Slashdot Mirror


Fake Password Reset E-mail Hits 7,500 Black Hat Registrants

An anonymous reader writes "7,500 Black Hat USA 2012 attendees may have been surprised to get a fake password reset e-mail sent to accounts they used to register for the conference. Black Hat has apologized and explained the lame phishing spam attempt."

67 comments

  1. I would be deeply saddened by Anonymous Coward · · Score: 5, Funny

    ...if any of them fell for it.

    1. Re:I would be deeply saddened by Mabhatter · · Score: 4, Insightful

      They totally deserve that? Why would you sign up for a "Black Hat" event with an important account? The trusting fools!

    2. Re:I would be deeply saddened by Karmashock · · Score: 1

      It would be pretty choice irony.

      They should make that part of the event. Every time they should use the registrant's information to try and scam the whole group.

      Not take money or whatever. But just as a challenge and a reminder.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    3. Re:I would be deeply saddened by Anonymous Coward · · Score: 0

      Because you want to get the owner into trouble. Obvious really.

    4. Re:I would be deeply saddened by flyneye · · Score: 2

      Why be saddened? They signed up for it, paid with (possibly) their credit card, showed their I.D. at the desk for their room, walked in plain view of security cameras placed by both the hotel and the FBI facial recognition database team, hung out in their bugged rooms, chatted in bugged elevators, walked the floors with undercovers all around. 7500 show up, but 8000 in attendance hmmmmmmm. I wouldn't be surprised if half of them fell for it.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    5. Re:I would be deeply saddened by Anonymous Coward · · Score: 2, Interesting

      First off, Black Hat is not for the elite. Black Hat is the watered down version of DefCon, made palatable for people and businesses who are afraid of being associated with the criminal element of hacking. While there is some good information to be had at Black Hat, it is generally a pale shadow of what can be found at DefCon. That said, DefCon is a pale shadow of its former self, not in terms of attendance for sure, but definitely in terms of content. For content you must now go to B-Sides, Skytalks, etc., or smaller group meetings in a non-public venue. As far as the "why sign up" using an important account question, what a stupid question. The account is not you, if you are dumb enough to fall for a phishing attempt, it does not matter if it is your main or a throw-away account, as the mentality that falls for such things rarely uses a unique password for each and every on-line service, list membership, etc. Protecting yourself against this kind of crap requires you to not only have a brain, but to use it, ask relevant questions, and trust no sources, ever, no matter what.

    6. Re:I would be deeply saddened by postbigbang · · Score: 2

      By your description, I don't think you've been to either. I don't consider myself "elite" but I *am* very interested in the latest war stories and postures by varying agencies, ostensible hacker groups, and listening to the delicious screeds of various hacking icons.

      That they were p0wn3d is hilarious. I don't believe their story regarding how it was some fool at ITN that did it, either. Someone ate their lunch. They should know better. The payload was a useless malformed URL, by the way, not a real one.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:I would be deeply saddened by Legion303 · · Score: 1

      "7500 show up, but 8000 in attendance hmmmmmmm."

      To be fair, 400 of those extras are hotel union staff who stand around and get surly if you try to move your own conference table two inches to the right because it's blocking access to your heart medication.

    8. Re:I would be deeply saddened by LordLimecat · · Score: 3, Informative

      This wasn't something "to fall for" -- the emails were legit in that they really came from BlackHat registration. That everyone thinks the summary is accurate is a little hilarious.

      I mean, the article wasn't exactly lengthy, and they even gave an executive summary:

      This morning, some idle hands browsed their way to a screen that looked like this:

      We would provide a better screenshot, but that actually ends in sending an email. Call it a 'feature'. The link provided in the email is to an onsite host on our registration network.

      Basically, a volunteer went to a place they shouldn't have, which resulted in reset emails being fired off to everyone.

      Nowhere does it say or imply that it was a phishing attempt. I'm glad the editors are continuing the fine tradition of not even opening the links of the article they are supposed to be reviewing.

    9. Re:I would be deeply saddened by Shoten · · Score: 4, Interesting

      You've clearly never even looked at the speakers list or topics for Black Hat. It's not at all watered down; in fact, there used to be a time when a good enough talk would be given at both...but at Defcon, the talk would leave out certain details and depth. By no means is what's delivered light, either...Moxie Marlinspike revealed how to subvert SSL, for example. Dug Song and Thomas Lopatic revealed how to root a Checkpoint Firewall (back when Checkpoint was the big one to get). Major and very serious vulnerabilities in AMI meters (used for Smart Grid) were revealed by IOActive...the list goes on. And you get an incredible mix of major industry players like Cisco and Apple speaking frankly (there's a talk this year on the security architecture of Apple's IOS) along with independent researchers and even lateral thinkers. Jose Nazario...now the Senior Manager for Security Research at Arbor networks, and a Board Member at the Honeynet Project, gave a talk when he was fresh out of finishing his Ph.D. in biochemistry...on viral propagation algorithms for computer viruses. It turns out that what he did his thesis on...viral propagation models for biological viruses...mapped directly to the concept, and the man never worked a day in the biochem field after he finished his doctorate.

      So, just because you're not able to afford the ticket, or for some reason you can't gain entry into the infosec field (past criminal record, perhaps? Caught with the ganja, were we?), don't try to tarnish the people trying to share information at the front end of things.

      --
      For your security, this post has been encrypted with ROT-13, twice.
    10. Re:I would be deeply saddened by Shoten · · Score: 1

      It wasn't a phishing email. Here's the email body itself:

      This is a note from BlackHat 2012.
      ________________________________________

      You have requested a new password. Here are your details:

      Username:
      Password:

      To sign in, please go to this URL:

      https://svel1023/BH12/Admin/

      Okay...so that link, if you notice, wouldn't even work. (Try it and see for yourself if you like.) It turns out that this was a software error; a password provisioning function at ITN (the event company supporting BH) sent the email to everyone instead of (presumably) the intended recipient. Indeed, the headers of the email indicate that it emanated from ITN's email server as well. So, the OP is ass-poundingly dishonest in referring to this as a "lame phishing attempt".

      --
      For your security, this post has been encrypted with ROT-13, twice.
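The two observations in this post, that the link's host name is a single-label name which cannot resolve outside the registration network and that the Username/Password fields in the body are empty, are exactly the kind of thing a mail-triage script can check mechanically before anyone decides whether a bulk "reset" mail is a template misfire or a credential-harvesting attempt. The Python below is an added example written for this mirror; it is not code from the post, from Black Hat or from ITN. The first message body is a typed copy of the text quoted above; the second body, its host name (a reserved example domain) and the credential values in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the reset e-mail body as quoted in the thread above;
# typed in here as sample input, not a captured message.
RESET_BODY = """This is a note from BlackHat 2012.
________________________________________

You have requested a new password. Here are your details:

Username:
Password:

To sign in, please go to this URL:

https://svel1023/BH12/Admin/
"""

# Constructed counter-example: a publicly resolvable look-alike host and
# pre-filled credentials, the shape a real harvesting mail would take.
# The domain is a reserved example name, not a real indicator.
PHISH_BODY = """You have requested a new password. Here are your details:

Username: attendee
Password: Temp1234

To sign in, please go to this URL:

https://blackhat-registration.example.net/reset
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def is_single_label_host(host: str) -> bool:
    """A host with no dots (e.g. 'svel1023') only resolves through an internal
    DNS search domain; from the public Internet it is a dead link."""
    return bool(host) and "." not in host


def filled_credential_fields(body: str) -> list[str]:
    """Names of the 'Username:' / 'Password:' fields that carry a value."""
    filled = []
    for field in ("Username", "Password"):
        m = re.search(rf"^{field}:[ \t]*(\S.*)?$", body, re.MULTILINE)
        if m and m.group(1):
            filled.append(field)
    return filled


def triage_reset_email(body: str) -> dict:
    """Classify a password-reset mail as an internal template misfire or as
    something that needs a closer look.  These are heuristics encoding the
    two observations from the thread (dead single-label link, empty
    credential fields), not a general phishing detector."""
    urls = extract_urls(body)
    hosts = [urlparse(u).hostname or "" for u in urls]
    findings = []
    for host in hosts:
        if is_single_label_host(host):
            findings.append(f"link host '{host}' is a single-label internal name")
        else:
            findings.append(f"link host '{host}' is publicly resolvable")
    filled = filled_credential_fields(body)
    if filled:
        findings.append("credentials present in mail body: " + ", ".join(filled))
    else:
        findings.append("credential fields are empty (template fired with no data)")
    misfire = bool(urls) and all(is_single_label_host(h) for h in hosts) and not filled
    return {
        "urls": urls,
        "hosts": hosts,
        "findings": findings,
        "verdict": "internal-misfire" if misfire else "needs-review",
    }


if __name__ == "__main__":
    for label, body in (("quoted reset mail", RESET_BODY), ("constructed phish", PHISH_BODY)):
        result = triage_reset_email(body)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is, the quoted mail comes back as "internal-misfire" (one single-label host, no credentials in the body) and the constructed counter-example as "needs-review". The verdict is deliberately conservative: any publicly resolvable link or any pre-filled credential pushes the mail to review, because those are the properties that would give a harvesting attempt teeth.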
    11. Re:I would be deeply saddened by Anonymous Coward · · Score: 0

      I curse you for my business partner actually suggesting to me the other day that we try gamemaker for a project. I told him our engineers would see his head on a pike before they were subjected to that garbage.

    12. Re:I would be deeply saddened by wiedzmin · · Score: 1

      Okay...so that link, if you notice, wouldn't even work. (Try it and see for yourself if you like.)

      That link is to a server on a local network, to which attendees (if they're dumb enough to use an electronic device, connected to a network, to check their email, while at BlackHat) could have been connected during the conference.

      --
      Bow before me, for I am root.
    13. Re:I would be deeply saddened by Shoten · · Score: 1

      Only if that server is on the same local network as the conference. Which it isn't.

      --
      For your security, this post has been encrypted with ROT-13, twice.
  2. I can explain. by Anonymous Coward · · Score: 0

    it is just a fake first post.

    1. Re:I can explain. by Anonymous Coward · · Score: 3, Funny

      I can tell, since it's actually the second post.

    2. Re:I can explain. by sumdumass · · Score: 1

      But it was the first second post?

    3. Re:I can explain. by Pieroxy · · Score: 1

      But it was the first second post?

      No, it was the second first post.

  3. How many peeps fell for it? by Snotnose · · Score: 2, Insightful

    The only newsworthy chunk of info here is, How many of these peeps fell for it? These are the elite, what percentage fell for it?

    1. Re:How many peeps fell for it? by Sir_Sri · · Score: 4, Insightful

      These are the elite

      No, some of them are elite hackers, some of them are just trying to keep up with the mischief elite hackers are going to be creating or trying to feel like they're part of the culture.

    2. Re:How many peeps fell for it? by Snotnose · · Score: 1

      Ya, I misspoke. These are the ones who think they're elite. I suspect half the attendees are like the script kiddies in MW who load a cheat onto their PS3, then brag about how good they are.

      Still, how many of these peeps fell for it?

    3. Re:How many peeps fell for it? by Anonymous Coward · · Score: 0

      Pfffft, that's nothing. I play TF2 and I load a cheat onto my PC and then brag about how good I am. On a game that's completely free.

      It's all about the lulz, to be honest.

      Sure, I could win legitimately, but when the entire enemy team ragequits, that's what does it for me. It's like eating a perfectly prepared steak, or eating french fries with bacon, cheddar, and ranch, or drinking two 40's of Olde English 800.

    4. Re:How many peeps fell for it? by Anonymous Coward · · Score: 1

      Still, how many of these peeps fell for it?

      You lazy ass... if you want to know, be a man... hack your way through and examine the server logs.

    5. Re:How many peeps fell for it? by Anonymous Coward · · Score: 0

      How do you know they ragequit? I would just mehquit.

    6. Re:How many peeps fell for it? by fractalVisionz · · Score: 0

      I don't know whether to mod you insightful or troll, so I will comment instead.

    7. Re:How many peeps fell for it? by Anonymous Coward · · Score: 0

      I tend to pityquit.

    8. Re:How many peeps fell for it? by PolygamousRanchKid+ · · Score: 2

      Black Hat attracts a lot of "hang arounds" . . . journalists, and folks who just want to see who attends, and what they are talking about. So some folks in these groups might be more susceptible to a simple phishing attack.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  4. I akt el33t, now give me warez by Grindalf · · Score: 0

    Leet Leet Leet Leet Leet! Erm ... I think! Maybe it's the quality of clientele?

    --
    The purpose of existence is to make money.
    1. Re:I akt el33t, now give me warez by Grindalf · · Score: 0

      That's 7,499 US Secret Service Agents and Gary McKinnon in a frizz wig and dark glasses! :0)

      --
      The purpose of existence is to make money.
  5. LOL by Anonymous Coward · · Score: 0

    That is all.

  6. the ironing by Anonymous Coward · · Score: 1

    is delicious

    1. Re:the ironing by philip.paradis · · Score: 4, Funny

      Man, I've heard of some strange fetishes in my time, but savoring the flavor of freshly ironed clothing is a first in my book. Do you prefer light or heavy starch?

      --
      Write failed: Broken pipe
    2. Re:the ironing by Anonymous Coward · · Score: 0

      Mmmmmm... starch....

    3. Re:the ironing by schroedingers_hat · · Score: 1

      I wouldn't go so far as to call it a fetish, but freshly ironed/fresh out of the dryer pants/underpants feel pretty good.

    4. Re:the ironing by Anonymous Coward · · Score: 0

      Is it wrong for me to push my fantasies/fetish on to my husband?

      I have a steam ironing fetish which, for me, involves my husband's active sexual participation whenever he sees me doing it. However, lately he doesn't seem overly interested and I'm thinking that maybe he's bored with me. The problem is that I've always really really enjoyed the seductiveness of my fetish with him and other men in the past, which is a turn-on for me.

      http://answers.yahoo.com/question/index?qid=20090601141840AAlRImH

      When Yahoo Answers is ahead of the curve, you know you're a little behind(*).

      (*) Being surely another fetish.

    5. Re:the ironing by WrongSizeGlass · · Score: 3, Insightful

      Actually, it's a Simpsons reference from "The Simpsons: Grift of the Magi (#11.9)" (1999)

    6. Re:the ironing by Mikkeles · · Score: 2

      Actually, he irons his 'grilled' cheese sandwich. It gives it that soupçon of je ne sais quoi.

      --
      Great minds think alike; fools seldom differ.
  7. A real hacker conference would test attendees :) by Anonymous Coward · · Score: 2, Insightful

    It would be great to keep out the script kiddies. I have just the test to determine if someone is a hacker. Just ask them what they like to hack. If they answer with responses like "i like breaking into xyz systems" then deny them a ticket. If they answer with "i like to hack on xyz" and go into how they configured/wrote/learned about some system then let them in. Hacking isn't about breaking into systems or clicking on some button to attack something. It is literally the joy of learning. While breaking into a system might be hacking, it's not so unless there is a learning component to it. I like to hack. I hack stuff together all the time. I throw some GNU/Linux distribution together (and having known nothing prior enjoy that). I'm a hacker. I *could* break into a system... but can't say I ever really have. Sure. I've exploited a bug or two for fun. That was hacking, as I learned something and enjoyed it. However someone clicking a button (something any computer user knows how to do) to join in on a DDoS attack on some web site is not hacking. You'd have to be the dumbest person on earth or at least over the age of 40 (loss of skills/memory/ability etc) to call that hacking.

  8. The Reply by azalin · · Score: 5, Insightful

    An automatic reply should have been sent to everyone who fell for it:

    Your reservation has been revoked. Please invest some time in learning basic security guidelines before applying again.
    Best regards

    1. Re:The Reply by Anonymous Coward · · Score: 1

      That would be a neat trick since the URL is essentially unresolvable for anyone not on their network.

      This is a note from BlackHat 2012.

      You have requested a new password. Here are your details:

      Username:
      Password:

      To sign in, please go to this URL:

      https://svel1023/BH12/Admin/

      svel1023 looks like a username to me. Maybe the volunteer who sent the email out?

    2. Re:The Reply by Anonymous Coward · · Score: 0

      read it backwards in l33t speak

    3. Re:The Reply by Anonymous Coward · · Score: 0

      ezoilevs?

    4. Re:The Reply by Anonymous Coward · · Score: 0

      i've pwned ur brain. tks.

  9. Shit security by FormOfActionBanana · · Score: 4, Interesting

    Shit security on their end, and that posting does NOT look like an apology.

    And what's this BS about expecting the most hostile network? I thought that was DEFCON...

    --
    Take off every 'sig' !!
    1. Re:Shit security by Anonymous Coward · · Score: 0

      I've got captures of the Caesars network throughout blackhat... blackhat is where the l33t who went pro go get pieces of paper for their bosses. And the lame bosses who don't know jack get pwned and don't know it. There were dozens of people spoofing gateways, plenty of portscans, and people trying out ettercap et al. It is a fucking mess. Aruba even recommends hardcoding the gateway MAC address for their wireless net... all that for the least informative (and informed) security conference in Vegas that week.

    2. Re:Shit security by Anonymous Coward · · Score: 0

      Also known as FEDCON.

    3. Re:Shit security by Anonymous Coward · · Score: 0

      Black Hat is not Defcon

  10. Makes me smile by pbjones · · Score: 1

    What a laugh! I read the article, but it still makes me smile. One of their own ranks, doing this for 'fun'.

    --
    There was an unknown error in the submission.
  11. I got one by Anonymous Coward · · Score: 0

    It was an obvious fake, and clearly came from someone with access to the BlackHat registration database. The link included for the password reset did not even appear to be valid (I did not actually try it.). A few hours later they sent me a follow-up email with a link to an explanation.

    1. Re:I got one by Anonymous Coward · · Score: 1

      "A few hours later they sent me a follow-up email with a link to an explanation."

      _That_ was the real attack. I bet you were curious and now you're infected.

    2. Re:I got one by jtownatpunk.net · · Score: 1

      Oh, I'm sure the link was valid. Anyone who clicked it is banned for life from all future events.

    3. Re:I got one by Anonymous Coward · · Score: 0

      Good thing I was spoofing your account when I clicked on it!

  12. Good for the goose... by Anonymous Coward · · Score: 0

    I support all efforts by black hats to screw over other black hats. In my ideal world, those characters would spend all their time fighting and pwning each other, leaving us out of their vile shitstorm. The situation is similar to drug dealers: let them shoot each other as much as they want, it keeps them busy and leaves us in peace.

    1. Re:Good for the goose... by Anonymous Coward · · Score: 0

      A little mellow-dramatic dontchathink?

    2. Re:Good for the goose... by ThatsMyNick · · Score: 1

      And anyone caught in cross fire can die too. Right?

    3. Re:Good for the goose... by Anonymous Coward · · Score: 0

      A phish here or there sent to a misspelled address is a small price to pay for keeping out of the tornado of shit that is the blackhat world.

    4. Re:Good for the goose... by Anonymous Coward · · Score: 0

      Given that the question is whether or not we're pelted with shit hail the size of shit grapefruits, I don't think I'm being over the top. If anything, I'm being restrained.

      PS - it's melodramatic

  13. Re:A real hacker conference would test attendees : by Anonymous Coward · · Score: 0

    First half of that looked pretty sage, and then

    I throw some GNU/Linux distribution together (and having known nothing prior enjoy that). I'm a hacker. I *could* break into a system... but can't say I ever really have.

    I realized you were just a dumb arrogant kid yourself.

  14. "Attempt"? Bad article summary by syntap · · Score: 1

    "Lame phishing spam attempt" should be reworded to "successful phishing spam launch that took advantage of an insider security threat".

    If it is in the recipient's inbox, the spam happened successfully. If it didn't, it was an unsuccessful attempt.

    A read of TFA shows no mention of the word "lame". In fact the statement does what it should do... describes what happened and what action was taken. "The email this morning was an abuse of functionality by a volunteer who has been spoken to. This feature has since been removed as a precautionary measure."

  15. This kind of thing would not happen if ... by Skapare · · Score: 1

    ... we just get rid of the old legacy email system. What kind of black hatter still uses that spam-infested crap?

    --
    now we need to go OSS in diesel cars
  16. Re:"Attempt"? Bad article summary by Anonymous Coward · · Score: 0

    Why was the volunteer "spoken to" instead of being "asked to leave"?

  17. Re:A real hacker conference would test attendees : by DerekLyons · · Score: 1

    Hacking isn't about breaking into systems or clicking on some button to attack something. It is literally the joy of learning.

    The 1970's called - they want to drop off the disco balls and bell bottom trousers for the rest of your nostalgia trip.

    You'd have to be the dumbest person on earth or at least over the age of 40 (loss of skills/memory/ability etc) to call that hacking.

    No, you'd have to be someone using the word as it's been commonly used for thirty odd years now.