Thursday, October 28, 2010

Princeton's WiFi Perfect for Facebook Hacking

By Tim Koby '11

Wireless networking at Princeton was never that great to begin with. Slow speeds, dropped connections, and weak signals have kept me tied to my Ethernet cord in my dorm. But what if you are in class and receive a really important email? Or want to check your Facebook in the moments before class begins? It may come as a shock to some people, but you’re exposing your login sessions to everyone in the room.

What does this mean exactly? No, they don’t get your password and can’t log in after you log out. But while you’re logged in, anyone on the same network can steal your “cookie,” a piece of information that flies unencrypted over our networks and lets sites know that you’ve already logged in. Once the hacker has that, they have full access to your account.

But isn’t Facebook secure? Gmail? Blackboard? Yes and no. They encrypt your login information, but once you log in, the content is delivered without encryption. So while people can’t directly get your password, access is just a click away.

This has always been a problem with the networks. The problem has become especially relevant after the release of a Firefox extension, Firesheep, which requires no technical knowledge of Internet security. Just press start and wait for someone to log in. In seconds, you can be reading the love letter that the guy on the other side of the room just got from his girlfriend.

Of course, use of this program is against the code of conduct for our Internet use at the university, so no one should be using it. However, we know that this doesn’t stop all illicit activity, and since this snooping is pretty much untraceable, it’s not a stretch to assume it will be used.

To protect yourself, the easiest way is to plug into Ethernet when possible. This is an almost completely secure way of accessing these sites. But when wireless is necessary, you’re pretty much out of luck until either a) websites start encrypting their cookies and content in addition to logins or b) OIT secures our network. In my humble opinion, we shouldn’t wait for all websites to do this. OIT can make our network much more secure by establishing an 802.1X server to let us log into the wireless network with our netID and password. This is a mild inconvenience, but worth it for the security it gives us.
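The gap described above (login over HTTPS, then cookies and content over plain HTTP) can be checked from a site's own response headers. The following is an added example, not code from the original post; the hostname, cookie names and response set are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: responses a site might send during and after login.
# The hostname and cookie names are made up for illustration.
SAMPLE_FLOW = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=77aa; Path=/; Secure; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", [
        ("Set-Cookie", "prefs=lang-en; Path=/"),
    ]),
]

def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """List the ways this flow leaves cookies readable by anyone on the same network."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        for header, value in headers:
            h = header.lower()
            if h == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if scheme == "http":
                    # The cookie itself crossed the network unencrypted.
                    findings.append((name, "set over plain HTTP"))
                elif "secure" not in attrs:
                    # Set safely, but the browser will attach it to http:// requests.
                    findings.append((name, "no Secure attribute"))
            elif h == "location" and scheme == "https" and value.lower().startswith("http://"):
                # Encrypted login page hands the user back to an unencrypted page.
                findings.append((value, "HTTPS page redirects to plain HTTP"))
    return findings

if __name__ == "__main__":
    for item, problem in audit_flow(SAMPLE_FLOW):
        print(f"{item}: {problem}")
```

A site that has closed this gap returns an empty list: every cookie carries `Secure` and no HTTPS response points back to an `http://` URL.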

7 comments:

Anonymous said...

Does using a VPN impede it at all?

Anonymous said...

It is irresponsible and ignorant for the article author to claim that "To protect yourself, the easiest way is to plug into Ethernet when possible. This is an almost completely secure way of accessing these sites."

If you are connected via wired connection (Ethernet), Firesheep has a setting to let you listen over that network instead of over wireless, and you can see exactly the same types of cookies for other users who are connected to the same wired subnet.

The problem isn't inherent to the Princeton wireless network. The problem is with the way that sites like Facebook, etc. deliver content without https encryption. With sites like Facebook, even if you manually try to use https, clicking around the site takes you right back to http.

Yes, logging into VPN would prevent others from hijacking your cookies. Perhaps OIT should start a public information campaign to promote use of VPN on-campus, as well as off-campus. http://kb.princeton.edu/6023

Anonymous said...

VPN? Yes and no. What you really want is end-to-end encryption. Install HTTPS Everywhere for Firefox and relax.

Anonymous said...

This is frightening. What else can they hack into? Email?

Anonymous said...

erm, Gmail uses https always...

Anonymous said...

"you can see exactly the same types of cookies for other users who are connected to the same wired subnet"

This is just not true if you're connected to a switched network, which most (if not all) of the Princeton Ethernet network is, now that the old Butler College has been demolished.

Other than network administrators, nobody who's not connected to the very same wallbox (with a hub) will be able to see any of your communications with Facebook. Unicast IP traffic to/from the Internet is not seen by any other wallboxes on campus.

Anonymous said...

"erm, Gmail uses https always..."

Not by default, but you can force it to by using the Firefox extension HTTPS Everywhere, like the other poster said.