On U of C network, accounts vulnerable to Firesheep hack

A Firefox plug-in allows users to access and modify Facebook, Twitter, and other websites with a Firefox plug-in called Firesheep.

Photo: Maroon Staff/The Chicago Maroon
Using the Firesheep plug-in on campus allowed access to dozens of student Facebook accounts on the University network.

User accounts on Facebook, Twitter, and some other websites are vulnerable to hacking on the University network with a Firefox plug-in called Firesheep.

Firesheep allows a user to access and modify the accounts of other users on their WiFi network. It works through long-standing vulnerabilities in the websites themselves; sites that use a secure encryption, like Gmail, Bank of America, Cmail, Cmore, and Chalk, cannot be viewed by Firesheep.

Under the Illinois Computer Crime Prevention Law, which forbids unauthorized tampering with another person’s computer, editing another person’s account through Firesheep is illegal.

This reporter tested the two-week old plug-in to see how it worked on the University of Chicago’s wireless network. In a large lecture class in Kent, three Facebook and two Twitter accounts were accessible almost instantly through the application.

Other tests, performed in Hutch at lunchtime, at the Regenstein in the afternoon, in Stuart during the evening, and on the A-Level late at night, revealed more accounts. This reporter viewed 60 accounts over the testing period.

The University’s wireless network is divided among multiple routers around campus, and one can only access computers connected to the same router. For example, using Firesheep in Hutch showed only the account information of users in and around Hutch.

University’s IT Services (formerly NSIT) has no immediate plans to secure the wireless network, though the application attacks vulnerabilities in websites. It is aware of Firesheep and will be updating the “Safe Computing” page on the IT Services site, according to Tom Bardon, senior director for Architecture, Integration & CISO.

“You have to be smart and know where you are in your surrounding, just like the way you are used to behaving in the physical world,” Barton said.
IT Services will update its encryption standards in February, which will block Firesheep. “We’re going to be ready for deployment of a 802.1x IEEE, which will encrypt everything you do while connected to that,” Barton said.

He also recommended using some of the University’s tools to protect personal computers. “In the immediate term I would tell someone who is especially concerned that you can use our VPN service, called CVPN. It sets up an encryption tunnel so basically all of your traffic goes through [that] tunnel. It’s basically another way of encrypting the wireless network,” he said.

Always turning on wireless encryption when given the option is highly recommended. Furthermore, an application called Blacksheep, which helps block Firesheep unless the user modifies Firesheep’s code, was released yesterday.

After Firesheep debuted two weeks ago, the plug-in was downloaded over 560,000 times, according to a November 3 Forbes blog post. But the encryption vulnerabilities it exploits have been talked about for around three years.

The attempts of Firesheep’s creators to bring attention to the vulnerability has apparently worked—Microsoft’s Bing recently announced it would look into using SSL (Secure Sockets Layer), a way to block the unauthorized access of plug-ins like Firesheep.

A Faceboook spokesperson told Forbes on November 3 that the company was working on encrypting its site. “We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”

  • Andrew MacKie-Mason

    Just so you’re aware, even using Firesheep to snoop someone else’s computer for passwords is a violation of the Illinois Computer Crime Prevention Law (even if you don’t then use those passwords to access their account). Of course, there’s not an exception for researching stories.

    Specifically, it’s a violation 720 ILCS 5/16Dā€‘3(a)(2), which is a Class A misdemeanor.

    “(a) A person commits the offense of computer tampering when he knowingly and without the authorization of a computer’s owner, as defined in Section 15ā€‘2 of this Code, or in excess of the authority granted to him… (2) Accesses or causes to be accessed a computer or any part thereof, a computer network, or a program or data, and obtains data or services;”

    People should be aware that even messing around with Firesheep, regardless of whether you change anything in an account that you access, is a criminal offense.

  • JohnDoe

    Andrew –

    Because people never, ever break the law for seemingly harmless stuff…

    As I posted in the Viewpoints article:

    Maybe the University IT should set up the network so that it is encrypted – then this wouldn’t be a problem. This open wireless solution is a joke. The user/password page when you first connect gives a false sense of security and seems to be a lazy way to setup a wireless network (granted, I haven’t actually set up any networks larger than my own apartments).

    Other schools run WPA2 encrypted wireless networks…

    Regardless of those points that the University should take care of, basic computer security is to never transmit sensitive information over an unencrypted wireless network, as the information can be intercepted by anyone with the will to do so.

  • DJ Markey

    People should also be aware that simply becausing some is allegedly a criminal offense does not mean that they are likely to be charged with a crime.

    There are many many “criminal offenses” that take place on a daily basis that, for lack of detection or lack of evidence or lack of reporting, never result in an arrest or detention, let alone a prosecution.

    In other words, keep on hacking.

  • Joe


    The “802.1x IEEE” standard that the article states will be rolled out in February includes WPA2 encryption. You can actually try it out through November 12 in Harper and the Reg. There’s more information on the IT Services website, which I’d link to if the Maroon would let me.

  • JohnDoe

    Joe –

    I didn’t know that. I haven’t been following the tech developments at the UofC – just going on my experiences from when I did attend. But that is good that they are taking such steps.