Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reporters At Black Hat Get Bounced For Hacking

Posted by Soulskill on from the no-brownie-points-for-you dept.

rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP: "The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."

39 of 128 comments (clear)

  1. Not Surprised by Anonymous Coward · · Score: 3, Insightful

    Really, I'm not surprised at all that people were kicked out of The Black Hat "Hacker" Conference for hacking.

    Just shows that Corporate sponsored Hacker conferences are a contradiction in terms

    1. Re:Not Surprised by Lehk228 · · Score: 5, Funny

      well technically he was bounced for GETTING CAUGHT hacking. there is a difference.

      --
      Snowden and Manning are heroes.
    2. Re:Not Surprised by fmwap · · Score: 4, Informative

      and even one more difference, from TFA:
      Organizers said the trio was caught when they took their purloined password prizes to Wall of Sheep workers and asked them to post the information. The workers refused.

      So...they turned themselves in.

    3. Re:Not Surprised by Adriax · · Score: 4, Funny

      The offending journalist was caught when, after stealing the passwords, he stood up and shouted "Yes, I am invincible!" with a bad russian accent.

      --
      I don't suffer from insanity, I enjoy every minute of it!
  2. Did they forget there role? by pauljuno · · Score: 4, Funny

    Did these journalist not understand what their role was at this event? The Wi-Fi connections were free targets and that was understood. The hard-wired connections were off limits to all involved and only for the press, as I understand it. What were they thinking?

    1. Re:Did they forget there role? by SanityInAnarchy · · Score: 4, Insightful

      You'd think the organizers of the Black Hat convention could properly secure a wired network.

      Which they did. They just didn't secure it from the other journalists.

      Consider that it is actually impossible to do so, and allow journalists to bring their own laptops. The best you can do is secure a network, not secure the computers on the network, without insisting on admining each such computer -- think Mordac-style.

      I'd lay the blame with the Black Hat organizers.

      For kicking them? Maybe.

      But for allowing it to happen? Not so much.

      --
      Don't thank God, thank a doctor!
    2. Re:Did they forget there role? by Anonymous Coward · · Score: 2, Informative

      What are you talking about. You are completely wrong. The organizers could have done much more.

      By properly laying the wiring, they could ensure that you could not set-up such a passive filter. Each group of journalists could have had their own separate connection to a properly configured router - that way, if you wanted to snoop on another journalists traffic, you would have to walk over to their table and jack into their Ethernet connectors, which is significantly mitigates the severity of the problem.

      Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc. The organizers were just lazy and decided that they would simply call it a trusted system and not actually bother securing it.

      I'm sorry, but this demonstrates hypocrisy on the part of the organizers. They criticize (rightly) businesses for being lazy when it comes to security, yet turn around and do the same thing themselves.

      As far as I'm concerned, the journalists acted at least within the spirit of the conference.

    3. Re:Did they forget there role? by SanityInAnarchy · · Score: 4, Insightful

      Each group of journalists could have had their own separate connection to a properly configured router

      Implying they could attack each other, still.

      Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc.

      And if someone didn't even bother to use SSL, what makes you think they'll set all these up on their own computer?

      The organizers were just lazy...

      For what? Not mandating every journalist use a known-good computer? For not blocking port 80 in favor of 443? For allowing these people on the Internet at all?

      Tell me -- given that it's impossible to idiot-proof a single computer, how are you proposing that they idiot-proof an entire network of humans -- humans who can and will make mistakes?

      --
      Don't thank God, thank a doctor!
    4. Re:Did they forget there role? by emmafreester · · Score: 2

      This situation reminds me of the past three ShmooCons I attended. My rule is that if I'm not entirely sure that my computer is hack-proof (an impossibility, I realize, but a goal nonetheless) and I know that I'm not going to be paying enough attention to it to ensure that I would notice if something strange were happening to it...then I don't get on the network and I turn off my wireless antenna so no one can find! When you're in a conference about hacking and computer security, you should expect that your computer should be broken into. All that aside, if the rules specifically stated that the wired networks were for reporter use only, and were not to be used for hacking ("separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep" according to the article), then the reporters who used it to get login credentials and then turned them in despite the rule about no hacking and no Wall of Sheep are stupid and deserved to get kicked out.

    5. Re:Did they forget there role? by MrNaz · · Score: 3, Funny

      I fail at clicking "Post Anonymously".

      --
      I hate printers.
    6. Re:Did they forget there role? by mysidia · · Score: 2

      Each group of journalists could have had their own separate connection to a properly configured router

      Implying they could attack each other, still.

      With a suitable access lists, and each Journalist's PC plugged into their own port on a Layer 3 switch and everyone NAT'ed, no they would have no normal means of using their legitimate connection to attack another journalist's PC.

      For instance, local PC to gateway might be allowed, but there would be no method allowed to have PC to PC or broadcast traffic. That's the ideal scenario.

      E.g. It would be essentially be an internet-only connection, no LAN whatsoever.

