OPLIN 4Cast #204: Locking down WiFi

Up until now, many public libraries have not been too concerned with the security of their public wireless networks. Libraries, after all, are open to the public, so why shouldn’t their networks be “open,” too? Does it really matter if a neighbor might “steal” some of the library’s bandwidth? But about a week before Halloween, the Firesheep extension for the Firefox web browser rattled the WiFi world. Suddenly, it became ludicrously easy to use open WiFi library networks to steal patrons’ usernames and passwords to unsecured websites like Facebook and Twitter. Suddenly, there’s a really good reason to lock down the library WiFi.

  • Firesheep in wolves’ clothing: extension lets you hack into Twitter, Facebook accounts easily (TechCrunch/Evelyn Rusli) “Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies. As Butler explains in his post, ‘As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed’ in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.”
  • Protection from FireSheep (ReadWriteWeb/Audrey Watters) “Since Firesheep was released, there have been a number of countermeasures developed, ostensibly to warn if not protect users from potential side-jacking. Blacksheep, released earlier this week by Zscaler, generates ‘fake traffic’ then monitors the network to see if Firesheep is active. But Blacksheep warns you that it is, then what? Other than shutting off your notebook and perhaps relocating to a different cafe with free Wi-Fi, what are your options?”
  • Free WiFi should use “free” password (Ars Technica/Jacqui Cheng) “…businesses that offer free WiFi to customers—such as Starbucks or hotels—are still putting everyone at risk of being sniffed and hacked by leaving their networks open. If those businesses were to simply lock their networks down (WPA2, of course) with the password of ‘free,’ then customers’ information would be much more secure and the world would be a happier place.”
  • Password doesn’t shear Firesheep (BoingBoing/Glenn Fleishman) “Thus, you could defeat Firesheep today by assigning a shared key to a Wi-Fi network until the point at which some clever person simply grafts aircrack-ng into Firesheep to create an automated way to deauth clients, snatch their keys, and then perform the normal sheepshearing operations to grab tokens. […] The way around this is to use 802.1X, port-based access control, which uses a complicated system of allowing a client to connect to a network through a single port with just enough access to provide credentials.”

89% (645) of all Ohio public library buildings offer free public WiFi.