How safe is life online?

 

Why personal data is at risk on unsecured public wi-fi

How safe are we living our lives online and whose job is it to make sure of that?

When you hand over your photos, your credit card details, your e-mails to companies which will store them on vast banks of computers somewhere the other side of the world, what are you risking?

And if you try to access all that personal data when you are on the move, is there a danger that someone else might get a look too?

All questions that we seek to answer in a film for Newsnight about security in the cloud, that nebulous concept which tries to capture the idea that more and more of our data is now on somebody else's computers, not ours.

It was a project about the security of public wi-fi networks mounted by Goldsmiths College in London that sparked our interest.

Vulnerable

Researchers from the Creative and Social Technologies Unit there have been studying how users react when they are shown evidence that they are not as secure or private as they might think when using public wi-fi.


They have been using an open-source tool called Firesheep released last October by a developer called Eric Butler, with the aim of alerting both websites and web users to a security threat.

Firesheep allows the hijacking of anyone's online accounts when they're using social networking sites on a public wi-fi network, and the Goldsmiths team has been using it in various public places - though always after getting permission first from their targets. They ask these two questions:

1) Do you realize that you are susceptible to the use of software by a third party to get into your password-protected social networking identity?

2) Would you like me to show you?

[Image: internet cafe. Caption: Facebook and Twitter do offer a secure service - but it's not the default option]

We filmed with them in an internet cafe in Cambridge, where the wi-fi network was protected by a password but the traffic flowing between users and various sites was not.

What Firesheep does is to sniff out cookies, the files that tell any website that we are who we say we are. So once someone has logged on to their Facebook or Twitter account, the Firesheep user can grab those cookies as they fly across the network.

And that's what the Goldsmiths team did, demonstrating to a series of people in the cafe that they could see their Facebook pages, update their Twitter status, even in one case read all of their e-mails from a webmail account. They reacted, as you can see in our film, with surprise and alarm.

Now anyone who reads the technology blogs will say this is old news - after all, Firesheep was created last October and has been downloaded something like two million times.

Tech savvy

But the point is that, as yet, it has not succeeded in its aim of making us all - websites, network providers, and cloud consumers - a lot more security conscious.

Eric Butler, Firesheep's creator, is a man on a mission.

"The message of Firesheep," he told us, "is sites like Facebook and pretty much anyone who has a site on the web where people log in and have any personal information need to use what's called https, which is a secure way to browse the web."

[Image: data servers. Caption: Enormous 'server farms' store our data around the world]

Now Facebook and Twitter do offer that kind of secure service - but it's not the default option, so users have to switch it on if they want to be sure that their use of those sites is private when they are in a public wi-fi hotspot.
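A defender's check for the exposure described above, as an added example that is not part of the original article: it audits a response's headers for session cookies that a browser would send unencrypted across a shared network. The site name, cookie values and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a}
    return name, flags

def audit_response(url, headers):
    """Return findings about session-cookie exposure on a shared network.

    headers is a list of (name, value) pairs as received from the server.
    """
    findings = []
    https = urlsplit(url).scheme == "https"
    if not https:
        findings.append("response delivered over plain HTTP")
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, flags = parse_set_cookie(value)
            if "secure" not in flags:
                # Without Secure the browser attaches the cookie to http:// requests.
                findings.append(f"cookie {cookie!r} lacks Secure: sent on http:// requests too")
    if https and not has_hsts:
        findings.append("no Strict-Transport-Security: browser may still try http:// first")
    return findings

# Constructed sample responses (hypothetical site, not captured traffic).
OPT_IN_HTTPS = ("http://social.example/home", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
HTTPS_BY_DEFAULT = ("https://social.example/home", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])
# Login page is encrypted, but the cookie it sets can still leak on later http:// requests.
MIXED = ("https://social.example/login", [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])

if __name__ == "__main__":
    for url, headers in (OPT_IN_HTTPS, HTTPS_BY_DEFAULT, MIXED):
        print(url, audit_response(url, headers) or "ok")
```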

The other link in the security chain is the hotspot providers. After the experiment in the Cambridge cafe, the owners switched to a higher level of encryption for their network, making it impossible to use Firesheep.

BT, the largest provider of wi-fi hotspots in the UK, says it is rolling out new technology which will make its Openzone network more secure.

But Dave Hughes, BT's director for wireless broadband, told us we may need to think again about public wi-fi: "I think the old days of small, one-off coffee shops providing people with access to their broadband line and giving out the security key is not really going to be the right sort of behaviour for the future."

The holes in wi-fi security may be patched, but the recent high profile data breaches at companies like Sony show that we are all going to need to think carefully about what we hand over to the cloud.

We filmed at a massive data centre in Slough run by the American firm Rackspace. It handles all sorts of data, from the Virgin Trains ticketing website to the transactions on a Kenyan mobile payments system.

We had to pass through several layers of physical security to get in, and the company assured us that the data was well defended from the numerous cyber-attacks that the centre experiences every day.

But Rackspace says we all need to think carefully about what we put in the cloud: "If you look at young people today, they're putting their information on the cloud automatically without really thinking about it," says Fabio Torlini, whose rather wonderful title is vice-president of Cloud:

"If I was a young person today I would think twice in terms of what information I want to put online which is publicly available. Do you really want to put online all of your family information, your surname, your date of birth, online on a site which people can view day in day out?"

The new online services now being offered by Amazon and Apple, by Google and Facebook, offer all sorts of benefits to anyone who wants to run their life on the move from any device. But we are all going to need to smarten up about the dangers of living in the cloud.

You can see my report on safety in the cloud on Newsnight at 22:30 BST on BBC Two.

 
Article written by Rory Cellan-Jones, Technology correspondent


Comments

 
  • Comment number 21. Rating: 0

    I am very uncertain after the Sony episode last month. Whenever I try to change my password, I get directed to a webpage that is half Japanese saying the site is under maintenance. I followed the links to find a phone number to call, which I did, I confirmed some details and was put on hold. Closer inspection of the web page with phone numbers, shows the UK text does not line up. Any suggestions?

  • Comment number 20. Rating: +1

    I use a separate e-mail address for banking, one for personal communication, one for memberships and subscriptions and a separate one for generally mucking about. I keep a separate bank account for online transactions and my passwords are site specific and change on a monthly basis.

    Your average user has one e-mail, one password and tells burglars when they're out of the house on twitter.

  • Comment number 19. Rating: +1

    @14 Because your name, age and address would be impossible to figure out if someone hacked in and stole your e-mail address.

    I get where you're coming from, but in my view, as long as people keep using the same email address for everything and have the personal password security of e.g. their kid's name and year of birth, they've only got themselves to blame.

    E-mail address, Facebook, £££

  • Comment number 18. Rating: 0

    @2.PhilT
    Sony, Microsoft, the government have lost data from their server, not from the communications link. Sniffing millions of packets going via a router to sift something useful is not easy, and takes time, hacking the server is a lot quicker. The BBC et al who demand personal info for no real purpose should learn not to, they want personal data, will lose it, will endanger people.

  • Comment number 17. Rating: 0

    @7.st321st
    Mobile security is interesting, if you use a good phone they come with security capability and can use a standard webpage (like your laptop does).
    The problem with the data is the corporation requesting it often loses it in hack attacks. Many places (such as the BBC) demand information they don't realistically need, then get hacked at some point.

 
