Feeds

Bloggers howl after conference snoops on 'secure' network

Network insecurity 101

High performance access to file storage

Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed.

Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the exercise was designed to draw attention to the perils of public networks, conference organizer Brian Bourne told The Reg. Indeed, Bourne - who is the director of Black Arts Illuminated, the company that puts on the event - found partly obscured credentials for his own Twitter account on the SecTor Wall of Shame.

But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure. The wireless connection carried an SSID named "Sector2009Secured" and was encrypted using the WPA, or Wi-Fi Protected Access, protocol. Before it could be used, attendees had to stop by a booth sponsored by Canadian security vendor eSentire to retrieve the network's pre-shared key.

"In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols," Bourne said. "Our intention with the Wall of Shame was to highlight that."

Not all attendees appreciated the object lesson in network insecurity. Bloggers such as Andrew Hay and Sean Michael Kerner howled in protest, claiming organizers provided no disclaimers that the WPA-protected network was being bugged.

"Most attendees, myself included, thought that using the SecTor/Enterasys provided 'secured WiFi' connection would save themselves from the embarrassment of being displayed on the Wall of Shame," Hay wrote. "Unfortunately this was not the case."

Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks. He acknowledged, however, that there was no notice provided when users first connected to the network or in written materials handed out to the 500 people attending the conference.

When Bourne learned some attendees were surprised at the monitoring, he called for an early end to it. He said all the collected traffic was stored on a single machine that was not connected to any other computers. Organizers have since destroyed all the traffic using a Department of Defense setting for the DBAN disk wiping utility.

The incident underscores two common pitfalls that await the security conscious. The first is how vulnerable all networks - even those that are encrypted - are to snooping. While WPA is believed to be secure, SecTor organizers had no trouble monitoring the network because they bugged the connection after wireless signals reached the wire.

It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference.

The fact that Bourne himself was caught in the sting is testament to how easy it is to forget this simple fact. Bourne said his Twitter credentials were detected because he was accessing the micro-blogging site using TweetDeck, an application that occasionally fails to encrypt traffic when user profiles are viewed. Although this weakness is disclosed online, it had escaped Bourne's notice until he found his partial credentials on the Wall of Shame.

But equally as dangerous is the fallout that can result when hackers target third parties without first getting their explicit consent. Hay, one of the bloggers who wrote about the incident, cites several legal experts who claim it constitutes a violation of Canadian privacy law.

Bourne declined to address those claims, but he said the the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service. And he said the criticism will be taken into account in 2010, at SecTor's fourth conference.

"We plan to bring it back next year with an even more in-your-face communication," he said. "That way, there's no misunderstanding." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.