Recent Firefox extension makes it easier for people to hack campus wireless networks

Most of the wireless networks on UCLA’s campus are now vulnerable to being hacked.

This is because Firesheep, an easy-to-use Firefox extension that was released in October, makes it easier for people with or without hacking knowledge to access other people’s stored information.

For students, this means their log-in information can be stolen when they use popular websites like Twitter, Amazon, Dropbox and Facebook.

Mobile devices that connect to the Internet through a nonsecure network are also at risk, said Mark Bower, director of managed network services at UCLA Communications Technology Services.

When users connect to a wireless network, their computers broadcast packets of information to the wireless access point, said Ross Bollens, director of security at UCLA Information Technology. These packets contain cookies, or information about the users’ Web session.

For example, if someone is logging onto Facebook on an un-encrypted wireless network, a Firesheep user can capture that person’s Facebook log-in cookie, allowing the Firesheep user to log in as that person and access their account, Bower said.

Timothy Ma, associate director of technology at the James West Alumni Center, wanted to see how easy Firesheep was to use and whether his office should make any adjustments to its Web usage. All he had to do was download and install the add-on, he said.

“It was very easy, maybe a three- or four-step process,” Ma said. “For anybody who is on the same unprotected wireless network you are on, the program actually tells you, “˜So-and-so has logged on to Facebook,’ and you can click on them and use their account.”

The best way to protect against Firesheep is to always connect to an encrypted network or to connect to a network through a virtual private network client, which automatically encrypts your data, Bower said.

UCLA Communications Technology Services provides three wireless networks: UCLA_WIFI, UCLA_WEB and UCLA_SECURE. Of the three, only UCLA_SECURE provides an encrypted connection. To connect to UCLA_SECURE, users must first configure their computers, Bower said.

The information to configure a computer can be found at the Bruin OnLine website, Bower said.

“If anyone has any problems, just contact BOL, and we’d be happy to help them out,” he added.

Since Firesheep was released, UCLA has taken steps to protect students who use programs run by UCLA servers, such as URSA, Bollens said. Instead of HTTP, all UCLA servers now use HTTPS, which provides a secure connection for users regardless of what type of wireless network they are on.

And while UCLA has addressed the vulnerability of its servers by switching all websites it runs to HTTPS, there is nothing the university can do about outside websites that are not secure, Bollens said.

“Ultimately, it’s up to the students to be aware of the situation and keep themselves safe,” he said. “With so many students on campus, all their information will just be out there for the taking if they’re not aware of the issue.”