
Reporters At Black Hat Get Bounced For Hacking

Posted by Soulskill
from the no-brownie-points-for-you dept.
rickb928 and several others have written to inform us that three reporters for the French publication "Global Security Magazine" were booted out of the Black Hat convention for uncovering the login information of other reporters. Quoting the AP: "The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep. Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away. It didn't appear to be a complicated hack. The network was working properly, but it wasn't set up to shield each journalist's computer from one another."

  • Not Surprised (Score:3, Insightful)

    by Anonymous Coward on Friday August 08, 2008 @10:02PM (#24534283)

    Really, I'm not surprised at all that people were kicked out of The Black Hat "Hacker" Conference for hacking.

    Just shows that Corporate sponsored Hacker conferences are a contradiction in terms

    • by Lehk228 (705449) on Friday August 08, 2008 @11:04PM (#24534605) Journal
      well technically he was bounced for GETTING CAUGHT hacking. there is a difference.
      • Re:Not Surprised (Score:4, Informative)

        by fmwap (686598) on Friday August 08, 2008 @11:16PM (#24534679) Journal
        and even one more difference, from TFA:
        Organizers said the trio was caught when they took their purloined password prizes to Wall of Sheep workers and asked them to post the information. The workers refused.

        So...they turned themselves in.
        • To prove a point (Score:5, Insightful)

          by SpaceLifeForm (228190) on Friday August 08, 2008 @11:58PM (#24534875)

          That the wired lan was not secure.

          The reporters that allowed their login/passwords
          to be sniffed should be the ones exposed on the Wall of Sheep.

          Talk about being led into a false sense of security.

          They *knew* the Wireless was not secure.

          But to *ASSUME* the wired LAN was to be trusted
          clearly shows their ignorance of security.

          The reporter that exposed the problem should not
          be booted from future conferences, he should be
          welcomed back!

          • Re: (Score:1, Insightful)

            by Anonymous Coward

            Prove a point that the LAN was insecure? They could have used TEMPEST to prove some point, too.

            It is allowed to use e.g. sniffers on the Black Hat conference, but the journalist/press centre is exempted; here it is not allowed. In there, journalists are doing their work just like journalists always do their work in a journalist/press centre.

            You've never been in such a room. Ask any journalist how the atmosphere is, and about the ethics in such a room. You don't spy on your colleagues there. They don't see each ot

          • Re: (Score:2, Informative)

            by Anonymous Coward

            How is this insightful? The parent obviously didn't RTFA. The wired LAN was off limits to this activity, please try reading first before you post, it's in the summary for Christ's sake

            • Re: (Score:3, Interesting)

              by mrboyd (1211932)
              The mistake of the journalist was to assume that any network at all is secure.

              They were lucky their account info were only stolen for "fun", I doubt anyone else would have had the decency to tell them they had been compromised.

              I will side with the people who think that if you attend a "black hat" conference and dare use a) a computer that you don't own, b) on a network that you don't know, c) to access unencrypted private information, you are fair game.

              IMHO:
              1/ The journalists that were "hacked" do
          • The reporter that exposed the problem should not be booted from future conferences, he should be welcomed back!

            Dug Song wrote dsniff [monkey.org] in 2000 - it's not news that you can see passwords go past on switched ethernet.

          • by idlehanz (1262698)
            Duh... reporters... Reporters report. People that think get paid more.
      • by Adriax (746043) on Saturday August 09, 2008 @12:30AM (#24535031)

        The offending journalist was caught when, after stealing the passwords, he stood up and shouted "Yes, I am invincible!" with a bad Russian accent.

    • And furthermore, just because people can you don't expect them to do as a matter of professional convenience. You don't piss in our own pool.

      But here people just show what can be done.

      It is illegal when it's without consent, that might be the problem. Time for an NDA.

    • by Frnknstn (663642)

      Is there no honour among thieves?

      • by mrboyd (1211932)
        Well, there used to be. But the time of the romantic Sicilian mafioso is long gone and we are now in the era of the ruthless backstabbing Russian gangbangers running corporate multinational. So I guess the one with honor are somewhere at the bottom of Lake Michigan or in a retirement pension. :)
  • by pauljuno (998497) on Friday August 08, 2008 @10:03PM (#24534291)
    Did these journalists not understand what their role was at this event? The Wi-Fi connections were free targets and that was understood. The hard-wired connections were off limits to all involved and only for the press, as I understand it. What were they thinking?
    • Re: (Score:3, Insightful)

      by mwvdlee (775178)

      So basically the French got kicked not for hacking but for being a bunch of scriptkiddies that wanted to demonstrate they could "hack" a network known to be badly secured. Rightly so. These journalists wouldn't have been able to report on the real hacks; they wouldn't understand them.

  • I guess (Score:5, Interesting)

    by Korbeau (913903) on Friday August 08, 2008 @10:08PM (#24534317)

    nobody plays Uplink [introversion.co.uk] enough these days.

    • Re: (Score:3, Insightful)

      by Starayo (989319)
      Ah, uplink. Good times, good times.

      Don't forget Dark Signs [darksigns.com] either.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Eh, you hafta pay for it or pirate it though.

      I always thought mod-x [mod-x.co.uk] was way more fun, although I could never beat the last stage of level 8.

    • by syntek (1265716)
      I love that game! Gametap has it, but if you get the real version, you get multiplayer.
  • by Anonymous Coward

    Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

    A fun and practical way to demonstrate how NOT to set up a network with nodes that shouldn't have to trust each other!

    • are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.
      • by LostCluster (625375) * on Friday August 08, 2008 @10:31PM (#24534435)

        We're all taught in network design class that a switch unlike a hub doesn't send traffic that's not yours to you, then learn in security class that it's easy to turn a switch into a hub.

        • by CrazedWalrus (901897) on Friday August 08, 2008 @11:06PM (#24534625) Journal

          I don't understand this very well, so someone who does please chime in.

          Switches use your ethernet card's MAC address (not IP) to know how to route ethernet frames on across the switch. It knows that MAC AB:CD:EF:etc is on port 1, and 12:34:56:etc is on port 2. Because you can daisy chain switches, it actually has to remember a many MACs to 1 port sort of mapping.

          Switches can only remember a finite number of MAC addresses, so if you overflow the memory of the switch with bogus MAC addresses, it fails over to hub mode and just broadcasts all the packets to all the ports. It's not pretty, and would cause the network to get slower, but at least it would continue to work.

          As I can't see hubs being used at a Black Hat conference, I'd guess this is the sort of thing the reporters did. I'm sure there's a name for it... probably "ARP Cache Smashing" or something, but I don't know it.

          Anyway, if someone can give a better explanation, I'd be grateful.

          • by LostCluster (625375) * on Friday August 08, 2008 @11:50PM (#24534837)

            "ARP poisoning" is what it's called, and your explanation sums it up pretty well. If the other side of a port is claiming to have enough MAC addresses reachable by it the cache will fill and the switch will start over with a blank cache which renders it into a hub until it learns what's really where, then gets poisoned again, rinse, wash, repeat.

            Dumb switches will fall for this trick and have no way for anybody to notice, smarter switches will log this and let the admin know there's more than one MAC address being reported on a port... you just trace to who's on the other end of the report and you've busted them.

            • Re: (Score:1, Insightful)

              by Anonymous Coward

              That's not ARP poisoning, ARP maps layer 3 IP addresses to layer 2 MAC addresses and is a router function rather than a switch one (L3 switches aside). They could have used ARP poisoning for this attack but that's not what is being asked about.

              For switches you are talking about MAC flooding which is a pure layer 2 (e.g. Ethernet/MAC) attack and different from ARP poisoning. Layer 2 switching knows nothing of IP addresses so doesn't use ARP.

              If a switch sees a packet with a destination that it doesn't know ab

          • Re: (Score:3, Informative)

            by cheater512 (783349)

            Far easier than overflowing the memory.

            Just look for the other computer's MACs and then tell the switch that they are on your port.
            You then send a copy of their data to them.

          • by sjames (1099)

            That's more or less it, but there are a few nuances.

            The switch remembers what MACs are on what ports in a table. If a packet's destination MAC isn't in the table, it gets sent to all ports in the same VLAN (a simple switch may have only 1 VLAN). The reply to that packet (having the same MAC address as the source) will let the switch determine which particular port it should use for that MAC in the future.

            If you overflow the table, the switch is forced to flush out all entries and learn them again. When the

      • by camperslo (704715)

        are really only switched between different speed segments. I.e., they might bridge (switch) between a 10 mb segment and a 100 mb segment, but they're only repeaters (hubs) on each.

        I think there's a good chance those guys know about ARP poisoning [sourceforge.net].

      • Many low-cost switches are simple layer 2 switching bridges, devices that pass packets from one interface to another, electrically segmenting a network into collision domains. If the network had stayed wired with nothing but switches, there wouldn't have been an issue. Let me guess, someone thought some hubs would be a good idea. Congratulations, epic fail.

      • by el americano (799629) on Friday August 08, 2008 @11:27PM (#24534733) Homepage

        If only there were experts who knew the specification of network switches and how not to expose users to casual snooping, then we could set up a conference where such people get together to share their knowledge of these types of vulnerabilities.

    • by foom (29095) on Friday August 08, 2008 @10:25PM (#24534407) Homepage

      Are they using a hub for wired connections at a security conference? Seems like the most plausible explanation for a simple "hack" like this with the network "working correctly"...

      It's a common misconception that switches prevent snooping. Switches are *not* security devices, they are a performance optimization. As such, they mostly "fail open".

      If you flood the switch with many different MAC addresses, such that its internal ethernet routing table fills up, it will usually simply direct *all* traffic to your port, rather than potentially incorrectly dropping some traffic you should have received.

      And then you can snoop to your heart's content, with nobody else the wiser.
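
An added illustration, not part of the original thread: a toy Python model of the learning-switch behaviour described in the comments above (a bounded MAC table that falls back to flooding) next to the per-port MAC limit that "smarter switches" use to catch it. The table size, oldest-entry eviction, port numbers and MAC addresses are assumptions constructed for the example; real switches differ in how they age or flush entries.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy layer 2 switch: bounded MAC table, optional per-port MAC limit."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table = OrderedDict()                  # mac -> port, oldest first
        self.shutdown = set()                       # ports disabled by a violation
        self.alerts = []                            # (port, offending source MAC)

    def _learn(self, mac, port):
        if self.table.get(mac) == port:
            self.table.move_to_end(mac)             # refresh a known station
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                # Port security: too many source MACs behind one port.
                self.shutdown.add(port)
                self.alerts.append((port, mac))
                return False
        if mac not in self.table and len(self.table) >= self.table_size:
            self.table.popitem(last=False)          # assumption: evict oldest entry
        self.table[mac] = port
        self.table.move_to_end(mac)
        return True

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is forwarded out of."""
        if in_port in self.shutdown or not self._learn(src, in_port):
            return []
        out = self.table.get(dst)
        if out is not None:
            return [] if out == in_port or out in self.shutdown else [out]
        # Unknown destination: fail open and flood to every other live port.
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def run_scenario(max_macs_per_port):
    """Two hosts talk; port 3 then presents 32 constructed source MACs."""
    sw = LearningSwitch([1, 2, 3, 4], table_size=8,
                        max_macs_per_port=max_macs_per_port)
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    sw.receive(1, host_a, host_b)           # first frame floods, A is learned
    sw.receive(2, host_b, host_a)           # reply, B is learned
    before = sw.receive(1, host_a, host_b)  # now switched to B's port only
    for i in range(32):
        sw.receive(3, "02:00:00:00:01:%02x" % i, BROADCAST)
    after = sw.receive(2, host_b, host_a)   # where does B -> A go now?
    return before, after, sw.alerts


if __name__ == "__main__":
    print("no port security :", run_scenario(None))
    print("limit 2 MACs/port:", run_scenario(2))
```

Without the limit, the frame from B to A ends up on every other port, including port 3; with the limit, port 3 is shut down on its third source address and the alert names the port to trace.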

      • by mixmatch (957776)
        A layer 2 switch with port-based vlan tagging set up would not be susceptible to such attacks.
        • if you want to burn 4 addresses for every host (host, router, subnet, and broadcast - a ".252"), have a router which can support enough interfaces/VLANs, and want to take the time to configure all that.
          • Re: (Score:3, Insightful)

            by mixmatch (957776)
            You're right it takes more work than setting up a dhcp server and plugging in a switch. No wonder they didn't do it.
          • by ppanon (16583)
            Well I would think that a) they would be using a private IP address range with NAT and therefore have plenty of IP address range to play with. b) a good admin should be able to use a simple script (be it bash, python, emacs lisp, whatever) to quickly generate configuration files for the hubs and switches and upload them. You would think an organizer of a security conference would have somebody in their rolodex who they could tap to do this efficiently and correctly

            You should always view any network not c
          • by sjames (1099)

            And then a slightly more savvy reporter hooks up a mini switch and two devices and wonders why it won't work (even though it's never been a problem at any of the dozens of other events he's covered).

            Shortly thereafter, the story goes out that good network security is possible but only if Mordac grinds productivity to a halt.

            Let's try to remember, this is a temporary guest network. There are no corporate secrets behind the firewall. Its users are quite used to using whatever network is handy (hotel, press l

      • that's why God made routers.

        it's also why god made snort.

    • A fun and practical way to demonstrate how NOT to set up a network with nodes that shouldn't have to trust each other!

      At every place, there are rules and consequences if you break the rules.

      Where I work, if you hack into the wireless network and we find out, you get thrown out, and get prosecuted if we can find proof. Same if you hack into the wired network. That's our rules. At Black Hat, if you hack into the wireless network and they find out, you are fine (except for egg on your face if they catch you, and egg on your face if you are hacked). If you hack into the wired network reserved for reporters and they find ou

  • comma, duh (Score:3, Funny)

    by StuffMaster (412029) on Friday August 08, 2008 @10:18PM (#24534365)
    Even so reporters who didn't take the extra step and log onto the Internet through an additional secure connection like a virtual private network, risked having their data exposed to colleagues sitting just feet away.

    Even so people who post stories to Slashdot, should learn to use commas.
  • by argent (18001) <peter@slashdot.2 ... m ['nga' in gap]> on Friday August 08, 2008 @10:20PM (#24534375) Homepage Journal

    One Usenix there was an announcement that everyone who had used Kerberos to log in from the terminal room needed to set up new keys. Another finished with a paper on what someone had sniffed on the Wifi LAN.

    So it's no bloody surprise it's happened at Black Hat. Not that the guys who did it were justified, and they're lucky they were just booted out, but anyone who doesn't use encrypted VPNs or encrypted tunnels at ANY technical conference is asking for trouble.

    • by Acapulco (1289274)
      Ok, I agree that in a technical conference people will more likely be exposed, but it doesn't mean it SHOULD.

      For the sake of changing the car analogy, think of a firing range. When you go there, you are specifically told you shoot in a particular area, and told NOT to shoot wildly at will. Going to a firing range doesn't mean you are more exposed to bullets IF people follow the instructions. I shouldn't be required to wear high impact body armor, just because "going to a firing range without body armor i
      • by argent (18001)

        I agree that in a technical conference people will more likely be exposed, but it doesn't mean it SHOULD.

        What part of "Not that the guys who did it were justified, and they're lucky they were just booted out" did you miss?

        For the sake of changing the car analogy, think of a firing range. When you go there, you are specifically told you shoot in a particular area, and told NOT to shoot wildly at will.

        On the other hand, you're also not supposed to wander down the range to have a look at the targets, even thou

  • by Anonymous Coward

    ... hack like Romans hack!

    Seriously, these reporters, they were told where they were going and what they were reporting on, right?

    • by Rigrig (922033)
      They were also told

      The separate, wired Internet connections set up for reporters are supposed to be off-limits to hacking and the Wall of Sheep

      So while the reporters who got their logins compromised should learn to secure their connections better (just as well at the local pumpkin throwing contest as at a black hat conference), that reporter should've known he'd get into trouble for (getting caught) breaking the rules.

      • by ppanon (16583)
        The first rule of computer security is that you don't trust everyone else to be good guys that follow the rules. The second rule of computer security is that some of the people who are inside your organization's primary defense perimeter may be or become untrustworthy. I think it's funny that it's a reporter for an IT focused paper, not a more general newswire like AP or Reuters, who had their passwords sniffed.
  • by PJCRP (1314653)
    Worst nightmare coming true.
    • They were working for a French computer security journal. Sort of like ZDNet, Linux Format, PC World etc, but with a heavier emphasis on security.
    • Re: (Score:2, Funny)

      by zappepcs (820751)

      Journalists ARE hacks... right?
      http://en.wikipedia.org/wiki/Hack_writer [wikipedia.org]

      Come on now. If you are reporting the black hat conference, what better way to show you know what you're reporting on than to hack?

      Personally, despite any failure on the part of the organizers, I think it admirable that they did a 'little' hacking. Perhaps we can get a new "meme that is never spoken"(TM) like male sportscasters all have stupid ties and bad hair and female sportscasters are Playboy bunny wouldhavebeens. Hacking conference

      • The other thing to think about is in regards to it being a conference full of hackers. Yes, it seems silly to tell them not to hack the wired connections. On the other hand, did they really think that a thousand hackers wouldn't be able to figure out who was doing the hacking? I find what they did slightly humorous, but I think they're idiots if they thought they could do it and get away with it.
    • What's next? Hackers that write articl... oh, nevermind.

  • Two people... (Score:5, Interesting)

    by Eggplant62 (120514) on Friday August 08, 2008 @10:42PM (#24534485)

    ... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.

    Am I hacking??

    • by Ortega-Starfire (930563) on Friday August 08, 2008 @10:46PM (#24534505) Journal

      Yes.

      Die, Hacker!

    • by mortonda (5175)

      ... are seated in a noisy restaurant, yelling back and forth to each other from one side of the table to the other. I'm sitting 3 tables away and can hear them.

      Am I hacking??

      If you are busy writing down what you hear and/or intend to use it, yes!

      • I disagree. If you yell username and password pairs along with hosts that they work with across a room, that conversation is what we call unprotected. Like there is freedom of speech, there is also freedom to listen. If you're going to broadcast your conversation, without first taking steps to protect that conversation, that conversation is open game to all and sundry. Same with broadcast tv. Brits might disagree with their odd television licensing, but here in the States, we don't need a license to receive

        • by mortonda (5175)

          If you feel that shouting your protected information across the room without some form of encryption is a great idea, hey, go for it. Basic security 101 - Fail.

          I didn't say it was a good idea, or good security. Nevertheless, anyone who overhears that info and *uses* it, is doing wrong.

        • by Shotgun (30919)

          What if I'm shouting in pig-latin? Or I use rot13? Is rot13 ok if I do it twice?

    • depends... Does person 1 say "SYN" before each statement and person 2 say "ACK" before their response?
    • by pauljuno (998497)
      Absolutely not. Now play this mind game with me, what if the two people are talking with each other in a sound proof room that is unlocked and you open the door to listen. Are you now hacking?
    • I must report you to the analogy police. This is more like two people sitting in a restaurant speaking at normal volume or lower. You could hear what they are saying if you move closer. If you do so, are you behaving ethically?
    • by The Raven (30575)

      Two people are seated in a quiet restaurant with partitions between each table, talking to each other in relative privacy. I'm sitting 3 tables away and can't hear them.

      So I make a reservation for 50 of my closest friends to come down. The restaurant has to take down the partitions to make room for the huge party... except all those people never show up, it was a false reservation. However, by overflowing the Active Restaurant Patron tables, I turned the private restaurant into a public one.

      Am I hacking?

  • If this were any other event, these reporters would be arrested a la Dmitry Sklyarov for violation of the DMCA, and should be sentenced to a billion life sentences without the possibility of parole without the unnecessary step of a time-consuming trial. But given that this is a hacking event, the reporters will probably be hailed as heroes. What is the world coming to?
    • Re: (Score:3, Informative)

      by cduffy (652)

      Computer misuse is illegal, yes, but not under the DMCA.

    • by mrboyd (1211932)
      I sincerely hope you're only failing at being funny and not implying that the former is better than the latter....
  • "You're not a journalist! You're a hack!"

    I know, shoot me.

  • by Cynic.AU (1205120)

    If they'd kept their hack secret, nobody would've been the wiser. Thus, their point may have been that the press room is in fact INSECURE and should not be trusted.

    Not a very smart move, politically speaking.
