I am on the plane killing time and just thought I would put together some thoughts going through my mind as I transition from DefCon mentality to SES.
First of all if any of you don’t know what DefCon is you should check it out. Basically its a world class hacker convention every year in Las Vegas. Its also something that is taken extremely seriously in the security world. Every networking player is here and every branch of government that has anything to do with computer security is represented. Department of Justice, Homeland Security, Department of Defense, CIA, FBI… Defcon is no joke.
Another thing about Defcon – its been kicked out of every hotel its ever been held at. I guess bad things happen when the world’s best hackers come together. I talked to one of the pit bosses at the Riviera Casino (conference host) and he said they had 3 separate meetings with law enforcement agencies about what has happened with previous defcons and how to protect themselves from hackers at this one. He said they implemented a separate IDS just to look for suspicious activity on the network (he didn’t actually say IDS but rather a “computer on the network to watch for hacker activity- I take that to mean an IDS).
I kept thinking about how totally different this is then a search engine conference. At Defcon you see all these people running around with shirts that proudly say “Blackhat” and also say “Death to white hats”.
I am new to the SES and Pubcon conference so like the first time I ever went I fired up ethereal to see what was going on the open wifi. Within seconds I had recorded over 400 passwords for smtp, aim, msn and various web form data and it was not like from stupid newbie users. It was from Google employees and Yahoo and Microsoft. Also I had aim conversations recorded. I of course deleted the data right away.
Then At SES in NYC 6 months later I was telling David Naylor about this. He was kind of surprised so I said here I will show you. We sat down on the open WIFI at New York SES and recorded 10 minutes worth of traffic. In that time there was so much unencrypted data captured on my computer that it auto-shut off cause my laptop only had FORTY GIGS OF FREE SPACE AVAILABLE… funny eh? Again I deleted everyone’s info I had captured right away.
Now check this out – at defcon they have this “wall of sheep” where they actually post in real time peoples passwords and info that were to stupid not to use a encrypted web session to there mail and web.
Well I am about to land in San Jose and I look forward to seeing you all there and I am sure they will have free internet but please keep security in mind when your using the shared public wifi at the conference. Remember everyone can see what your doing. Esp. if a lame out of date h4x0r like me can.
P.S. This is not a knock on SES or Pubcon open wifi what so ever. You are responsible for your security on the internet. This is the same thing as if you jump on a public hotspot or a hotel room wifi.
About the author...
Jeremy Schoemaker – who has written 2415 posts on ShoeMoney.com.
Hi I am Jeremy Schoemaker and ShoeMoney.com is my blog. 99% of the post here are done by me but you will see others occasionally make guest posts. This blog is fun to write but for my day job I run several online companies.
Images provided by ShutterStock
If I could – starting over 
Don’t Worry – People Know 
Split Testing with a Genetic Algorithm 
{ 47 comments… read them below or add one }
Wow, I never knew how easy it was to grab people’s passwords and information over WIFI. You said something about “encrypted web session” is there a place where a newbie like myself could go to start learning about protecting my information?
If you do a search for “The Broken” The first episode of their website goes into detail about WiFi security. Its as awesome as it is scary.
What is the best way to ensure your connection is encrypted when you are using public wifi?
Haha, interesting post – sounds like fun!
Shoemoney you have an interesting life. I would love to travel like you do. I am not much into security, but I do get around in unix and linux. Is pubcon open to the public? Funny how SES had so many insecure notebooks… Good thing to know when I go to Chicago!
shamu – shhh
Just make sure you use ssl for your email and important web pages.
Beeing a SES conference I wouldn’t expect that everyone knows how to setup a secure tunnel back to their main machines. Probably the wifi providers could implements some security messures about this.
yes please do tell about the best way to protect a wifi connection from problems like this, is that some kind of software i need to be safe? thanks shoe
I don’t get the 40gig of traffic in 10 mins bit – even if you got the full throughput of 54g then wouldn’t it take like 1.5 hours to transfer that much?
would be nice to know how to protect urself over wifi
you travel places man!! nice..
So how can you protect yourself on a public WiFi network?
hah!
Haha, Naylor mentioned that story on his radio show recently but wouldn’t name the h4x0r d00d who showed him that, I had a feeling it was you!
To the vast array of people wondering how to protect them selves on a public network.
here’s a few google links that I think will assist you.
ssh tunneling information running a ssh server on windows ssh key authentication
Personally I use a ssh tunnel when ever I’m away from the home connection.
You look very drunk in your defcon pics.
