downloads to secure yourself against such low-tech hackers who choose to spy via Firesheep.
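To make the cookie risk concrete, here is an added example (written for this page, not taken from the NYT article or from Firesheep) that replays a browsing session through a minimal cookie jar and reports which cookies would cross the network unencrypted. The host shop.example, the cookie names and values, and the function names are all constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Return (cookie name, has_secure_flag) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, "secure" in attrs

def cleartext_cookies(exchanges):
    """Replay (url, [Set-Cookie values]) pairs for a single host.

    Returns {url: sorted cookie names} for every plain-HTTP exchange in
    which a cookie is visible to anyone listening on the same network.
    """
    jar = {}       # cookie name -> Secure flag, as a browser would store it
    exposed = {}
    for url, set_cookies in exchanges:
        scheme = urlsplit(url).scheme
        visible = set()
        if scheme == "http":
            # The browser attaches every non-Secure cookie to this request.
            visible = {n for n, secure in jar.items() if not secure}
        for raw in set_cookies:
            name, secure = parse_set_cookie(raw)
            if secure and scheme != "https":
                continue  # browsers ignore Secure cookies set over plain HTTP
            jar[name] = secure
            if scheme == "http":
                visible.add(name)  # the response header itself is readable
        if visible:
            exposed[url] = sorted(visible)
    return exposed

# Constructed sessions: the login is encrypted, a later page is not.
WEAK = [
    ("https://shop.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("http://shop.example/cart", []),
]
HARDENED = [
    ("https://shop.example/login", ["session=abc123; Path=/; HttpOnly; Secure"]),
    ("http://shop.example/cart", ["prefs=dark; Path=/"]),
]

if __name__ == "__main__":
    print("weak:    ", cleartext_cookies(WEAK))
    print("hardened:", cleartext_cookies(HARDENED))
```

In the weak session the login cookie rides along on the unencrypted cart request; with the Secure attribute set, only the harmless preference cookie is ever visible.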
A Shared Mindset
The NYT article highlights additional points that are aligned with our own philosophy and outlook on computer privacy. Here are four key examples of our shared mindset:
1. In the last few months, both Gmail and Facebook have enhanced user security by adding more security layers. Gmail made end-to-end encryption its default mode and Facebook gave users an opt-in security feature, though it still does not work with many third-party “apps” that are used by millions on Facebook. The NYT quotes the creator behind Firesheep, Eric Butler, who questions Facebook’s decision to add the “s” for security in HTTP. As Butler says, “most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.” The article also quotes Joe Sullivan, chief security officer at Facebook, who said the company is working to address problems with third-party applications and its plans to make HTTPS the default setting.
2. Not all websites have the ability to create a more secure HTTPS version for user safety. The NYT quotes Bill Pennington, chief strategy officer with WhiteHat Security, who offers online consumer privacy advice: “I tell people that if you’re doing things with sensitive data, don’t do it at a wifi hot spot. Do it at home.” Pennington is not affiliated with our website but clearly shares our sentiments and concerns, as this is exactly the advice we give.
3. Home wireless networks may not be all that safe either. The NYT says “because of free and widely available wifi cracking programs [which fake] legitimate user activity to collect a series of so-called weak keys or clues to the password,” even “techno-ignoramuses” can recover a wireless router’s password in a matter of seconds. In our recent article, entitled “Study Finds Wireless Networks Are Wide Open to Hackers,” we urged people to take some of the following security steps:
- Change the default wireless network name and administrative password. Network devices generally come with default names and passwords which are easy for hackers to find online.
- Make sure your firewall is turned on and your antivirus software is up to date. It can reduce the damage hackers can inflict if they try to access your network.
- Only allow authorized users to access your network. Restrict access by filtering MAC (Media Access Control) addresses. This will discourage accidental connections from neighbors, but not serious attacks by sophisticated hackers.
- Turn off wireless connectivity when you’re not using it.
4. The best defense is a virtual private network. For a more secure computer experience, use a virtual private network — exactly the service provided by PRIVATE WiFi™ — since a VPN encrypts all communication transmitted wirelessly at home or out in public hotspots. As the NYT article states, “setting up a virtual private network, or VPN, which encrypts all communications you transmit wirelessly whether on your home network or at a hotspot, is even more secure. The data looks like gibberish to a snooper as it travels from your computer to a secure server before it is blasted onto the Internet.”
We’re Just Getting Started
We applaud the New York Times for bringing this issue to light. There is still much work to be done, however, as the problem is multi-pronged:
- First, consumers are still largely unaware of their basic security risks in wifi hotspots, hotel rooms, even their own home sweet home. No one thinks they will be a victim of identity theft or a data breach, and sadly, most people won’t notice for months, if not years, that their accounts have been compromised or their identities stolen.
- Second, many websites are simply not capable of redesigning their entire site to a more secure level of encryption, but as many people are not actively demanding an upgrade to HTTPS, there is not much incentive for companies to invest in better security.
- Third, fourth, fifth, well, there are so many other interconnected issues at play – we’ve literally only scratched the surface. From proposed government rules about privacy to gaining a better personal sense of privacy control, online security, especially at wifi hotspots, is an issue that will grow exponentially in the United States and globally. Five, ten, fifteen years from now, will we look back and wonder how naïve we were? Sure, free wifi is absolutely alluring when waiting to board your plane or when working at Starbucks. But until more people wake up to the inherent risks of “being naked” in hotspots, the risk/benefit ratio is clearly favoring the cybercriminal.
You’ve been warned, now what will you do next?