Wednesday, September 12, 2012

UD Students: Watch Out While Using UD's Public Wifi!

I've been using UD's wireless connection a lot lately, which drove me to think: "Is my internet activity, through this network, secure? Are my passwords and other information safe?"

Well, the answer may (or may not) surprise you.

The University of Dayton's public WiFi (aka UDwireless) is NOT secure.

Most of you should be aware of that, as when you connect to UDwireless, your computer complains that you are connecting to an "Open" network and that the "information sent over this network might be visible to others".
Have you ever taken the time to think about the risks of ignoring this message?

Don't blame your laptop for not warning you

In case you haven't, I hope that this blogpost will shed light on some of the risks associated with using UDwireless for accessing private info.

If you are too lazy/uninterested to read the whole thing, you could jump to the end of the blogpost for some security tips.

First, let's clear up some common misconceptions.

Hackers aren't necessarily socially awkward computer geeks -- they aren't even necessarily that smart! Thanks to some easily downloadable point-and-click tools, even the "technologically-challenged" can "hack" into some stuff.
However, I guess that reaching this skill level would require lots of training.

Therefore, I bet that you could easily find, in a university with 11,000 enrolled students, at least a dozen with some "hacking" knowledge.

The Risks of Using UDwireless

Ok, now to move on to the actual point of this blogpost.
When you access a website using a WiFi connection, you are communicating with the Access Point (such as a router) through wireless packets.
A hacker can, using a normal laptop, "watch" these wireless packets as they flow in the air.

Since UDwireless is unencrypted, all the packets you are sending can be easily read by the hacker.
The hacker can now know what sites you are visiting, what pages you viewed, and so on.

More importantly, the hacker can steal your cookies (yes, the technical term is cookies).
Those cookies contain unique information pertaining to your logins.
For instance, when you login to facebook.com, a set of "cookies" is stored on your computer so that next time you visit facebook.com during the same session, your homepage shows up without asking you to log in again.

A professional hacker plotting for a cookie-theft attack

If a hacker steals your precious cookies, he/she would be able to trick facebook.com into showing him/her YOUR homepage without requiring any login.

Therefore, no matter how strong you think your password is, your account is "hacked" once your cookies are stolen.

The above scenario is not a fictional one. Literally anyone with minimal computer knowledge is able to do this.

I went on and tested that same scenario using my own Facebook account.

I logged into facebook from one laptop (Victim), while I used another (Attacker) to monitor all the traffic going from/to the Victim laptop. Note that I could've easily been spying on the traffic flowing through the entire network; however, in respect for the law and other people's privacy, I didn't.

I watched as the Attacker laptop showed me all the pictures I was viewing on facebook, and all the chat conversations I was having with my friends.
Then, still on the Attacker laptop, I copied the captured "cookies", fed them to the browser, and accessed www.facebook.com ... and as simple as that, I was able to bypass the facebook login and view my account on the Attacker laptop.

This could have easily been done to your account.

Take a moment to think of all the sites you have visited lately, and consider the number of things you don't want random individuals to be stealing from you while you are viewing these websites.
Quite a lot of private stuff, huh?

But but ... I don't want anyone going around stealing my cookies

To prevent anyone from spying on your internet traffic, make sure that you are using the HTTPS version of the website. For example, make sure you use https://www.facebook.com instead of http://www.facebook.com.

When you surf websites using https, a hacker watching the wireless traffic can still see what domains you visited, but the actual content is encrypted. That is, the pages you visit and your cookies are hidden, or obfuscated.

If you are using Firefox or Chrome, I highly suggest you install the HTTPS Everywhere plugin. This plugin forces the browser to use the https version of the page you are accessing, whenever one is available.
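To make the cookie-theft risk described above and the https advice in this section concrete, here is a small model of the two browser rules that decide what a passive listener on an open network can actually see: a cookie marked Secure is never sent over http://, and anything sent over https:// is encrypted except for the host name. This is an added example written for this post, not code from the original or from any browser or plugin; the host name, cookie names and Set-Cookie header lines are constructed for illustration, and the domain-matching rule is simplified to an exact host match.

```python
"""Model of cookie exposure on an open WiFi network (added example).

Demonstrates: which cookies a browser attaches to a request, which of those
are visible in cleartext to someone listening on an unencrypted network, an
HTTPS-Everywhere-style http->https upgrade, and a quick audit of Set-Cookie
headers for cookies that a site should be protecting.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False     # True: browser sends it only over https
    http_only: bool = False  # True: page scripts cannot read it


def parse_set_cookie(domain: str, header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie for `domain`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower().split("=", 1)[0] for p in parts[1:]}
    return Cookie(name=name, value=value, domain=domain,
                  secure="secure" in attrs, http_only="httponly" in attrs)


def cookies_sent(jar, url: str):
    """Cookies a browser would attach to a request for `url`.

    The rule that matters on an open network is the Secure flag: such a
    cookie never travels over http://, so it cannot be captured from
    cleartext traffic no matter what page the user opens.
    """
    u = urlsplit(url)
    return [c for c in jar
            if c.domain == u.hostname
            and not (c.secure and u.scheme != "https")]


def visible_to_listener(jar, url: str):
    """Names of cookies exposed in cleartext when `url` is fetched on open WiFi."""
    if urlsplit(url).scheme == "https":
        return []  # headers, cookies and body are encrypted; only the host leaks
    return [c.name for c in cookies_sent(jar, url)]


def upgrade_to_https(url: str) -> str:
    """What an HTTPS Everywhere style rule does: rewrite http:// to https://."""
    u = urlsplit(url)
    if u.scheme == "http":
        return urlunsplit(("https",) + tuple(u)[1:])
    return url


def audit_set_cookie(domain: str, headers):
    """Report cookies a site sets without the Secure / HttpOnly protections."""
    findings = []
    for h in headers:
        c = parse_set_cookie(domain, h)
        if not c.secure:
            findings.append(f"{c.name}: missing Secure (sent over plaintext http)")
        if not c.http_only:
            findings.append(f"{c.name}: missing HttpOnly (readable by page scripts)")
    return findings


# Constructed sample: one properly protected session cookie, one unprotected.
SAMPLE_DOMAIN = "www.example.edu"  # placeholder host, not a real site
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    jar = [parse_set_cookie(SAMPLE_DOMAIN, h) for h in SAMPLE_HEADERS]
    plain = "http://www.example.edu/home"
    print("over http, a listener sees:", visible_to_listener(jar, plain))
    print("over https, a listener sees:", visible_to_listener(jar, upgrade_to_https(plain)))
    for line in audit_set_cookie(SAMPLE_DOMAIN, SAMPLE_HEADERS):
        print("audit:", line)
```

Running it shows that over plain http only the cookie lacking the Secure flag is exposed, the Secure session cookie is never sent at all, and after the https upgrade nothing is exposed; the audit function is the check a site operator would run on their own Set-Cookie headers, which is the server-side counterpart to the browser-side advice in this post.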

If you are a Windows user and are still using Internet Explorer, then do yourself a favor and switch to Mozilla Firefox or Google Chrome. Trust me, you won't regret it.

Is that it?

What I have discussed here is simply one of the risks involved while using the UDwireless public WiFi (or any other public WiFi). However, that is not the only danger.
Hackers sitting on your network might be able to redirect you, without your knowledge, from a legitimate webpage to a fake one and steal your passwords or even install malware on your PC. Hackers can also exploit flaws in your laptop by launching the payload via the wireless network.
These kinds of attacks are slightly more sophisticated, and UDwireless may or may not be vulnerable. I have not tested any of them as this would require permission from UDIT, and I will not discuss the attack vectors as I don't want to increase the risk of some potential so-called "hackers" making use of it to steal students' passwords and/or compromise their computers.

Bottom line, be smart while using UDwireless and double check that the website you are accessing is using "https" in its URL, especially if you are typing in important information such as passwords, credit cards, and so on.

To UDIT: Please consider using a more secure connection method. Thank you.

Extra Note for the Tech-Savvy

If you're a technologically-inclined person, and are paranoid about your privacy while using UDwireless, then I would suggest you look into using a personal VPN.

Wednesday, June 27, 2012

Personal Thoughts About #WikiBoatWednesday 's 1337 Data Leaks

This blog post comes partly because I just remembered I have a blog that I never update, and partly because I just read about one of @TheWikiBoat's dumps and found it hilarious.

So here we go ...

This post is in reference to the following dump: http://pastebin.com/kUzhSFFP
and the related news posted about it (http://news.cnet.com/8301-1009_3-57462403-83/latest-hacker-dump-looks-like-comcast-at-t-data/)

So TWB claims to have gotten its hands on Comcast employees' names and salaries, huh?

Wow! How were they able to get their hands on this super sensitive database?
Could it be from this link? http://home.comcast.net/~drbrucehartman/exercise5_4.sql
It clearly says "comcast.net", so it's gotta be Comcast's own database backed up in Dr. Bruce Hartman's (Professor of Operations Management and Statistics) personal folder, right?

Well, wait, don't these links have the same info?
http://pages.cs.wisc.edu/~dbbook/openAccess/thirdEdition/exercise_data/emp.txt
http://medicalopensource.net/mcs/ex5sql.html


Turns out this information is the set of tables used in Ramakrishnan's textbook Database Management Systems for Chapter 5 (exercise 5.4, more specifically).

Moving on to the facebook quiz UB3R leak (which contains data as fresh as 2009):
You can visit this link for even more "dumps": http://c-76-24-66-27.hsd1.ma.comcast.net/facebook/facebook-platform/Cron/ Now how's that for a leak?

Not that I'm disrespecting any of your accomplishments, but you gotta admit the "Comcast database leak" is just hilarious. At least do a little bit of research before claiming to have leaked something - for your credibility's sake.

I'm now reading some twitter feeds about "#UGNazi and #TheWikiBoat will be teaming up to give you all a show this Friday!" ... I would love to see what they've got in store ... I hope it's not DDoS attacks, as these are becoming more and more lame.
(NB: some UGNazi members, including its self-proclaimed leader, were arrested by the FBI a couple of days ago).

Goodnight!

EDIT: I just read TheWikiBoat's statement (http://pastebin.com/43ft5UU4), and saw the "GOVERNMENT PROXY LIST LEAKED", which is in fact a list from MIT's host files (ftp://amusing.mit.edu/afs/net/admin/hosts/hosts.campus , ftp://amusing.mit.edu/afs/net/admin/hosts/hstath.txt, etc.. you can get more info by digging into the folders: ftp://amusing.mit.edu/afs/ )

EDIT 2: The "Uganda Education System Leak" also goes back to 2009 http://emailactivate.mak.ac.ug/emails-2009-2010.sql