pinkytoe, posted February 20, 2013 (edited)

Hi guys,

(I have gotten permission from one of the Mods here to post this, so I think it's okay)

I already feel out of my depth here by looking at a few topics :)

I am a webmaster for an up and coming poker news website - Flushdraw dot com. I have a good number of years in the online gambling/poker niche and am always looking to offer value to my readers. As part of this value I am looking for a technically gifted candidate to perform a task for me.

In my niche there is a threat for players with regards to data security. Many players (recreational and professional) are very unaware of the dangers of playing (or even browsing) online using an un-secure Wifi connection. When they play on open Wifi networks they are open to poker exploitation (I think!) and data fraud. I am hoping to highlight the dangers and security threats for these players.

Below I will outline the details of what I want and feel free to ask me any questions.

What I would like is 1 or 2 videos made by a security expert showing:

1) The dangers of using an open Wifi connection for credit cards, data, email passwords etc... and

2) The dangers of playing online poker or casino games (for real money) over an open Wifi connection.

I assume there is a way to exploit someone playing an online poker game on an un-secure connection but you the security expert would be better able to tell me this.

When I say the video should show the dangers, I mean the candidate should show it being done whilst explaining how (easy) they did it. When I say 1 or 2 videos, it means that if number 2 can be done, I want two videos. I assume videos will be made in HD using Camtasia (if available on Linux) or some other desktop recording software.

In addition to this, I would like the expert to write a few words on the subject. I assume about 300-500 words detailing the risks, consequences and precautions.
Excellent writing skills are not exactly required as our editing team can change it up - we just need the technical know-how to produce the content.

Requirements:

You need to know what you are doing. If you are not a security expert, I will know. I have friends in this vertical that will be analysing applications and submissions.
You should have a company and/or security website (for accreditation and background research check). Your website will be mentioned with the video.
You should have exemplary English. I do not care if you are foreign, once you speak very good English :)
You should be very anal about your work. I want perfection to a clean finished product.
You should be able to speak jargon in layman's terms. The audience will range from very internet savvy to not so savvy.

Payment:

While I hate to say this and it probably works out badly for me is: I am quite flexible on this. I would like users to give me either an hourly rate and estimated number of hours, or a fixed price for the job. Cost is not my concern here, it's quality - Although I'm not retarded. I will know what is a blatant overprice. I can pay on PayPal or MoneyBookers (Skrill) or even work with something else. If there are any concerns, I am willing to discuss Escrow with one of the Mods here (if they oblige) or with Escrow.com.

Submissions:

Please PM me as much relevant information as possible. I want to see samples of your videos in the past, your thoughts, your opinions, your experience, etc... Show off to me. Also please include your hourly rate x estimate number of hours or your fixed price proposal.

I am open to a discussion here too guys about any suggestions or opinions you may have. Again feel free to ask any questions.

Thanks

Edited February 20, 2013 by pinkytoe
digip, posted February 20, 2013

Um, you could just hit YouTube and Vimeo, or SecurityTube and search for video demos on breaking WEP and WPA and reaver attacks. Plenty already out there demonstrating these flaws, why reinvent the wheel?
pinkytoe (Author), posted February 20, 2013 (edited)

Hi digip

Thanks for your reply. Ideally I would like the video to be directly related to poker and include narrative relating to the audience. While the flaws exist and they are highlighted already - simply posting a video of this will bore, overwhelm and mean very little to the viewer unless it relates to poker and how they are in danger.

Thanks

Edited February 20, 2013 by pinkytoe
airman_dopey, posted February 20, 2013

Number one is extremely easy to accomplish as there have been numerous topics done on it in the past. I am unsure on number two though unless you are simply referring to capturing credentials (similar to capturing banking login creds). Anything further and I would be concerned with the legal ramifications from openly attacking another company for the sake of posting on your site.
pinkytoe (Author), posted February 20, 2013

Airman,

On Number 2. Would someone's activity not be visible if they are on an un-secure network? I.e. you could more or less see their screen? I am not looking to compromise poker clients software, more highlight what can be done to users who are operating on an unsecure network.
airman_dopey, posted February 20, 2013

Assuming the poker site is not running HSTS (preventing unsecure connections, or straight HTTP vs HTTPS) then yes; you could sniff the traffic en route. Perhaps it is simply my infancy into security (only been working at it a couple years) but I would assume gaining their login creds (or capturing their credit card numbers if you happen to be sniffing at that time) would be much more detrimental than monitoring what they are doing inside the game. From there you could easily (I assume) log in as them, sit down at your table, all in real cash, and lose. Bye bye money.

If the site is running HSTS you would need to create a dummy page that looks like the real deal (no pun intended) and trick your target into logging in to your page.

Also not sure how much info you're looking to give. Do you want to suggest SSH/VPN tunnels? Do you want to explain what is being done? Or are you simply looking for scare tactics (very effective and nothing wrong with it).
pinkytoe (Author), posted February 20, 2013

Thanks for your reply again,

I would assume most poker sites are running HSTS - the traffic between poker client and web server would be encrypted.

I would like to highlight/show the user what can be done to them while on an un-secure network for 1) personal sensitive data, Facebook, Email, Credit Card etc. and 2) Show how they can even be exploited while using a poker client - not by compromising the client, but by being on an un-secure network and someone has the ability to remotely access their activities.

I am getting from what you are saying that because of the HSTS, the only way to remotely access their device is directing them to a phishing page or inserting malicious code?

The amount of info required would be a visual demonstration and audio narration of what is being done. I expect each video to be 5-10 mins long. Here is a similar video style that was released by a Software exploit found.

Thanks
airman_dopey, posted February 20, 2013

Most (if not all) of the vulnerabilities discovered and released would have been patched. I think (though correct me if I'm wrong) you want another vulnerability discovered and recorded for your site.
pinkytoe (Author), posted February 20, 2013

I am looking for WiFi vulnerabilities for poker players. There are vulnerabilities there for password and data protection for sure - which I would like highlighted and tailored for my site and poker players. If there are any other vulnerabilities specific to poker players (as in remotely viewing their machine) then I want that too.

I don't want to compromise or try to find an exploit in a poker client. Just an open or unsecure WiFi connection. I am unsure if the second part can be done, or makes sense - but if it does, then I want it :)
sober, posted February 23, 2013

I will take a look at a few clients this weekend and go from there. I haven't played since Full Tilt got shut down so time to see what's popular nowadays.
Shark3y, posted February 25, 2013

I had typed more but it comes down to this. If there is HSTS, you need to find a way to do it other than messing with POST data from a MITM type attack. That way would be something client side, browser exploit, etc. with a payload that is going to allow you to do what you are talking about. WIFI would only be a possible entry point for an 'attack' like this and isn't likely to be the interesting/innovative parts...

I urge you to be careful how you proceed as there are possible legal implications of posting a video like this, especially if you disclose too much information. PM me if you want more info.
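
Both airman_dopey's and Shark3y's replies turn on whether the site sends HSTS. As an added example (not part of any post in this thread), the Python below parses a `Strict-Transport-Security` header according to RFC 6797 and grades whether it actually protects a login host. The function names, the lowercase-keyed header dict, the 180-day minimum and the sample responses are assumptions constructed for illustration.

```python
import re

_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # HTTP token characters

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of directives, or None when a browser must ignore it.
    Simplification: a ';' inside a quoted-string value is not handled."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # the value may be a quoted-string
        if not _TOKEN.fullmatch(name) or name in directives:
            return None                   # malformed or repeated directive
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is required and numeric
    return directives

def assess(scheme, headers, min_age=15552000):
    """Grade one response. `headers` uses lowercase keys (assumption);
    `min_age` of 180 days is an assumed threshold, not an RFC value."""
    if scheme != "https":
        return ("ignored", "HSTS received over plain HTTP is discarded")
    raw = headers.get("strict-transport-security")
    if raw is None:
        return ("missing", "no policy: first request can stay on HTTP")
    policy = parse_hsts(raw)
    if policy is None:
        return ("invalid", "header is malformed, browser ignores it")
    age = int(policy["max-age"])
    if age == 0:
        return ("disabled", "max-age=0 tells the browser to forget the host")
    if age < min_age:
        return ("weak", "policy expires after %d seconds" % age)
    return ("ok", "includeSubDomains=%s" % ("includesubdomains" in policy))

# Constructed sample responses, not captured from any real site.
SAMPLES = [
    ("https", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ("http",  {"strict-transport-security": "max-age=31536000"}),
    ("https", {"strict-transport-security": "max-age=300"}),
    ("https", {}),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, headers, "->", assess(scheme, headers))
```

Even an "ok" result only covers browsers that have already visited the host over HTTPS once, unless the domain is on a browser preload list.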