Warning: Change Your Passwords After Ad:Tech

Status
Not open for further replies.

Derek Pankaew

New member
Mar 10, 2009
Most affiliates don't really pay attention to security. Open networks like the one at Ad Tech are very easy to crack; and sniffing passwords is as easy as monitoring the traffic data on the network.

There is literally no protection against someone just picking up your data and isolating your password.

Dozens of affiliates were logging into accounts worth thousands if not millions of dollars. There were at least two people I know of who were joking about how easy it would be to steal keywords at Ad Tech.

My friends didn't do it, but someone else may have. It's a lot of money on the table. If you have keywords, campaigns or data worth protecting and you logged in to your AdWords, your affiliate accounts or your tracking at Ad Tech, then it's probably a good idea to change your passwords.

- Derek
 


Very basic but important. I recommend getting a cert for your Prosper server too so you can log in over HTTPS.
 
Me and my roommate were sitting in Psychology class (800 person class) and he showed me how to packet sniff. Anything anybody logged into during that class, we had the password to it (unsecured connections only, of course).
 
Me and my roommate were sitting in Psychology class (800 person class) and he showed me how to packet sniff. Anything anybody logged into during that class, we had the password to it (unsecured connections only, of course).


Want to make a couple bucks? LOL, just joking. I would be interested to see how that is done though......kind of crazy.
 
What if I'm using software like RoboForm to log in to my stuff? Are the passwords still able to be compromised?
 
Would using secure tunnel services like Gotrusted help in this case?

Any recommendations of how to securely log into tracking/etc when traveling out of the office? Am I good to go with an aircard and some secure tunnel service?

Most affiliates don't really pay attention to security. Open networks like the one at Ad Tech are very easy to crack; and sniffing passwords is as easy as monitoring the traffic data on the network.

There is literally no protection against someone just picking up your data and isolating your password.

Dozens of affiliates were logging into accounts worth thousands if not millions of dollars. There were at least two people I know of who were joking about how easy it would be to steal keywords at Ad Tech.

My friends didn't do it, but someone else may have. It's a lot of money on the table. If you have keywords, campaigns or data worth protecting and you logged in to your AdWords, your affiliate accounts or your tracking at Ad Tech, then it's probably a good idea to change your passwords.

- Derek
 
Why are you logging into anything unsecurely anyway? I'm pretty sure that all networks use SSL, and my email is always always SSL as well. If you're running a tracking script on your own, that should be behind SSL as well. It's just common sense.
 
Hahah, if you think this is scary you should check out what RATs do and what a mean-spirited person can do with web browser exploits (hint: they can install a RAT on your computer without you knowing when you visit a malicious website like CNN from an XSSed link) :D
 
Most affiliates don't really pay attention to security. Open networks like the one at Ad Tech are very easy to crack; and sniffing passwords is as easy as monitoring the traffic data on the network.

And apparently those who do pay attention are ill-informed. There's nothing to "crack" on a public wifi network. That said, wifi traffic capture is not a weekend job. You either need lots of transceivers in lots of places or specialized equipment with specialized antennas or both. Most intrinsically valuable passwords that would traverse the wifi are protected by SSL, which is not trivial to break. 99.999% of the traffic on any public wifi is totally worthless, which contributes a steganographic obfuscation.
 
When doing this, did you have any issues with IE7? Like it warns the user of a certificate error which would lower your convs. Did you come up with a fix for this? Wes from masterlesssamurai has a post on it.
How To Install Prosper202 On An SSL (HTTPS) Server | MasterlessSamurai.com

I would only use SSL for logging in, not for my redirects.

Edit: basically I would not do steps 3 and 4 in his guide. I don't need all traffic going over HTTPS (in fact that might slow things down and result in unforeseen problems like the one mentioned about IE7).
 
And apparently those who do pay attention are ill-informed. There's nothing to "crack" on a public wifi network. That said, wifi traffic capture is not a weekend job. You either need lots of transceivers in lots of places or specialized equipment with specialized antennas or both. Most intrinsically valuable passwords that would traverse the wifi are protected by SSL, which is not trivial to break. 99.999% of the traffic on any public wifi is totally worthless, which contributes a steganographic obfuscation.
This.
 
Never log onto anything unsecured. Also, keep your wallet in your front pocket. Crowded conventions are a pickpocket's dream - no school like the old school.
 
When you say networks use SSL, are you referring to affiliate networks? Unless there is something I'm missing, maxbounty, neverblue, Hydra, Incentaclick don't have HTTPS on the login page.

Azoogle, Copeac, affiliate.com don't have HTTPS on the homepage, but if you leave the login fields blank and click "login" it will take you to an HTTPS login page. Same thing for Godaddy and Namecheap.

If you go to a network's homepage and log in, is your ID/PW unsecure if the HTTPS is not showing? Or does it go through HTTPS once you enter it? Wonder why they don't use HTTPS on the homepage.

Why are you logging into anything unsecurely anyway? I'm pretty sure that all networks use SSL, and my email is always always SSL as well. If you're running a tracking script on your own, that should be behind SSL as well. It's just common sense.
 