Feeds

Bloggers howl after conference snoops on 'secure' network

Network insecurity 101

Secure remote control for conventional and virtual desktops

Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed.

Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the exercise was designed to draw attention to the perils of public networks, conference organizer Brian Bourne told The Reg. Indeed, Bourne - who is the director of Black Arts Illuminated, the company that puts on the event - found partly obscured credentials for his own Twitter account on the SecTor Wall of Shame.

But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure. The wireless connection carried an SSID named "Sector2009Secured" and was encrypted using the WPA, or Wi-Fi Protected Access, protocol. Before it could be used, attendees had to stop by a booth sponsored by Canadian security vendor eSentire to retrieve the network's pre-shared key.

"In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols," Bourne said. "Our intention with the Wall of Shame was to highlight that."

Not all attendees appreciated the object lesson in network insecurity. Bloggers such as Andrew Hay and Sean Michael Kerner howled in protest, claiming organizers provided no disclaimers that the WPA-protected network was being bugged.

"Most attendees, myself included, thought that using the SecTor/Enterasys provided 'secured WiFi' connection would save themselves from the embarrassment of being displayed on the Wall of Shame," Hay wrote. "Unfortunately this was not the case."

Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks. He acknowledged, however, that there was no notice provided when users first connected to the network or in written materials handed out to the 500 people attending the conference.

When Bourne learned some attendees were surprised at the monitoring, he called for an early end to it. He said all the collected traffic was stored on a single machine that was not connected to any other computers. Organizers have since destroyed all the traffic using a Department of Defense setting for the DBAN disk wiping utility.

The incident underscores two common pitfalls that await the security conscious. The first is how vulnerable all networks - even those that are encrypted - are to snooping. While WPA is believed to be secure, SecTor organizers had no trouble monitoring the network because they bugged the connection after wireless signals reached the wire.

It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference.

The fact that Bourne himself was caught in the sting is testament to how easy it is to forget this simple fact. Bourne said his Twitter credentials were detected because he was accessing the micro-blogging site using TweetDeck, an application that occasionally fails to encrypt traffic when user profiles are viewed. Although this weakness is disclosed online, it had escaped Bourne's notice until he found his partial credentials on the Wall of Shame.

But equally as dangerous is the fallout that can result when hackers target third parties without first getting their explicit consent. Hay, one of the bloggers who wrote about the incident, cites several legal experts who claim it constitutes a violation of Canadian privacy law.

Bourne declined to address those claims, but he said the the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service. And he said the criticism will be taken into account in 2010, at SecTor's fourth conference.

"We plan to bring it back next year with an even more in-your-face communication," he said. "That way, there's no misunderstanding." ®

Beginner's guide to SSL certificates

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.