Who on earth uses a wireless network, secure or not, without using an SSH or VPN tunnel??
Complain all you like
Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed. Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the …
No-one at a security conference should reasonably expect any pubic network to be secure.
If you're using someone elses internet connection, you should expect it to be compromised in some way.
If you're using email, you should expect someone at your ISP or government to be intercepting all email that isn't secured.
Just because you're paranoid, doesn't mean they aren't after you!
Ah, here come the black helicopters bringing me my tinfoil hat.
The old real estate adage is, "Location, location, location."
The wireless network itself wasn't compromised, as the sniffing was done at the *wired* side. The only thing that a public network is good for is surfing the web. If you have anything that uses credentials on a network, expect it to be sniffed and hacked.
1) "Bourne countered that he and other organizers were "very clear and transparent" that all networks were being bugged during announcements made in between talks."
- Not true. It was never announced to everyone that the physical network was being sniffed. The term "open wireless" was used. Brian and I have argued back and forth about this but there are two different accounts of how this was "communicated".
2) "It doesn't take a networking expert to know that unless end users take special care, such traffic is easily sniffed by anyone with access to the cables. And yet that seemed to come as news to some attending the conference."
- Perhaps that's because the audience was never made aware the full extent of the monitoring. Why should anyone, but the conference organizers, have access to the service provided by the conference? Since this is a security and education conference there are those attending from the business word that simply don't know this. Who has the right to slam them for not knowing security if that's why they're at the conference in the first place - to learn about security.
3) "Bourne declined to address those claims, but he said the the controversy could easily have been prevented by using a "captive portal," the screens that typically require Wi-Fi users to agree to terms of service before they can use the service."
- Unfortunately he is correct and unfortunately this was not done. Consent was not given and this fact makes what was done illegal under Canadian law.
BOTTOM LINE: SecTor is not Defcon, all attendees aren't security experts, and what happened was wrong.
But *everyone* knew the key, and it was given to all on asking.
This is a security confrerence right?.. they're supposed to be paranoid, not patsies who get conned by bit a bit of social engineering.
Anyone complaining should be kept away in future.. they sound like they're a danger to themselves and others.
oh noes the hackers didnt knock on our door and tell us that the "secure" wap was really controlled by them bla bla bla well now ur on a wall the only networks you can trust are your own the isp can watch everythign go by do deep packet inspection and all kinds of other bs and you would never know
Isn't the point here that experts who fully understand the issues get caught, so god help the rest of the general public. They are only complaining about it being illegal because they are embarrassed - after all real hackers consider the legal implications don't they?
Paris - because she was caught n flagrante delicto
>BOTTOM LINE: SecTor is not Defcon, all attendees aren't security experts, and what happened
The real bottom line is some pansies got owned and and are now crying a river they should've been protected by some written policy.
B.S. Your adults, you screwed up -- LEARN FROM IT. That's why you go to conferences, not to sit in some ivory tower saying nothing ever bad can happen to you without your express, prior written consent.
Mate so you're telling us you've attended a conference full of hac^H^H^Hsecurity consultants and *not* expected someone to be snooping in, if just for a laugh? And anyway why would you go around using insecure credentials and still have any expectations of privacy whatsoever?
Makes you wonder sometimes.
Anyone attending and complaining should be informed that anyone at the event could have been snooping on the network, it's just a switched network so you could easily spoof the arp address of the gateway for instance and intercept all outgoing traffic (you know, the part that usually contains unencrypted credentials).
So why are they complaining that the event organisers did it as an exercise in education?
Pretty good piece of education if you ask me.
A better piece of education is that everything which says "secured" on the tin isn't necessarily secure.
The conference guys sure have a point, whatever the legality of the whole thing... I mean, common folks (like me) would think that you are safe when you have an encrypted connection. Problem is that we don't just not know that; we don't know how to be safe to begin with.
Now what about using the coffee shop's/airport's free, unencrypted connection that scores of people use? We iz all doomd...
Maybe things have changed with WPA, but I was of the impression that anyone could capture the encrypted traffic even if they aren't associated with the AP and anyone with the PSK could then decrypt it.
Since anyone who asked could find out the key, the network could hardly be considered "secure" regardless of what the organizers did.
Boo bloody hoo.
I'm not a security expert either, and I'm quite happy to tell you that any WiFi connection should be considered insecure.
A couple of bloggers are complaining? Boo bloody hoo. They're at a security conference for F&%$s sake, where did they *think* they were going?
Sillier still, is the captive portal that OKs users to acknowledge they're on an insecure network. Much like "don't kick and shake the soda vending machine or it'll topple and fall on you", or the beloved "warning, contents of hot coffee cup may be hot".
The orgainisers should seed all these idiot users and prevent entry for the next year's exhibition. They're clearly too stupid to be blogging about things they know nothing about.
