Black Hat expels reporters in network snooping

Kurt Opsahl, left, a senior staff attorney at the Electronic Frontier Foundation, discusses the ejection of the three French journalists over networking snooping allegations.

(Credit: Declan McCullagh/CNET News)

Robert Vamosi of CNET News co-wrote this story.

Updated 10:30 p.m. with comment from Brami.

LAS VEGAS--Three journalists for a French security magazine were kicked out of the Black Hat security conference after they allegedly sniffed the press room computer network on Thursday.

The journalists work for Global Security Mag, which was a media sponsor of the event. Two of the men, Dominique Jouniot and Mauro Israel, could not be reached for comment.

The third, Marc Brami, director of the magazine, told CNET News later that he blamed Israel for the incident, which Brami described as "a joke." Brami said Israel is a security expert who occasionally blogs and likes to sniff networks as a prank. Brami said he did not know what Israel was up to until it was too late.

"It was a big mistake," Brami said via telephone. "(Israel) said it was a joke and that he didn't think it was important."

Organizers required the men to leave the conference, confiscated their badges, and barred them from Defcon, a sister security conference that runs over the weekend, and from all future events, a Black Hat representative said.

Asked to comment on his ban from the events over the incident, Brami said: "It's not good for my magazine, but also it is not so good for Black Hat...maybe they lost a good supporter. For us, it was like a joke."

The reporters' badges sit on a chair after they were confiscated.

(Credit: Declan McCullagh/CNET News)

The men were seen huddled over a table in the two press rooms for much of the day and took their computer to the Wall of Sheep (a project that monitors wireless network activity), asking them to display the alleged usernames and passwords of journalists.

The Wall of Sheep organizers refused to do that, saying that they do not monitor the traffic of the press room. A reporter from TG Daily was standing nearby, took a photo of the screenshot, and wrote a short article about it.

CNET News was listed as one of the alleged victims, but the username and password displayed were inaccurate. A journalist from eWeek, on the other hand, confirmed that the username and password he used had been exposed.

Asked why they allegedly sniffed the press room network and attempted to embarrass other journalists, the French journalists said they wanted to educate the public about the privacy dangers with using public Internet connections, the Black Hat representative said. They cited journalists working in China covering the Olympics, she added.

A security expert who works for Black Hat speculated that the men may have re-routed a protocol in the network switch and redirected the traffic through their machine in a classic man-in-the-middle attack.

Unlike the Wi-Fi network that the Wall of Sheep is monitoring, the closed, local area network the press room uses is considered a safe zone at the event, said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation.

While he couldn't comment on the legalities of the situation without knowing the specifics, Opsahl said it sounded like it could have been a violation of the federal wiretap statute.

"As a general rule, capturing the content of communications without the consent of any of the parties is illegal," he said.

"It's important to have press come here and be able to communicate securely with their home offices," Opsahl added. "It's just not good manners to try and crack into the press network."

Click here for full coverage of Black Hat 2008.

[mrparamus]

This is hardly the first incident of its kind. Several years ago, I found active key loggers on several press room computers at the CTIA show in Atlanta. The log files had the user IDs and passwords for many of the journalists covering that show. I printed out 40 pages worth of those keystrokes and gave the info to the show mgt, but don't know if they did anything about it. Caveat: Don't assume press room computers are any more secure than an Internet cafe.

[SlimGem]

What's good for the goose is good for the gander.
Hack 'em and crack 'em one and all.

[jef5623]

Thankfully, we won't have more of such network snooping events since the 7th age of computing is near.

[igl00lgi]

The best off the the hackers at this conference get of on being the best off the best. But most are not.

[6itu]

As a former journalist for the french edition of CSO Mag (IDG), and working in the I.T. security for the last 10 years, I can swear that neither Jouniot or Israel have a press card or have ever been journalist.
THIS is not, and will definitely NOT be an attitude of a responsible member of the french press.

Marc Olanie

[benjaminstraight]

This is Cloak and Dagger stuff.

[78cherche]

These journalists need to grow up, they remind me of myself 9 years ago when I first found out about network spoofing while taking a few classes in networking. I went around gleefully sniffing passwords etc, for a few months.

Get over it already - they look like little drunken children first exposed to alcohol.

[78cherche]

These journalists need to grow up, they remind me of myself 9 years ago when I first found out about network spoofing while taking a few classes in networking. I went around gleefully sniffing passwords etc, for a few months.

Get over it already - they look like little drunken children first exposed to alcohol.

[johnwmgibson]

The "journalists" in question don't need to grow up, just grow a brain. However, if they indeed hacked the network at "THE" major security conference in the world, then, perhaps, the conference organizers also need to be questioned about the horridly inadequate security of the press network. No one should "feel safe" when there's an open network connect like that. Joke or not, they did point up a very serious problem.

[M_K_Higa]

but they got busted. Isn't that part of security, albeit the last string of defense?

[The_Decider]

They didn't "hack" anything, they probably just put their network card in promiscuous mode and had wireshark running.

Hardly a hack, or cloak and dagger stuff like someone else said.

[The_Decider]

Whoops, forget to mention, the possibility of a MIM attack isn't much of a hack either, it is a method of taking advantage of the fatal flaw in SSL based traffic: end user ignorance. It is based more on social engineering than real technical matters.

It is nearly impossible to stop via security measures.

[Kings X Rocks!]

This is the comment that made me giggle:

"As a general rule, capturing the content of communications without the consent of any of the parties is illegal," he said.

...of course it is...and that's why people don't ever do it!!!

[TV James]

Boy, that's rich. Talk about irony.

Maybe these "victims" should have been vetted before being issued press credentials. If you're that easy to hack at a hacking convention, how can you effectively and accurately report on something you obviously don't understand yourself?

[Ngallendou]

For too many Frenchmen, the rest of the world remains a... joke upon whom we smile benignly. Everything we do has as its objective to educate the ignorant, exposing their non-Cartesian stupidity. Well, if we get caught, we shall laugh it off like mothers whose babes spit up on them

[nmcphers]

That comment made as much sense to me as if it were written in French.

[alegr]

I thought protocols that require plaintext login went out of vogue years ago.

And you thought old NTLM authentication was bad!

[c1_ken]

The three individuals tossed out should be allowed to return to the event - as soon as it can be reasonably ascertained that hell has frozen over. Kudos to the organizers that the press is allowed. Not all of the press are security savvy so it's good that there is some kind of safe zone. Hopefully the press will use this to educate the public about the potential risks involved in using a public network.

[ferretboy88]

Its "ok" to do anything you want in the name of security. Sure.

[Harrison912]

Well, it looks like the black hat guys actually had white hats on! Good go'in fellas!

As a web site owner of safety and security products, I'm glad to see the security of communication is also kept safe.

[jatos]

Question begs: what happens if someone trys to repeat the trick and doesn't reveal they are doing it?