On Saturday Karachi witnessed the first ever Pakistan International Social Media Summit, where 300 or more social media experts gathered at Avari for a day-long conference on the future of social media in Pakistan, organized by PC World Pakistan. In my opinion it was a great experience, and there have been many raves about it across media portals both online and offline.
What did come as a shock was the discovery that these online experts, when using their online tools, did not have adequate security to prevent anyone from hijacking their accounts. WiFi sniffing is a very simple technique: anyone on an open WiFi network can capture and read unencrypted browser traffic, literally seeing every page a person loads in their own browser. It also means that if such a tool falls into the wrong hands, passwords can easily be stolen and misused.
Enter the geek from Rawalpindi, Abdullah Saad [@Kursed], an online acquaintance whom I have known and respected for over five years, who joined us in Karachi having flown in specially from Rawalpindi. After one of the sessions he showed me screen captures of the accounts of a few dozen people who had been browsing over insecure connections during the summit. The list showed their Facebook and Twitter handles, enough to convince me that he had truly captured their browsing sessions, and enough power to make a mess had he any evil intentions. He shared this information because he wanted to alarm us about how lax we all are with our own online security: if a small sample of social media experts could not be bothered with their personal online security, what becomes of the general public, who may be exposed to such security lapses without knowing it?
I assure you Abdullah Saad had no malicious intention of hacking anyone's account, but he needed to set an example, mostly to alert us to the importance of online security. I'm glad that Saad has also chosen not to reveal the methods he used to capture these browser sessions, and I can vouch that he did no damage to any of the affected accounts. I think it is important to highlight this issue so that everyone double-checks their own online security settings.
Facebook, Twitter and even Gmail offer free encrypted connections while browsing. Please take a moment to ensure that your security is up to the mark and enable these settings:
On Facebook > Click Account Settings > Click on Account Security > check 'Browse Facebook on a Secure Connection (https)'
On Gmail > Go to Mail Settings > in the General Settings tab, go to Browser Connection and check 'Always use https'
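The settings above only protect you if the site actually keeps your session off plain HTTP. The following audit function is an added example (not part of the original post, and not the code Saad used); it inspects a site's response headers for the three things that decide whether an open-WiFi sniffer can read or replay a login session: an http-to-https redirect, a Strict-Transport-Security header, and Secure/HttpOnly flags on cookies. The responses it checks are constructed here so it runs offline.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal model of one HTTP response: request scheme, status and headers."""
    scheme: str      # "http" or "https", as the browser requested it
    status: int
    headers: list    # (name, value) pairs; Set-Cookie may legitimately repeat

    def get(self, name):
        return [v for k, v in self.headers if k.lower() == name.lower()]


def cookie_flags(set_cookie):
    """Return (cookie name, lowercase attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(http_resp, https_resp):
    """Findings that would let a passive sniffer on open WiFi read or replay the session."""
    findings = []
    loc = http_resp.get("Location")
    # A plain-http request must be bounced to https, never answered with content.
    if not (300 <= http_resp.status < 400 and loc and loc[0].lower().startswith("https://")):
        findings.append("plain http request answered instead of redirected to https")
    # HSTS tells the browser to stop sending plaintext requests at all.
    if not https_resp.get("Strict-Transport-Security"):
        findings.append("no Strict-Transport-Security header")
    # Session cookies must never travel over http (Secure) or be readable by scripts (HttpOnly).
    for sc in http_resp.get("Set-Cookie") + https_resp.get("Set-Cookie"):
        name, attrs = cookie_flags(sc)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag (sent over plain http)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK_HTTP = Response("http", 200, [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/")])
WEAK_HTTPS = Response("https", 200, [("Set-Cookie", "sid=abc123; Path=/")])
HARD_HTTP = Response("http", 301, [("Location", "https://example.test/")])
HARD_HTTPS = Response("https", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                                     ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (HARD_HTTP, HARD_HTTPS))):
        print(label, audit(*pair) or ["no findings"])
```

A site that returns no findings here is one where ticking the "always use https" box actually keeps the session cookie away from anyone sniffing the conference WiFi.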
Thank you, Saad, for taking up this issue for us all.
Comments
6 responses to “Pakistani Blogosphere Accounts Hacked during Summit”
I was really shocked when I found out that a lot of people at the Social Media Summit had not enabled SSL on their Twitter, Facebook and Gmail. It was a good thing that Saad tweeted the pic you shared above. All my accounts use SSL as I don't want my privacy to be compromised. Good job sharing this post with everyone 🙂
HTTPs neither prevents cookie hijacking nor man-in-the-middle attacks. It's worthless for stopping blocking and other forms of censorship. Many sites will have sign-ins with HTTPs and then dump users back out.
Applications such as Yahoo Messenger do not use HTTPs and expose users (and their online contacts) to stalking. Apple users’ names are broadcast regardless of whether HTTPs is used, and which is particularly dangerous for women.
Even when used, HTTPs gives false confidence.
TLS over VPN is a good start. So too is better login control. ISPs should start offering TLS to users as a premium service.
I’ve not used a WiFi connection in several years where users were not regularly subjected to some form of packet capture and stalking, so not disclosing popular tools being used is no longer sufficient to discourage bad behavior.
This is a good share. Regarding online safety, I have also posted something that I recommend to read. http://blog.merrycode.com/6-ways-your-online-iden…
🙂 Just amazing, I never took this thing so seriously….
Doesn't the WiFi encryption and authentication system suffice? I mean, if you're attending the conference, you can create a secure AP/network using these two and give out passwords to those who're there?
All ‘secure’ WiFi networks I’ve seen using passwords are vulnerable to session hijacking, man-in-the-middle attacks, and more. Some ‘bad boys’ prefer operating in those environments because of the false sense of confidence encouraged by the password process.
The focus of security needs to go beyond conference settings. It needs to recognize broader issues of online safety, security and privacy — which HTTPs largely fails to address.
Ethical issues are often poorly understood, as evidenced above. Looking at WiFi traffic is NOT HACKING and is not seen as wrong by those who do it (and which includes most teenage boys I know with computers). Instead, computer users who fail to take basic precautions are seen as inviting others to ‘join the conversation’ much as one would be invited to listen in on a loud conversation on a public bus.
Solution? Use packet-capturing and other tools to check yourself and others for vulnerabilities. Then educate.
It’s not unusual to find at least one computer attacking all the other machines in the same WiFi network, unbeknownst to the owner of the offending machine. More often than not, out of a sample of ten laptops sharing a public WiFi connection, at least one will be attacking the others. Man-in-the-middle attacks against older operating systems are particularly popular today, but threats change.
If we refuse to monitor our WiFi environments, these security threats will never be addressed.
If someone in a WiFi network is intentionally trying to attack or break into another machine, this can usually be spotted — but only if we monitor network traffic.
Whether we like it or not, we are all riding on the same bus. And we need to get used to it.