Andrew Hay

the man, the myth, the blog

Security Vendor Illegally Collects and Displays Attendee Information at Security Conference


Delivering a black eye to SecTor, the annual IT security conference held in Toronto, Ontario, Canadian security vendor eSentire admitted to collecting and displaying attendee information from what attendees thought was a secured network. With the full consent of conference organizers, eSentire collected login credentials for popular services such as Twitter, Google Mail, and Hotmail and posted the collected information on a “Wall of Shame”.

SecTor, in collaboration with Andover, MA-based Enterasys Secure Networks, provided wireless connectivity to attendees, presenters, and vendors in two formats: an “Open SSID, No Encryption, No Authentication” network named “Sector2009” and a “Secure SSID, WPA2-AES”-encrypted network named “Sector2009Secured”. To use the “secure network”, a short stop at the Enterasys booth to obtain the credentials was required. Most security-conscious attendees used the secure network, understanding the perils of connecting to an open and unsecured network. This security blanket, however, was abruptly removed, and attendees – who thought they were securely connected – were exposed.

The “Wall of Shame” idea was taken from the long-standing “Wall of Sheep” that prominently appears at the Defcon and Black Hat security conferences. The Wall of Sheep, commonly referred to as “The Wall”, is an interactive demonstration of what can happen when network users let down their guard. In an attempt to mimic the success of the Wall, eSentire and SecTor decided to create the “Wall of Shame”. This version of The Wall displayed usernames and partially obfuscated passwords for services that attendees connected to using unsecured protocols. Brian Bourne, conference organizer and master of ceremonies, announced on the first day of the conference that the collection would occur. What wasn’t mentioned, however, is that both the unsecured and secured wireless networks were being monitored, even though the conference literature expressly stated that the “Sector2009Secure” network was, in fact, secure. Most attendees, myself included, thought that using the SecTor/Enterasys-provided “secured WiFi” connection would spare them the embarrassment of being displayed on the Wall of Shame. Unfortunately, this was not the case.

At the SecTor speakers’ dinner, several attendees were approached by colleagues and informed that their credentials had appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was being monitored, Eldon Sprickerhoff (founding partner at eSentire) stated that, although capturing and decrypting the “secured WiFi” traffic was possible, it was much easier to connect a network tap directly to the physical network and capture both streams of traffic. Because both streams were unencrypted by the time the traffic reached the physical network, the security of the secured WiFi no longer existed. Enterasys, when questioned about their involvement in or knowledge of the collection, stated that they were only aware that the unsecured wireless network was being monitored and were shocked to find out that the physical network was also affected.

Several vendors on the trade show floor were understandably upset when they learned that portions of their sensitive credentials had been put on display for all to see. “If vendors are going to be sponsoring the event, then we should be notified that this type of activity is going on,” said Billy Austin, CSO of SAINT Corporation. “Most people know me and personally do not care about my information being shown; however, my time is of value, and having conference attendees come up to me and tell me that my information is being illustrated on the wall of shame is consuming time away from my busy activities.” Austin stated that if he had been forewarned that the activity on the wireless access points would be made public, he would have selected an alternative option.

Sprickerhoff stated that this practice had been cleared with the conference organizers to better represent the threat of unencrypted traffic being exposed on the Internet. The problem is that no one was informed that the “secure WiFi” traffic was also going to be subjected to the embarrassment of The Wall. David Fraser, Chair of McInnes Cooper’s Privacy Practice Group, expects that attendees probably had an expectation of privacy in their use of the WiFi network, particularly the secure one. “Broad lists of private communication interception tools are prohibited under the criminal code,” said Fraser, “a computer being one of them.” Fraser stated that if a secure connection method and an unsecured connection method were provided to attendees, the expectation of privacy would be enhanced with regard to the secured WiFi option.

According to Fraser, Section 184 of the Canadian Criminal Code explains the legalities behind the interception of information. “There are laws against the interception of private information,” explained Fraser. “Section 184 of the Criminal Code states that it’s illegal to intercept private communication without consent.” Fraser stated that posted signs, login screens, and other informative mechanisms could have been used to communicate that attendees’ network activity was subject to collection, but it’s an open question whether that would be enough “consent” for the interception. “If someone walked in late, missed the announcements, and connected to the wireless network, they might not have known that the collection was happening until after the fact,” explained Fraser. The act of intercepting private communications without consent is a federal offence and is punishable by up to 5 years in jail. Furthermore, Fraser said that privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), also apply to the situation.

During the morning break announcements on the second day of the conference, Bourne informed all attendees that only the unsecured wireless network traffic was being collected and displayed by eSentire on the Wall of Shame, neglecting to mention the captures taken directly from the physical network. During the lunchtime announcements it was announced that, “due to numerous complaints”, the Wall of Shame had been taken offline and the collected data would be destroyed. To add insult to injury, Bourne thanked eSentire and applauded the exercise as a success.

Attendees have not received any guarantee that their collected information was disposed of by eSentire in a forensically sound way. “[eSentire] has an obligation to safeguard the collected personal information and must see to it that secure destruction methods are followed,” said Fraser. “Collecting the information in the first place is unreasonable.” Dr. Michael Geist, law professor and Canada Research Chair in Internet and E-commerce Law at Ottawa University, was also shocked at how the events unfolded. “This is a clear violation of Canadian privacy law,” said Geist. “Someone should file a complaint with the [Privacy] Commissioner, as that would provide a more valuable lesson than the fake one the organizers tried to create.”

UPDATE (2009/10/15 at 5:04pm EST): After speaking with Brian Bourne at some length, we both agreed that it needed to be communicated that Eldon Sprickerhoff is a member of the SecTor organizing committee. This committee was responsible for the design and implementation of The Wall of Shame at SecTor 2009.