This weekend I was privileged enough to be asked to come to the 2nd annual Privacy Camp Toronto. Without any expectation of what this event was going to focus on, I was fascinated by how many different issues related to privacy there really are. From the very beginning of the morning I knew it was going to be an awesome day with Allen Gunner as the moderator of this “unconference”. He was one of the best moderators I have seen and he made the day go by so quickly. The first activity that Gunner introduced was the “analog line”, a long line from one side of the room to the other. He asked questions about privacy and everyone moved along the line according to their opinion: one end was strongly agree, the other strongly disagree. This was an excellent icebreaker and really got everyone talking about their points of view. After this activity we broke up into groups for some mini presentations from a few speakers.

There was one presentation that really caught my eye. It was a new website called “Hibe”, which aims to be a privacy-geared social networking site. Their goal was to create a service that allows its users to maintain multiple profiles based on their personal, professional and academic lives. Users can choose who can see what, so dilemmas like adding your boss on Facebook can be avoided. It is great to see such initiatives being taken to ensure that users who want a fully private social network can have one.

After lunch we met back as a group and did an activity that involved writing questions on sticky notes and placing them on a wall. Then we grouped all the questions into categories and really got to see the wide variety of topics that people wanted to discuss. After this activity we broke up into groups again, just like in the morning, and I headed over to a techy presentation about privacy at the coding level. This was a great conversation about the different ways developers can protect the public at the code level and not let users make privacy mistakes without knowing about it. The group decided that education on a public level is what is necessary to ensure privacy. Many people simply do not understand that although they are looking at their Facebook account through their own computers, they are sending their data to a general server, usually outside the country, that can be data-mined. This talk concluded that the only real way to ensure this sort of privacy is to provide everyone in the world who has internet access with a server that they can run 24/7 in their homes. This way they own all the information on their server and no one else can access it unless a chain of trust is provided.

Overall the day was extremely successful and I really learned a lot. After getting home I really wanted to see how easy it was to steal information from people with unprotected Wi-Fi routers. I knew that I wanted to use a Wi-Fi sniffer to capture each packet, and I knew there were hundreds of scripts written for computers, but since this was 2011 I knew that a creepy guy with a laptop in a car was not going to cut it. I wanted to use my iPhone as a Wi-Fi sniffer so that it could seem as though I was just using my phone while looking for some awesome regex credentials 🙂 *During these tests I only used my own personal connection, not anyone else's, if anyone is worried.

With a quick Google search I found the perfect app that did just that (yes, there really is an app for everything). It is called Pirni and it is available on Cydia. After downloading the app I found that just by pressing a button I was able to capture every single packet that was on the network. This really scared me.

In about 30 seconds I had a 1.9 MB text file with hundreds of cookies, passwords, URLs and other encrypted information. To be fair, most of the information in this text file was encrypted, but there are a lot of things, like cookies, that are completely visible. Here is an example of a Facebook login or request from someone in my house. The actual password is not shown for obvious reasons.

As you can see in the image above, there is so much metadata and real information being sent. Every single website that a user on the network visits is completely vulnerable to these sniffers unless the traffic is encrypted with HTTPS. This is why it is very important to make sure you are using the https:// and not the http:// address when logging in to any financial institution or a website that has your credit card number linked to your account.
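As a defender-side complement to the point above (an added example, not code from the original post): a small Python audit that reads a site's own login-response headers and flags cookies missing the Secure attribute, which is what lets a session cookie travel in plain HTTP and show up in a capture like the one described, plus whether HSTS is set. The response headers and cookie names are constructed sample data for a hypothetical site.

```python
from typing import Dict, List

# Constructed sample response headers (hypothetical site, not from the post):
# a login endpoint that sets three cookies with differing attributes.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: remember=xyz; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT
Set-Cookie: csrftoken=q1w2e3; Path=/; Secure; HttpOnly
Content-Length: 1234
"""

def parse_headers(raw: str) -> List[tuple]:
    """Split raw HTTP response headers into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookies(raw: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [problems]} for cookies a passive sniffer could read.
    Without Secure, the browser also sends the cookie on plain http:// requests,
    so anyone capturing packets on the same open Wi-Fi sees the session token."""
    findings: Dict[str, List[str]] = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # attribute names after the first ';' (Path, Expires, Secure, HttpOnly, ...)
        attrs = {a.split("=", 1)[0].strip().lower() for a in value.split(";")[1:]}
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent over plain HTTP too")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings[cookie_name] = problems
    return findings

def has_hsts(raw: str) -> bool:
    """True if Strict-Transport-Security is set, pinning browsers to HTTPS."""
    return any(n == "strict-transport-security" for n, _ in parse_headers(raw))

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_RESPONSE).items():
        print(cookie, "->", "; ".join(problems))
    print("HSTS present:", has_hsts(SAMPLE_RESPONSE))
```

Run it against headers captured from your own site (for example with curl -I) to see which cookies would survive a plain-HTTP request.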

Although it is possible to get all sorts of info this way, it is extremely time consuming to do and you really have to be lucky to find something good. The app that I installed on my phone also has settings to sniff for specific keywords or phrases so that only valuable information like usernames and passwords will be collected. This really does work great if you know the regex of the website you are looking for. By default Pirni comes with three regexes built in: one for vBulletin, one for phpBB and a generic username and password field. I wanted to test this out so I went to my favourite vBulletin-based forum, “psx-scene”, and tried it out. To be safe I used a fake password, but it worked very quickly.

This live feed shows that I logged in with the username vcazan and the password “password” after the MD5 checksum is decrypted. I will be looking for more regex options for other sites such as WordPress.

This has really shown me how at risk the general public is from these types of sniffers, and how having an unprotected internet connection could really mean losing your privacy online.

5 Responses to “PrivacyCampTO – How easy it is for me to steal your information”

  1. Great post Vlad! I’m working on a wrap up post for both my blog and the privacycampTO blog and will link you!

  2. […] Vlad Cazan – PrivacyCampTO – How easy it is for me to steal your information […]

  3. […] Melanie Ching (and social post event organizer) wrote a recap of the event and Vlad Cazan posted his review of the day (and of […]
