Millions of Facebook and Twitter accounts at risk because of new freely-available hac

[nat965]

MILLIONS of Facebook and Twitter users risk having private accounts hacked into after the release of an insidious new computer program.

Strangers can now use ``Firesheep'' freely available on the internet to access the private accounts of anyone using unsecured wireless networks like those at hotels, cafes and libraries.

The alarming development means online hacking of private information is no longer the domain of computer experts... at the click of a button, anyone with a grudge or malicious intent could do it.

The Sunday Mail tested Firesheep last week and within 20 minutes had accessed 15 Facebook accounts and a Hotmail email account.

The first they knew that their private Facebook, Twitter and Hotmail accounts had been hacked was a tap on the shoulder.

``Oh my God,'' said Austrian backpacker Carina Schmeissl, when approached by The Sunday Mail in Brisbane's Fortitude Valley mall last week.

Start of sidebar. Skip to end of sidebar.

End of sidebar. Return to start of sidebar.

``It's awful. I am shocked that is really scary.''

An insidious new computer program freely available on the internet is putting millions of users of social networking sites such as Facebook at risk.

At the click of a button, ``Firesheep'' can access the personal accounts of anyone using an unsecured wireless network like those available at hotels, cafes or libraries.

For the first time, online hacking is no longer the domain of computer experts now anyone with a grudge or malicious intent can target account holders.

The Sunday Mail downloaded Firesheep last week and tested it in public areas where nearby computer users had no idea that their security had been breached.

Within 20 minutes at the State Library of Queensland our computer had access to the Facebook accounts of 15 people plus a Hotmail email account. Unsuspecting student Anna Westrin was stunned when showed how easy it was to access her profile.

``I think it's really scary that it's so easy, especially if you can just press one button,'' the 23-year-old student said.

``I wouldn't believe it if I hadn't seen it for myself. I'll definitely be a lot more cautious from now on.''

Ms Schmeissl and her Austrian backpacker friend Melanie Mayr were using the free wireless internet at a McDonald's outlet in Fortitude Valley, when we showed them how easy it was to hack into their Facebook accounts.

Firesheep, available as a free add-on to the popular internet browser Firefox, can break into 26 major websites, including Facebook, Twitter, Yahoo, Hotmail (Windows Live) and Amazon.com.

More than 200,000 people downloaded it in the first three days after its release. The online program is outside the reach of legal authorities, but Detective Superintendent Brian Hay from Queensland's Fraud and Corporate Crime Group said anyone using Firesheep could be committing an offence.

He acknowledged the program meant computer crime had entered a whole new era.

``What was once the domain of people who were highly skilled on computers is now available to anyone through the click of a button,'' Supt Hay said.

``If someone has a nefarious intent, the opportunity they have to harvest vast quantities of personal information is there and the more information we put out there the more insecure we're going to be.

``If you use unsecure wi-fi you have to go in with the mindset thatensomeone is accessing your computer at all times.''

Firesheep will also be of great concern to the increasing number of businesses using Facebook and Twitter accounts.

Malicious messages from their sites by hackers could expose businesses to lawsuits from customers or suppliers.

A Facebook spokeswoman said the social network was ``hoping'' to provide protection against such attacks ``in the coming months''.

``Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network,'' she said.

Seattle-based software developer Eric Butler said he released Firesheep to show the dangers of using public wi-fi networks which do not have password protection.

Mr Butler said websites had ignored their responsibility to protect users for too long.

``The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data,'' Mr Butler wrote on his blog.

A Microsoft spokeswoman said all Hotmail accounts would soon be protected against Firesheep attacks by full-session SSL encryption.

Mozilla, which controls the Firefox browser, said it would not block the add-on from being used.

``(Firesheep) demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers,'' Mike Beltzner, director of Firefox, told computerworld.com.

Backpacker Emma Lambeth, who was using the public wi-fi while on holidays, said she could have been emailing bank details or any personal information.

``You don't know what people could have looked at. They (websites) need to do something about this.''
What you need to know


How does Firesheep work?



If you're using an unsecured wireless network to surf the internet, anyone can use Firesheep to intercept the communication between your computer and a website and then log in to your account.

Are all websites vulnerable?



Firesheep only attacks 26 major websites, but this list includes Facebook, Twitter, Yahoo, Flickr, Windows Live, Amazon.com and Twitter.

How do you stop this?



If major websites, like Facebook and Twitter, adopt end-to-end encryption so that cookies and not just usernames and passwords are protected the problem would be solved

OK, but what can I do?



Several things. Avoid public Wi-Fi networks but if you cant do that subscribe to a virtual private network (VPN) which will encrypt all traffic between your computer and the internet or download the HTTPS-Everywhere add-on for Firefox. This tool encrypts communication between your computer and a number of major websites, including Facebook and Twitter.

I want to learn more
Watch this video by the man who created Firesheep

Source: http://www.couriermail.com.au/news/s...-1225945598929

[Chippiewill]

I was listening to one of my podcasts covering this today, he made some interesting points and as to why it's actually a good thing that this has happened.
http://twit.tv/sn272

He also has one episode specifically on how session hijacking works so I'll probably go look for that now..

Edit: Found it:
http://twit.tv/sn217