Reporters At Black Hat Get Bounced For Hacking 128
rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP:
"The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."
Not Surprised (Score:3, Insightful)
Really, I'm not surprised at all that people were kicked out of The Black Hat "Hacker" Conference for hacking.
Just shows that Corporate sponsored Hacker conferences are a contradiction in terms
Switches are not expensive (Score:1, Insightful)
Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...
A fun and practical way to demonstrate how NOT to set up a network with nodes that shouldn't have to trust each other!
Many low cost switches... (Score:3, Insightful)
Journalists that hack? (Score:1, Insightful)
Re:Did they forget there role? (Score:5, Insightful)
You'd think the organizers of the Black Hat convention could properly secure a wired network.
Which they did. They just didn't secure it from the other journalists.
Consider that it is actually impossible to do so, and allow journalists to bring their own laptops. The best you can do is secure a network, not secure the computers on the network, without insisting on admining each such computer -- think Mordac [wikipedia.org]-style.
I'd lay the blame with the Black Hat organizers.
For kicking them? Maybe.
But for allowing it to happen? Not so much.
Re:I guess (Score:3, Insightful)
Don't forget Dark Signs [darksigns.com] either.
Re:Sure... (Score:3, Insightful)
Re:Did they forget there role? (Score:5, Insightful)
Each group of journalists could have had their own separate connection to a properly configured router
Implying they could attack each other, still.
Another thing - there's any number of industry-standard authentication & encryption systems out there. IPSEC, 802.1X, Radius, etc.
And if someone didn't even bother to use SSL, what makes you think they'll set all these up on their own computer?
The organizers were just lazy...
For what? Not mandating every journalist use a known-good computer? For not blocking port 80 in favor of 443? For allowing these people on the Internet at all?
Tell me -- given that it's impossible to idiot-proof a single computer, how are you proposing that they idiot-proof an entire network of humans -- humans who can and will make mistakes?
Re:FP (Score:3, Insightful)
To prove a point (Score:5, Insightful)
That the wired lan was not secure.
The reporters that allowed their login/passwords
to be sniffed should be the ones exposed on the Wall of Sheep.
Talk about being led into a false sense of security.
They *knew* the Wireless was not secure.
But to *ASSUME* the wired LAN was to be trusted
clearly shows their ignorance of security.
The reporter that exposed the problem should not
be booted from future conferences, he should be
welcomed back!
Re:Did they forget there role? (Score:3, Insightful)
So basically the french got kicked not for hacking but for being a bunch of scriptkiddies that wanted to demonstrate they could "hack" a network known to be badly secured. Rightly so. These journalists wouldn't have been able to report on the real hacks; they wouldn't understand them.
Re:Many low cost switches... (Score:1, Insightful)
That's not ARP poisoning, ARP maps layer 3 IP addresses to layer 2 MAC addresses and is a router function rather than a switch one (L3 switches aside). They could have used ARP poisoning for this attack but that's not what is being asked about.
For switches you are talking about MAC flooding which is a pure layer 2 (e.g. Ethernet/MAC) attack and different from ARP poisoning. Layer 2 switching knows nothing of IP addresses so doesn't use ARP.
If a switch sees a packet with a destination that it doesn't know about (e.g. doesn't have in memory) then it floods it out all ports in the same VLAN. It learns the source MACs in packets so when the reply comes through it learns which port that MAC belongs to. The MACs and ports are stored in memory, this can be overloaded. Then the switch cannot store any new MACs so has to flood packets out all ports (to the new MACs, not ones it already learnt).
You can configure something like port-security (Cisco specific, not sure what other companies use) which associates a list of MACs with a port and takes action if another MAC is seen, e.g. disable the port, refuse packets from that MAC or send an SNMP trap/syslog message. Things like VMWare, Virtual IPs and server dual-NIC failover mean that multiple MACs per-port is a fairly normal event so by default even "smart" switches may not take any action unless specifically set up to do so.
Re:To prove a point (Score:1, Insightful)
Prove a point that the LAN was insecure? They could have used TEMPEST to prove some point, too.
It is allowed to use e.g. sniffers on the Black Hat conference, but the journalist/press cente is exempted; here it is not allowed. In there, journalists are doing their work just like journalists always do their work in a journalist/press centre.
You've never been in such room. Ask any journalist how the atmosphere is, and about the ethics in such room. You don't spy on your collegues there. They don't see each other as competitors there. What the 3 French journalists have done goes against the unwritten, ethical rules of journalism which is a cultural thing standing for ages.
And, as stated, it also goes against Black Hat's rules because the journalist room is exempted from sniffing. If they'd allow that, these people might not be able to do their work anymore...
If the journalists wanted to act in spirit of the conference they shouldn't have went to the conference as journalist. They should have gone as a normal person attending the conference. And then still, the same rules and ethics apply, but they can play around and prove points if they wish to do so.