I have written software that enables any moderately experienced computer user to easily intercept login data of popular websites and platforms such as Facebook, Twitter, PayPal, LinkedIn, Dropbox and WordPress. In future releases Yahoo, Google and Microsoft Hotmail/Live will be supported as well.
This means that I, or anybody else, am able to take over your account without you even realizing it. I can post on your wall, see your private pictures, change your profile and send e-mails from your account.
I will release my software to the public within one week.
Please note that, although it might seem otherwise, this software is not intended to be a hacking tool. My primary goal with this release is to create awareness of the great security risks involved with these websites, and of the relative ease with which even moderately experienced computer users can hack into them.
In the following paragraphs, I will suggest various methods to counter them, for the sake of the users’ security.
We send large amounts of sensitive data via the web every day. Large companies such as Facebook, Twitter and financial institutions put a lot of effort in keeping their security as effective as possible.
Despite their efforts, there are some areas they have no influence over.
1. If your home WiFi network is not protected appropriately, an intruder can connect to your network. This can also be done from several hundred meters away from the router by means of a tuned, home-made WiFi antenna.
2. When using public networks (e.g. at universities, schools, Starbucks etc.), any user on the same network can take over the data stream and modify it.
Individuals can intercept usernames, passwords and complete running Facebook or e-banking sessions, and can inject data. Instead of the Firefox_Install.exe that you wanted to download, the attacker injects his own infected file. With a minimum of effort a computer can be bugged, and the mechanisms that are supposed to protect your system or installed software are circumvented or deactivated (Skype still has weaknesses today).
How data streams can be owned, how to intercept usernames/passwords and how to take over running sessions (Facebook, LinkedIn, …) will be demonstrated with the tool that I will release in about one week.
Whenever possible, encryption should be activated. This is important in two places:
- in a home or public WiFi network
- while sending or receiving data over a network (mostly through a browser or an e-mail program)
- If encryption is not activated at all, or you are using WEP: activate WPA2. If you don’t know how to do it, ask a trustworthy teenager in your neighborhood.
- A reliable password needs at least 10 characters, including lower case and capital letters, numbers and, if possible, a special character. Don’t use a password that can be found in a dictionary (in any language). Computers are fast. Damn fast. If you use a password that appears in a dictionary, a computer will find it in a reasonable amount of time.
- Check if your router supports WPS. If yes: switch it off! If you don’t know how, go and ask the same teenager that activated WPA2, or go to the place where you bought the WiFi router.
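The password rule above (at least 10 characters, lower and upper case, a digit, ideally a special character, and not a dictionary word) can be checked mechanically. The following is an added example, not code from the original post or from the tool it announces; the word list is a constructed stand-in for a real multi-language dictionary, and the dictionary check also strips digits and symbols so that padding a dictionary word (e.g. "Sunshine2012!") is still caught.

```python
import re

# Constructed sample word list standing in for a real dictionary (assumption:
# a real checker would load large word lists in several languages).
SAMPLE_DICTIONARY = {"password", "sunshine", "dragon", "welcome", "passwort", "soleil"}

# Rules that must hold; the special-character rule is advisory ("if possible").
REQUIRED_CHECKS = [
    (lambda p: len(p) >= 10, "shorter than 10 characters"),
    (lambda p: re.search(r"[a-z]", p), "no lower case letter"),
    (lambda p: re.search(r"[A-Z]", p), "no capital letter"),
    (lambda p: re.search(r"[0-9]", p), "no number"),
]
ADVISORY_CHECKS = [
    (lambda p: re.search(r"[^A-Za-z0-9]", p), "no special character (advisory)"),
]


def dictionary_core(password):
    """Letters only, lower-cased: 'Sunshine2012!' -> 'sunshine'."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = [msg for ok, msg in REQUIRED_CHECKS if not ok(password)]
    problems += [msg for ok, msg in ADVISORY_CHECKS if not ok(password)]
    if password.lower() in dictionary or dictionary_core(password) in dictionary:
        problems.append("based on a dictionary word")
    return problems


def is_acceptable(password, dictionary=SAMPLE_DICTIONARY):
    """True when no required rule is violated (advisory findings are tolerated)."""
    return all(not m.endswith("(advisory)") is False or True for m in [])  # placeholder kept simple below
    

def is_acceptable(password, dictionary=SAMPLE_DICTIONARY):  # noqa: F811 (final definition)
    required = [m for m in check_password(password, dictionary) if not m.endswith("(advisory)")]
    return not required


if __name__ == "__main__":
    for candidate in ["Sunshine2012!", "short1A", "T7q#mRv2pL", "correcthorsebatterystaple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The `dictionary_core` step matters: most dictionary attacks try common suffixes and substitutions, so a check that only compares the literal password against the word list misses exactly the passwords people actually choose.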
Most pages such as Google, Twitter or Facebook support encrypted access to their homepage.
If the connection is unencrypted the address in the browser looks like this:
If the connection is encrypted the address looks like this :
If nothing is written in front of the address, the connection is probably unencrypted:
The S in https makes the difference and stands for secure.
Very often pages don’t support encryption, and if they do, one has to type in the https oneself, which is tedious.
- Use https instead of http wherever possible. Not all pages support https, and then your browser will show you an error message. If that is the case, you have to decide yourself whether http is safe enough for what you want to do.
- As one gets careless and lazy with time and forgets the first rule, you can do as follows: if you are using Google Chrome or Firefox, install the [ 1 ] HTTPS-Everywhere extension. For any other browser (Internet Explorer, Safari, Opera etc.) there is no alternative (yet). Either you install another browser or you manually change the http to https.
[ 1 ] https://www.eff.org/https-everywhere/