So the news is all atwitter today over what has been dubbed "Weinergate" by at least some in the media, relating to New York Congressman Anthony Weiner allegedly tweeting a picture of an erection to a college student in Seattle. Anthony Weiner has claimed that his Twitter account was hacked in order to do this, a claim which conservatives are denying. This post is about the credibility of Weiner's claim, and the hidden danger of using public unencrypted WiFi to access password-protected services.
Weiner is a pretty aggressive user of social media services, from what I've seen, and he seems to be using them himself (rather than delegating that to a social media consultant). He probably uses a smartphone of some sort to post his tweets. Like many other people, he likely uses public WiFi access points when they're available, as such services are typically faster than the 3G network. The problem with this, though, is that when you access a password-protected service like Twitter or Facebook, your device sends your password to the service provider in order to authenticate your session. By default, that password is sent using what is called "basic authentication", which sends the password without any encryption; the password is sent in the clear, and anyone who can overhear the exchange will be able to see, and more importantly, capture both the username and password. The key here is the "anyone who can overhear the exchange": the only thing protecting your Twitter password is the physical security of the medium being used to send your login request to Twitter.
This isn't that terribly much of a problem if the computer is connected to the internet via a wired connection: the unencrypted passwords will typically be exposed only to the chain of internet service providers between the user's computer and the social network. Now, there are certainly risks here, but in general ISPs do not collect intelligence about their customers and share that intelligence with third parties (other than the US government, that is); I've never heard of a social media account being hacked through password collection at an ISP. Basically, in the wired case the physical security of the medium is fairly good, and so the risk is low.
The same is true if you're using 3G/4G wireless. All the various digital cellular protocols used for cellular wireless use transport encryption, meaning it would be phenomenally difficult to intercept and successfully recover the content of a login request sent via cellular wireless.
However, things get a lot shakier when we start talking about WiFi. WiFi is notorious for its history of poor transport security; the original WEP security provided with early WiFi systems is flawed and can be cracked with an ordinary computer in a matter of hundreds (sometimes tens) of seconds. There are newer standards that alleviate this in various ways, and the newer WPA and WPA2 encryption algorithms are probably about as secure as the underlying wired networks they're connected to. But the real danger here is unencrypted public WiFi. Here there is no transport security at all: everything you send, and everything you receive, is sent with no encryption. And since it's being sent over a radio medium, anyone with a compatible radio receiver can listen in to the entire conversation. The long and the short of it is that if you log into Facebook, Twitter, or most other social networking services over a public unencrypted WiFi service, you are sharing your login details, including your password, with everyone in radio range of your device.
There are widely available tools that are specifically designed to sniff WiFi sessions for social media passwords, and it's a fair bet that at any event where a public-access unencrypted WiFi is available, someone will be running one of these tools. And if you're a prominent public political figure who is known to use social media from a mobile device, someone like, say, Anthony Weiner, it's reasonable to assume that your political enemies will send someone to follow you about with one of these tools for the sole purpose of trying to capture your passwords. In short, you got pwned by firesheep, Anthony.
So what's the solution here? First, don't ever use a public unencrypted WiFi service to send sensitive information, including a password, without taking additional steps to protect your security. The simplest is to not use public WiFi. With many devices, this is the only safe choice: my Droid will automatically attempt to log on to all of its various social networking connections (to collect updates) as soon as it detects that it has Internet access. For mobile devices, therefore, one should rely only on cellular access and on password-protected WiFi sources that you already trust. This means, for example, turning off the option to automatically connect to any public WiFi that your device might detect.
Another option, which isn't really available on smartphones but would be on notebooks, is to install a browser add-on that forces social media sessions to be conducted via HTTPS instead of HTTP. Most of Google's properties already offer this; Google forces all login sessions to be sent via HTTPS, meaning the password will be encrypted in transit. I think Yahoo is also doing this. There is a plugin available for Firefox that forces Facebook, Twitter, and selected other sites to always use HTTPS encryption, to protect you from password grabbing, and I would recommend the use of such tools. I use one called Force-TLS on my own notebook.
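The exposure described above and the effect of a force-HTTPS rule can be checked on a handful of requests. This is an added example, not code from the original post or from Force-TLS; the hosts, user, password, cookie and the upgrade list are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

# Hypothetical upgrade list, in the spirit of a force-HTTPS browser add-on.
FORCE_HTTPS_HOSTS = {"twitter.example", "photos.example"}

def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def force_https(url, hosts=FORCE_HTTPS_HOSTS):
    """Rewrite http:// to https:// for listed hosts and their subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or not any(host == h or host.endswith("." + h) for h in hosts):
        return url
    # Drop an explicit default HTTP port so the HTTPS URL uses 443.
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def exposed_secrets(url, headers):
    """List what a passive listener on an open network could read from this request."""
    if urlsplit(url).scheme != "http":
        return []  # TLS encrypts headers and body in transit
    found = []
    creds = decode_basic(headers.get("Authorization", ""))
    if creds:
        found.append("password for " + creds[0])  # base64 is encoding, not encryption
    if "Cookie" in headers:
        found.append("session cookie")
    return found

# Constructed sample requests: hosts, user, password and cookie are made up.
TOKEN = base64.b64encode(b"alice:correct horse").decode("ascii")
SAMPLE_REQUESTS = [
    ("http://twitter.example/statuses/update", {"Authorization": "Basic " + TOKEN}),
    ("http://photos.example/upload", {"Cookie": "session=abc123"}),
    ("https://mail.example/inbox", {"Authorization": "Basic " + TOKEN}),
]

def audit(requests, upgrade=False):
    """Map each (optionally upgraded) URL to the secrets it would expose."""
    urls = [(force_https(u) if upgrade else u, h) for u, h in requests]
    return {u: exposed_secrets(u, h) for u, h in urls}

if __name__ == "__main__":
    for upgrade in (False, True):
        print("forced HTTPS:", upgrade, audit(SAMPLE_REQUESTS, upgrade))
```

With the upgrade list applied, every sample request reports nothing readable; a host missing from the list stays on HTTP and keeps leaking, which is why the list has to cover every service the device logs into.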
A more aggressive option, and one that would likely have been a good choice for Congressman Weiner, would be to set up a VPN endpoint at your home or business (or use a public VPN endpoint service like PublicVPN) and force all your public Internet access through it. This ensures that all your Internet activity is encrypted by the VPN client before it leaves your device, so that you won't be vulnerable.
And, of course, we should all pressure Facebook, Twitter, and other services to do as Google has done and redesign their services to avoid this vulnerability in the first place.
To bring it back to Weinergate, I personally find Weiner's claim, that his password was hacked, fairly credible. At least one conservative has pooh-poohed the notion that someone could have hacked both his Twitter password and his Yfrog password at the same time, but in reality that's fairly likely with a WiFi password capture tool; all they have to do is observe him using both Twitter and Yfrog in the same session, which is a fairly common pattern since most usage of Yfrog is on referral from Twitter. If one of his political opponents has been following him about with a password sniffer, it's entirely possible that they have a large collection of his passwords. Not to mention that there's the real risk that he used the same password on both; while Weiner is a smart guy, that doesn't mean he's necessarily an expert on Internet security, and even smart guys fall prey to that fairly common mistake.
I just hope that scandals like this don't lead public figures like politicians, celebrities, corporate bosses, etc., to retreat from personally using online social networking, tweeting, blogging, etc., rather than having everything they say get run through their handlers and PR/marketing types. I find it refreshingly genuine that there are some big-name public figures who are actually willing to make off-the-cuff remarks in public online, showing their true personalities instead of a carefully-crafted marketing image. It would be a shame if the "handler" types use a few scandals as reason to crack down on it and insist their bosses submit to censorship coming from their own assistants.
WPA with TKIP is broken too. WPA2 or WPA with CCMP/AES is still fine though. And I was told at one hacker con that sniffing 3G is dead simple.
For some reason, LinuxChix's Live aggregator links all your posts back to an August 2010 permalink instead of to the actual post.
Weiner will never have this investigated because he would then have to come up with a story about how the hacker must have gotten a hold of his blackberry.
I'm not trying to flame you or anything, but almost none of your second paragraph is true.
One of the absolute basic "Rule 0" type laws of data security is that the medium is never secure. That's why we have encryption.
The security hole is that sites like Twitter and FB generally encrypt the authentication process, but then allow a cookie to be passed in the clear after the authentication is complete. The password is not intercepted. The cookie is. But since the sites interpret the presence of the cookie as "this person has already authenticated", if I grab your cookie, I can do certain things to your account (such as post).
Using a physical wire certainly makes it more difficult to snoop a cookie, but a motivated attacker with a little bit of knowledge can certainly still do it.
Weiner’s first step is to explain what he knows; the second is to report the incident to the FBI to investigate. Hacking the verified social media account of a sitting US congressman is an FBI matter. No lawyers necessary at this point. Once it’s investigated, then lawyers get involved.
I do not see that WiFi presents any danger at all because I have been writing about the Coming Privacy Singularity where you can see everything down to every atom anyway. Is it really too much to ask that Mr. Weiner present the truth about himself and his character properly before asking for the Vote of the People? I realize that the other politicians he might be running against might also present themselves as chaste angels or demi-gods, but I try to assess people on their sincerity and the platform they claim, not their priest-like purity.
ReplyDeleteI grew up in Buffalo, New York and I always resented how over-rated New York City, where Mr. Weiner's district is. My Mom had fond memories of her 20's in NYC and so she always loved it. I am hoping that the focus of USA shifts away from Israel and the Jews of NYC and just starts to focus on paying its trade deficit to China. NYC and Jewville is just a dumb, mean place to me. Please do not blame WiFi for dumb, mean Jews or a whimpy politician who resigned after such a minor scandal. If Mr. Weiner could somehow re-gain his office and then face re-election, I would vote for him as long as I thought that he would then "vote for me" by being a proper, strong representative. As it is, I now know more about his lasting character that I just do not like: he is a waffle and a whimp. Anyway, if this mamma's boy is Jewish and he can exercise his
http://en.wikipedia.org/wiki/Law_of_Return
and we are done with this Jewish asshole-loser. Otherwise, let us fire up the crematorium or at least "put his feet to the fire" and see if that makes a man out of him.
In any case: *please* do not blame WiFi.