Slashdot Mirror


Reporters At Black Hat Get Bounced For Hacking

rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP: "The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."

128 comments

  1. Not Surprised by Anonymous Coward · · Score: 3, Insightful

    Really, I'm not surprised at all that people were kicked out of The Black Hat "Hacker" Conference for hacking.

    Just shows that Corporate sponsored Hacker conferences are a contradiction in terms

    1. Re:Not Surprised by Lehk228 · · Score: 5, Funny

      well technically he was bounced for GETTING CAUGHT hacking. there is a difference.

      --
      Snowden and Manning are heroes.
    2. Re:Not Surprised by fmwap · · Score: 4, Informative

      and even one more difference, from TFA:
      Organizers said the trio was caught when they took their purloined password prizes to Wall of Sheep workers and asked them to post the information. The workers refused.

      So...they turned themselves in.

    3. Re:Not Surprised by Adriax · · Score: 4, Funny

      The offending journalist was caught when, after stealing the passwords, he stood up and shouted "Yes, I am invincible!" with a bad Russian accent.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    4. Re:Not Surprised by Elektroschock · · Score: 1

      And furthermore, just because people can you don't expect them to do as a matter of professional convenience. You don't piss in our own pool.

      But here people just show what can be done.

      It is illegal when it's without consent, that might be the problem. Time for an NDA.

    5. Re:Not Surprised by Frnknstn · · Score: 1

      Is there no honour among thieves?

      --
      If it's in you sig, it's in your post.
    6. Re:Not Surprised by mrboyd · · Score: 1

      Well, there used to be. But the time of the romantic Sicilian mafioso is long gone and we are now in the era of the ruthless backstabbing Russian gangbangers running corporate multinational. So I guess the ones with honor are somewhere at the bottom of Lake Michigan or in a retirement pension. :)

    7. Re:Not Surprised by Anonymous Coward · · Score: 0

      well technically he was bounced for GETTING CAUGHT hacking. there is a difference.

      He was actually caught CRACKING.

  2. Did they forget there role? by pauljuno · · Score: 4, Funny

    Did these journalists not understand what their role was at this event? The Wi-Fi connections were free targets and that was understood. The hard-wired connections were off limits to all involved and only for the press, as I understand it. What were they thinking?

    1. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      Who cares about the role. You'd think the organizers of the Black Hat convention could properly secure a wired network. You could do all sorts of things to at least prevent what appears to be casual snooping.

      I'd lay the blame with the Black Hat organizers. If you note, the journalists claim to have done this simply to educate their fellow journalists (they took it to the Wall of Sheep for display).

    2. Re:Did they forget there role? by Anonymous Coward · · Score: 0, Redundant

      sorry... pet peeve...

      "their" not "there"

    3. Re:Did they forget there role? by SanityInAnarchy · · Score: 4, Insightful

      You'd think the organizers of the Black Hat convention could properly secure a wired network.

      Which they did. They just didn't secure it from the other journalists.

      Consider that it is actually impossible to do so, and allow journalists to bring their own laptops. The best you can do is secure a network, not secure the computers on the network, without insisting on admining each such computer -- think Mordac-style.

      I'd lay the blame with the Black Hat organizers.

      For kicking them? Maybe.

      But for allowing it to happen? Not so much.

      --
      Don't thank God, thank a doctor!
    4. Re:Did they forget there role? by Anonymous Coward · · Score: 2, Informative

      What are you talking about. You are completely wrong. The organizers could have done much more.

      By properly laying the wiring, they could ensure that you could not set up such a passive filter. Each group of journalists could have had their own separate connection to a properly configured router - that way, if you wanted to snoop on another journalist's traffic, you would have to walk over to their table and jack into their Ethernet connectors, which significantly mitigates the severity of the problem.

      Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc. The organizers were just lazy and decided that they would simply call it a trusted system and not actually bother securing it.

      I'm sorry, but this demonstrates hypocrisy on the part of the organizers. They criticize (rightly) businesses for being lazy when it comes to security, yet turn around and do the same thing themselves.

      As far as I'm concerned, the journalists acted at least within the spirit of the conference.

    5. Re:Did they forget there role? by Rakishi · · Score: 1

      The way I understand it the network itself was not secure rather than the computers the journalists were using being insecure. If any computer on the network can intercept traffic going through the network then generally that is a problem.

    6. Re:Did they forget there role? by pauljuno · · Score: 1

      Point well taken, actually I tend to type quickly and go back and proof read prior to posting. Unfortunately, I forgot to change the title but did correct the body of the text. I also hate these mistakes.

    7. Re:Did they forget there role? by SanityInAnarchy · · Score: 4, Insightful

      Each group of journalists could have had their own separate connection to a properly configured router

      Implying they could attack each other, still.

      Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc.

      And if someone didn't even bother to use SSL, what makes you think they'll set all these up on their own computer?

      The organizers were just lazy...

      For what? Not mandating every journalist use a known-good computer? For not blocking port 80 in favor of 443? For allowing these people on the Internet at all?

      Tell me -- given that it's impossible to idiot-proof a single computer, how are you proposing that they idiot-proof an entire network of humans -- humans who can and will make mistakes?

      --
      Don't thank God, thank a doctor!
    8. Re:Did they forget there role? by emmafreester · · Score: 2

      This situation reminds me of the past three ShmooCons I attended. My rule is that if I'm not entirely sure that my computer is hack-proof (an impossibility, I realize, but a goal nonetheless) and I know that I'm not going to be paying enough attention to it to ensure that I would notice if something strange were happening to it...then I don't get on the network and I turn off my wireless antenna so no one can find! When you're in a conference about hacking and computer security, you should expect that your computer should be broken into. All that aside, if the rules specifically stated that the wired networks were for reporter use only, and were not to be used for hacking ("separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep" according to the article), then the reporters who used it to get login credentials and then turned them in despite the rule about no hacking and no Wall of Sheep are stupid and deserved to get kicked out.

    9. Re:Did they forget there role? by MrNaz · · Score: 3, Funny

      I fail at clicking "Post Anonymously".

      --
      I hate printers.
    10. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      Particularly since you are calling out a person for using "their" correctly. In his only sentence that uses any of the versions, "their" is being used as a possessive to join reporters to role.
       
      An easy way to remember it is:

      They're there in their room.

      (Thanks "Look Around You")

    11. Re:Did they forget there role? by MikeBabcock · · Score: 1

      It is almost always possible to do this -- defeating switches is as easy as ARP flooding.

      Sniffing packets isn't rocket science.

      Setting up per-machine VLANs would've been overkill and required per-machine VLAN tagging.

      --
      - Michael T. Babcock (Yes, I blog)
    12. Re:Did they forget there role? by mysidia · · Score: 2

      Each group of journalists could have had their own separate connection to a properly configured router

      Implying they could attack each other, still.

      With suitable access lists, and each journalist's PC plugged into their own port on a Layer 3 switch and everyone NAT'ed, no they would have no normal means of using their legitimate connection to attack another journalist's PC.

      For instance, local PC to gateway might be allowed, but there would be no method allowed to have PC to PC or broadcast traffic. That's the ideal scenario.

      E.g. It would essentially be an internet-only connection, no LAN whatsoever.

      Actually, the ideal scenario is the journalist uses a dedicated end-to-end encryption over a VPN, and their PC is config'ed to refuse all other traffic. (So any 'attack' would have to originate on the home network)

      802.1X auth is a good standard and all, but its use is unrealistic -- many journalists would not understand how to connect their laptop.

      Actually, isolating each journalist into their own ethernet broadcast domain is probably unlikely -- due to the massive number of journalists at events like blackhat, and resulting burden in defining a unique ip network for each one.

      Port security (limit of one active MAC address per port), and DHCP+ARP inspection + filtering (to protect against ARP hijacking or fake DHCP server traffic) are more realistic security measures in an environment like this, and very basic.

      The attempted connection of a second PC to a port while another PC is recently active _should_ immediately set off alarms.

      Limit of number of active MAC addresses also makes it hard for a bad journalist to attempt to sniff by sending blank frames with spoofed victims' MAC address as source (to make the switch forward to the attacker).

      It's not surprising that blackhat didn't implement these types of security measures -- most network security features are rarely implemented, even on 'secure' networks.

      Security of such ad-hoc setups is more of an afterthought.

      The journalists are perhaps more at fault for not using SSL!

    13. Re:Did they forget there role? by pauljuno · · Score: 2, Funny

      I've already begged forgiveness for this once before. The body of text used the word correctly and the subject line did not. Please forgive me, and if The Hague should come calling I will plead guilty.

    14. Re:Did they forget there role? by mwvdlee · · Score: 2, Insightful

      So basically the French got kicked not for hacking but for being a bunch of scriptkiddies that wanted to demonstrate they could "hack" a network known to be badly secured. Rightly so. These journalists wouldn't have been able to report on the real hacks; they wouldn't understand them.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    15. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      While it is true that they are rarely if ever implemented, has anyone considered the fact that while Black Hat is an organisation they don't have the money nor time to sit there and program a Cisco/Juniper switch with the appropriate settings, and troubleshoot it if something goes wrong. Not only that, but the equipment costs would be insane.

      There is a sort of gentlemen's agreement that the press room was to be off-limits. What the French reporters did was stupid on their part, they will for now, and into the foreseeable future have trouble getting into Black Hat/DefCon and other security conferences. Is that really worth it?

    16. Re:Did they forget there role? by Elektroschock · · Score: 1

      So what was wrong? They gave media the stunt media wanted.

    17. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc

      Do you want to explain to a layman on how to set these things up?

    18. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      The room the journalists were residing was exempted from the other Black Hat conference rules. While it was allowed to sniff on the Black Hat conference, it wasn't allowed in the journalist room. The 3 French journalists broke the ethics of journalists (spying on each other), the rules of Black Hat (no sniffing in journalism room), and arguably the US law.

      How is this 'funny'..?

    19. Re:Did they forget there role? by Anonymous Coward · · Score: 0

      Or how about a simple managed switch and a few vlans?

      Configure one port to see all the traffic (where the router/firewall sits) and you're done.

      Don't even have to worry about arp poisoning.

    20. Re:Did they forget there role? by mrboyd · · Score: 1

      I'd mod you up if I had not already posted a similar answer :)

    21. Re:Did they forget there role? by Wiseleo · · Score: 1

      OK...

      That was really funny!

      --
      Leonid S. Knyshov
      Find me on Quora :)
    22. Re:Did they forget there role? by mysidia · · Score: 1

      So the organizers of a security conference don't have the time and energy to find a way to configure their network to work and be reasonably secure?

      It shouldn't cost all that much for them to round up an ethernet switch or two, which they could rent for the duration of the conference.

      I would fully expect it to seem really cheap compared to the cost of the Wi-Fi equipment or of getting the internet connection itself for such a short period of time.

      None of this is just set-it-and-forget-it. They already need measures in place to secure the journalist network from being tampered with by the wi-fi users.

      I would expect organizers of a security conference to know a thing or two about security, and have a good idea of how to make it work properly on common platforms...

      Even about security measures that are rarely used in most situations (because competing journalists at Black Hat are sharing a local connection: whereas, in most situations in the real world, you don't usually physically allow your adversary onto your local premises).

    23. Re:Did they forget there role? by sjames · · Score: 1

      Considering that the reporters' LAN is a temporary guest network set up in a room that was probably ill designed for anything but a basic LAN setup, and that its primary objective is to let a bunch of non-technical people connect a hodge-podge of random stuff to the internet with a minimum of bother, you seem to expect a lot.

      What they are demonstrating is appropriate security. The objective is to get the journalists' machines on the net without anyone having to sacrifice a goat to the security gods.

  3. I guess by Korbeau · · Score: 5, Interesting

    nobody plays Uplink enough these days.

    1. Re:I guess by Starayo · · Score: 3, Insightful

      Ah, uplink. Good times, good times.

      Don't forget Dark Signs either.

      --
      Ezekiel 23:20
    2. Re:I guess by Anonymous Coward · · Score: 1, Interesting

      Eh, you hafta pay for it or pirate it though.

      I always thought mod-x was way more fun, although I could never beat the last stage of level 8.

    3. Re:I guess by syntek · · Score: 1

      I love that game! Gametap has it, but if you get the real version, you get multiplayer.

  4. It was Defcon, not Black Hat by Anonymous Coward · · Score: 0, Informative

    The Wall of Sheep is at Defcon, not Black Hat. Priest announced that he was looking for the French reporters during the talk I was in, but didn't say why.

    1. Re:It was Defcon, not Black Hat by Anonymous Coward · · Score: 3, Informative

      wrong:

      http://www.blackhat.com/html/bh-usa-08/wallofsheep.html

    2. Re:It was Defcon, not Black Hat by 0x000000 · · Score: 1

      I can has research?

      This was the first year that the Wall of Sheep was also at Black Hat. There were posters posted that contained extra information on it saying that the wireless was going to be monitored.

      --
      cat /dev/null > .signature
  5. Switches are not expensive by Anonymous Coward · · Score: 1, Insightful

    Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

    A fun and practical way to demonstrate how NOT to set up a network with nodes that shouldn't have to trust each other!

    1. Re:Switches are not expensive by foom · · Score: 4, Informative

      Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

      It's a common misconception that switches prevent snooping. Switches are *not* security devices, they are a performance optimization. As such, they mostly "fail open".

      If you flood the switch with many different MAC addresses, such that its internal ethernet routing table fills up, it will usually simply direct *all* traffic to your port, rather than potentially incorrectly dropping some traffic you should have received.

      And then you can snoop to your heart's content, with nobody else the wiser.

    2. Re:Switches are not expensive by mixmatch · · Score: 1

      A layer 2 switch with port-based vlan tagging set up would not be susceptible to such attacks.

    3. Re:Switches are not expensive by gnasher719 · · Score: 1

      A fun and practical way to demonstrate how NOT to set up a network with nodes that shouldn't have to trust each other!

      At every place, there are rules and consequences if you break the rules.

      Where I work, if you hack into the wireless network and we find out, you get thrown out, and get prosecuted if we can find proof. Same if you hack into the wired network. That's our rules. At Black Hat, if you hack into the wireless network and they find out, you are fine (except for egg on your face if they catch you, and egg on your face if you are hacked). If you hack into the wired network reserved for reporters and they find out, you are thrown out.

    4. Re:Switches are not expensive by fedcb22 · · Score: 1
  6. comma, duh by StuffMaster · · Score: 3, Funny

    Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away.

    Even so people who post stories to Slashdot, should learn to use commas.

  7. It's happened at Usenix by argent · · Score: 3, Interesting

    One Usenix there was an announcement that everyone who had used Kerberos to log in from the terminal room needed to set up new keys. Another finished with a paper on what someone had sniffed on the Wifi LAN.

    So it's no bloody surprise it's happened at Black Hat. Not that the guys who did it were justified, and they're lucky they were just booted out, but anyone who doesn't use encrypted VPNs or encrypted tunnels at ANY technical conference is asking for trouble.

    1. Re:It's happened at Usenix by Acapulco · · Score: 2

      Ok, I agree that in a technical conference people will more likely be exposed, but it doesn't mean it SHOULD.

      For the sake of changing the car analogy, think of a firing range. When you go there, you are specifically told you shoot in a particular area, and told NOT to shoot wildly at will. Going to a firing range doesn't mean you are more exposed to bullets IF people follow the instructions. I shouldn't be required to wear high impact body armor, just because "going to a firing range without body armor is asking for trouble".

      I believe it was a wise decision to boot them off the conference, or else they would risk everyone just saying fuck the rules, you get no punishment, and then it wouldn't be a technical conference as much as it would be a hacking playing ground, which is not something bad per se, just don't advertise it as a conference then.

      --
      Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
    2. Re:It's happened at Usenix by argent · · Score: 1

      I agree that in a technical conference people will more likely be exposed, but it doesn't mean it SHOULD.

      What part of "Not that the guys who did it were justified, and they're lucky they were just booted out" did you miss?

      For the sake of changing the car analogy, think of a firing range. When you go there, you are specifically told you shoot in a particular area, and told NOT to shoot wildly at will.

      On the other hand, you're also not supposed to wander down the range to have a look at the targets, even though everyone's supposed to stop shooting when there's people on the range. Going to a geek conference (let alone Black Hat) and NOT using an end-to-end encrypted connection is like ambling down the range while there's live firing going on.

  8. When in Rome... by Anonymous Coward · · Score: 2, Funny

    ... hack like Romans hack!

    Seriously, these reporters, they were told where they were going and what they were reporting on, right?

    1. Re:When in Rome... by Rigrig · · Score: 1
      They were also told

      The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep

      So while the reporters who got their logins compromised should learn to secure their connections better (just as well at the local pumpkin throwing contest as at a black hat conference), that reporter should've known he'd get into trouble for (getting caught) breaking the rules.

      --
      **TODO** [X] Steal someone elses sig.
    2. Re:When in Rome... by ppanon · · Score: 1

      The first rule of computer security is that you don't trust everyone else to be good guys that follow the rules. The second rule of computer security is that some of the people who are inside your organization's primary defense perimeter may be or become untrustworthy. I think it's funny that it's a reporter for an IT focused paper, not a more general newswire like AP or Reuters, who had their passwords sniffed.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  9. you know... by Anonymous Coward · · Score: 0

    for an article posted obviously for its humor, there aren't many funny posts so far...

  10. Many low cost switches... by msauve · · Score: 2, Insightful

    are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Many low cost switches... by LostCluster · · Score: 4, Interesting

      We're all taught in network design class that a switch unlike a hub doesn't send traffic that's not yours to you, then learn in security class that it's easy to turn a switch into a hub.

    2. Re:Many low cost switches... by camperslo · · Score: 1

      are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

      I think there's a good chance those guys know about ARP poisoning.

    3. Re:Many low cost switches... by CrazedWalrus · · Score: 4, Interesting

      I don't understand this very well, so someone who does please chime in.

      Switches use your ethernet card's MAC address (not IP) to know how to route ethernet frames on across the switch. It knows that MAC AB:CD:EF:etc is on port 1, and 12:34:56:etc is on port 2. Because you can daisy chain switches, it actually has to remember a many MACs to 1 port sort of mapping.

      Switches can only remember a finite number of MAC addresses, so if you overflow the memory of the switch with bogus MAC addresses, it fails over to hub mode and just broadcasts all the packets to all the ports. It's not pretty, and would cause the network to get slower, but at least it would continue to work.

      As I can't see hubs being used at a Black Hat conference, I'd guess this is the sort of thing the reporters did. I'm sure there's a name for it... probably "ARP Cache Smashing" or something, but I don't know it.

      Anyway, if someone can give a better explanation, I'd be grateful.

    4. Re:Many low cost switches... by Eggplant62 · · Score: 1

      Many low-cost switches are simple layer 2 switching bridges, devices that pass packets from one interface to another, electrically segmenting a network into collision domains. If the network had stayed wired with nothing but switches, there wouldn't have been an issue. Let me guess, someone thought some hubs would be a good idea. Congratulations, epic fail.

    5. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      GARP to poison the forwarding caching & trick ppl into sending traffic to you instead of the gateway. As you said, 'ARP Poisoning'

    6. Re:Many low cost switches... by el+americano · · Score: 5, Funny

      If only their were experts who knew the specification of network switches and how not to expose users to casual snooping, then we could set up a conference where such people get together to share their knowledge of these type of vulnerabilities.

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    7. Re:Many low cost switches... by LostCluster · · Score: 4, Informative

      "ARP poisoning" is what it's called, and your explanation sums it up pretty well. If the other side of a port is claiming to have enough MAC addresses reachable by it the cache will fill and the switch will start over with a blank cache which renders it into a hub until it learns what's really where, then gets poisoned again, rinse, wash, repeat.

      Dumb switches will fall for this trick and have no way for anybody to notice, smarter switches will log this and let the admin know there's more than one MAC address being reported on a port... you just trace to who's on the other end of the report and you've busted them.

    8. Re:Many low cost switches... by cheater512 · · Score: 2, Informative

      Far easier than overflowing the memory.

      Just look for the other computer's MACs and then tell the switch that they are on your port.
      You then send a copy of their data to them.

    9. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

      No, you are describing a dual-speed hub, not a switch. I remember pulling out some perfectly functional dual-speed hubs (3com) back in 2002 or so.

      Nobody sells them anymore - the price differential between a cheap dumb switch and a hub is negligible.

    10. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

      Got any examples? I've never heard of a dual-speed hub being fraudulently labeled a switch.

    11. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      No, almost all switches are actual switches. What you describe is called a switching hub. In case you need to tell them apart: a switch allows you to use full duplex and a hub does not.

      The problem is that switches are thought of as enhancing security, but their purpose is to enhance performance. Unmanaged switches can't separate ports through VLANs, can't enforce MACs and can't disable ports on disconnect. The table which records the MAC-to-port relation can be flooded and then practically all unmanaged switches forward all packets to all ports, effectively turning the switch into a hub.

    12. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      ARP poisoning and MAC address table flooding are two different types of attacks.

      ARP poisoning is directed at a host's IP-to-MAC address translation table. It is used to make the other host think that your MAC address is where packets for another IP need to be sent. It will then send packets directly to your ethernet card's MAC address.

      MAC address table flooding is directed at the MAC-to-port translation table of a switch. It is used to turn switches into hubs, so that you get packets which are not addressed to your ethernet card's MAC address.

    13. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      You fail it.

    14. Re:Many low cost switches... by Anonymous Coward · · Score: 1, Insightful

      That's not ARP poisoning, ARP maps layer 3 IP addresses to layer 2 MAC addresses and is a router function rather than a switch one (L3 switches aside). They could have used ARP poisoning for this attack but that's not what is being asked about.

      For switches you are talking about MAC flooding which is a pure layer 2 (e.g. Ethernet/MAC) attack and different from ARP poisoning. Layer 2 switching knows nothing of IP addresses so doesn't use ARP.

      If a switch sees a packet with a destination that it doesn't know about (e.g. doesn't have in memory) then it floods it out all ports in the same VLAN. It learns the source MACs in packets so when the reply comes through it learns which port that MAC belongs to. The MACs and ports are stored in memory, this can be overloaded. Then the switch cannot store any new MACs so has to flood packets out all ports (to the new MACs, not ones it already learnt).

      You can configure something like port-security (Cisco specific, not sure what other companies use) which associates a list of MACs with a port and takes action if another MAC is seen, e.g. disable the port, refuse packets from that MAC or send an SNMP trap/syslog message. Things like VMWare, Virtual IPs and server dual-NIC failover mean that multiple MACs per-port is a fairly normal event so by default even "smart" switches may not take any action unless specifically set up to do so.

    15. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      He's actually talking about MAC Flooding. ARP poisoning is a targeted attack that affects the host, not the switch.

    16. Re:Many low cost switches... by Anonymous Coward · · Score: 0

      Sticky MAC on Cisco Catalysts and port security on Foundry will limit MAC addresses on a port to a default of 1 (and can be set to more). I have this on all my switches and email alerts when more than one MAC appears or the MAC changes, the port also instantly disables itself until someone enables it again. ARP poisoning is trivial to stop if you secure the switch.

    17. Re:Many low cost switches... by sjames · · Score: 1

      That's more or less it, but there are a few nuances.

      The switch remembers what MACs are on what ports in a table. If a packet's destination MAC isn't in the table, it gets sent to all ports in the same VLAN (a simple switch may have only 1 VLAN). The reply to that packet (having the same MAC address as the source) will let the switch determine which particular port it should use for that MAC in the future.

      If you overflow the table, the switch is forced to flush out all entries and learn them again. When the table is cleared, it will briefly act like a hub as it re-learns the MACs associated with each port.

      All of that is based on a switch making best effort to deliver packets without overloading the network. They are not naturally a security device at all.

      However, in this case, the ARP tables on the client machines were probably the target. Just listen for ARP requests (which are broadcast packets, so the switch must forward them on all ports) and answer them all quickly. The objective is to answer faster than the legitimate holder of the IP address does.

      Then, when the packets come in intended for another host, sniff them and forward them to the real machine (at the link layer) so nobody sees anything wrong. Your machine is now the man in the middle.

      There are a few refinements to the technique. For example, one countermeasure is that Windows machines send out ARP requests for their own IP address in order to detect network conflicts. So, your attack program should first build a map of legitimate MAC to IP so it can avoid replying to those. It can also be useful to only attack one or two clients at a time so you don't call attention to yourself by bottlenecking the LAN or becoming the busiest port on the switch. In a case like this, you'll also want to just answer ARP requests for the gateway's IP from anywhere but the gateway and all of the gateway's ARP requests.

      Clients can watch for this by detecting the case where multiple conflicting ARP replies come in (but typically don't) and a network admin can watch for this sort of thing on a monitor port.
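The last paragraph of the comment above mentions watching for multiple conflicting ARP replies. The following is an added example, not part of the original comment: a detector that reads ARP reply records and reports IP addresses claimed by two different MACs within a short window, then picks out the MAC common to several conflicts. The one-line record format (`timestamp sender_ip sender_mac`), the 5-second window and all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a monitor port:
# "<seconds> <sender IP> <sender MAC>"
SAMPLE_REPLIES = """\
10.00 192.0.2.1 02:00:00:00:00:01
10.02 192.0.2.1 02:00:00:00:00:99
12.50 192.0.2.20 02:00:00:00:00:99
13.00 192.0.2.20 02:00:00:00:00:14
40.00 192.0.2.30 02:00:00:00:00:1e
"""


def parse_replies(text):
    """Turn the constructed record lines into (ts, ip, mac) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        ts, ip, mac = parts
        records.append((float(ts), ip, mac.lower()))
    return records


def find_arp_conflicts(records, window=5.0):
    """Return (ip, earlier_mac, later_mac, ts) for each conflicting claim.

    A conflict is two different MACs answering for the same IP within
    `window` seconds of each other.
    """
    last_seen = defaultdict(dict)         # ip -> {mac: last timestamp}
    findings = []
    for ts, ip, mac in sorted(records):
        for other_mac, other_ts in last_seen[ip].items():
            if other_mac != mac and ts - other_ts <= window:
                findings.append((ip, other_mac, mac, ts))
        last_seen[ip][mac] = ts
    return findings


def common_macs(findings, min_ips=2):
    """MACs involved in conflicts for at least `min_ips` different IPs.

    A legitimate owner shows up in the conflict for its own address only;
    a station answering for other hosts shows up in several.
    """
    ips_by_mac = defaultdict(set)
    for ip, mac_a, mac_b, _ts in findings:
        ips_by_mac[mac_a].add(ip)
        ips_by_mac[mac_b].add(ip)
    return sorted(m for m, ips in ips_by_mac.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    conflicts = find_arp_conflicts(parse_replies(SAMPLE_REPLIES))
    for ip, first, second, ts in conflicts:
        print(f"{ts:6.2f}s  {ip} claimed by {first} and {second}")
    print("common to several conflicts:", common_macs(conflicts))
```

A router doing proxy ARP can legitimately answer for many addresses, so the output of `common_macs` is a lead to check against the known gateway MAC rather than a verdict.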

  11. Just use a network switch ya morons! by Anonymous Coward · · Score: 0

    A simple el-cheapo switch would prevent wired connections from seeing each other's data. They must have been using one of those stupid broadcast routers which is pretty lame for people that supposedly know what they are doing.

    1. Re:Just use a network switch ya morons! by Anonymous Coward · · Score: 2, Funny

      I wonder what lucky guy is overpaying you for network administration.

  12. Journalists that hack? by PJCRP · · Score: 1, Insightful

    Worst nightmare coming true.

    --
    Knows everything about nothing and nothing about everything.
    1. Re:Journalists that hack? by jrothwell97 · · Score: 1

      They were working for a French computer security journal. Sort of like ZDNet, Linux Format, PC World etc, but with a heavier emphasis on security.

      --
      Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
    2. Re:Journalists that hack? by zappepcs · · Score: 1, Funny

      Journalists ARE hacks... right?
      http://en.wikipedia.org/wiki/Hack_writer

      Come on now. If you are reporting the black hat conference, what better way to show you know what you're reporting on than to hack?

      Personally, despite any failure on the part of the organizers, I think it admirable that they did a 'little' hacking. Perhaps we can get a new "meme that is never spoken"(TM) like male sportscasters all have stupid ties and bad hair and female sportscasters are Playboy bunny wouldhavebeens. Hacking conference reporters are all hackers.

      Amazingly, you'd think that anyone going there would be paranoid enough to try to protect their computers? I don't even trust people at Starbucks, never mind a conference full of hackers? WTF?

      Jokes:
      _Black Hat reporters ARE the news
      _Reporters at Black Hat: news when we recover our data
      _Journalism in America: Booted at Black Hat, Hired by TSA; a day in the life of a journalist
      _Former football player turned journalist: Colbert's nightmare; bears that hack!

      Shall I continue?

      sigh

    3. Re:Journalists that hack? by EveLibertine · · Score: 0

      The other thing to think about is in regards to it being a conference full of hackers. Yes, it seems silly to tell them not to hack the wired connections. On the other hand, did they really think that a thousand hackers wouldn't be able to figure out who was doing the hacking? I find what they did slightly humorous, but I think they're idiots if they thought they could do it and get away with it.

    4. Re:Journalists that hack? by Rigrig · · Score: 0

      Actually, hacking journalists is only number six on my list, right behind the one with the big shoe chasing me.

      --
      **TODO** [X] Steal someone elses sig.
    5. Re:Journalists that hack? by Opportunist · · Score: 1

      What's next? Hackers that write articl... oh, nevermind.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Journalists that hack? by l0cust · · Score: 0

      I would tell you to RTFA but then this is /. so yeah.. They _themselves_ went to the people in charge of the Wall of Sheep and _told_ them that they wanted the data on the wall to educate their colleagues about the need of being at least a bit paranoid. Of course they were refused and booted out after that.

      --
      Politicians and Pedophiles: Two groups of exploitive bastards who are most dangerous when they're thinking of children.
  13. Two people... by Eggplant62 · · Score: 4, Interesting

    ... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.

    Am I hacking??

    1. Re:Two people... by Ortega-Starfire · · Score: 5, Funny

      Yes.

      Die, Hacker!

      --
      ---- Liquid was a patriot ----
    2. Re:Two people... by mortonda · · Score: 0

      ... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.

      Am I hacking??

      If you are busy writing down what you hear and/or intend to use it, yes!

    3. Re:Two people... by THESuperShawn · · Score: 1

      depends... Does person 1 say "SYN" before each statement and person 2 say "ACK" before their response?

      --
      Repant. Thy end is sheer.
    4. Re:Two people... by Eggplant62 · · Score: 1

      I disagree. If you yell username and password pairs along with hosts that they work with across a room, that conversation is what we call unprotected. Like there is freedom of speech, there is also freedom to listen. If you're going to broadcast your conversation, without first taking steps to protect that conversation, that conversation is open game to all and sundry. Same with broadcast tv. Brits might disagree with their odd television licensing, but here in the States, we don't need a license to receive television and radio signals.

      But what about satellite television and radio, they broadcast from outer space. Why can't I listen in? Because they've taken steps to encrypt their conversation. Hacking that conversation is a no-no, just like sitting in a postal service truck, ripping open letters can get you in a world of hurt.

      Same principle on ethernet. There's a conversation happening, with several listeners on the wire in a hubbed, layer 1 network. Each listener can "hear" what's on the wire. If you feel that shouting your protected information across the room without some form of encryption is a great idea, hey, go for it. Basic security 101 - Fail.

    5. Re:Two people... by pauljuno · · Score: 1

      Absolutely not. Now play this mind game with me, what if the two people are talking with each other in a sound proof room that is unlocked and you open the door to listen. Are you now hacking?

    6. Re:Two people... by ppanon · · Score: 2, Funny

      ACK THPPPT if person two is Bill the Cat.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    7. Re:Two people... by mortonda · · Score: 1

      If you feel that shouting your protected information across the room without some form of encryption is a great idea, hey, go for it. Basic security 101 - Fail.

      I didn't say it was a good idea, or good security. Nevertheless, anyone who overhears that info and *uses* it, is doing wrong.

    8. Re:Two people... by simple+english+major · · Score: 1

      I must report you to the analogy police. This is more like two people sitting in a restaurant speaking at normal volume or lower. You could hear what they are saying if you move closer. If you do so, are you behaving ethically?

    9. Re:Two people... by Shotgun · · Score: 1

      What if I'm shouting in pig-latin? Or I use rot13? Is rot13 ok if I do it twice?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    10. Re:Two people... by The+Raven · · Score: 1

      Two people are seated in a quiet restaurant with partitions between each table, talking to each other in relative privacy. I'm sitting 3 tables away and can't hear them.

      So I make a reservation for 50 of my closest friends to come down. The restaurant has to take down the partitions to make room for the huge party... except all those people never show up, it was a false reservation. However, by overflowing the Active Restaurant Patron tables, I turned the private restaurant into a public one.

      Am I hacking?

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  14. Re:Tag this by ShieldW0lf · · Score: 1

    thepotcallingthekettleblack

    --
    -1 Uncomfortable Truth
  15. DMCA violation, anyone? by suck_burners_rice · · Score: 1

    If this were any other event, these reporters would be arrested a la Dmitry Sklyarov for violation of the DMCA, and should be sentenced to a billion life sentences without the possibility of parole without the unnecessary step of a time-consuming trial. But given that this is a hacking event, the reporters will probably be hailed as heroes. What is the world coming to?

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:DMCA violation, anyone? by cduffy · · Score: 2, Informative

      Computer misuse is illegal, yes, but not under the DMCA.

    2. Re:DMCA violation, anyone? by mrboyd · · Score: 1

      I sincerely hope you're only failing at being funny and not implying that the former is better than the latter....

  16. Sure... by msauve · · Score: 1

    if you want to burn 4 addresses for every host (host, router, subnet, and broadcast - a ".252"), have a router which can support enough interfaces/VLANs, and want to take the time to configure all that.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Sure... by mixmatch · · Score: 2, Insightful

      You're right it takes more work than setting up a dhcp server and plugging in a switch. No wonder they didn't do it.

    2. Re:Sure... by ppanon · · Score: 1

      Well I would think that a) they would be using a private IP address range with NAT and therefore have plenty of IP address range to play with. b) a good admin should be able to use a simple script (be it bash, python, emacs lisp, whatever) to quickly generate configuration files for the hubs and switches and upload them. You would think an organizer of a security conference would have somebody in their rolodex who they could tap to do this efficiently and correctly.

      You should always view any network not controlled by your organization with a certain degree of suspicion. Any passwords should never be transmitted in the clear. Personally, I wish they had posted the information on which reporters had had information compromised. You would think eWeek and ctNews, who are IT/computing focused, could find people who have a reasonable background in computer security to send to the conference.

      I tend to take those publications with a grain of sand anyways, but now their whole organization is tarred with that incompetence. Then again, if the reporters were uploading their stories to a plain FTP server because that's the only mechanism the company has available (in an age where OpenSSH and WinSCP are freely available, and https web submission forms are easy to set up) then the whole paper does deserve to have its reputation muddied a bit. So I also wouldn't mind knowing what was captured and how.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    3. Re:Sure... by sjames · · Score: 1

      And then a slightly more savvy reporter hooks up a mini switch and two devices and wonders why it won't work (even though it's never been a problem at any of the dozens of other events he's covered).

      Shortly thereafter, the story goes out that good network security is possible but only if Mordac grinds productivity to a halt.

      Let's try to remember, this is a temporary guest network. There are no corporate secrets behind the firewall. Its users are quite used to using whatever network is handy (hotel, press lan at shows, cyber-cafe, random unsecured WiFi, etc). It's a bit surprising that they weren't using VPN software on their laptops.

  17. Re:Tag this by rickb928 · · Score: 1

    Finally, someone gets it.

    sheesh. /. used to be quicker than this...

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  18. This gives a new meaning to... by kaos07 · · Score: 1

    "You're not a journalist! You're a hack!"

    I know, shoot me.

  19. -_- by Cynic.AU · · Score: 1

    If they'd kept their hack secret, nobody would've been the wiser. Thus, their point may have been that the press room is in fact INSECURE and should not be trusted.

    Not a very smart move, politically speaking.

  20. Re:FP by Ron_Fitzgerald · · Score: 3, Insightful

    Isn't it about time /. just not allow anonymous first posts?

    --
    ~ Ron Fitzgerald
  21. To prove a point by SpaceLifeForm · · Score: 4, Insightful

    That the wired lan was not secure.

    The reporters that allowed their login/passwords
    to be sniffed should be the ones exposed on the Wall of Sheep.

    Talk about being led into a false sense of security.

    They *knew* the Wireless was not secure.

    But to *ASSUME* the wired LAN was to be trusted
    clearly shows their ignorance of security.

    The reporter that exposed the problem should not
    be booted from future conferences, he should be
    welcomed back!

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:To prove a point by Anonymous Coward · · Score: 1, Insightful

      Prove a point that the LAN was insecure? They could have used TEMPEST to prove some point, too.

      It is allowed to use e.g. sniffers on the Black Hat conference, but the journalist/press centre is exempted; here it is not allowed. In there, journalists are doing their work just like journalists always do their work in a journalist/press centre.

      You've never been in such a room. Ask any journalist how the atmosphere is, and about the ethics in such a room. You don't spy on your colleagues there. They don't see each other as competitors there. What the 3 French journalists have done goes against the unwritten, ethical rules of journalism which is a cultural thing standing for ages.

      And, as stated, it also goes against Black Hat's rules because the journalist room is exempted from sniffing. If they'd allow that, these people might not be able to do their work anymore...

      If the journalists wanted to act in spirit of the conference they shouldn't have gone to the conference as journalists. They should have gone as a normal person attending the conference. And then still, the same rules and ethics apply, but they can play around and prove points if they wish to do so.

    2. Re:To prove a point by Anonymous Coward · · Score: 2, Informative

      How is this insightful? The parent obviously didn't RTFA. The wired LAN was off limits to this activity; please try reading first before you post, it's in the summary for Christ's sake.

    3. Re:To prove a point by mrboyd · · Score: 2, Interesting

      The mistake of the journalist was to assume that any network at all is secure.

      They were lucky their account info was only stolen for "fun", I doubt anyone else would have had the decency to tell them they had been compromised.

      I will side with the people who think that if you attend a "black hat" conference and dare use a) a computer that you don't own, b) on a network that you don't know, c) to access unencrypted private information, you are fair game.

      IMHO:
      1/ The journalists that were "hacked" don't deserve writing about a topic they can't seem to grasp.

      2/ The black hat organizer should be begging for pardon to be so grossly incompetent they have set up a network which is either plugged in a hub or with a router so lame that arp spoofing is still an option. The "hack" is not detailed and I assume that by "proper separation of the workstation" they mean "Plugged everyone on a hub".

      3/ Finally, because there are two sides to a coin, those "hacker" journalists were in clear breach of the journalist ethos which is to report the news and not create the news. There are enough bad journalists around and I don't think those will be missed.

      4/ In the AP news The EFF sounds like a bunch of trigger-happy hirsute lawyers ready to sue anyone for any reason whatsoever just to get their name in a press release.

    4. Re:To prove a point by Anonymous Coward · · Score: 0

      Like I said earlier 2 posts before, the journalist room has different rules than the actual conference. It wasn't allowed to sniff there, and journalists are not part of the actual conference they are there to work. They aren't security professionals.

      On that basis, and because sniffing traffic is illegal in the US, EFF & AP are considering suing the 3 French journalists who 1) didn't abide by the rules of the conference (the rules for journalists) 2) broke the journalist ethos which is normally friendly for colleagues 3) arguably, broke the law.

      Whatever else you write is nice for chit-chat with the tea, but it all does not take the above I wrote into account.

      BTW, usually journalists bring their own laptops with them, and it's the question which data was actually sniffed. Thus far, it doesn't seem much.

    5. Re:To prove a point by MadMidnightBomber · · Score: 1

      The reporter that exposed the problem should not be booted from future conferences, he should be welcomed back!

      Dug Song wrote dsniff in 2000 - it's not news that you can see passwords go past on switched ethernet.

      --
      "It doesn't cost enough, and it makes too much sense."
    6. Re:To prove a point by idlehanz · · Score: 1

      Duh... reporters... Reporters report. People that think get paid more.

      --
      Changing the world... one research project at a time.
    7. Re:To prove a point by Anonymous Coward · · Score: 0

      You don't need to hit the RETURN key when you get near the right-hand side of the text box; any decent browser will automatically wrap the text for you. Wrapping text manually just makes you look like a moron.

  22. Re:FP by Slashdot+Suxxors · · Score: 0

    You must be new here.

  23. Blackhat is a misnomer by Anonymous Coward · · Score: 0

    totally commercial event

  24. Why are they called 'hackers'? by axlr8or · · Score: 0

    Hackers, real ones, do positive things. Like, oh say, create Linux(s). Not show how smart they are and make fun of people that are inept. Ah well.

  25. Re:Routers are (*cough*) by Ox0065 · · Score: 1

    that's why God made routers.

    it's also why god made snort.

    --
    thx e
  26. Re:FP by hostyle · · Score: 0

    In Communist Slashdot, Anonymous Cowards post last.

    --
    Caesar si viveret, ad remum dareris.
  27. Reminds me of a demoparty I once attended.. by msgmonkey · · Score: 2, Funny

    where at one point all of a sudden some guy a few rows in front of me shouts out "I was blind but now I can see!" one of those moments only a coder can truly appreciate I guess :)

  28. Re:FP by McGiraf · · Score: 2, Funny

    Just start reading at the second post and do not reply to fist posts, not that hard.. Also The frosty pist at the top of the page tells you you are really on /. and that your DNS has not been hacked and redirected you to some fake ./ site.

  29. Re:FP by Mistshadow2k4 · · Score: 1

    Considering that they have the time to get the first post in some of them must be subscribers, so probably not.

    --
    I dream of a better world... one in which chickens can cross roads without their motives being questioned.
  30. honest journalist by Anonymous Coward · · Score: 0

    Did these journalists not understand what their role was at this event? The Wi-Fi connections were free targets and that was understood. The hard-wired connections were off limits to all involved and only for the press, as I understand it. What were they thinking?

    the press network was part of the wall of sheep; hereafter the evidence:

    an email sent by Black Hat press manager to all journalists one week before the conference:

    "Beware, the Wall of Sheep will debut at Black Hat this year. Do not send your usernames and passwords in the clear. If you are not sure how to safely connect, we suggest visiting the Wall of Sheep experts when you first arrive. "

    So these journalists did their job in a hacker conference and they went to responsibly disclose the security issue