Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed.
Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the exercise was designed to draw attention to the perils of public networks, conference organizer Brian Bourne told The Reg. Indeed, Bourne - who is the director of Black Arts Illuminated, the company that puts on the event - found partly obscured credentials for his own Twitter account on the SecTor Wall of Shame.
But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure. The wireless connection carried an SSID named "Sector2009Secured" and was encrypted using the WPA, or Wi-Fi Protected Access, protocol. Before it could be used, attendees had to stop by a booth sponsored by Canadian security vendor eSentire to retrieve the network's pre-shared key.
"In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols," Bourne said. "Our intention with the Wall of Shame was to highlight that."
Not all attendees appreciated the object lesson in network insecurity. Bloggers such as Andrew Hay and Sean Michael Kerner howled in protest, claiming organizers provided no disclaimers that the WPA-protected network was being bugged.
"Most attendees, myself included, thought that using the SecTor/Enterasys provided 'secured WiFi' connection would save themselves from the embarrassment of being displayed on the Wall of Shame," Hay wrote. "Unfortunately this was not the case."
Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks. He acknowledged, however, that there was no notice provided when users first connected to the network or in written materials handed out to the 500 people attending the conference.
When Bourne learned some attendees were surprised at the monitoring, he called for an early end to it. He said all the collected traffic was stored on a single machine that was not connected to any other computers. Organizers have since destroyed all the traffic using a Department of Defense setting for the DBAN disk wiping utility.
The incident underscores two common pitfalls that await the security conscious. The first is how vulnerable all networks - even those that are encrypted - are to snooping. While WPA is believed to be secure, SecTor organizers had no trouble monitoring the network because they bugged the connection after wireless signals reached the wire.
It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference.
The fact that Bourne himself was caught in the sting is testament to how easy it is to forget this simple fact. Bourne said his Twitter credentials were detected because he was accessing the micro-blogging site using TweetDeck, an application that occasionally fails to encrypt traffic when user profiles are viewed. Although this weakness is disclosed online, it had escaped Bourne's notice until he found his partial credentials on the Wall of Shame.
But equally as dangerous is the fallout that can result when hackers target third parties without first getting their explicit consent. Hay, one of the bloggers who wrote about the incident, cites several legal experts who claim it constitutes a violation of Canadian privacy law.
Bourne declined to address those claims, but he said the the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service. And he said the criticism will be taken into account in 2010, at SecTor's fourth conference.
"We plan to bring it back next year with an even more in-your-face communication," he said. "That way, there's no misunderstanding." ®