Firesheep Wi-Fi eavesdropper works at McDonald’s, Starbucks and elsewhere

You might want to think twice about using free Wi-Fi connections now commonly available in public places. A free tool, called Firesheep, has made commandeering, or “sidejacking”, your Wi-Fi session trivial.

“Firesheep is dead simple to install and use,” says Chester Wisniewski, senior security advisor at antivirus firm Sophos.

Anyone sitting within 50 feet of you at the airport, or your favorite café or book shop could be using Firesheep. It might merely be a prankster. Or it could be a newbie cyberthief out to swipe your web mail and social network account logons — hot commodities, at the moment, in the cyberunderground.

Sidejacking has been around since 2007. But because there are so many easier ways for hackers to take control of the computers we use to surf the Web from our homes and workplaces, sidejacking, by comparison, is not believed to occur very often, security experts say.

Firesheep lowers the bar for entry-level crooks. Since its Oct. 25th unveiling, the free program has been downloaded 764,000-plus times. “It’s now even easier to spend a day going from coffee shop to coffee shop gathering accounts and selling them,” says Julien Sobrier, senior researcher at security firm Zscaler.

Cybergangs buy stolen web mail and social network logons, then use the accounts to spread viral messages and postings to all of the victim’s contacts.

Several developments have security and privacy experts concerned. Unencrypted public Wi-Fi service has become ubiquitous. And free, public Wi-Fi is being increasingly used by people on the go to check e-mail, update their Facebook accounts and send Twitter micro-blogs.

Starbucks Coffee and Panera Bread make free, unencrypted Wi-Fi available in all of their 7,550 and 1,421 stores, respectively, in the U.S. and Canada. Barnes & Noble does so in its 717 U.S. stores, and McDonald’s supplies free Wi-Fi in 12,500 of its 14,000 U.S. locations. Smaller merchants sometimes require patrons to type a simple password to use free Wi-Fi, a practice which stops Firesheep snoopers. But most big merchants generally do not require a password. “We don’t use a password for ease of customer use and convenience of using free Wi-Fi,” says McDonald’s spokesperson Danya Proud. “It’s one less thing a customer has to do to get connected.”

Firesheep enables sidejacking of Windows PCs — and Apple Macs. And tools like Firesheep are not difficult to create. A criminal threat could emerge as consumers increasingly turn to using their smartphones, tablet PCs and e-readers to get online at public places, says Sorin Mustaca, security analyst at antivirus firm Avira. “The danger is simply much bigger, as there are many more potential victims,” says Mustaca.

By Byron Acohido
