
Open Wi-Fi users beware: Sidejacking is rampant

Reported by Colin Hackman

WILMINGTON, NC (WECT) - A few minutes ago both Steve Kavcak and Mackenzie Cope were at coffee shops, enjoying some fresh brew and the use of the free wireless internet. That is - until I walked in.

To understand how a reporter armed with nothing more than an iPhone can shake an adult to the core, you have to understand something about people.  People like to feel safe.  They don't much like surprises.   So when I first met Mackenzie Cope, and surprised her by taking away her illusion of safety- well – she was shocked to say the least.


"When I came in and showed you your email address on my cell phone how did that make you feel?" I asked.
"I was stunned. I was stunned," said Cope, a recent graduate from UNCW.
"What went through your mind?"
"How does this guy know me?  That's scary - really scary."

A recent New York Times article had the first mention of a word I had never heard before: sidejacking. Unlike traditional hacking, where someone would have to gain access to your computer, sidejacking software allows people to steal your information out of thin air, directly off of open wifi networks. The article explained how airports, coffee shops, libraries - any place where you can log on without a password - are a breeding ground for stealing personal passwords and logons. The most recent twist of this application actually shows you the pages people are logging on to in a wifi environment in real time. This gives someone with limited computer knowledge the ability to log on to people's emails, Facebook accounts, Twitter pages and anything else that isn't encrypted.

"From a crook's perspective how easy is this?" I asked Brian Tucker, an expert in internet security.
"Very easy," he said, "With some of the tools we used I didn't necessarily realize how easy it was until we actually went and used them."

Tucker is the President of Impact Media, a computer company that provides security and web solutions for customers. Until six months ago he had never heard the term sidejacking - now more than a million people have downloaded one of the most popular sidejacking tools. That means that hackers are no longer anonymous crooks in a faraway place. They could be sitting right next to you - sipping coffee. Or sitting just outside. Such was the case in an experiment we set up with Tucker and the New Hanover County Sheriff's Office.

I wanted to find out why millions have downloaded this software, and what kind of information we could find - the sheriff's office was there to make sure we didn't inadvertently break any laws. It's a misdemeanor if you access a password protected page without permission and a felony if you do more than $1000 in damage.

On several trips to area wifi hotspots we were able to easily log on and within minutes begin capturing sensitive information.

"If we were to ignore it, it doesn't stop it from happening," said Steven Schnitzler - the CEO of Port City Java, "Any steps that we can take to help folks be safe when they are surfing the web in public and using our servers is a step in the right direction."

Port City Java owns one of the hot spots we visited. Schnitzler was happy to let us see what we could find, even logging on to his own Facebook page on their public wifi.

"This can be a step towards doing this in a safer way," he commented, "As people get more sophisticated, as hackers get more sophisticated, criminals do, people need to take as many steps as they can to protect themselves and their information at home, out on a public wifi, anywhere. Be careful with your information because there are folks all over the place will take advantage of having that access."

While we didn't access his account  - we found plenty of others.  Once we discovered the folks online, I asked them to come outside so with their permission, we could show them what we found.

"Let's see what ya dig up," said an anxious Kavack who was using the wifi network at a local coffee shop.
"That's interesting," he said as we logged in to his Facebook account, using his password.
"It's interesting?" I asked.
"It's more than interesting. You got into my Facebook account, being a stranger."
"We are logged on as you, right now."
"That's wild."
"How does this make you feel?"
"I don't like it. I thought passwords were secure."

That's the illusion.   Programs like Facebook and web based email accounts ask for a password once, but then store that password as a cookie.  That way after you have logged in the first time you don't have to keep logging in to navigate around.  Your stored password is how you are exposed to sidejacking.

 The software allows crooks to use your stored password and log into your account as you.
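Whether a site leaves that stored login cookie readable on open Wi-Fi can be checked from its own response headers. The following is an added example, not part of the original report: the cookie names and header values are constructed, and it assumes the `Set-Cookie` headers have already been collected from a site you operate.

```python
# Added example: audit Set-Cookie headers for login cookies that would travel
# unencrypted on an open network. All header values below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes-dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_response(set_cookie_headers, hsts_header=None):
    """Return {cookie_name: [findings]} for cookies exposed to eavesdropping."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to plain
            # http:// requests, which anyone on the same open network can read.
            issues.append("no Secure flag: sent over unencrypted HTTP")
            if hsts_header is None:
                # Strict-Transport-Security would keep the browser on HTTPS.
                issues.append("no HSTS: browser may still use http://")
        if issues:
            findings[name] = issues
    return findings


# Constructed responses: a site that only encrypts the login form versus one
# that keeps the whole session on HTTPS.
WEAK = ["session_id=7f3a9c; Path=/", "lang=en; Path=/; HttpOnly"]
HARDENED = ["session_id=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, cookies, hsts in (("weak", WEAK, None),
                                 ("hardened", HARDENED, "max-age=31536000")):
        print(label, audit_response(cookies, hsts))
```
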

"The front door was locked but the windows were left wide open," says Tucker, "Ignorance is bliss. Most people have no idea the perils of what lies before them on the Internet. You surf at your own risk."

"Very surprising," said Kavack.
"We're logged on as you," I reminded him, "What could we do?"
"You could create all kinds of havoc in my name."

Indeed we could. We could post pictures, write emails, even ask relatives for money. The possibilities are endless. But it isn't just email and social networks. We saw blogs, Twitter accounts and web page editors too. It was a creeper's paradise.

So how does one protect themselves?

"When you are sending things wirelessly out from your smart phone or your computer you are essentially broadcasting that information," said Schnitzler.

That means when on an open wifi DO NOT broadcast anything that you wouldn't want the rest of the world to know.  Like your email or Facebook login.

"Would you go on an open wifi network, just to check your Facebook page?" I asked Brian Tucker.
"Doubtful," he replied.

Tucker says the only way to be sure you aren't getting jacked is to not use an open wifi. But if you must, use a VPN, or Virtual Private Network, which creates a crook-proof tunnel where information can be transmitted that crooks can't see.

"I think people will be amazed how easy people get in there," remarked Kavack.

 Copyright 2011 WECT.  All rights reserved.



