Q: Can you please explain what sidejacking is and how to avoid it? Thanks.— Patti
A: Sidejacking refers to the ability to hijack a Web session on another computer that is connected to the same open Wi-Fi network (someone sitting by your side, hijacking your Web surfing session).
This exploit originally surfaced in early 2008, but at the time, only sophisticated technical types could set up a laptop to accomplish this feat and the time it took to assemble the bits of captured data made it uncommon in the wild.
It’s always been dangerous to conduct private business on public Wi-Fi networks, but the danger just elevated a thousandfold this past week.
A programmer at a hacker conference in San Diego released a free add-on to the Firefox browser to illustrate how dangerous it is to log in to any unsecured Web site on a public hotspot.
Anyone who downloads the plug-in can start monitoring the traffic on any open Wi-Fi network and capture the ‘session cookies’ that are common to how most Web sites work with registered users.
For instance, when you sign into your Facebook account, a session cookie is sent back to your machine for any other requests you make during that session (so you don’t have to constantly input your username and password). Once you log off, the session cookie is terminated and is no longer of use.
If someone sitting near you (30 to 100 feet) is on the same unsecured network, they can literally snatch a copy of the session cookie out of the air and start using your account as if you had just logged into their computer.
The tool comes pre-loaded with the ability to recognize session cookies from dozens of major online networks including Amazon, Flickr, Foursquare, Google, Yahoo, Facebook, Twitter, Bit.ly, Windows Live, WordPress, and the list goes on.
Any Web site can be added to the ‘watchlist’ so that session cookies from just about any unsecured transaction can be captured.
To be clear, banking sites or other secure Web sites that use the “HTTPS” protocol on all pages cannot be exploited by this tool, only exchanges that are unsecured (HTTP), which is how many sites operate once you log in.
This tool has turned every wannabe hacker into a one-click hijacker, which is why things just got more dangerous for public Wi-Fi users. In my tests, any device (including smartphones and iPads) that use a browser to log in to an unsecured site can be hijacked by this tool.
There are a number of ways to avoid getting hijacked that range from changing your behavior to installing special software.
First and foremost, don’t ever log in to any of your email, shopping, or social networking accounts through a Web browser on a public network ever again (or install the add-ons in the next paragraph).
If you have a smartphone that you occasionally use on public Wi-Fi (because it’s faster than the cell data networks), download the associated social media apps instead of going to Twitter.com or Facebook.com on a Web browser.
If you want to make sure your Web browsing sessions are not captured while on public Wi-Fi networks, you can install a free Firefox add-on called Force TLS or if you use Google’s Chrome, install KB SSL Enforcer, both of which automatically redirect you to secured pages for the sites that you choose.
If you have a cellular broadband data card or stick, use it instead of the public Wi-Fi hotpot unless you don’t plan to log in to any Web sites. It will be slower, but its much more secure.
If your laptop is part of a corporate network, it may already have VPN (Virtual Private Networking) software installed, which will also protect you.
All of these security programs will add ‘overhead’ to your sessions and in some cases functionality may be impacted (Facebook chat doesn’t seem to work in secured https: sessions), but the tradeoff is more than worth it.
Data Doctors Computer Services
Data Doctors Data Recovery Labs
Data Doctors Franchise Systems, Inc.
Weekly video tech contributor to CNN.com
Host of the award-winning “Computer Corner” radio show