Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fake Password Reset E-mail Hits 7,500 Black Hat Registrants

Posted by timothy on from the perfectly-natural-return-to-your-homes dept.

An anonymous reader writes "7,500 Black Hat USA 2012 attendees may have been surprised to get a fake password reset e-mail sent to accounts they used to register for the conference. Black Hat has apologized and explained the lame phishing spam attempt."

17 of 67 comments (clear)

  1. I would be deeply saddened by Anonymous Coward · · Score: 5, Funny

    ...if any of them fell for it.

    1. Re:I would be deeply saddened by Mabhatter · · Score: 4, Insightful

      They totally deserve that? Why would you sign up for a "Black Hat" event with an important account? The trusting fools!

    2. Re:I would be deeply saddened by flyneye · · Score: 2

      Why be saddened? They signed up for it, paid with (possibly) their credit card, showed their I.D. at the desk for their room, walked in plain view of security cameras placed by both the hotel and the FBI facial recognitioin database team, hung out in their bugged rooms, chatted in bugged elevators, walked the floors with undercovers all around. 7500 show up, but 8000 in attendance hmmmmmmm. I wouldn't be surprised if half of them fell for it.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    3. Re:I would be deeply saddened by Anonymous Coward · · Score: 2, Interesting

      First off, Black Hat is not for the elite. Black Hat is the watered down version of DefCon, made palatable for people and businesses who are afraid of being associated with the criminal element of hacking. While there is some good information to be had at Black Hat, it is generally a pale shadow of what can be found at DefCon. That said, DefCon is a pale shadow of its former self, not in terms of attendance for sure, but definitely in terms of content. For content you must now go to B-Sides, Skytalks, etc., or smaller group meetings in a non-public venue. As far as the "why sign up" using an important account question, what a stupid question. The account is not you, if you are dumb enough to fall for a phishing attempt, it does not matter if it is your main or a throw-away account, as the mentality that falls for such things rarely uses a unique password for each and every on-line service, list membership, etc. Protecting yourself against this kind of crap requires you to not only have a brain, but to use it, ask relevant questions, and trust no sources, ever, no matter what.

    4. Re:I would be deeply saddened by postbigbang · · Score: 2

      By your description, I don't think you've been to either. I don't consider myself "elite" but I *am* very interested in the latest war stories and postures by varying agencies, ostensible hacker groups, and listening to the delicious screeds of various hacking icons.

      That they were p0wn3d is hilarious. I don't believe their story regarding how it was some fool at ITN that did it, either. Someone ate their lunch. They should know better. The payload was a useless malformed URL, by the way, not a real one.

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:I would be deeply saddened by LordLimecat · · Score: 3, Informative

      This wasnt something "to fall for"-- the emails were legit in that they really came from BlackHat registration. That everyone thinks the summary is accurate is little hillarious.

      I mean, the article wasnt exctly lengthy, and they even gave an executive summary:

      This morning, some idle hands browsed their way to a screen that looked like this:

      We would provide a better screenshot, but that actually ends in sending an email. Call it a 'feature'. The link provided in the email is to an onsite host on our registration network.

      Basically, a volunteer went to a place they shouldnt have, which resulted in reset emails being fired off to everyone.

      Nowhere does it say or imply that it was phishing attempt. Im glad the editors are continuing the fine tradition of not even opening the links of the article they are supposed to be reviewing.

