The Attack is Trivial

If you don’t switch over to using Columbia’s new secure wireless, you will be hacked. Accept that as a simple definitive statement. Breathe it; live by it; tattoo it onto your upper thigh. Security is a real issue, and until recently, hackers with a fairly limited skill-set could trivially camp out in Butler with an ordinary laptop and read your messages and emails, see some of your passwords, and hijack your Facebook account. To stress again: if you do not use secure Wi-Fi, hackers will mess with you.

So what’s the big deal? Well, while some websites use encryption of their own through a protocol suite called HTTPS (which you should have been using with Facebook already), the reality is that most websites fail to protect your account after you’ve logged in. This allows hackers to fire up programs like Wireshark and execute what’s called a “cookie hijacking attack.” In fact, the entire hack can be automated using novice tools like Firesheep.
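For the curious, here is what "fail to protect your account after you’ve logged in" looks like from the website's side. This is an added example, not code from CUIT or the original post: a small Python check that reads a login response's headers and flags session cookies the browser would also send over unencrypted HTTP. The header values, cookie names and the `audit_response` helper are all constructed for illustration.

```python
# Added example: audit a login response for cookies that would travel in
# cleartext after login. All header values below are constructed samples.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, attributes_dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(headers):
    """headers: list of (name, value) pairs from an HTTPS login response.
    Returns a list of (cookie_name, problem) findings."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests
            # too, so anyone on the same open Wi-Fi can read it off the air.
            findings.append((name, "no Secure: also sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly: readable by page scripts"))
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("(site)", "no HSTS: later requests may use plain HTTP"))
    return findings

# Constructed sample: HTTPS login, but the session cookie is left unprotected.
WEAK = [
    ("Set-Cookie", "session_id=abc123; Path=/; Max-Age=3600"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]
# Constructed sample: the same response with the cookie and site locked down.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or "no findings")
```
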

The University has in the past offered another form of encryption called a virtual private network, which encrypts all your traffic and sends it through a central server, but this was only offered to faculty and staff. Over the past week, Columbia finally began offering wireless encryption using the WPA2 protocol, which allows all Columbians with UNIs to receive proper wireless encryption. This encrypted network isn’t available all over campus yet, but we’ve found it in Butler, Mudd, Schermerhorn, and a few dorms. It will presumably also be campus-wide soon. It’s protection—use it where you got it.

If you can’t figure out how to connect to the clearly marked “Columbia U Secure” network with your UNI and password, CUIT has put together a nice little automated wizard web page.

It’s about time.

Update 5/3: If you’re still having trouble connecting to the network, CUIT asks that you let them know so they can help at askcuit@columbia.edu.

Hacking via Firesheep