SECTOR Sniffing: It Smells, as does the Response
Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep.
At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was being monitored, Eldon Sprickerhoff (founding partner at eSentire) stated that, although capturing and decrypting the “secured WiFi” traffic was possible, it was much easier to directly connect a network tap into the physical network and capture both streams of traffic. Because both streams were unencrypted by the time the traffic reached the physical network, the security of the secured WiFi no longer existed. Enterasys, when questioned about their involvement in or knowledge of the collection, stated that they were only aware that the unsecured wireless network was being monitored and were shocked to find out that the physical network was also affected.
Andrew Hay comments (at length) in “Security Vendor Illegally Collects and Displays Attendee Information at Security Conference.”
I’d like to set aside, for a moment, the legality and ethics, and look at the outrage. Before I do, I have no reason to think that Andrew is wrong, and he quotes David Fraser at length, and I’ve read and enjoyed David’s blog for years. Additionally, what was done was likely unethical.
That said, I have been watching with fascination — utter fascination — the outrage factory going to school on these guys. Have you read the terms of service that your hotel network makes you click through? Are you aware that AT&T installed entire rooms in their network hubs to capture not only your usernames and passwords, but are anticipating feeding into a yottabyte-scale datacenter?
From where I sit, there are an awful lot of people who should be using a full-bore VPN to get out of clear and present danger to a host and network that they trust, and they’ve been caught with their pants down.
Being outraged that someone actually captured your data? Are you a security professional? [If you are,] why not do something about it, rather than sputter?
SSH has had tunneling for so long I can’t remember when I first used it. I know I was tunneling SSH through SSL proxies while I was still consulting, so at least a dozen years. A good number of modern operating systems include IPv6. It’s not that hard to do something about most of these problems.
[If you’re not a security professional, then I’d suggest directing your outrage in roughly equal parts at the people who did this and the security pros operating the services which are not secured against this sort of thing.]
[Updated after comments from Andrew Hay.]