Bloggers howl after conference snoops on 'secure' network

Network insecurity 101

Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed.

Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the exercise was designed to draw attention to the perils of public networks, conference organizer Brian Bourne told The Reg. Indeed, Bourne - who is the director of Black Arts Illuminated, the company that puts on the event - found partly obscured credentials for his own Twitter account on the SecTor Wall of Shame.

But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure. The wireless connection carried an SSID named "Sector2009Secured" and was encrypted using the WPA, or Wi-Fi Protected Access, protocol. Before it could be used, attendees had to stop by a booth sponsored by Canadian security vendor eSentire to retrieve the network's pre-shared key.

"In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols," Bourne said. "Our intention with the Wall of Shame was to highlight that."

Not all attendees appreciated the object lesson in network insecurity. Bloggers such as Andrew Hay and Sean Michael Kerner howled in protest, claiming organizers provided no disclaimers that the WPA-protected network was being bugged.

"Most attendees, myself included, thought that using the SecTor/Enterasys provided 'secured WiFi' connection would save themselves from the embarrassment of being displayed on the Wall of Shame," Hay wrote. "Unfortunately this was not the case."

Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks. He acknowledged, however, that there was no notice provided when users first connected to the network or in written materials handed out to the 500 people attending the conference.

When Bourne learned some attendees were surprised at the monitoring, he called for an early end to it. He said all the collected traffic was stored on a single machine that was not connected to any other computers. Organizers have since destroyed all the traffic using a Department of Defense setting for the DBAN disk wiping utility.

The incident underscores two common pitfalls that await the security conscious. The first is how vulnerable all networks - even those that are encrypted - are to snooping. While WPA is believed to be secure, SecTor organizers had no trouble monitoring the network because they bugged the connection after wireless signals reached the wire.

It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference.

The fact that Bourne himself was caught in the sting is testament to how easy it is to forget this simple fact. Bourne said his Twitter credentials were detected because he was accessing the micro-blogging site using TweetDeck, an application that occasionally fails to encrypt traffic when user profiles are viewed. Although this weakness is disclosed online, it had escaped Bourne's notice until he found his partial credentials on the Wall of Shame.

But equally as dangerous is the fallout that can result when hackers target third parties without first getting their explicit consent. Hay, one of the bloggers who wrote about the incident, cites several legal experts who claim it constitutes a violation of Canadian privacy law.

Bourne declined to address those claims, but he said the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service. And he said the criticism will be taken into account in 2010, at SecTor's fourth conference.

"We plan to bring it back next year with an even more in-your-face communication," he said. "That way, there's no misunderstanding." ®
