Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reporters At Black Hat Get Bounced For Hacking

Posted by Soulskill on from the no-brownie-points-for-you dept.

rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP: "The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."

3 of 128 comments (clear)

  1. Re:Switches are not expensive by foom · · Score: 4, Informative

    Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

    It's a common misconception that switches prevent snooping. Switches are *not* security devices, they are an performance optimization. As such, they mostly "fail open".

    If you flood the switch with many different MAC addresses, such that its internal ethernet routing table fills up, it will usually simply direct *all* traffic to your port, rather than potentially incorrectly dropping some traffic you should have received.

    And then you can snoop to your heart's content, with nobody else the wiser.

  2. Re:Not Surprised by fmwap · · Score: 4, Informative

    and even one more difference, from TFA:
    Organizers said the trio was caught when they took their purloined password prizes to Wall of Sheep workers and asked them to post the information. The workers refused.

    So...they turned themselves in.

  3. Re:Many low cost switches... by LostCluster · · Score: 4, Informative

    "ARP poisioning" is what it's called, and your explaination sums it up pretty well. If the other side of a port is claiming to have enough MAC addresses reachable by it the cache will fill and the switch will start over with a blank cache which renders it into a hub until it learns what's really where, then gets poisioned again, rinse, wash, repeat.

    Dumb switches will fall for this trick and have no way for anybody to notice, smarter switches will log this and let the admin know there's more than one MAC address being reported on a port... you just trace to who's on the other end of the report and you've busted them.