    6. Re:I would be deeply saddened by Shoten · · Score: 4, Interesting

      You've clearly never even looked at the speakers list or topics for Black Hat. It's not at all watered down; in fact, there used to be a time when a good enough talk would be given at both...but at Defcon, the talk would leave out certain details and depth. By no means is what's delivered light, either...Moxie Marlinspike revealed how to subvert SSL, for example. Dug Song and Thomas Lopatic revealed how to root a Checkpoint Firewall (back when Checkpoint was the big one to get). Major and very serious vulnerabilities in AMI meters (used for Smart Grid) were revealed by IOActive...the list goes on. And you get an incredible mix of major industry players like Cisco and Apple speaking frankly (there's a talk this year on the security architecture of Apple's IOS) along with independent researchers and even lateral thinkers. Jose Nazario...now the Senior Manager for Security Research at Arbor networks, and a Board Member at the Honeynet Project, gave a talk when he was fresh out of finishing his Ph.D. in biochemistry...on viral propagation algorithms for computer viruses. It turns out that what he did his thesis on...viral propagation models for biological viruses...mapped directly to the concept, and the man never worked a day in the biochem field after he finished his doctorate.

      So, just because you're not able to afford the ticket, or for some reason you can't gain entry into the infosec field (past criminal record, perhaps? Caught with the ganja, were we?), don't try to tarnish the people trying to share information at the front end of things.

      --

      For your security, this post has been encrypted with ROT-13, twice.
  2. How many peeps fell for it? by Snotnose · · Score: 2, Insightful

    The only newsworthy chunk of info here is, How many of these peeps fell for it? These are the elite, what percentage fell for it?

    1. Re:How many peeps fell for it? by Sir_Sri · · Score: 4, Insightful

      These are the elite

      No, some of them are elite hackers, some of them are just trying to keep up with the mischief elite hackers are going to be creating or trying to feel like they're part of the culture.

    2. Re:How many peeps fell for it? by PolygamousRanchKid+ · · Score: 2

      Black Hat attracts a lot of "hang arounds" . . . journalists, and folks who just want to see who attends, and what they are talking about. So some folks in these groups might be more susceptible to a simple phishing attack.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  3. Re:I can explain. by Anonymous Coward · · Score: 3, Funny

    I can tell, since it's actually the second post.

  4. Re:the ironing by philip.paradis · · Score: 4, Funny

    Man, I've heard of some strange fetishes in my time, but savoring the flavor of freshly ironed clothing is a first in my book. Do you prefer light or heavy starch?

    --
    Write failed: Broken pipe
  5. A real hacker conference would test antendees :) by Anonymous Coward · · Score: 2, Insightful

    It would be great to keep out the script kiddies. I have just the test to determine if someone is a hacker. Just ask them what they like to hack. If they answer with responses like "i like breaking into xyz systems" then deny them a ticket. If they answer with "i like to hack on xyz" and go into how they configured/wrote/learned about some system then let them in. Hacking isn't about breaking into systems or clicking on some button to attack something. It is literally the joy of learning. While breaking into a system might be hacking it's not so unless there is a learning component to it. I like to hack. I hack stuff together all the time. I throw some GNU/Linux distribution together (and having known nothing prior enjoy that). I'm a hacker. I *could* break into a system... but can't say I ever really have. Sure. I've exploited a bug or two for fun. That was a hacking as I learned something and enjoyed it. However someone clicking a button (something any computer users knows how to do) to join in on a DDoS attack on some web site is not hacking. You'd have to be the dumbest person on earth or at least over the age of 40 (loss of skills/memory/ability etc) to call that hacking.

  6. The Reply by azalin · · Score: 5, Insightful

    An automatic reply should have been sent to everyone who fell for it:

    Your reservation has been revoked. Please invest some time in learning basic security guidelines before applying again.
    Best regards

  7. Shit security by FormOfActionBanana · · Score: 4, Interesting

    Shit security on their end, and that posting does NOT look like an apology.

    And what's this BS about expecting the most hostile network? I thought that was DEFCON...

    --
    Take off every 'sig' !!
  8. Re:the ironing by WrongSizeGlass · · Score: 3, Insightful

    Actually, it's a Simspons reference from "The Simpsons: Grift of the Magi (#11.9)" (1999)

  9. Re:the ironing by Mikkeles · · Score: 2

    Actually, he irons his 'grilled' cheese sandwich. It gives it that soupcon of je ne sais quoi.

    --
    Great minds think alike; fools seldom differ.