Naw, that can't work, that's never stopped bloggers before, and besides, misinformation is pretty much their only line of work.
Watch the insecure wifi connection and shame people using it - great idea, security pros should get serious ass kicking's if they use such a link.
Unfortunately the security message is somewhat diluted when some idiot goes a little over the top and shames people using an "alleged" secure network.
Personally I would be double checking the signed agreement with the secure network people then probably suing their assess off.
Note - double check - always read the bloody contract before connecting.
Free wifi is not a right, even at conferences. If somebody offers you something for free always ask what the catch is.
@Brian Miller & others
"The only thing that a public network is good for is surfing the web. If you have anything that uses credentials on a network, expect it to be sniffed and hacked."
If I use an https login to gmail or something similar, is the browser to server encryption at risk if the network itself isn't secure? Assuming the server's certificates "seem to be OK".
OK, not saying I'll do online banking from a cafe (I don't do online banking from any of my wired XP machines either). But just how paranoid should I be from a low-mid level black hat?
Lr tbqf... Jr'er gnyxvat nobhg fb-pnyyrq frphevgl rkcregf urer. Gurl ner tvira GUR cer-funerq xrl gb gur ragver Juvssl argjbex. Naq gurl qb abg frr n ceboyrz jvgu guvf naq npg nyy fhecevfrq naq bhgentrq? Gurl arrqrq n tbbq uneq xvpx hc gur nefr. Whfg orpnhfr fbzrguvat fnlf FRPHER ba gur gva, qbrfa'g zrna vg vf.
Ohg yhpxvyl, nyy gur qngn gung jnf favssrq, unf orra qrfgeblrq. Bu lrf. Hfvat n irel gubebhtu qryrgvba cebtenz. Vg unf npebalzf. Abj... Ubj znal crbcyr jrer favssvat gur "frpher" arg gung gur Betnavfngvba qvqa'g nfx gb, xabj nobhg be pner nobhg? Rirelobql unq gur xrl.
V ungr frphevgl pvephf. V ungr vg gung V pna'g oevat n obggyr bs qvulqebtra zbabkvqr ba n cynar. V ungr vg gung vg'f nccneragyl nyevtug sbe n ohapu bs cybqf gb fabbc guebhtu zl uneq qevir ybbxvat sbe puvyq cbea. V ungr vg gung crbcyr pna nqiregvfr "frpher guvf" naq "frpher gung" jura gur guvat vf nalguvat ohg. Guvf qbrf abg znxr hf fnsre, ohg ol tbqf, qbrf vg znxr gur cbyvgvpvnaf ybbx tbbq.
Gurer. Naq abj V jvyy rapelcg guvf hfvat ROT-13 fb lbh jvyy arire or noyr gb ernq vg.
Jean-Luc, the majority of big-name websites use SSL certificate chains which include signatures using broken algorithms. If your browser disallows MD2, MD5, etc. then you will find that gmail is one of them. If it allows MD5 then "seems to be OK" doesn't necessarily mean OK - this was demonstrated months ago
Lets look at the titles of the people complaining.
"the website of a devastatingly handsome author, sporadic blogger, bbq junkie, and security strong man"
Sean Michael Kerner writes about.........Security (tools, attack vectors, vendors and exploits)
Sorry, these people punt themselves as experts, so don't complain when you fall for this scam. If these people said "Dave, total novie in the IT world" then I'd have sympathy, but no these people claim to be experts. So they should know better.
If a anti-fraud office got caught in a phising scam, or a policemans car was knicked because he left the keys in the ignition, they would deserve equal ridcule.
Sorry, but they are whining becuase it's made them look dumb, far from the "experts" they pretend to be.
If I provide you a network, then anything you send over it can be read by me. Simple as that.
If these so called security professionals at a conference didn't understand that, then they don't deserve their jobs.
Who is to say that whoever runs the conference centre's network wasn't dishonest and stealing passwords, or whoever runs the ISP doing that, etc...
It's probably not hard in a conference centre for someone with a bit of tech savvy to install a wiretap on the whole building's internet connection. (get a few mates to complain about the network, then turn up in overalls, wave a badge "I'm here to fix your network", probably wouldn't even need that much cunning, you just need to find the right cable!)
Always encrypt your data (it's "httpS" people, it's not hard)
Give me your passwords. No, you don't need to know why, you can trust me.
Presumably this WiFi network was being used for internet access, seeing as Bourne was using Twitter over it. And presumably - WPA aside - their credentials were being sent in plain text.
Are these security experts trying to claim that they thought they had end-to-end security to arbitrary servers on the internet, just because the WiFi provider claimed it was 'secure'?
HTTPS (SSL) is transport layer encryption carried out on the device before the packets are placed on the network, so even if you sniff the packets, they cannot be decrypted without the keys.