Shared hosting is the same thing. It scares me to think of all the passwords that are accessable. Most hosting accounts are wide open to intrusion.
Script kiddies and their toys..
blah.
Defcon and SES… those are the two conferences I most wish to attend.
Good comments on the security issues – they are issues which are generally not taken serioiusly enough among the webmaster community. Having done some security ‘research’ in the last couple of years, I cannot stress how much information is transmitted open to anyone, especially in this day and age of wifi communications.
To the anon with the comment about script kiddies, well, why not? If the work has already been done, I don’t see the problem with taking advantage of it. I write some scripts myself, although I don’t often make them publicly available. Also, most professional security analysts use tools and scripts themselves – why always reinvent the wheel?
Also, the fact that many ‘hackers’ are no more than script kiddies in no way minimizes the danger, as you seem to imply by the way you write them off. Many hackers do it for personal interest, and community prestige and esteem. Most script kiddies do it because they are immature and destructive. Generally, if they get ahold of your data, script kiddies are more likely to act destructively with it than an honest-to-goodness hacker.
At any rate, good job bringing this issue up Shoe – people definately need to be more aware of this at conferences. There is alot to lose!
Yeah! Funny. Thanks!
I didn’t know you were coming to DefCon. You should have dropped me a line, I would have introduced you to some people you’d probably like to know. Next time.
Any time you install any kind of wireless device make sure you have all the security settings correct, this includes but not limited to, changing the SSID, master password, master login name, enabling WEP or WAP, using MAC filter, along with a good software firewall.
“It was from Google employees and Yahoo and Microsoft.”
hehe
Most of the time there’s little you can do – if the site you’re visiting doesn’t use SSL, you’ve no choice but to either deal with plaintext details being sent, or not login. This isn’t usually an issue at home (since you’re the only one on your network – or so you should be) but in something like a conference with a shared connection it’s obviously a problem!!
For the folks who could not make it and also for you (since you couldn’t possibly see all sessions yourself either, unless you are able to split yourself up into 5 shoemoneys hehe)…
I posted ALL!! 125 session and panel video recordings from DefCon 15 up on the web and as a little bonus did I throw in a link to download the CD-Rom ISOs from the last five DefCons with tools, PDFs and PowerPoints on it as well.
Enjoy!
Hah, after reading that…He actually does!
Well thats true, but theirs alot of great information you can get from going to these conferences, not to mention the goodies
Great post, I think I’m going to be attending the next one. I missed this years too bad
http://www.optimize-pc.pipbiz.com
Pipbiz Software for optimizing your P C.
Have you ever had The feeling your P C has given up, getting old,getting slower. It happens to all us HUMANS
But there really is no need for it to Happen to your computer. Inexpensive software to optimize your P C, Making it feel like new again. All TRY BEFORE BUY down loadable. All the best names in optimization software.
Give your P C a boost, and cheer your self up too!!
Pipbiz offers Optimization Software
I still don’t dare to use wifi. To many people get it and don’t think about the risks.
the wall of sheep/shame should be put into all conferences IMHO
passing plaintext passwords (normally to access email systems) should be KILL’d
the only comment I have is that now more and more Wifi providers traffic shape the SSL connections so the speed slow’s down
regards
John Jones
http://www.johnjones.me.uk
That defcon thing sounds awesome! I want to go.
I will go next year if my finance allows
it’s not as easy as it sounds to grab passwords. most web sessions are encrypted. u can probably learn more on wikipedia
look for the padlock icon in the corner of your browser. if you dont see the icon, then the web session is not encrypted
don’t enable file sharing
just be careful. don’t login unless u know the web session is secure. also, take a look around. if you see shoe there on his laptop… he might be capturing wifi traffic.
the dumbass system admins that manage those unsecured email system should be killed
First time visiting your blog and the first time hearing anything about this. I am glad for both.
This is not good. E-mailing with so much security issues is too dangerous.
Public Wifi connections are starting to get dangerous everyday. One of your simple mistake can cause a hacked mail account, which will give you pretty much of headache.
Connecting to a VPN, your company’s or your own, first would pretty much take care most of the issues mentioned above.
Disabling your internet aware apps to automatically login/sign-in once a connection is available would also be a good idea.
bad things are bound to happen when the top hackers in the world come together. government agencies must and should take them seriously
you are a real conference and expo guy.
The hacker is amazing in terms of what he is in the modern digital format. There really has never been a person in history that can come and go so freely while still having access to so much vital information.
WiFi is not secured
Thanks for the post. Hope to see more articles regarding this one. It will really be a big help.
Thank you