Warning: Change Your Passwords After Ad:Tech

[SeanW]

And apparently those who do pay attention are ill-informed. There's nothing to "crack" on a public wifi network. That said wifi traffic capture is not a weekend job. You either need lots of transceivers in lots of places or specialized equipment with specialized antennas or both. Most intrinsically valuable passwords that would traverse the wifi are protected by ssl, which is not trivial to break. 99.999% of the traffic on any public wifi is totally worthless which contributes a steganographic obfuscation.

If you're after website passwords, it would be trivial to pull all the POST and HTTP Basic auth requests out of a capture. As you say, SSL is a different animal, though, assuming people pay attention to the warnings their browser gives them.

I was at Sharkfest last year (conference for packet capture and analysis using Wireshark), a surprising amount of people logged in insecurely over the open network. Other than Blackhat/Defcon, I can't think of a worse place to put unencrypted passwords over the air!

(As an aside, if anyone here is in tech and happens to be going to Sharkfest this year, PM me. Awesome conference)

 

[andyt]

When you say networks use SSL are you referring to Affiliate networks? Unless there is something I'm missing maxbounty, neverblue, Hydra, Incentaclick don't have https on the log in page.

Azoogle, Copeac, affiliate.com don't have the https on the homepage, but if you leave the login fields blank and click "login" it will take you to a Https login page. Same thing for Godaddy and Namecheap.

If you go to a networks homepage and log is your id/pw unsecure if the Https is not showing? Or does it go through https once u enter it? Wonder why they don't use Https on the homepage.

At least for Max-bounty, it's not the default but you can go to an https version of the page ( https://www.maxbounty.com/) and login securely. It will keep you on the https version. Gmail is the same way.

It would be nice if there was a browser plugin that makes sure you are on the https versions of pages if you are on public wifi.

 

[Damain]

When you say networks use SSL are you referring to Affiliate networks? Unless there is something I'm missing maxbounty, neverblue, Hydra, Incentaclick don't have https on the log in page

They all post the form to a HTTPS URL.

 

[zimok]

I guarantee you guys aren't secure unless you're using a VPN tunnel...https/ssl = lol

 

[Fatbat]

Never log onto anything unsecured. Also, keep your wallet in your front pocket. Crowded conventions are a pickpockets dream - no school like the old school.

I always keep my wallet in my front pocket because sitting on it is uncomfortable.