The security does rely on trusting the certificate, as this contains the public key which is used to encrypt the intitial packet to start exchange of the session keys. At no time does any sensitive information go over the network in the clear.
That is until quantum computing breaks public/private key crypto....
if they can capture the whole session then they'll be able to decode it eventually if they have a super computer :D We're talking years tho.
Unless they do a full man in the middle attack and then it's all theirs'. This is much harder to do unless they control the wireless network, in which case it easy as pie. It just requires a small tweak to the DNS settings which are propagated by DHCP when you connect and a machine to proxy the requests. Hell, even proxy settings via dhcp that request TLS thru proxy is sufficient.
In theory TLS and the weaker SSL shouldn't be hackable but there are some flaws.
The bottom line; don't trust wireless networks unless you completely trust all other known and unknown clients.
WPA2 is the only security that lasts. TKIP used in WPA1 is flawed and crackable.
Always use a VPN when doing business or confidential transactions online with a network that is weak (<WPA2), untrusted or unknown.
It would have been someone else. Less scrupulous no doubt.
WPA is uses symmetric ciphers - if you have the key, you can listen to anything on the network, not just your traffic. The WPA key was given out to world + dog. World could have been easily listening to dog, and vice versa. There was absolutely no reason to believe this network was 'secure'.
Perhaps it's safe to say that this was a demonstration against people who should know better, OR the quickest way to show those who don't know better just what can happen.
think that they are secured just because they are using a networking with encryption?
All the encryption does here is keep you from getting onto the network in the first place, the way this article goes on its like these so called security experts think ahhh we are using a SECURED network so all our communications are secured. WTF?
All a hacker had to do was authenticate to the network, posion the ARP tables of whoever he pleases and become the router, job done.
The Jericho Forum commandments (www.jerichoforum.org) have made it clear for years, the network cannot provide any decent level of security (is the title "Network Security Manager" an oxymoron?). you must use ONLY inherently secure protocols. Unfortunately when caught out they resort to crying "it isn't fair" - come on you alleged security professional - the bad guys out there don't understand "fair", so up your game.
Ref your comment on Secure this, and secure that.
I'm glad to see I'm not the only one! Take for example Citrix's Gotomypc advert (one with the pigeons). It says that it's safe to use & "Completely secure".
Now, you're connecting your host PC (the one you wish to 'goto') to the net, you're presumably opening a port on your firewall. They may be using VPN, and encrypting the connection, but to me Completely means 100%. Can a PC attached to the net be 100% secure (Let alone with Port forwarding active?)
So it's false advertising then.
As for the article, these people should know better. I wonder how many access their online banking from McDonalds or Starbucks?
They should be very grateful. Its proven to them they were not as secure as they *assumed* they were. It just goes to show their own judgment is very flawed. It also means if even so called experts in security can be fooled this easily, then non-technical people don't have a hope of ever avoiding being spied on. I hope these so called experts feel totally humiliated. Its time their overly trusting complacency was utterly destroyed.
"But what made the Wall of Shame different - at least to some attendees - was the sniffing of a network that was represented as secure"
So in other words they assume people don't lie. Holding an attitude along the lines of assuming its secure, because they say its secure only shows they are overly trusting fools. The sad fact of life is that some people lie just so they can gain an advantage over others.
Their overly trusting attitude also proves they are very ignorant of the behavior of Narcissistic Personality Disorder (NPD) people yet ironically it exactly this kind of person who wants to spy on others just so they can gain an advantage over others. Therefore these so called security experts show they are ignorant of the exact kind of person they seek to protect everyone from.
Very evidently being a good security programmer isn't the only thing they need to learn, if they ever hope to protect people and computers. I hope they feel totally humiliated. Its the first step to them finally learning their overly trusting complacency is preventing them seeing how some people will game their systems to bypass their security. When they finally learn they will finally see how and where they need to improve these security to protect everyone.
Crash course in Narcissism: Estimates vary slightly as to the exact percentage of the population that are Narcissistic and its a sliding scale between mildly Narcissistic to extremely Narcissistic but a good rule of thumb is around 10% of the population with a few percent at the extreme end. But with a population of about 6.5 billion people in the world that still adds up to a lot of extreme end Narcissistic people in the world to avoid and guard against.