      Actually, the ideal scenario is the journalist uses a dedicated end-to-end encryption over a VPN, and their PC is config'ed to refuse all other traffic. (So any 'attack' would have to originate on the home network)

      802.1X auth is a good standard and all, but it's use is unrealistic -- many journalists would not understand how to connect their laptop.

      Actually, isolating each journalist into their own ethernet broadcast domain is probably unlikely -- due to the massive number of journalists at events like blackhat, and resulting burden in defining a unique ip network for each one.

      Port security (limit of one active MAC address per port), and DHCP+ARP inspection + filtering (to protect against ARP hijacking or fake DHCP server traffic) are more realistic security measures in an environment like this, and very basic.

      The attempted connection of a second PC to a port while another PC is recently active _should_ immediately set off alarms.

      Limit of number of active MAC addresses also makes it hard for a bad journalist from attempting to sniff by sending blank frames with spoofed victims' MAC address as source (to make the switch forward to the attacker).

      It's not surprising that blackhat didn't implement these types of security measures -- most network security features are rarely implemented, even on 'secure' networks.

      Security of such ad-hoc setups is more of an afterthought.

      The journalists are perhaps more at fault for not using SSL!

    7. Re:Did they forget there role? by pauljuno · · Score: 2, Funny

      I've already begged forgiveness for this once before. The body of text used the word correctly and the subject line did not. Please forgive me, and if the hague should come calling I will plead guilt.

    8. Re:Did they forget there role? by mwvdlee · · Score: 2, Insightful

      So basically the french got kicked not for hacking but for being a bunch of scriptkiddies that wanted to demonstrate they could "hack" a network known to be badly secured. Rightly so. These journalists wouldn't have been able to report on the real hacks; they wouldn't understand them.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. I guess by Korbeau · · Score: 5, Interesting

    nobody plays Uplink enough these days.

    1. Re:I guess by Starayo · · Score: 3, Insightful

      Ah, uplink. Good times, good times.

      Don't forget Dark Signs either.

      --
      Ezekiel 23:20
  4. comma, duh by StuffMaster · · Score: 3, Funny

    Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away.

    Even so people who post stories to Slashdot, should learn to use commas.

  5. It's happened at Usenix by argent · · Score: 3, Interesting

    One Usenix there was an announcement that everyone who had used Kerberos to log in from the terminal room needed to set up new keys. Another finished with a paper on what someone had sniffed on the Wifi LAN.

    So it's no bloody surprise it's happened at Black Hat. Not that the guys who did it were justified, and they're lucky they were just booted out, but anyone who doesn't use encrypted VPNs or encrypted tunnels at ANY technical conference is asking for trouble.

    1. Re:It's happened at Usenix by Acapulco · · Score: 2

      Ok, I agree that in a technical conference people will more likely be exposed, but it doesn't mean it SHOULD.

      For the sake fo changing the car analogy, think of a firing range. When you go there, you are specifically told you shoot in a particular area, and told NOT to shoot wildly at will. Going to a firing range doesn't mean you are more exposed to bullets IF people follow the instructions. I shouldn't be required to wear high impact body armor, just because "going to a firing range without body armor is asking for trouble".

      I believe it was a wise decision to boot them off the conference, or else they would risk eveyone just saying fuck the rules, you get no punishment, and then it wouldn't be a technical conference as much as it would be a hacking playing ground, which is not something bad per se, just don't advertise it as a conference then.

      --
      Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
  6. When in Rome... by Anonymous Coward · · Score: 2, Funny

    ... hack like Romans hack!

    Seriously, these reporters, they were told where they were going and what they were reporting on, right?

  7. Many low cost switches... by msauve · · Score: 2, Insightful

    are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Many low cost switches... by LostCluster · · Score: 4, Interesting

      We're all taught in network design class that a switch unlike a hub doesn't send traffic that's not yours to you, then learn in security class that it's easy to turn a switch into a hub.

    2. Re:Many low cost switches... by CrazedWalrus · · Score: 4, Interesting

      I don't understand this very well, so someone who does please chime in.

      Switches use your ethernet card's MAC address (not IP) to know how to route ethernet frames on across the switch. It knows that MAC AB:CD:EF:etc is on port 1, and 12:34:56:etc is on port 2. Because you can daisy chain switches, it actually has to remember a many MACs to 1 port sort of mapping.

      Switches can only remember a finite number of MAC addresses, so if you overflow the memory of the switch with bogus MAC addresses, it fails over to hub mode and just broadcasts all the packets to all the ports. It's not pretty, and would cause the network to get slower, but at least it would continue to work.

      As I can't see hubs being used at a Black Hat conference, I'd guess this is the sort of thing the reporters did. I'm sure there's a name for it... probably "ARP Cache Smashing" or something, but I don't know it.

      Anyway, if someone can give a better explanation, I'd be grateful.

    3. Re:Many low cost switches... by el+americano · · Score: 5, Funny

      If only their were experts who knew the specification of network switches and how not to expose users to casual snooping, then we could set up a conference where such people get together to share their knowledge of these type of vulnerabilities.

