Reporters At Black Hat Get Bounced For Hacking

← Back to Stories (view on slashdot.org)

Reporters At Black Hat Get Bounced For Hacking

Posted by Soulskill on Friday August 8, 2008 @01:56PM from the no-brownie-points-for-you dept.

rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP: "The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."

22 of 128 comments (clear)

Not Surprised by Anonymous Coward · 2008-08-08 14:02 · Score: 3, Insightful

Really, I'm not surprised at all that people were kicked out of The Black Hat "Hacker" Conference for hacking.
Just shows that Corporate sponsored Hacker conferences are a contradiction in terms
1. Re:Not Surprised by Lehk228 · 2008-08-08 15:04 · Score: 5, Funny
  
  well technically he was bounced for GETTING CAUGHT hacking. there is a difference.
  
  --
  Snowden and Manning are heroes.
2. Re:Not Surprised by fmwap · 2008-08-08 15:16 · Score: 4, Informative
  
  and even one more difference, from TFA:
  Organizers said the trio was caught when they took their purloined password prizes to Wall of Sheep workers and asked them to post the information. The workers refused.
  
  So...they turned themselves in.
3. Re:Not Surprised by Adriax · 2008-08-08 16:30 · Score: 4, Funny
  
  The offending journalist was caught when, after stealing the passwords, he stood up and shouted "Yes, I am invincible!" with a bad russian accent.
  
  --
  I don't suffer from insanity, I enjoy every minute of it!
Did they forget there role? by pauljuno · 2008-08-08 14:03 · Score: 4, Funny

Did these journalist not understand what their role was at this event? The Wi-Fi connections were free targets and that was understood. The hard-wired connections were off limits to all involved and only for the press, as I understand it. What were they thinking?
1. Re:Did they forget there role? by SanityInAnarchy · 2008-08-08 14:59 · Score: 4, Insightful
  
  You'd think the organizers of the Black Hat convention could properly secure a wired network.
  Which they did. They just didn't secure it from the other journalists.
  Consider that it is actually impossible to do so, and allow journalists to bring their own laptops. The best you can do is secure a network, not secure the computers on the network, without insisting on admining each such computer -- think Mordac-style.
  
  I'd lay the blame with the Black Hat organizers.
  For kicking them? Maybe.
  But for allowing it to happen? Not so much.
  
  --
  Don't thank God, thank a doctor!
2. Re:Did they forget there role? by SanityInAnarchy · 2008-08-08 15:33 · Score: 4, Insightful
  
  Each group of journalists could have had their own separate connection to a properly configured router
  Implying they could attack each other, still.
  
  Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc.
  And if someone didn't even bother to use SSL, what makes you think they'll set all these up on their own computer?
  
  The organizers were just lazy...
  For what? Not mandating every journalist use a known-good computer? For not blocking port 80 in favor of 443? For allowing these people on the Internet at all?
  Tell me -- given that it's impossible to idiot-proof a single computer, how are you proposing that they idiot-proof an entire network of humans -- humans who can and will make mistakes?
  
  --
  Don't thank God, thank a doctor!
3. Re:Did they forget there role? by MrNaz · 2008-08-08 16:30 · Score: 3, Funny
  
  I fail at clicking "Post Anonymously".
  
  --
  I hate printers.
I guess by Korbeau · 2008-08-08 14:08 · Score: 5, Interesting

nobody plays Uplink enough these days.
1. Re:I guess by Starayo · 2008-08-08 15:06 · Score: 3, Insightful
  
  Ah, uplink. Good times, good times.
  
  Don't forget Dark Signs either.
  
  --
  Ezekiel 23:20
comma, duh by StuffMaster · 2008-08-08 14:18 · Score: 3, Funny

Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away.

