Bloggers howl after conference snoops on 'secure' network

Network insecurity 101

Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed.

Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the exercise was designed to draw attention to the perils of public networks, conference organizer Brian Bourne told The Reg. Indeed, Bourne - who is the director of Black Arts Illuminated, the company that puts on the event - found partly obscured credentials for his own Twitter account on the SecTor Wall of Shame.

But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure. The wireless connection carried an SSID named "Sector2009Secured" and was encrypted using the WPA, or Wi-Fi Protected Access, protocol. Before it could be used, attendees had to stop by a booth sponsored by Canadian security vendor eSentire to retrieve the network's pre-shared key.

"In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols," Bourne said. "Our intention with the Wall of Shame was to highlight that."

Not all attendees appreciated the object lesson in network insecurity. Bloggers such as Andrew Hay and Sean Michael Kerner howled in protest, claiming organizers provided no disclaimers that the WPA-protected network was being bugged.

"Most attendees, myself included, thought that using the SecTor/Enterasys provided 'secured WiFi' connection would save themselves from the embarrassment of being displayed on the Wall of Shame," Hay wrote. "Unfortunately this was not the case."

Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks. He acknowledged, however, that there was no notice provided when users first connected to the network or in written materials handed out to the 500 people attending the conference.

When Bourne learned some attendees were surprised at the monitoring, he called for an early end to it. He said all the collected traffic was stored on a single machine that was not connected to any other computers. Organizers have since destroyed all the traffic using a Department of Defense setting for the DBAN disk wiping utility.

The incident underscores two common pitfalls that await the security conscious. The first is how vulnerable all networks - even those that are encrypted - are to snooping. WPA is believed to be secure, but it protects only the radio link between a client and the access point; SecTor organizers had no trouble monitoring the network because they bugged the connection on the wired side, after the access point had decrypted the wireless traffic and put it on the cable.

It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference.

The fact that Bourne himself was caught in the sting is testament to how easy it is to forget this simple fact. Bourne said his Twitter credentials were detected because he was accessing the micro-blogging site using TweetDeck, an application that occasionally fails to encrypt traffic when user profiles are viewed. Although this weakness is disclosed online, it had escaped Bourne's notice until he found his partial credentials on the Wall of Shame.
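As an added illustration of the point above (not code from the article, SecTor or TweetDeck), here is a small self-audit over constructed plaintext HTTP requests, the kind a tap on the wired side of an access point sees once WPA has been stripped; it flags which client applications sent credentials in the clear and partly masks them, as the Wall of Shame display did. The sample requests, hostnames and user-agent strings are constructed, and the field-name heuristics are assumptions.

```python
import base64
from urllib.parse import parse_qs
# Constructed sample of what a tap on the wired side of the access point sees
# once the WPA layer has been stripped: plain HTTP, no TLS.  Not real traffic.
SAMPLE_REQUESTS = [
    "GET /timeline.json HTTP/1.1\r\nHost: api.example.test\r\n"
    "User-Agent: ExampleClient/1.0\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: webmail.example.test\r\n"
    "User-Agent: ExampleBrowser/2.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=bob&password=s3cret&remember=1",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: ExampleBrowser/2.0\r\n\r\n",
]

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}   # heuristic, not exhaustive
USER_FIELDS = {"user", "username", "login", "email"}      # heuristic, not exhaustive

def mask(secret):
    """Partly obscure a credential, as the Wall of Shame display did."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]

def parse_request(raw):
    # Split one raw HTTP/1.x request into (request line, lower-cased headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body

def find_leaks(raw):
    """Return (username, masked password, user agent) for each credential sent in the clear."""
    _, headers, body = parse_request(raw)
    agent = headers.get("user-agent", "unknown")
    leaks = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):          # RFC 7617: base64 is encoding, not encryption
        user, _, pw = base64.b64decode(auth[6:]).decode(errors="replace").partition(":")
        leaks.append((user, mask(pw), agent))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        pw = next((fields[k] for k in PASSWORD_FIELDS if k in fields), None)
        if pw is not None:                         # login form posted without TLS
            user = next((fields[k] for k in USER_FIELDS if k in fields), "?")
            leaks.append((user, mask(pw), agent))
    return leaks
```

Running `find_leaks` over each request in a capture reports the client application (by user agent) alongside the masked credential, which is the information a team needs to decide which applications to fix or replace before the next conference.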

But equally dangerous is the fallout that can result when hackers target third parties without first getting their explicit consent. Hay, one of the bloggers who wrote about the incident, cites several legal experts who claim it constitutes a violation of Canadian privacy law.

Bourne declined to address those claims, but he said the controversy could easily have been prevented by using a "captive portal," the screen that typically requires Wi-Fi users to agree to terms of service before they can use the service. And he said the criticism will be taken into account in 2010, at SecTor's fourth conference.

"We plan to bring it back next year with an even more in-your-face communication," he said. "That way, there's no misunderstanding." ®