Crash course in Narcissistic Behavior: Lying, cheating, very two faced, endlessly manipulative, very self centered, relentlessly power seeking behind their lies to gain at the expense of others, also very distrustful of others, often willing to bully others so they can force and manipulate people to do what they want. Ultimately they lack almost any empathy for others, because they are so totally self centered They are even happy when their lies win over others because it confirms to them that they can gain power over others by using lies. Also as they have almost no empathy for others they even just see their lies as them out smarting others. They don't care they are lying. Worse still they even think themselves better than others, because they don't fall for these kinds of lies. That is because they are deeply distrustful of the intentions of others and always on the lookout for how anyone could manipulate them. (They are fearful of people gaining power over them). Their every act of manipulation is a moment where they have power over others, to get others to do what they want and they seek that power almost relentlessly. They also often seek jobs that give them power over others. For example they seek to become managers and then bosses of companies. They also go into politics as that also gives them considerable power over others. They seek groups like them to give them collectively more power, but they lack loyalty to the group, they will sell it out as soon as its in their best interest, so they just use groups of people when it suits them (they often treat and exploit employees the same way). Also as they have so little empathy for others they will happily setup companies that ruthlessly exploit others. (Spyware, Spam, Phorm are all good examples of this kind of organised exploitation of others).
In an ideal world their behavior wouldn't exist, so it would be one big happy family etc.., but that will never happen. So its time everyone finally wakes up from their dream like trusting state so they can see that people with a Narcissistic attitude are the real enemy of us all. Everyone who is openly trusting of others, is a willing victim just waiting to be exploited by Narcissists and its not a case of sooner or later, because most of us (especially in companies) are exposed to some Narcissists in our daily lives almost every day, so we have to all become completely mindful of how they think, for our own protection, so we can defend ourselves against their lying manipulative self centered corrupt attitude.
Also the more the self centered ruthless people in power subvert the Internet to move us all towards a world where they can spy on us ever more (as they are doing, ultimately for their own gain from having such growing power over us all), then the more we need security experts to be our line of defense against all the increasing spying and undermining of the Internet. But the security experts can't do that effectively if they are so ignorant and trusting towards the kind of people they seek to defend us all against.
While you might have a point that they breached your privacy, wouldn't that be case for say... 100% of illegitimate people trying to get your data? Think they care about legitimacy or law? Its why their CRIMINALS isn't it....
So, you got PWNED in a pretty trivial way. And instead of taking it as an opportunity to blog about "no such thing as secure when they have your wire" you went "cry mommy" and ruined your so professed "security expertise" profile in an epic way.
Any potential employer doing a google search will now find both names associated to "clueless" instead of "expert".
Bullet, meet foot.
" people asume that a respected group is going to brake the law? This is one step away from saying there is secure parking and then braking in to peoples cars and saying "lolz. All that meens is that there is a gate".
The whole thing has gone to far."
I'm not normally a grammar Nazi but enough is enough (I realise that the chances of a mistake occurring in my posting has now gone up substantially). Try "assume", "break", "people's", "means" and "too".
It's the oldest trick in the book, social engineering.
Rather than bleating about how they were conned or were shown to be gullible by devious sleight of hand they should take on board the lessons to be learned.
1) Things are not always what they seem to be
2) Things are not always what they claim to be
3) People lie
4) The 'truth' isn't necessarily so
5) Trust no one
6) People sometimes forget what they should know
7) Even the most cautious, most aware can still become victims
Mine's the one with a pocket full of passwords.
Great take on the whole incident ..one small clarification though...
I have no problem with the fact that NO passwords should ever be sent in the clear. The problem is that unlike Black Hat / Defcon - there was no disclaimer on a captive portal gateway prior to getting network admission.
Black Hat/Defcon and its networking partner Aruba have such a captive portal disclaimer which makes all the difference in the world.
Check out the image in the top left of this post i made at black hat in 2008 for an example.
Interview In June, Purism began shipping a privacy-focused smartphone called Librem 5 USA that runs on a version of Linux called PureOS rather than Android or iOS. As the name suggests, it's made in America – all the electronics are assembled in its Carlsbad, California facility, using as many US-fabricated parts as possible.
While past privacy-focused phones, such as Silent Circle's Android-based Blackphone failed to win much market share, the political situation is different now than it was seven years ago.
Supply-chain provenance has become more important in recent years, thanks to concerns about the national security implications of foreign-made tech gear. The Librem 5 USA comes at a cost, starting at $1,999, though there are now US government agencies willing to pay that price for homegrown hardware they can trust – and evidently tech enthusiasts, too.
Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.
These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.
Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.
Alibaba's financial services affiliate, Ant Group, has open sourced its "privacy-preserving Computation Framework."
The goal of the release, according to an Ant announcement, is "to make the technologies more accessible to global developers and speed up the framework's application."
The Framework, called SecretFlow, can be found on both GitHub and China's analog Gitee. In the repos you'll find code for:
Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.
US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions.
In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.
American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.
The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.
Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).
California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.
Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.
"First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."
A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure.
But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.
"Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."
A California state website exposed the personal details of anyone who applied for concealed-carry weapons (CCW) permits between 2011 and 2021.
According to the California Department of Justice, the blunder happened earlier this week when the US state's Firearms Dashboard Portal was overhauled.
In addition to that portal, data was exposed on several other online dashboards provided the state, including: Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards.
Biting the hand that feeds IT © 1998–2022