Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed. Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the …
Who on earth uses a wireless network, secure or not, without using an SSH or VPN tunnel??
Complain all you like
reasonable expectation of privacy?
It's unreasonable to expect a 'secure' network; you should always assume a conference like this to be bugged, regardless of any advertising or assumptions made. Soceng 101. Maybe those that are upset should stick to a different type of con.
Should have rung warning bells in itself. My sympathy is minimal.
No-one at a security conference should reasonably expect any public network to be secure.
If you're using someone else's internet connection, you should expect it to be compromised in some way.
If you're using email, you should expect someone at your ISP or government to be intercepting all email that isn't secured.
Just because you're paranoid, doesn't mean they aren't after you!
Ah, here come the black helicopters bringing me my tinfoil hat.
Location, location, location
The old real estate adage is, "Location, location, location."
The wireless network itself wasn't compromised, as the sniffing was done at the *wired* side. The only thing that a public network is good for is surfing the web. If you have anything that uses credentials on a network, expect it to be sniffed and hacked.
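What a Wall of Sheep actually does with the wired-side capture is worth seeing in code. The block below is an added example, not SecTor's tool or anything posted in this thread: it takes reassembled application-layer payloads (all of them constructed here) and pulls out whatever credentials went over the wire in the clear, namely HTTP Basic authorization headers, HTTP form logins and POP3 USER/PASS commands, then masks the password the way the projected wall does. The port-443 flow in the sample is a TLS record and yields nothing, which is the point of the "only surf the web, or tunnel" advice above. Host names and credentials in the sample are made up.

```python
"""Wall-of-Sheep style credential extraction over constructed captured flows.
Added example; not the conference's own tool. All sample data is constructed."""
from __future__ import annotations

import base64
from dataclasses import dataclass
from urllib.parse import parse_qs

USER_FIELDS = ("username", "user", "login", "email")
SECRET_FIELDS = ("password", "passwd", "pass", "pwd")


@dataclass
class Credential:
    protocol: str
    host: str
    user: str
    secret: str


def mask(secret: str) -> str:
    """Show only the first two characters, as the projected wall does."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def parse_http(payload: bytes, dst: str) -> list[Credential]:
    """Extract credentials from one reassembled plaintext HTTP request."""
    found: list[Credential] = []
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", dst)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is just base64(user:password); no secrecy at all
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append(Credential("http-basic", host, user, pw))
        except ValueError:
            pass
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), "")
        pw = next((fields[k][0] for k in SECRET_FIELDS if k in fields), None)
        if pw is not None:
            found.append(Credential("http-form", host, user, pw))
    return found


def parse_pop3(payload: bytes, dst: str) -> list[Credential]:
    """POP3 without STARTTLS sends USER and PASS as plain commands."""
    user = pw = None
    for line in payload.decode("latin-1").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS":
            pw = arg.strip()
    return [Credential("pop3", dst, user, pw)] if user and pw else []


PARSERS = {80: parse_http, 8080: parse_http, 110: parse_pop3}


def sniff(flows) -> list[Credential]:
    """flows: iterable of (dst_host, dst_port, payload). Ports without a plaintext parser
    (443 is the usual case) are skipped: TLS records carry nothing readable here."""
    creds: list[Credential] = []
    for dst, port, payload in flows:
        parser = PARSERS.get(port)
        if parser is not None:
            creds.extend(parser(payload, dst))
    return creds


def wall_of_sheep(flows) -> list[str]:
    """Lines as they would be projected: protocol, host, user and a masked password."""
    return [f"{c.protocol:10} {c.host:20} {c.user} / {mask(c.secret)}" for c in sniff(flows)]


# Constructed sample flows: (destination host, destination port, reassembled payload).
SAMPLE_FLOWS = [
    ("webmail.example.org", 80,
     b"GET /inbox HTTP/1.1\r\nHost: webmail.example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    ("forum.example.org", 80,
     b"POST /login HTTP/1.1\r\nHost: forum.example.org\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
     b"username=bob&password=letmein%21"),
    ("mail.example.org", 110, b"USER carol\r\nPASS tr0ub4dor\r\nSTAT\r\n"),
    ("bank.example.org", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)),
]

if __name__ == "__main__":
    for line in wall_of_sheep(SAMPLE_FLOWS):
        print(line)
```

Run it and three of the four flows end up on the wall; the HTTPS flow is the only one the sniffer cannot read, which is why "it's httpS" (or a VPN or SSH tunnel for everything else) is the real answer rather than trusting the network's name.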
Not quite accurate...
1) "Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks."
- Not true. It was never announced to everyone that the physical network was being sniffed. The term "open wireless" was used. Brian and I have argued back and forth about this but there are two different accounts of how this was "communicated".
2) "It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference."
- Perhaps that's because the audience was never made aware of the full extent of the monitoring. Why should anyone but the conference organizers have access to the service provided by the conference? Since this is a security and education conference, there are those attending from the business world that simply don't know this. Who has the right to slam them for not knowing security if that's why they're at the conference in the first place - to learn about security.
3) "Bourne declined to address those claims, but he said the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service."
- Unfortunately he is correct and unfortunately this was not done. Consent was not given and this fact makes what was done illegal under Canadian law.
BOTTOM LINE: SecTor is not Defcon, all attendees aren't security experts, and what happened was wrong.
So... 'secure' wifi
But *everyone* knew the key, and it was given to all on asking.
This is a security conference, right? They're supposed to be paranoid, not patsies who get conned by a bit of social engineering.
Anyone complaining should be kept away in future.. they sound like they're a danger to themselves and others.
oh noes, the hackers didn't knock on our door and tell us that the "secure" WAP was really controlled by them, bla bla bla. Well, now you're on a wall. The only networks you can trust are your own; the ISP can watch everything go by, do deep packet inspection and all kinds of other BS, and you would never know.
OOps - pants around ankles!
Isn't the point here that experts who fully understand the issues get caught, so god help the rest of the general public. They are only complaining about it being illegal because they are embarrassed - after all real hackers consider the legal implications don't they?
Paris - because she was caught in flagrante delicto
The real bottom line
>BOTTOM LINE: SecTor is not Defcon, all attendees aren't security experts, and what happened
The real bottom line is some pansies got owned and are now crying a river that they should've been protected by some written policy.
B.S. You're adults, you screwed up -- LEARN FROM IT. That's why you go to conferences, not to sit in some ivory tower saying nothing bad can ever happen to you without your express, prior written consent.
Mate so you're telling us you've attended a conference full of hac^H^H^Hsecurity consultants and *not* expected someone to be snooping in, if just for a laugh? And anyway why would you go around using insecure credentials and still have any expectations of privacy whatsoever?
Makes you wonder sometimes.
experts got pwnd, fools
Anyone attending and complaining should be informed that anyone at the event could have been snooping on the network; it's just a switched network, so you could easily spoof the ARP address of the gateway, for instance, and intercept all outgoing traffic (you know, the part that usually contains unencrypted credentials).
So why are they complaining that the event organisers did it as an exercise in education?
Pretty good piece of education if you ask me.
A better piece of education is that everything which says "secured" on the tin isn't necessarily secure.
Social Engineering ;)
They were lulled into a false sense of security using the oldest trick in the book, a trusting smile....
Beer as it is the universal Social Lubricant
Wasn't WPA cracked some time ago? I seem to remember reading it here.
The conference guys sure have a point, whatever the legality of the whole thing... I mean, common folks (like me) would think that you are safe when you have an encrypted connection. Problem is that we don't just not know that; we don't know how to be safe to begin with.
Now what about using the coffee shop's/airport's free, unencrypted connection that scores of people use? We iz all doomd...
Maybe things have changed with WPA, but I was of the impression that anyone could capture the encrypted traffic even if they aren't associated with the AP and anyone with the PSK could then decrypt it.
Since anyone who asked could find out the key, the network could hardly be considered "secure" regardless of what the organizers did.
I used someone elses network and they, *sniff*, they *sniff*, they sniffed everything I sent across it. Waaaaaaah!
Boo bloody hoo.
I'm not a security expert either, and I'm quite happy to tell you that any WiFi connection should be considered insecure.
A couple of bloggers are complaining? Boo bloody hoo. They're at a security conference for F&%$s sake, where did they *think* they were going?
Sillier still, is the captive portal that OKs users to acknowledge they're on an insecure network. Much like "don't kick and shake the soda vending machine or it'll topple and fall on you", or the beloved "warning, contents of hot coffee cup may be hot".
The organisers should seed all these idiot users and prevent entry for the next year's exhibition. They're clearly too stupid to be blogging about things they know nothing about.
Naw, that can't work, that's never stopped bloggers before, and besides, misinformation is pretty much their only line of work.
Watch the insecure wifi connection and shame people using it - great idea; security pros should get serious ass kickings if they use such a link.
Unfortunately the security message is somewhat diluted when some idiot goes a little over the top and shames people using an "alleged" secure network.
Personally I would be double checking the signed agreement with the secure network people, then probably suing their asses off.
Note - double check - always read the bloody contract before connecting.
Free wifi is not a right, even at conferences. If somebody offers you something for free always ask what the catch is.
color me clueless - I got a question
@Brian Miller & others
"The only thing that a public network is good for is surfing the web. If you have anything that uses credentials on a network, expect it to be sniffed and hacked."
If I use an https login to gmail or something similar, is the browser to server encryption at risk if the network itself isn't secure? Assuming the server's certificates "seem to be OK".
OK, not saying I'll do online banking from a cafe (I don't do online banking from any of my wired XP machines either). But just how paranoid should I be from a low-mid level black hat?
This is a secure and encrypted communication.
Lr tbqf... Jr'er gnyxvat nobhg fb-pnyyrq frphevgl rkcregf urer. Gurl ner tvira GUR cer-funerq xrl gb gur ragver Juvssl argjbex. Naq gurl qb abg frr n ceboyrz jvgu guvf naq npg nyy fhecevfrq naq bhgentrq? Gurl arrqrq n tbbq uneq xvpx hc gur nefr. Whfg orpnhfr fbzrguvat fnlf FRPHER ba gur gva, qbrfa'g zrna vg vf.
Ohg yhpxvyl, nyy gur qngn gung jnf favssrq, unf orra qrfgeblrq. Bu lrf. Hfvat n irel gubebhtu qryrgvba cebtenz. Vg unf npebalzf. Abj... Ubj znal crbcyr jrer favssvat gur "frpher" arg gung gur Betnavfngvba qvqa'g nfx gb, xabj nobhg be pner nobhg? Rirelobql unq gur xrl.
V ungr frphevgl pvephf. V ungr vg gung V pna'g oevat n obggyr bs qvulqebtra zbabkvqr ba n cynar. V ungr vg gung vg'f nccneragyl nyevtug sbe n ohapu bs cybqf gb fabbc guebhtu zl uneq qevir ybbxvat sbe puvyq cbea. V ungr vg gung crbcyr pna nqiregvfr "frpher guvf" naq "frpher gung" jura gur guvat vf nalguvat ohg. Guvf qbrf abg znxr hf fnsre, ohg ol tbqf, qbrf vg znxr gur cbyvgvpvnaf ybbx tbbq.
Gurer. Naq abj V jvyy rapelcg guvf hfvat ROT-13 fb lbh jvyy arire or noyr gb ernq vg.
Cert chain broken
Jean-Luc, the majority of big-name websites use SSL certificate chains which include signatures using broken algorithms. If your browser disallows MD2, MD5, etc. then you will find that gmail is one of them. If it allows MD5 then "seems to be OK" doesn't necessarily mean OK - this was demonstrated months ago
Pant meet ankles...
Lets look at the titles of the people complaining.
"the website of a devastatingly handsome author, sporadic blogger, bbq junkie, and security strong man"
Sean Michael Kerner writes about.........Security (tools, attack vectors, vendors and exploits)
Sorry, these people punt themselves as experts, so don't complain when you fall for this scam. If these people said "Dave, total novice in the IT world" then I'd have sympathy, but no, these people claim to be experts. So they should know better.
If an anti-fraud office got caught in a phishing scam, or a policeman's car was nicked because he left the keys in the ignition, they would deserve equal ridicule.
Sorry, but they are whining because it's made them look dumb, far from the "experts" they pretend to be.
Use MY network and what you do over it is MINE
If I provide you a network, then anything you send over it can be read by me. Simple as that.
If these so called security professionals at a conference didn't understand that, then they don't deserve their jobs.
Who is to say that whoever runs the conference centre's network wasn't dishonest and stealing passwords, or whoever runs the ISP doing that, etc...
It's probably not hard in a conference centre for someone with a bit of tech savvy to install a wiretap on the whole building's internet connection. (get a few mates to complain about the network, then turn up in overalls, wave a badge "I'm here to fix your network", probably wouldn't even need that much cunning, you just need to find the right cable!)
Always encrypt your data (it's "httpS" people, it's not hard)
Give me your passwords. No, you don't need to know why, you can trust me.
people asume that a respected group is going to brake the law? This is one step away from saying there is secure parking and then braking in to peoples cars and saying "lolz. All that meens is that there is a gate".
The whole thing has gone to far.
Go on, shoot the messenger.
Anyone with the WPA key could *also* have been collecting this information, but since they didn't helpfully 'fess up to it at the end of the conference, nobody complains. And these people claim to know about security. Sheesh!
Just a second...
Presumably this WiFi network was being used for internet access, seeing as Bourne was using Twitter over it. And presumably - WPA aside - their credentials were being sent in plain text.
Are these security experts trying to claim that they thought they had end-to-end security to arbitrary servers on the internet, just because the WiFi provider claimed it was 'secure'?
Ha, ha, ha, ha!
<gasp> ha, ha, ha, ha!
HTTPS (SSL) is transport layer encryption carried out on the device before the packets are placed on the network, so even if you sniff the packets, they cannot be decrypted without the keys.
The security does rely on trusting the certificate, as this contains the public key which is used to encrypt the initial packet to start exchange of the session keys. At no time does any sensitive information go over the network in the clear.
That is until quantum computing breaks public/private key crypto....
if they can capture the whole session then they'll be able to decode it eventually if they have a super computer :D We're talking years tho.
Unless they do a full man in the middle attack, and then it's all theirs. This is much harder to do unless they control the wireless network, in which case it's easy as pie. It just requires a small tweak to the DNS settings which are propagated by DHCP when you connect and a machine to proxy the requests. Hell, even proxy settings via DHCP that request TLS through the proxy is sufficient.
In theory TLS and the weaker SSL shouldn't be hackable but there are some flaws.
The bottom line; don't trust wireless networks unless you completely trust all other known and unknown clients.
WPA2 is the only security that lasts. TKIP used in WPA1 is flawed and crackable.
Always use a VPN when doing business or confidential transactions online with a network that is weak (<WPA2), untrusted or unknown.
Amazing how everyone is suddenly so security conscious innit?
They were sniffed illegaly so everything else is rather moot.
If it wasn't them
It would have been someone else. Less scrupulous no doubt.
WPA uses symmetric ciphers - if you have the key, you can listen to anything on the network, not just your traffic. The WPA key was given out to world + dog. World could have been easily listening to dog, and vice versa. There was absolutely no reason to believe this network was 'secure'.
Perhaps it's safe to say that this was a demonstration against people who should know better, OR the quickest way to show those who don't know better just what can happen.
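The two comments above (the one asking whether anyone with the PSK can decrypt everyone else's traffic, and the one pointing out that WPA's symmetric key was handed to world + dog) are both right, and the key derivation shows exactly why. The block below is an added example, not from the article or any commenter: it derives the PMK from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds), expands it to the PTK with the 802.11i PRF-512 over the two MAC addresses and two nonces that travel in the clear in the 4-way handshake, and then checks the derived key against the MIC on handshake message 2, which is how a passive observer confirms they hold the right key before decrypting the client's data frames. The SSID, passphrase, MAC addresses and nonces are constructed; the EAPOL-Key frame is built here with the standard field layout (MIC at offset 81) rather than taken from any real capture.

```python
"""WPA/WPA2-PSK key derivation: why a shared passphrase gives no privacy between clients.
Added example, not from the article. All handshake values below are constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK networks: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...;
    truncate to nbytes (PRF-512 runs four rounds and keeps 64 of the 80 bytes)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    Everything but the PMK is visible on air, so the PMK is the only secret input."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


# EAPOL-Key frame: EAPOL header(4) + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8) = 81 bytes before the 16-byte MIC.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, frame: bytes, wpa2: bool = True) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with its MIC field zeroed:
    HMAC-SHA1 truncated to 16 bytes for WPA2/AES, HMAC-MD5 for WPA/TKIP."""
    algo = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, frame, algo).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes, key_data: bytes, wpa2: bool = True) -> bytes:
    """Constructed handshake message 2 (client -> AP) carrying SNonce and a valid MIC."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)          # IV, RSC, ID, zeroed MIC
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck, frame, wpa2)                               # computed over zeroed MIC field
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def observer_recovers_key(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                          anonce: bytes, snonce: bytes, msg2: bytes, wpa2: bool = True):
    """A third party who knows the passphrase and captured the handshake derives the
    client's PTK and confirms it against the MIC on message 2. Returns (mic_ok, temporal_key)."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = ptk_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce)
    kck, tk = ptk[:16], ptk[32:48]                                  # KCK signs EAPOL, TK encrypts data
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    mic_ok = hmac.compare_digest(eapol_mic(kck, zeroed, wpa2), msg2[MIC_OFFSET:MIC_OFFSET + 16])
    return mic_ok, tk


# Constructed network and handshake parameters (not from any real capture).
SSID = "conference-secure"
PASSPHRASE = "handed-out-to-everyone"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()


def run_demo():
    """Client side derives its PTK and sends message 2; an observer with the same passphrase
    recovers the identical temporal key, and a wrong passphrase fails the MIC check."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = ptk_from_handshake(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    client_tk = ptk[32:48]
    msg2 = build_msg2(ptk[:16], SNONCE, b"\x30\x14" + bytes(20))      # key data: a constructed RSN IE
    ok, tk = observer_recovers_key(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)
    wrong, _ = observer_recovers_key("some-other-guess", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)
    return ok, tk == client_tk, wrong


if __name__ == "__main__":
    print(run_demo())  # (True, True, False)
```

Note that nothing here is "cracking": with the passphrase in hand there is no brute force, only the same deterministic derivation the client performs. A shared PSK authenticates people to the network, not to each other, which is why the advice to tunnel over it (VPN or SSH) stands even when the WPA bit is done correctly.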
Why do people...
think that they are secured just because they are using a network with encryption?
All the encryption does here is keep you from getting onto the network in the first place. The way this article goes on, it's like these so called security experts think "ahhh, we are using a SECURED network so all our communications are secured". WTF?
All a hacker had to do was authenticate to the network, poison the ARP tables of whoever he pleases and become the router. Job done.
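Two commenters above (the one about spoofing the gateway's ARP entry on a switched network, and this one about poisoning ARP tables to become the router) describe the same attack, and it is also the one thing an attendee could have caught from their own laptop. The block below is an added example, not from the article or any commenter: a small ARP watcher that decodes raw Ethernet/ARP frames, tracks which MAC answers for the gateway IP, and raises an alert when a reply for the gateway arrives that nobody asked for or when the gateway's MAC changes. The frame encoder is there only to construct the sample capture; the addresses are made up.

```python
"""ARP spoof detection over a constructed capture of Ethernet/ARP frames.
Added example, not from the article. Addresses and frames are constructed."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(src_mac: bytes, dst_mac: bytes, op: int, sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes) -> bytes:
    """Encode an Ethernet II + ARP (IPv4 over Ethernet) frame; used only to build the sample capture."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[38:42]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


class ArpWatch:
    """Tracks IP -> MAC bindings learned from ARP replies. For protected IPs (the gateway)
    it alerts on replies nobody requested and on any change of the answering MAC."""

    def __init__(self, protected_ips):
        self.protected = {bytes(ip) for ip in protected_ips}
        self.bindings = {}                       # sender_ip -> sender_mac last seen
        self.pending = defaultdict(int)          # target_ip -> outstanding requests seen on the wire
        self.alerts = []

    def feed(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, tip = parsed
        if op == ARP_REQUEST:
            self.pending[tip] += 1
            return
        if op != ARP_REPLY:
            return
        if self.pending[sip] > 0:
            self.pending[sip] -= 1               # reply matches an earlier request
        elif sip in self.protected:
            self.alerts.append(f"unsolicited reply for {ip_str(sip)} from {mac_str(smac)}")
        prev = self.bindings.get(sip)
        if prev is not None and prev != smac:
            tag = " [GATEWAY]" if sip in self.protected else ""
            self.alerts.append(f"{ip_str(sip)} changed from {mac_str(prev)} to {mac_str(smac)}{tag}")
        self.bindings[sip] = smac


def analyse(frames, gateway_ip: bytes) -> list:
    """Feed a capture through the watcher and return its alerts."""
    watch = ArpWatch({gateway_ip})
    for frame in frames:
        watch.feed(frame)
    return watch.alerts


# Constructed hosts on a /24 behind the conference gateway.
GATEWAY_IP, GATEWAY_MAC = bytes([192, 168, 1, 1]), bytes.fromhex("00aabbccdd01")
VICTIM_IP, VICTIM_MAC = bytes([192, 168, 1, 20]), bytes.fromhex("00aabbccdd14")
PEER_IP, PEER_MAC = bytes([192, 168, 1, 50]), bytes.fromhex("00aabbccdd32")
ATTACKER_MAC = bytes.fromhex("00deadbeef99")
BROADCAST, ZERO_MAC = b"\xff" * 6, bytes(6)

# Constructed capture: a normal gateway resolution, a normal peer resolution, then a
# gratuitous reply from the attacker claiming the gateway's IP with its own MAC.
SAMPLE_CAPTURE = [
    build_arp(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, PEER_IP),
    build_arp(PEER_MAC, VICTIM_MAC, ARP_REPLY, PEER_MAC, PEER_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_CAPTURE, GATEWAY_IP):
        print("ALERT:", alert)
```

On a real interface the same logic runs over frames from a raw socket or a pcap file; the gateway's MAC is the one binding worth pinning in advance, because once it flips, every plaintext login leaves through the attacker's box before it ever reaches the wired side.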
Unu, lbhe zvtugyl ebg13 unf abg fgbccrq zl ryvgr unpxfnj fxvyyf.
People never listen or learn
The Jericho Forum commandments (www.jerichoforum.org) have made it clear for years, the network cannot provide any decent level of security (is the title "Network Security Manager" an oxymoron?). you must use ONLY inherently secure protocols. Unfortunately when caught out they resort to crying "it isn't fair" - come on you alleged security professional - the bad guys out there don't understand "fair", so up your game.
This post has been ROT-13 encoded twice. That obviously makes it *doubly* secure.
"Cry more, noob".
That is all.
Ref your comment on Secure this, and secure that.
I'm glad to see I'm not the only one! Take for example Citrix's Gotomypc advert (one with the pigeons). It says that it's safe to use & "Completely secure".
Now, you're connecting your host PC (the one you wish to 'goto') to the net, you're presumably opening a port on your firewall. They may be using VPN, and encrypting the connection, but to me Completely means 100%. Can a PC attached to the net be 100% secure (Let alone with Port forwarding active?)
So it's false advertising then.
As for the article, these people should know better. I wonder how many access their online banking from McDonalds or Starbucks?
Gun owners have a rule: Assume all guns are loaded until you verify for yourself.
Sounds apt here.
@AC 2009-10-16 10:56
I do my online banking from McD. But I vpn into my company server first. I figure I can trust them as they already have all my bank details!
Dude, it only works if you encipher the whole message.
Now here's a message:
32 31 52 05 61 62 92 71 35 57 78 79 85 65 93 86 79 93 79 21 54 08 25 07 43 00 76 73 27 07 59 96 88 59 25 65 86 81 84 47 41 04 13 23 12 27 81 44 29 49 99 45 57 62 42 52 95 97 93 97 88
Overly trusting fools. When will they ever learn...
They should be very grateful. It's proven to them they were not as secure as they *assumed* they were. It just goes to show their own judgment is very flawed. It also means if even so called experts in security can be fooled this easily, then non-technical people don't have a hope of ever avoiding being spied on. I hope these so called experts feel totally humiliated. It's time their overly trusting complacency was utterly destroyed.
"But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure"
So in other words they assume people don't lie. Holding an attitude along the lines of assuming it's secure, because they say it's secure, only shows they are overly trusting fools. The sad fact of life is that some people lie just so they can gain an advantage over others.
Their overly trusting attitude also proves they are very ignorant of the behavior of Narcissistic Personality Disorder (NPD) people, yet ironically it is exactly this kind of person who wants to spy on others just so they can gain an advantage over others. Therefore these so called security experts show they are ignorant of the exact kind of person they seek to protect everyone from.
Very evidently being a good security programmer isn't the only thing they need to learn, if they ever hope to protect people and computers. I hope they feel totally humiliated. It's the first step to them finally learning their overly trusting complacency is preventing them seeing how some people will game their systems to bypass their security. When they finally learn, they will finally see how and where they need to improve this security to protect everyone.
Crash course in Narcissism: Estimates vary slightly as to the exact percentage of the population that are Narcissistic, and it's a sliding scale between mildly Narcissistic to extremely Narcissistic, but a good rule of thumb is around 10% of the population with a few percent at the extreme end. But with a population of about 6.5 billion people in the world that still adds up to a lot of extreme end Narcissistic people in the world to avoid and guard against.
Crash course in Narcissistic Behavior: Lying, cheating, very two faced, endlessly manipulative, very self centered, relentlessly power seeking behind their lies to gain at the expense of others, also very distrustful of others, often willing to bully others so they can force and manipulate people to do what they want. Ultimately they lack almost any empathy for others, because they are so totally self centered. They are even happy when their lies win over others because it confirms to them that they can gain power over others by using lies. Also as they have almost no empathy for others they even just see their lies as them outsmarting others. They don't care they are lying. Worse still they even think themselves better than others, because they don't fall for these kinds of lies. That is because they are deeply distrustful of the intentions of others and always on the lookout for how anyone could manipulate them. (They are fearful of people gaining power over them). Their every act of manipulation is a moment where they have power over others, to get others to do what they want, and they seek that power almost relentlessly. They also often seek jobs that give them power over others. For example they seek to become managers and then bosses of companies. They also go into politics as that also gives them considerable power over others. They seek groups like them to give them collectively more power, but they lack loyalty to the group; they will sell it out as soon as it's in their best interest, so they just use groups of people when it suits them (they often treat and exploit employees the same way). Also as they have so little empathy for others they will happily set up companies that ruthlessly exploit others. (Spyware, Spam, Phorm are all good examples of this kind of organised exploitation of others).
In an ideal world their behavior wouldn't exist, so it would be one big happy family etc.., but that will never happen. So it's time everyone finally wakes up from their dream like trusting state so they can see that people with a Narcissistic attitude are the real enemy of us all. Everyone who is openly trusting of others is a willing victim just waiting to be exploited by Narcissists, and it's not a case of sooner or later, because most of us (especially in companies) are exposed to some Narcissists in our daily lives almost every day, so we have to all become completely mindful of how they think, for our own protection, so we can defend ourselves against their lying manipulative self centered corrupt attitude.
Also the more the self centered ruthless people in power subvert the Internet to move us all towards a world where they can spy on us ever more (as they are doing, ultimately for their own gain from having such growing power over us all), then the more we need security experts to be our line of defense against all the increasing spying and undermining of the Internet. But the security experts can't do that effectively if they are so ignorant and trusting towards the kind of people they seek to defend us all against.
You log into a wireless network named "blahblah_secure" - it *must* be secure right? It says it on the name!
lolz. There's only one thing you can trust to do what it says on the tin...
While you might have a point that they breached your privacy, wouldn't that be the case for, say... 100% of illegitimate people trying to get your data? Think they care about legitimacy or law? It's why they're CRIMINALS, isn't it....
So, you got PWNED in a pretty trivial way. And instead of taking it as an opportunity to blog about "no such thing as secure when they have your wire" you went "cry mommy" and ruined your so professed "security expertise" profile in an epic way.
Any potential employer doing a google search will now find both names associated to "clueless" instead of "expert".
Bullet, meet foot.
@AC: Why should
" people asume that a respected group is going to brake the law? This is one step away from saying there is secure parking and then braking in to peoples cars and saying "lolz. All that meens is that there is a gate".
The whole thing has gone to far."
I'm not normally a grammar Nazi but enough is enough (I realise that the chances of a mistake occurring in my posting has now gone up substantially). Try "assume", "break", "people's", "means" and "too".
It's the oldest trick in the book, social engineering.
Rather than bleating about how they were conned or were shown to be gullible by devious sleight of hand they should take on board the lessons to be learned.
1) Things are not always what they seem to be
2) Things are not always what they claim to be
3) People lie
4) The 'truth' isn't necessarily so
5) Trust no one
6) People sometimes forget what they should know
7) Even the most cautious, most aware can still become victims
Mine's the one with a pocket full of passwords.
Actually ..the problem was that there wasn't proper disclosure
Great take on the whole incident ..one small clarification though...
I have no problem with the fact that NO passwords should ever be sent in the clear. The problem is that unlike Black Hat / Defcon - there was no disclaimer on a captive portal gateway prior to getting network admission.
Black Hat/Defcon and its networking partner Aruba have such a captive portal disclaimer which makes all the difference in the world.
Check out the image in the top left of this post I made at Black Hat in 2008 for an example.