Oct
08/09
Good, Bad and Ugly: On SecTor’s Wall of Shame
Updated on Tuesday, 31 January 2012 02:05

In the past 48 hours or so, rumours about the SecTor Wall of Shame have been circulating through the intertubes, blogs, twitter and exhibitor floor conversations.

 

 

After an obviously agitated media member (a blogger for InternetNews.com) wrote this post about SecTor’s Wall of Shame, several security professionals attending the event began asking questions about the collection of data on the Wall. Honestly, I blew off most of the blogger’s statements due to his poor writing, agitated tone and obvious misunderstanding of the technology and security. I didn’t investigate until a handful of colleagues approached me.

Many of those attendees (and other vendors) didn’t like what they heard: the Wall of Shame was displaying captures from both the secured and unsecured (open) wireless networks.

I heard a flurry of rumours that the vendor hosting the Wall of Shame (eSentire) was cracking the AES encryption, the wireless sniffing was actually a wire tap and several others; some true, some not. After hearing all the noise and being contacted by several peers, I decided to write this post.

Brief History of the Wall
Similar to the popular Defcon Wall of Sheep, the Wall of Shame at SecTor follows the tradition of most security and hacker events, at which unprotected user data is prominently displayed to the conference audience. Generally the Walls are run by conference staff or volunteers. They typically capture unencrypted data from users on the Open (unsecured) wireless conference network and display it in a fairly harmless way, with the username and a partially masked password shown. Common practice is to mask (or blank) all but the first three characters of the password. It is not uncommon for conference Walls to collect the wireless data on the wired side, instead of sniffing wireless traffic directly.

Quick Facts: Wall of Shame

  • There were two conference (non-hotel) wireless networks: Open wireless and WPA2 secured wireless.
  • The WPA2 PSK (pre-shared key) could be requested at the Enterasys vendor booth.
  • The Wall was hosted by vendor eSentire at their booth.
  • The Wall was collecting data on the wire (vs sniffing wireless).
  • The Wall was displaying data with username and partially masked/obscured password.
  • The Wall was collecting (but not displaying) all wireless traffic, passwords, cookies, attachments.
  • The conference management announced the Wall and wireless usage to attendees during the opening remarks and lunch breaks both days of the conference.
  • At no point did eSentire or the conference management try to mislead attendees or wireless users as to the monitoring of the network.

Why People are Mad
In addition to the blogger, several people have expressed their extreme displeasure with the Wall of Shame. As it turns out, the Wall was, in fact, displaying data from both the Open wireless (as expected) as well as the Secured wireless (not expected). The point of the Wall at most events is to demonstrate how unsecure wireless networks are. The fact that they choose to tap the wire instead of sniffing wireless to get the data is just a matter of convenience. Having said that, it is not common practice for conferences to tap BOTH the Open and Secured networks. By virtue of offering two networks at SecTor, most people had an expectation of privacy on the Secured wireless; and I believe that’s not unrealistic.

How the Secure Wireless was Shown
There was no crazy crypto or magic fairy dust. Since the wireless data was captured on the wired side, it was unencrypted. To be more accurate – any added protection offered by the encryption between the access point and the endpoints had been removed. Wireless security can be applied several ways, a common method being encryption between the AP and the connecting device (i.e., a laptop). If users were accessing something PAST the conference network securely, then that data was secure as it traveled through the wired and wireless SecTor network. See Figure 1 below.

I did hear a few rumours of eSentire decrypting traffic as well as general notions that the Secured (WPA2) wireless wasn’t really secure, since the pre-shared key was available to everyone. eSentire was not decrypting or cracking anything. Ideally in WPA2 implementations, key rotation is turned on, making the wireless portion secure even with a shared key.

The Good Intent
Although the use of the Wall might have been past our normal expectations, the intent was good and not malicious in the least, both by the SecTor management as well as eSentire. The purpose of The Wall of Shame, just like all other Walls, is to demonstrate exactly how unsecure we are each day. Most users of network technologies don’t understand the vulnerability of sniffing wireless and/or tapping wired networks and eavesdropping. The only way to convince them in many cases is to SHOW them, and that’s exactly what the wall does.

By extending the Wall beyond Open wireless and also showing the decrypted wire-side traffic from the Secured wireless network, I think they further proved the point. They did not ‘crack’ anyone’s encryption, nor did they dig into tunneled or secured traffic passing through the conference network. All they did was shine a light on what people were happily passing through the network, just as they do everywhere else. If it was secured coming in, it was still secure going out, and vice versa.

Figure 1: Wireless security methods

 

You can be mad if you want to, but anyone that’s mad about the Wall of Shame should be thankful that it was pointed out to them in a safe, controlled environment. If you were on the Wall, that means every day you connect to networks you assume to be secure. Every day you pass data, unsecured, through other people’s networks. Every day you’re vulnerable and every day you’re ONE day closer to being compromised.

Even SecTor’s conference director, Brian Bourne, was a victim of his own showcase of vulnerability. Brian posted a tweet, poking fun at himself: “Note to self: Tweetdeck does not make SSL connections. My password on wall of shame. I am shamed.”

 

An Aside On How Not to Be a Sheep
Figure 1 above shows the various methods by which we can secure wireless (and wired) networks as our traffic passes through other people’s networks. This is really another topic, deserving of another post – stay tuned. In the meantime, as you think about the Wall of Shame, keep this image in mind. The Open wireless has security 0 (no encryption, anywhere). Other options might be to encrypt between the laptop and access point (A). Some wireless designs include a controller-based model that allows access points to encrypt data through the first set of switches, to the wireless controller (B). Many secure wireless networks use a VPN model and secure between the endpoint/laptop and some VPN aggregator sitting at the core or WAN edge (C). Using HTTPS (secure HTTP) sites is highly recommended, since they encrypt from the browser on the laptop to the web server (D). One of the most secure options is a VPN tunnel through any unknown or hostile networks (including the Internet) to a VPN termination at home office (E).

In the context of the Wall of Shame, methods 0 (open) and A (encrypted to AP) are vulnerable in many ways, as the Wall demonstrated so clearly. Methods B and C didn’t apply to this scenario and methods D and E would have remained secure and uncompromised on the SecTor conference network.
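The layered model above can be checked mechanically. The following is an added example, not part of the original post: it treats each method as encryption that starts at the laptop and ends at some hop, then asks which methods are readable on a given link. The hop names, their order and the tap position (the wired link just behind the access point) are assumptions made for illustration, since the Figure 1 image is not reproduced here.

```python
# Added illustration: hop names and their order are assumptions, not from the page.
PATH = ["laptop", "access_point", "switch", "wireless_controller",
        "vpn_aggregator", "internet", "remote_endpoint"]

# Method label -> hop where that method's encryption (starting at the laptop) ends.
# None means no encryption anywhere (the Open network).
ENCRYPTION_ENDS_AT = {
    "0": None,
    "A": "access_point",
    "B": "wireless_controller",
    "C": "vpn_aggregator",
    "D": "remote_endpoint",   # HTTPS to the web server
    "E": "remote_endpoint",   # VPN to the home office
}

def is_protected(method, link):
    """True if traffic using `method` is still encrypted while crossing `link`."""
    near, far = link
    i = PATH.index(near)
    if i + 1 >= len(PATH) or PATH[i + 1] != far:
        raise ValueError(f"{link} is not an adjacent hop pair")
    end = ENCRYPTION_ENDS_AT[method]
    return end is not None and PATH.index(end) >= i + 1

def exposed_methods(link, in_use=("0", "A", "D", "E")):
    """Methods whose payload is readable on `link`; default set is the SecTor case."""
    return [m for m in in_use if not is_protected(m, link)]

def first_cleartext_link(method):
    """First link on the path where the traffic is readable, or None if never."""
    for link in zip(PATH, PATH[1:]):
        if not is_protected(method, link):
            return link
    return None

if __name__ == "__main__":
    air = ("laptop", "access_point")    # what a wireless sniffer sees
    wire = ("access_point", "switch")   # assumed position of the wired tap
    print("readable over the air:", exposed_methods(air))
    print("readable at the wire tap:", exposed_methods(wire))
```

The difference between the two links is the whole controversy: method A protects the radio hop only, so a wired tap sees it exactly as it sees the Open network.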

The Bad
There are a couple of things I didn’t like about the Wall of Shame. I’m not comfortable with a vendor hosting the wall and therefore collecting the data and having access to it; even if the intention is to immediately destroy it. I think there’s a potential for trust violation. What a vendor does is beyond the immediate control of the conference management and staff. That little nitpick aside, I do think users should have been warned in a way that they could not claim ignorance. The conference management told attendees about the Wall and the network monitoring numerous times and made no attempt to hide or mislead the group. However, it is possible to have attended the event and not been present for those notifications. A captive portal with a terms of use clause and warning would fix that. After speaking to conference management about concerns, I believe they are all being addressed in any future versions of The Wall.

Your Opinion?
I feel the technical implementation of the Wall was acceptable. There was no malicious intent, no harm done and it did not introduce any new vulnerability to clients connecting to the network. It was simply a spotlight.

People not familiar with the technology may disagree. To avoid any misunderstanding or further complaints, the Wall was taken down early Wednesday morning and all data removed/destroyed. Brian and the SecTor management have taken the feedback and are planning a better implementation of the Wall for 2010. What are your thoughts?
