Wi-Fi networks less private than ever

When you use a wireless network - or even many wired ones - your communications are sent to every other computer on the network, said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, a nonprofit group that defends civil rights in the digital world.

For years, there have been readily available programs known as "packet sniffers" that intercept those communications. Schoen said he's given demonstrations where he's shown intercepted e-mail and instant messages as well as Google search terms. Until recently, it required a little bit of Internet know-how.

But now a programmer has released a browser modification called Firesheep that makes spying on certain information much, much easier - causing quite a stir in the computer world.

Some sites such as Facebook encrypt your information when you're entering your password to log on - denoted by the padlock at the bottom of the browser. But afterward, it saves a credential on your computer that indicates you're currently logged on and reverts to its unencrypted version.

A nefarious user could then intercept and copy that credential into another browser to impersonate you on that site, Schoen said.

Some sites, such as Amazon, encrypt payment and shipping steps, but not clicks through pages of books or other products. Financial sites usually encrypt your entire session, he said.

Schoen said he believes many popular sites such as Twitter also should be encrypted. "Other things that people do online are also very sensitive and private, and can and ought to be protected in the same way," Schoen said.

Encrypted sites are denoted by the "https" in the URL line of your Web browser. To protect yourself, you could bookmark https links to your favorite websites on your computer and smart phone.

If you use the Firefox browser, you could also install the "HTTPS Everywhere" extension developed by the Electronic Frontier Foundation and the Tor Project, dedicated to improving Web privacy. That automatically directs you to the encrypted version of every site that offers one.

But there are limitations. It doesn't block sites that don't support encryption, but it does disable functions such as Facebook Chat and Google Instant search findings.

Even some areas of sites that support encryption may be vulnerable, he said, but he believes the situation will improve in the long term. "Some of these sites have more engineering work that they have to do in order to protect users," Schoen said.

Mike O'Leary, director of the Center for Applied Information Technology at Towson University, also said consumers should be wary of free Wi-Fi hotspots they don't have a reason to trust.

Those who use Wi-Fi may have noticed at times a network called "Free Public WiFi." This isn't actually a network at all, O'Leary warned. When a computer running Windows XP that hasn't had certain upgrades can't find a Wi-Fi network, it offers itself up. It wouldn't give you Internet access, but it could give another user access to your computer.

"If an evildoer wanted to get access to your credentials, an incredibly easy way is for them to put an access point somewhere," O'Leary said.

As this operating system is phased out, consumers will likely see this glitch less and less frequently, he said. But criminals may try to set up rogue access points.

"Regardless of how you're connecting to the Internet, you have to trust all of the intermediary nodes along that path," O'Leary said. "You're placing trust in these organizations."

(c) 2010, The Baltimore Sun.
Distributed by McClatchy-Tribune Information Services.