Defcon 2007: The Wall of Sheep gets “Hamsterized”

Posted by Humphrey Cheung

Las Vegas (NV) – “Oh look, I got a MySpace.”  While other attendees at the Defcon security convention were soaking in the atmosphere, a dedicated group of hackers were soaking in their data.  By sniffing both wired and wireless traffic, the group finds user names, passwords and yes even MySpace profile pages and then posts the information on the convention’s famous “Wall of Sheep”.  Sure it’s embarrassing if you’re the one being caught, but in this group considers it tough love.

 

 


Defcon 2007: The Wall of Sheep ...


The wall was started several years ago by a security researcher named “Riverside”.  At first his small group would sniff traffic and write the most interesting results on paper plates and then slap them on walls.  Over the years the group has grown and the paper plates have been replaced with projectors.

This year’s Wall of Sheep was particularly nasty because Errata Security’s CEO, Robert Graham, used his cookie sniffing skills to add Gmail and other webmail accounts to the Wall.  You may remember Graham from our article about Gmail hacking at the Black Hat security convention last week.

Using a $300 AirPCAP USB sniffer, Graham scanned the wireless network for passwords and cookies.  He found several people using Gmail, both in http and https mode and posted the victim’s username, password and protocol used on the projector.

Graham told us that many people at the convention had a false sense of security by logging into Gmail with https/SSL because that only encrypts the password, something that he doesn’t need.  “People see https and think I’m cool,” but nothing could be further from the truth.  In fact, so many people were caught after using the “secure” login of Gmail that a new moniker, “HAMSTERIZED”, was added to the wall.

Cookie sniffing and replay is a very powerful attack because the dynamic web pages of the Web 2.0 era often contain very personal information.  Graham told us it would be very easy to find people’s addresses by getting into their Gmail accounts (many people attach signatures to their emails).  His cookie attack will even show past searches in Google Maps.

To defend against cookie sniffing and replay attacks, Graham strongly recommends using either VPN or SSL during the entire Gmail session; unfortunately the average person is too lazy to do so.

“The vast majority maybe 99% don’t bother,” Graham said.

Graham showed his techniques to other volunteers working at the Wall of Sheep and one very hardcore hacker shunned Graham’s automated tools and did everything by hand.  Talk about dedication.

You would think that all this data sniffing would take a tremendous amount of computer hardware, but the Wall of Sheep runs on a shoestring budget and the equipment consists of some very old gear.  The volunteers themselves bring their own laptops while the network hardware is just a Cisco 2950 switch and an ancient Bay Networks (remember them?) hub.  The username and passwords are organized on a 400 MHz HP laptop.  When you think about it, Graham’s $300 USB sniffer probably costs more than all of the other gear put together.

“It doesn’t take much to run the wall,” said Riverside as he pointed to the pile of switches and hubs.

So are Defcon attendees getting the message and using more encryption at what has been called the world’s most dangerous network?  Riverside seems to think so, even though his group snagged dozens of people along with a delegation from Japan.

“It seems to have been a success, we saw lower numbers [people getting caught], but every year we have a fresh batch that get on the wall” he said.

One of those victims was Riverside’s 16-year-old headstrong nephew who was apparently overconfident in his computer skills.

“He told me that he wasn’t going to be on the Wall of Sheep…. And he was,” Riverside said.