On U of C network, accounts vulnerable to Firesheep hack

A Firefox plug-in allows users to access and modify Facebook, Twitter, and other websites with a Firefox plug-in called Firesheep.

By Jessica Sheft-Ason

User accounts on Facebook, Twitter, and some other websites are vulnerable to hacking on the University network with a Firefox plug-in called Firesheep.

Firesheep allows a user to access and modify the accounts of other users on their WiFi network. It works through long-standing vulnerabilities in the websites themselves; sites that use a secure encryption, like Gmail, Bank of America, Cmail, Cmore, and Chalk, cannot be viewed by Firesheep.

Under the Illinois Computer Crime Prevention Law, which forbids unauthorized tampering with another person’s computer, editing another person’s account through Firesheep is illegal.

This reporter tested the two-week old plug-in to see how it worked on the University of Chicago’s wireless network. In a large lecture class in Kent, three Facebook and two Twitter accounts were accessible almost instantly through the application.

Other tests, performed in Hutch at lunchtime, at the Regenstein in the afternoon, in Stuart during the evening, and on the A-Level late at night, revealed more accounts. This reporter viewed 60 accounts over the testing period.

The University’s wireless network is divided among multiple routers around campus, and one can only access computers connected to the same router. For example, using Firesheep in Hutch showed only the account information of users in and around Hutch.

University’s IT Services (formerly NSIT) has no immediate plans to secure the wireless network, though the application attacks vulnerabilities in websites. It is aware of Firesheep and will be updating the “Safe Computing” page on the IT Services site, according to Tom Bardon, senior director for Architecture, Integration & CISO.

“You have to be smart and know where you are in your surrounding, just like the way you are used to behaving in the physical world,” Barton said.

IT Services will update its encryption standards in February, which will block Firesheep. “We’re going to be ready for deployment of a 802.1x IEEE, which will encrypt everything you do while connected to that,” Barton said.

He also recommended using some of the University’s tools to protect personal computers. “In the immediate term I would tell someone who is especially concerned that you can use our VPN service, called CVPN. It sets up an encryption tunnel so basically all of your traffic goes through [that] tunnel. It’s basically another way of encrypting the wireless network,” he said.

Always turning on wireless encryption when given the option is highly recommended. Furthermore, an application called Blacksheep, which helps block Firesheep unless the user modifies Firesheep’s code, was released yesterday.

After Firesheep debuted two weeks ago, the plug-in was downloaded over 560,000 times, according to a November 3 Forbes blog post. But the encryption vulnerabilities it exploits have been talked about for around three years.

The attempts of Firesheep’s creators to bring attention to the vulnerability has apparently worked—Microsoft’s Bing recently announced it would look into using SSL (Secure Sockets Layer), a way to block the unauthorized access of plug-ins like Firesheep.

A Faceboook spokesperson told Forbes on November 3 that the company was working on encrypting its site. “We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”