Wednesday, September 12, 2012

UD Students: Watch Out While Using UD's Public Wifi!

I've been using UD's wireless connection a lot lately, which drove me to think: "Is my internet activity, through this network, secure? Are my passwords and other information safe?"

Well, the answer may (or may not) surprise you.

The University of Dayton's public WiFi (aka UDwireless) is NOT secure.

Most of you should be aware of that, as when you connect to UDwireless, your computer complains that you are connecting to an "Open" network and that the "information sent over this network might be visible to others".
Have you ever taken the time to think about the risks of ignoring this message?

Don't blame your laptop for not warning you

In case you haven't, I hope that this blogpost will shed light on some of the risks associated with using UDwireless for accessing private info.

If you are too lazy/uninterested to read the whole thing, you could jump to the end of the blogpost for some security tips.

First, let's clear up some common misconceptions.

Hackers aren't necessarily socially awkward computer geeks -- they aren't even necessarily that smart! Thanks to some easily downloadable point-and-click tools, even the "technologically-challenged" can "hack" into some stuff.
However, I guess that reaching this skill level would require lots of training

Therefore, I bet that you could easily find, in a university with 11,000 enrolled students, at least a dozen with some "hacking" knowledge.

The Risks of Using UDwireless

Ok, now to move on to the actual point of this blogpost.
When you access a website using a WiFi connection, you are communicating with the Access Point (such as a router) through wireless packets.
A hacker can, using a normal laptop, "watch" these wireless packets as they flow in the air.

Since UDwireless is unencrypted, all the packets you are sending can be easily read by the hacker.
The hacker can now know what sites you are visiting, what pages you viewed, and so on.

More importantly, the hacker can steal your cookies (yes, the technical term is cookies).
Those cookies contain unique information pertaining to your logins.
For instance, when you log in to facebook.com, a set of "cookies" is stored on your computer so that next time you visit facebook.com during the same session, your homepage would show up.

A professional hacker plotting for a cookie-theft attack

If a hacker steals your precious cookies, he/she would be able to trick facebook.com into showing him/her YOUR homepage without requiring any login.

Therefore, no matter how strong you think your password is, your account is "hacked" once your cookies are stolen.

The above scenario is not a fictional one. Literally anyone with minimal computer knowledge is able to do this.

I went on and tested that same scenario using my own Facebook account.

I logged into facebook from one laptop (Victim), while I used another (Attacker) to monitor all the traffic going from/to the Victim laptop. Note that I could've easily been spying on the traffic flowing through the entire network; however, in respect for the law and other people's privacy, I didn't.

I watched as the Attacker laptop showed me all the pictures I was viewing on facebook, and all the chat conversations I was having with my friends.
Then, still on the Attacker laptop, I copied the captured "cookies", fed them to the browser, and accessed www.facebook.com ... and as simple as that, I was able to bypass the facebook login and view my account on the Attacker laptop.

This could have easily been done to your account.

Take a moment to think of all the sites you have visited lately, and consider the number of things you don't want random individuals to be stealing from you while you are viewing these websites.
Quite a lot of private stuff, huh?

But but ... I don't want anyone going around stealing my cookies

To prevent anyone from spying on your internet traffic, make sure that you are using the HTTPS version of the website. For example, make sure you use https://www.facebook.com instead of http://www.facebook.com

When you surf websites using https, a hacker watching the wireless traffic can still see what domains you visited, but the actual content is encrypted. That is, the pages you visit and your cookies are hidden, or obfuscated.

If you are using Firefox or Chrome, I highly suggest you install the HTTPS Everywhere plugin. This plugin would force the browser to use -if available- the https version of the page you are accessing.
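An added example (not part of the original post): a small Python check of the point above, run over constructed response headers. It reports cookies that would travel unencrypted, either because the page was fetched over http:// or because the cookie lacks the `Secure` attribute and so would also be sent over http://, and it notes when an https response does not ask the browser to stay on https (the `Strict-Transport-Security` header). The function names and sample values are made up for illustration.

```python
# Added example: all header values below are constructed, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme, headers):
    """Return a list of (cookie name or None, finding code) for one response.

    scheme  -- "http" or "https": how the page was fetched
    headers -- list of (header name, value) pairs from the response
    """
    findings = []
    has_hsts = False
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if scheme == "http":
                # Anyone listening on an open network can read this cookie.
                findings.append((name, "sent-in-clear"))
            elif "secure" not in attrs:
                # Set over https, but the browser will also attach it to http:// requests.
                findings.append((name, "missing-secure"))
    # Browsers only honour this header on https responses, so only check it there.
    if scheme == "https" and not has_hsts:
        findings.append((None, "no-hsts"))
    return findings


SAMPLE_HTTPS = [  # constructed response fetched over https
    ("Set-Cookie", "session=8f2c1d; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]
SAMPLE_HTTP = [("Set-Cookie", "session=8f2c1d; Path=/; HttpOnly")]  # constructed, plain http

if __name__ == "__main__":
    print(audit_response("https", SAMPLE_HTTPS))
    print(audit_response("http", SAMPLE_HTTP))
```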

If you are a Windows user and are still using Internet Explorer, then do yourself a favor and switch to Mozilla Firefox or Google Chrome. Trust me, you won't regret it.

Is that it?

What I have discussed here is simply one of the risks involved while using the UDwireless public WiFi (or any other public WiFi). However, that is not the only danger.
Hackers sitting on your network might be able to redirect you, without your knowledge, from a legitimate webpage to fake ones and steal your passwords or even install malware on your PC. Hackers can also exploit flaws in your laptop by launching the payload via the wireless network.
These kinds of attacks are slightly more sophisticated, and UDwireless may or may not be vulnerable. I have not tested any of them as this would require permission from UDIT, and I will not discuss the attack vectors as I don't want to increase the risk of some potential so-called "hackers" making use of it to steal students' passwords and/or compromise their computers.

Bottom line, be smart while using UDwireless and double check that the website you are accessing is using "https" in its URL, especially if you are typing in important information such as passwords, credit cards, and so on.

To UDIT: Please consider using a more secure connection method. Thank you.

Extra Note for the Tech-Savvy

If you're a technologically-inclined person, and are paranoid about your privacy while using UDwireless, then I would suggest you look into using a personal VPN.

Wednesday, June 27, 2012

Personal Thoughts About #WikiBoatWednesday 's 1337 Data Leaks

This blog post comes partly because I just remembered I have a blog that I never update, and partly because I just read about one of @TheWikiBoat's dumps and found it hilarious.

So here we go ...

This post is in reference to the following dump: http://pastebin.com/kUzhSFFP
and the related news posted about it (http://news.cnet.com/8301-1009_3-57462403-83/latest-hacker-dump-looks-like-comcast-at-t-data/)

So TWB claims to have gotten its hands on Comcast employees' names and salaries huh?

Wow! How were they able to get their hands on this super sensitive database?
Could it be from this link?? http://home.comcast.net/~drbrucehartman/exercise5_4.sql
It clearly says "comcast.net", it gotta be comcast's own database backed up in Dr. Bruce Hartman's (Professor of Operations Management and Statistics) personal folder, right?

Well, wait don't these links have the same info?
http://pages.cs.wisc.edu/~dbbook/openAccess/thirdEdition/exercise_data/emp.txt
http://medicalopensource.net/mcs/ex5sql.html


Turns out this information is the set of tables used in Ramakrishnan's textbook Database Management Systems for Chapter 5 (exercise 5.4 more specifically).

Moving on to the facebook quiz UB3R leak (that contains data as fresh as 2009):
You can visit this link for even more "dumps", http://c-76-24-66-27.hsd1.ma.comcast.net/facebook/facebook-platform/Cron/ now how's that for a leak?

Not that I'm disrespecting any of your accomplishments, but you gotta admit the "Comcast database leak" is just hilarious. At least do a little bit of research before claiming to have leaked something - for your credibility's sake.

I'm now reading some twitter feeds about "#UGNazi and #TheWikiBoat will be teaming up to give you all a show this Friday!" ... I would love to see what they got in store ... I hope it's not DDoS attacks as these are becoming more and more lame.
(NB: some UGNazi members, including its self-proclaimed leader, were arrested by the FBI a couple of days ago).

Goodnight!

EDIT: I just read TheWikiBoat's statement (http://pastebin.com/43ft5UU4), and saw the "GOVERNMENT PROXY LIST LEAKED", which is in fact a list from MIT's host files (ftp://amusing.mit.edu/afs/net/admin/hosts/hosts.campus , ftp://amusing.mit.edu/afs/net/admin/hosts/hstath.txt, etc.. you can get more info by digging into the folders: ftp://amusing.mit.edu/afs/ )

EDIT 2: The "Uganda Education System Leak" also goes back to 2009 http://emailactivate.mak.ac.ug/emails-2009-2010.sql 

Thursday, November 17, 2011

Youtube Changes their Theme

So since I'm a youtube addict, I spend a lot of my time watching random youtube videos.

Today, while searching for a Pink Floyd song, I noticed that the youtube theme has changed (quite observant, eh?) ... well it's kinda hard to miss.
I think they're trying to fit it more with the "Google+" concept?


The favicon has also changed:

I'm so eager to see people's reactions to these modifications since it appears that many internet users fear change (let us all remember the 'bring back the old facebook' campaigns we see each time facebook alters anything, even as trivial as the font size)

Cheers for now ... I'll go back to enjoying Pink Floyd songs now :)

Wednesday, September 28, 2011

Enjoy the Spaghetti You Sewage Rats!

So I decided to cook today ... nothing fancy, just some macaroni and cheese.

While trying to drain the water out, my hand slipped ... I saw the spaghetti slithering their way through the sink.
A whole dish of perfectly cooked macaroni going down the drain (literally)...what a sight!

I hope you enjoy my spaghetti you stinkin' sewage rats!



Saturday, September 17, 2011

Woooo! First Blog Post!!


Robert Stolarik for The New York Times, Lousy Photoshop: Charles El-Mir

Protestors gathered in lower Manhattan for what they called a Day of Action Against Charles's No Blog Status.

"For months the protesters had planned to descend and occupy part of the streets as an expression of anger"  -- NY Times


Things have started to escalate; I should do something about that before it turns into a riot.

Therefore ... due to popular demand, I have finally decided to start my very own blog.

Now, I'm pretty sure my blog won't be as artistic as my awesome sister's blog nor as inspiring as my other awesome sister's blog. Perhaps the only thing we might have in common (besides the 'elmir' part in the URL), is that I would most probably forget about it in a few weeks and leave it un-updated (Yeah, latshe).
My blog will also not be featuring "Dear diary" entries (you know yourself).

I'll keep you with that first post until I figure out what I'm gonna be writing in this space.

To my blog readers, welcome ... grab a pizza while you're at it.
To my stalker (that's you, mum) ... where's the pizza?

So now that I have taken the first step and started the blog, perhaps protesters can focus on other equally important stuff like, say ... world peace.

Charles El-Mir for The Whatsapp Running on The Samsung Galaxy S (sarl)
---
PS: Myra, I need some simple design for this thing please *rolls eyes*