Even so people who post stories to Slashdot, should learn to use commas.
It's happened at Usenix by argent · 2008-08-08 14:20 · Score: 3, Interesting

One Usenix there was an announcement that everyone who had used Kerberos to log in from the terminal room needed to set up new keys. Another finished with a paper on what someone had sniffed on the Wifi LAN.
So it's no bloody surprise it's happened at Black Hat. Not that the guys who did it were justified, and they're lucky they were just booted out, but anyone who doesn't use encrypted VPNs or encrypted tunnels at ANY technical conference is asking for trouble.
Re:Switches are not expensive by foom · 2008-08-08 14:25 · Score: 4, Informative

Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...
It's a common misconception that switches prevent snooping. Switches are *not* security devices, they are an performance optimization. As such, they mostly "fail open".
If you flood the switch with many different MAC addresses, such that its internal ethernet routing table fills up, it will usually simply direct *all* traffic to your port, rather than potentially incorrectly dropping some traffic you should have received.
And then you can snoop to your heart's content, with nobody else the wiser.
Re:Many low cost switches... by LostCluster · 2008-08-08 14:31 · Score: 4, Interesting

We're all taught in network design class that a switch unlike a hub doesn't send traffic that's not yours to you, then learn in security class that it's easy to turn a switch into a hub.
Re:It was Defcon, not Black Hat by Anonymous Coward · 2008-08-08 14:39 · Score: 3, Informative

wrong:
http://www.blackhat.com/html/bh-usa-08/wallofsheep.html
Two people... by Eggplant62 · 2008-08-08 14:42 · Score: 4, Interesting

... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.
Am I hacking??
1. Re:Two people... by Ortega-Starfire · 2008-08-08 14:46 · Score: 5, Funny
  
  Yes.
  Die, Hacker!
  
  --
  ---- Liquid was a patriot ----
Re:Many low cost switches... by CrazedWalrus · 2008-08-08 15:06 · Score: 4, Interesting

I don't understand this very well, so someone who does please chime in.
Switches use your ethernet card's MAC address (not IP) to know how to route ethernet frames on across the switch. It knows that MAC AB:CD:EF:etc is on port 1, and 12:34:56:etc is on port 2. Because you can daisy chain switches, it actually has to remember a many MACs to 1 port sort of mapping.
Switches can only remember a finite number of MAC addresses, so if you overflow the memory of the switch with bogus MAC addresses, it fails over to hub mode and just broadcasts all the packets to all the ports. It's not pretty, and would cause the network to get slower, but at least it would continue to work.
As I can't see hubs being used at a Black Hat conference, I'd guess this is the sort of thing the reporters did. I'm sure there's a name for it... probably "ARP Cache Smashing" or something, but I don't know it.
Anyway, if someone can give a better explanation, I'd be grateful.
Re:Many low cost switches... by el+americano · 2008-08-08 15:27 · Score: 5, Funny

If only their were experts who knew the specification of network switches and how not to expose users to casual snooping, then we could set up a conference where such people get together to share their knowledge of these type of vulnerabilities.

--
Those are my principles. If you don't like them I have others. -Groucho Marx
Re:FP by Ron_Fitzgerald · 2008-08-08 15:37 · Score: 3, Insightful

Isn't about time /. just not allow anonymous first posts?

--
~ Ron Fitzgerald
Re:Many low cost switches... by LostCluster · 2008-08-08 15:50 · Score: 4, Informative

"ARP poisioning" is what it's called, and your explaination sums it up pretty well. If the other side of a port is claiming to have enough MAC addresses reachable by it the cache will fill and the switch will start over with a blank cache which renders it into a hub until it learns what's really where, then gets poisioned again, rinse, wash, repeat.
Dumb switches will fall for this trick and have no way for anybody to notice, smarter switches will log this and let the admin know there's more than one MAC address being reported on a port... you just trace to who's on the other end of the report and you've busted them.
To prove a point by SpaceLifeForm · 2008-08-08 15:58 · Score: 4, Insightful

That the wired lan was not secure.
The reporters that allowed their login/passwords
to be sniffed should be the ones exposed on the Wall of Sheep.
Talk about being led into a false sense of security.
They *knew* the Wireless was not secure.
But to *ASSUME* the wired LAN was to be trusted
clearly shows their ignorance of security.
The reporter that exposed the problem should not
be booted from future conferences, he should be
welcomed back!

--
You are being MICROattacked, from various angles, in a SOFT manner.