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    4. Re:Many low cost switches... by LostCluster · · Score: 4, Informative

      "ARP poisioning" is what it's called, and your explaination sums it up pretty well. If the other side of a port is claiming to have enough MAC addresses reachable by it the cache will fill and the switch will start over with a blank cache which renders it into a hub until it learns what's really where, then gets poisioned again, rinse, wash, repeat.

      Dumb switches will fall for this trick and have no way for anybody to notice, smarter switches will log this and let the admin know there's more than one MAC address being reported on a port... you just trace to who's on the other end of the report and you've busted them.

    5. Re:Many low cost switches... by cheater512 · · Score: 2, Informative

      Far easier than overflowing the memory.

      Just look for the other computer's MACs and then tell the switch that they are on your port.
      You then send a copy of their data to them.

  8. Re:Switches are not expensive by foom · · Score: 4, Informative

    Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

    It's a common misconception that switches prevent snooping. Switches are *not* security devices, they are an performance optimization. As such, they mostly "fail open".

    If you flood the switch with many different MAC addresses, such that its internal ethernet routing table fills up, it will usually simply direct *all* traffic to your port, rather than potentially incorrectly dropping some traffic you should have received.

    And then you can snoop to your heart's content, with nobody else the wiser.

  9. Re:Just use a network switch ya morons! by Anonymous Coward · · Score: 2, Funny

    I wonder what lucky guy is overpaying you for network administration.

  10. Re:It was Defcon, not Black Hat by Anonymous Coward · · Score: 3, Informative

    wrong:

    http://www.blackhat.com/html/bh-usa-08/wallofsheep.html

  11. Two people... by Eggplant62 · · Score: 4, Interesting

    ... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.

    Am I hacking??

    1. Re:Two people... by Ortega-Starfire · · Score: 5, Funny

      Yes.

      Die, Hacker!

      --
      ---- Liquid was a patriot ----
    2. Re:Two people... by ppanon · · Score: 2, Funny

      ACK THPPPT if person two is Bill the Cat.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  12. Re:Sure... by mixmatch · · Score: 2, Insightful

    You're right it takes more work than setting up a dhcp server and plugging in a switch. No wonder they didn't do it.

  13. Re:FP by Ron_Fitzgerald · · Score: 3, Insightful

    Isn't about time /. just not allow anonymous first posts?

    --
    ~ Ron Fitzgerald
  14. To prove a point by SpaceLifeForm · · Score: 4, Insightful

    That the wired lan was not secure.

    The reporters that allowed their login/passwords
    to be sniffed should be the ones exposed on the Wall of Sheep.

    Talk about being led into a false sense of security.

    They *knew* the Wireless was not secure.

    But to *ASSUME* the wired LAN was to be trusted
    clearly shows their ignorance of security.

    The reporter that exposed the problem should not
    be booted from future conferences, he should be
    welcomed back!

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:To prove a point by Anonymous Coward · · Score: 2, Informative

      How is this insightful the parent obviously didn't RTFA. The wired LAN was off limits to this activity, please trying reading first before you post, it's in the summary for Christ sake

    2. Re:To prove a point by mrboyd · · Score: 2, Interesting

      The mistake of the journalist was to assume that any network at all is secure.

      They were lucky their account info were only stolen for "fun", I doubt anyone else would have had the decency to tell them they had been compromised.

      I will side with the people who think that if you attend a "black hat" conference and dare use a) a computer that you don't own, b) on a network that you don't know, c) to access unencrypted private information, you are fair game.

      IMHO:
      1/ The journalists that were "hacked" don't deserve writing about a topic they can't seem to grasp.

      2/ The black hat organizer should be begging for pardon to be so grossly incompetent they have set up a network which is either plugged in a hub or with a router so lame that arp spoofing is still an option. The "hack" is not detailed and I assume that by "proper separation of the workstation" they mean "Plugged everyone on a hub".

      3/ Finally, because there is two side to a coin, those "hacker" journalist were in clear breach of the journalist ethos which is to report the news and not create the news. There is enough bad journalist around and I don't think those will be missed.

      4/ In the AP news The EFF sounds like a bunch trigger happy hirsute lawyers ready to sue anyone for any reason whatsoever just to get their name in a press release.

  15. Re:DMCA violation, anyone? by cduffy · · Score: 2, Informative

    Computer misuse is illegal, yes, but not under the DMCA.

  16. Reminds me of a demoparty I once attended.. by msgmonkey · · Score: 2, Funny

    where at one point all of a sudden some guy a few rows in front of me shouts out "I was blind but now I can see!" on of those moments only a coder can truely appreciate I guess :)

  17. Re:FP by McGiraf · · Score: 2, Funny

    Just start reading at the second post and do not reply to fist posts, not that hard.. Also The frosty pist at the top of the page tells you your are really on /. and that your DNS has not been hacked and redirected you to some fake ./ site.