If you’re using free WiFi hotspots to connect to websites like Facebook, you had best be careful.
A number of politicians in Missouri appear to have learnt that lesson the hard way – with five people reporting that they have had their Facebook accounts hacked since the beginning of the year.
And suspicious minds are leaning towards the theory that hackers took advantage of a free, open wireless network to sidejack state representatives’ Facebook accounts and post mischievous messages such as
"I love lobbyist! All the free food and stuff you get. This job is awesome!"
Victims who had their Facebook accounts hacked in January included Democrat Stacey Newman and Republicans Donna Lichtenegger and Dave Schatz. Lichtenegger says that on the day a hacker posted an unauthorised message from her account, she had used the House’s free public WiFi.
She later posted an apology on Facebook about the message which claimed she loved free gifts from lobbyists:
To my Facebook Fans, I want you to know that my Facebook page has been hacked today. As I was traveling back home this afternoon someone decided to hack into my Facebook and write this false statement about me liking lobbiest and getting lots of free food. First of all I'm not eating most of the food at the Capitol because I've plegded to myself to loose the freshman 15 instead of gaining. The last posting I placed was to let folks know how to recieve my Capitol Report. Sorry for the statement. Donna
Hmm.. she might do well to buy a dictionary.
Tools such as the Firefox plug-in Firesheep make it easy for anybody within range to jump onto your Facebook account if you’re using an unencrypted WiFi connection, for example at a coffee shop.
The victims of the current spate of Facebook hacking at the Missouri State Capitol building (three Republican legislators, one Democratic legislator and one Republican staffer) have all been using the free WiFi network provided for visitors and workers according to media reports, rather than a secure, encrypted connection.
Facebook recently allowed users to choose full SSL/HTTPS encryption throughout their session to stop accounts being compromised through unencrypted WiFi using tools like Firesheep.
Facebook hasn’t rolled out that functionality to every user yet, but I would recommend that every user enable it as soon as possible. Here’s a YouTube video showing you how:[youtube=http://www.youtube.com/watch?v=JIXxXFbrmKA&rel=0&w=500&h=311] (Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)
If you’re a user of Facebook, in addition to selecting the new HTTPS option, you also benefit from reading our guide on how to secure your profile.
And don’t forget to join the Sophos page on Facebook, where we regularly alert on the latest security threats on the social network.