Hilton Tokyo - ID stolen via Wifi (January 2016)

Status
Not open for further replies.
Re: Hilton Tokyo - ID stolen via Wifi

Cynicor, when you joined the HH wifi were you prompted to download anything or accept anything?
The reason why I ask is that whilst SSL (technically it's TLS these days) is very secure, if you were prompted to download something to join the wifi connection something called a "root certificate" could also be installed at the same time.

Nope. I'm pretty IT savvy and I was almost definitely on the Hilton WIFI. I would have noticed if it was different.
 
Re: Hilton Tokyo - ID stolen via Wifi

Yep, got it all back. Actually, if you don't count the time I spent on the phone, I made money on the deal (interest that wouldn't have been paid!)
cynicor, did all of you get the 'hacked' funds credited back to your account by the various financial institutions?
 
Yep, agree with Mal. My laptop had too much on it, and my email was compromised at some point in this, either before or after getting the info but it's a very insecure local ISP type email.

It was much harder for them to affect my brother's accounts which were on gmail, and required social engineering it seems (the old, call up and pretend the email was going to the wrong account or similar).

Based on what has been discussed, I see three main possibilities:

- Laptop was cloned (ie, a copy of the hdd was made, and the personal details stored on it later used to answer security questions when setting up the later attack)
- Laptop had file sharing enabled when on the wifi network (pretty uncommon in default configurations of laptops etc these days, but can still be set up accidentally)
- Email compromised and like the laptop contained enough personal identification to bypass security checking.

This wasn't a simple attack. The perps needed enough personal information to bypass security for porting phones, logging into internet banking (or to get the password reset to log on).

There is much more to this!
 
Find a bank that doesn't use SSL/TLS.
Indeed find a webmail or social media app that doesn't use it these days

I personally think SSL provides pretty good protection against most vectors.
People installing a keylogger on unlocked laptops is probably the biggest risk I see.

Ironically, this site doesn't use SSL or HTTPS. I'm not saying that using a non-secure bulletin board worries me, but I wouldn't trust any financial site that didn't force HTTPS.

HTTPS implies SSL/TLS, and uses certificate-driven encryption to set up a totally secure tunnel from you to the far end, whether you're using a VPN or not. The Wikipedia article on HTTPS is relatively readable, and explains how that works. In general, it's not possible for a snooper to identify specific data on an encrypted page, although there are ways to work out what page you were on.... maybe.

Many anti-virus packages (eg: Kaspersky) go even further and force usage of a separate browser instance if they think there might be a financial transaction happening.

By definition, if your communication to the far end uses HTTPS (and that's obvious from the command line, and generally a little padlock symbol) then a man-in-the-middle attack is not possible.
 
Ironically, this site doesn't use SSL or HTTPS. I'm not saying that using a non-secure bulletin board worries me, but I wouldn't trust any financial site that didn't force HTTPS.

I brought this up awhile ago in the feedback section
 
I brought this up awhile ago in the feedback section

Should it though?

I notice many account logins can remember passwords etc. NAB seems to actually open a new page altogether and requires details to be entered each time ie password/account no. remembering via the computer is not possible. Is this the Kaspersky that themaiz spoke of?
 
There isn't an excuse anymore for websites that you enter an username and password not to have HTTPS set as required
 

Should it though?

I notice many account logins can remember passwords etc. NAB seems to actually open a new page altogether and requires details to be entered each time ie password/account no. remembering via the computer is not possible. Is this the Kaspersky that themaiz spoke of?

Usually remembered by a cookie set in your browser. Try opening the same page in incognito mode and you will find there are no details pre-filled.
 
I brought this up awhile ago in the feedback section
And what was the answer? Does seem strange, but then this is a very technical site with possibly a lot of modifications and hooks beyond the basic PHPBB code. It's also one of the best bulletin boards I know, so given a choice I accept it the way it is.
 
Should it though?

I notice many account logins can remember passwords etc. NAB seems to actually open a new page altogether and requires details to be entered each time ie password/account no. remembering via the computer is not possible. Is this the Kaspersky that themaiz spoke of?

As jbman said, that's cookies at work on the local machine, and specifically the browser. So if you log on with Chrome, and allow the password to be remembered, it will be filled in next time you access that site with Chrome. But it won't be remembered if you access the site with IE, because it's different cookies. And it won't be remembered if you access the same site with Chrome on another device.

The correct answer if you're at all concerned about passwords, is to not let the browser remember them. Or, if the password is remembered and you don't want that, use the settings to go back and delete the password from the browser's memory. It's a choice of convenience vs security, and I'd much rather look up a password than risk being compromised. In the case of the OP, for whom I feel immensely, that was significant compromise!!

BTW, the Kaspersky Safe Money thing is that it opens a completely new browser window for the actual logon and transaction. It's literally a cocoon; I believe that feature is intended to ensure that no session remnants are brought in, nothing is left when the session is closed, no part of the transaction is unsecured, and none of your keystrokes can be tracked and that nothing is passed via the clipboard. It's sometimes annoyingly over-the-top, but I've never been compromised, so maybe it helps?
 
And what was the answer? Does seem strange, but then this is a very technical site with possibly a lot of modifications and hooks beyond the basic PHPBB code. It's also one of the best bulletin boards I know, so given a choice I accept it the way it is.

Enabling HTTPS on a site is pretty trivial and minimum cost (cost of a certificate is well under $100 for a couple of years validity).

Zero excuse for any website not to be using HTTPS, especially if you need to log in to access it. If using an open WiFi network anyone with a little know-how would be able to see your login username and password. If you then use the same credentials on other sites...oh dear!
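An added example, not from the thread or the AFF site, of the check the posters above are arguing for: given the raw response to an http:// request and to the https:// one, it reports whether the site really forces HTTPS (plain request redirected, HSTS set, session cookies flagged Secure/HttpOnly). The host forum.example, the cookie name and both pairs of sample responses are constructed.

```python
# Added example, not from the thread: checks whether a site forces HTTPS.
# Input is the raw response to an http:// request and to the https:// one;
# output says if plain HTTP redirects, if HSTS is set, and which cookies are weak.
from dataclasses import dataclass, field

@dataclass
class HttpsReport:
    redirects_to_https: bool
    has_hsts: bool
    insecure_cookies: list = field(default_factory=list)

    @property
    def enforces_https(self) -> bool:
        return self.redirects_to_https and self.has_hsts and not self.insecure_cookies

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, [(name, value)])."""
    status_line, *header_lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(status_line.split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in header_lines)]
    return status, headers

def cookie_is_secure(set_cookie: str) -> bool:
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs

def assess(http_response: str, https_response: str) -> HttpsReport:
    status, headers = parse_response(http_response)
    location = next((v for n, v in headers if n == "location"), "")
    redirects = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    # Browsers only honour HSTS and cookie flags on the TLS response, so check there.
    _, s_headers = parse_response(https_response)
    hsts = any(n == "strict-transport-security" for n, _ in s_headers)
    insecure = [v.split("=", 1)[0] for n, v in s_headers
                if n == "set-cookie" and not cookie_is_secure(v)]
    return HttpsReport(redirects, hsts, insecure)

# Constructed samples (hypothetical host/cookie): a board serving its login over
# plain HTTP with an unprotected session cookie, and a hardened configuration.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form>login</form>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nSet-Cookie: phpbb_sid=abc123; Path=/\r\n\r\n"
HARDENED_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://forum.example/login\r\n\r\n")
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                  "Set-Cookie: phpbb_sid=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    print("weak:", assess(WEAK_HTTP, WEAK_HTTPS))
    print("hardened:", assess(HARDENED_HTTP, HARDENED_HTTPS))
```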
 

Use https://letsencrypt.org/ and the certs are free

When I brought this up before (October 2016) I was told
"We do have a security certificate and you can access AFF via https - https://www.australianfrequentflyer.com.au/community/. It is not the default and some internal links are hard coded, so AFF may revert to the standard http protocol when following these links."

I tested it with the HTTPS everywhere plugin and had issues making posts and getting script errors.
http://www.australianfrequentflyer....ons-and-feedback/https-for-website-78987.html


Hopefully the updated version of AFF is fully HTTPS, as most people would be using this site at some point on open free wifi, meaning their login details are being passed unencrypted.
 
I hope this is helpful to the OP and others who are unfamiliar with HTTPS, SSL and TLS. When it works, which should be 100% of the time for any commercial transaction these days, it's transparent and effective.

But it might not require you to log into a site or app unsecurely. For instance, if you use a non-secure link to look at a list of your passwords, AND if someone is watching, your security might be compromised.

When I tried https for this BB, I got weird results, and jbman has confirmed what I thought about the site's coding.

It's not a big deal though: I'm protected to the extent that my password for this site is unique (is used for NOTHING else), and there's no personal information here that I wouldn't share.
 
A good quality password manager is a great advantage, since it will produce long and complex passwords that you never need to remember. Something like LastPass is good, though I also use the password manager built into Chrome. (See your passwords at passwords.google.com ). I trust Google's security far more than I do anyone else's. You could also run a password manager on your mobile phone.

One caveat: LastPass and others do produce browser plugins. I'd caution against using these: it's one more thing to be attacked. Trust the Chrome password manager, and/or type passwords in.

There are a couple of disadvantages with the Chrome password manager for me:
1. As far as I can tell, if someone gets access to your laptop, once they open Chrome they can then use any saved login details without any further restriction. That's not true with LastPass - I have it set up so that every time I start a new browser session, I have to re-enter my LastPass credentials before I can access anything saved within LastPass.
2. LastPass allows me to easily access the same info on various devices - i.e. laptop, phone and iPad. I don't think the Chrome password manager does that, but I could be wrong.

Interesting comment about browser plugins - I do use the LastPass plugins. How much of an issue is this? Sorry, as I mentioned earlier, this is not exactly my area of expertise, so it's not obvious to me why this is a risk.
 
There are a couple of disadvantages with the Chrome password manager for me:
1. As far as I can tell, if someone gets access to your laptop, once they open Chrome they can then use any saved login details without any further restriction.
Absolutely true, but the critical phrase here is: "if someone gets access to your laptop". That's got to be the first line of defence. Don't make it easy for someone to get into the laptop if it (literally) falls into the wrong hands. Non-trivial unlock password, non-trivial logon password, and NO access to the userids they might expect (eg: administrator). And, if you REALLY want to go the full hog, allow the hardware to lock or encrypt the disk so that there's no access to your files if they take the disk out and scan it.

Chrome password memory (for Windows) is accessed via Settings/Advanced/Passwords, and if you're in there AND you know that machine's Windows password, then you can visibly expose the passwords that Chrome has saved. I'm a strong believer in NOT using Chrome's memory for passwords that are critical, but to be fair someone has to get to Chrome before that is an attack vector. They would physically need to have hands on your machine. Secure your machine!!

That's not true with LastPass - I have it set up so that every time I start a new browser session, I have to re-enter my LastPass credentials before I can access anything saved within LastPass.
2. LastPass allows me to easily access the same info on various devices - i.e. laptop, phone and iPad. I don't think the Chrome password manager does that, but I could be wrong.
Again, that's a good strategy provided nobody can guess or find your credentials for LastPass.

I'm still, and will continue to be, curious about the attack vector that got the OP into trouble.
 
There are a couple of disadvantages with the Chrome password manager for me:
1. As far as I can tell, if someone gets access to your laptop, once they open Chrome they can then use any saved login details without any further restriction. That's not true with LastPass - I have it set up so that every time I start a new browser session, I have to re-enter my LastPass credentials before I can access anything saved within LastPass.
2. LastPass allows me to easily access the same info on various devices - i.e. laptop, phone and iPad. I don't think the Chrome password manager does that, but I could be wrong.

Interesting comment about browser plugins - I do use the LastPass plugins. How much of an issue is this? Sorry, as I mentioned earlier, this is not exactly my area of expertise, so it's not obvious to me why this is a risk.

I'm not a Chrome user (I use Firefox) but surely you can set a master password for the Chrome password manager?
 
Re: Hilton Tokyo - ID stolen via Wifi

Nope. I'm pretty IT savvy and I was almost definitely on the Hilton WIFI. I would have noticed if it was different.

Question, how exactly would you have noticed if it was different?
 
Absolutely true, but the critical phrase here is: "if someone gets access to your laptop". That's got to be the first line of defence. Don't make it easy for someone to get into the laptop if it (literally) falls into the wrong hands. Non-trivial unlock password, non-trivial logon password, and NO access to the userids they might expect (eg: administrator). And, if you REALLY want to go the full hog, allow the hardware to lock or encrypt the disk so that there's no access to your files if they take the disk out and scan it.

Yes I agree with all that, but as someone mentioned previously, you can't entirely exclude the possibility that this will happen if someone is really determined - e.g. use of a hidden camera to see your logon/unlock password, followed by physical theft of the laptop.

I'm not a Chrome user (I use Firefox) but surely you can set a master password for the Chrome password manager?

I have not found a way to get it to do what LastPass does, i.e. require re-entry of the master password each time a new browser session is started. As before though, I'm not claiming to be an expert so maybe it can be done!
 
Yes I agree with all that, but as someone mentioned previously, you can't entirely exclude the possibility that this will happen if someone is really determined - e.g. use of a hidden camera to see your logon/unlock password, followed by physical theft of the laptop.

Yipes. If that's what's going on, I don't want to be in that hotel. I mean... what else could they be doing with a camera? But it's improbable that someone would have an invisible camera so well placed that they could accurately decode images of your typing in an actual room.

I've been noodling around the idea that an attacker might hide out in an adjacent room, spoof the hotel's SSID (so that you think you're connected to the hotel but really going via the attacker's IP path) and scan your packets on the way through. At a practical level, this seems more spy-movie stuff. It's not hard to do and it might yield, but it would be a random numbers game; it doesn't seem like a good business model unless you are targeting someone specific. If that's the case, there'd be a pattern of victims that would be obvious to investigation, there would be evidence of inside help, there would be pressure from banks... again, not reputation building for a major chain hotel. Unlikely, IMHO.
 
Yipes. If that's what's going on, I don't want to be in that hotel. I mean... what else could they be doing with a camera? But it's improbable that someone would have an invisible camera so well placed that they could accurately decode images of your typing in an actual room.

I've been noodling around the idea that an attacker might hide out in an adjacent room, spoof the hotel's SSID (so that you think you're connected to the hotel but really going via the attacker's IP path) and scan your packets on the way through. At a practical level, this seems more spy-movie stuff. It's not hard to do and it might yield, but it would be a random numbers game; it doesn't seem like a good business model unless you are targeting someone specific. If that's the case, there'd be a pattern of victims that would be obvious to investigation, there would be evidence of inside help, there would be pressure from banks... again, not reputation building for a major chain hotel. Unlikely, IMHO.

Yep, it all seems a bit far fetched to me too, but I wonder if I'm just being naïve in thinking like that. As for accessing the laptop, physically watching you logging in by "shoulder surfing" followed by pinching the laptop doesn't seem to be beyond the bounds of possibility (I mean in general - not suggesting this was what happened to Cynicor).
 