Targeted for hacking by reporters at my table

A CNET News reporter explains how she may or may not have gotten hacked at the Black Hat security conference.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
6 min read

Updated Friday with details about TG Daily notifying CNET News about the breach.

LAS VEGAS--I should have known it was only a matter of time.

I've been covering security conferences on and off for about 14 years and considered myself lucky not to have been hacked, that I knew of. Until Thursday.

Here's what happened. I was in one of the press rooms at the Black Hat security conference trying to upload some video to the Web. It was a slow process using my Sprint wireless air card, so I decided to plug into the local area network that the conference was providing for journalists' use.

That sped things up and while I waited I checked some e-mail and read some Web sites. While this was going on I noticed three men sit down at my table and open a laptop. Speaking French, they acted excited and furtive, like they were doing something they weren't supposed to be doing--like boys sneaking a peak at dad's Playboy magazines.

I initially thought they were regular attendees just being bad by using the press room network when they weren't supposed to. Then I noticed their press badges, but I didn't think much more about it.

I left for a meeting and when I came back and logged on, I saw e-mails from editors at CNET News asking if me and my two colleagues were being hacked because they had received a tip from someone that we were. Then I got sent this link to an article that shows a screen shot of what looks like usernames and password of computers used by reporters at CNET News and eWeek. Apparently, as I learned later, the editor-in-chief of TG Daily had contacted CNET News to alert us to the situation, for which we are very grateful.

The TG Daily article says a network-sniffing tool called Cain had been used to expose the information in "journalist-on-journalist hacking" and that the organizers of the Wall of Sheep, who monitor the event's Wi-Fi network and display exposed passwords, had declined to publicize the breach.

My face flushed and I'm sure I had terror in my eyes as I looked at my colleague Robert Vamosi and realized what was happening.

Rendezvous at the Wall of Sheep
Vamosi and I went to talk to the guys who run the Wall of Sheep and they told us that three men had come in with a laptop, saying they had sniffed the usernames and passwords from the press room network and asked that they be posted to the Wall of Sheep. When I heard that they had French accents, I realized it was the three men sharing my table in the press room earlier.

According to the Wall of Sheep organizers, the men justified their actions by saying that journalists should be more careful about network security, particularly covering the Olympic games in China, and they scoffed at the lax security of the supposed CNET News password. At least one of the men, Marc Brami, a director of Global Security Magazine, left a business card.

I grabbed the press liaison for Black Hat to explain what was going on and she told me what she had heard and that they were investigating. Vamosi and I headed down to the press room to strategize, but when I poked my head into one of the press rooms, I saw a couple of the men. I notified the Black Hat press liaison and she pulled them aside privately to talk and eventually kicked them out of the conference, convinced of their malfeasance.

Meanwhile, my colleagues and I were in the other press room trying to figure out how this happened and what exactly happened. My two colleagues both use secure VPNs and are much more tech savvy than I am, so obviously I had to be the weak link. But I had thought I was being safe. As advised, I had taken my laptop to the network experts at the event before I even turned on my laptop. I told them I planned to use my wireless card. They checked that my Wi-Fi was turned off and said everything was kosher.

And I was using a VPN every time I logged on, with a strong password, even when I was using the local area network instead of my wireless card.

Then looking at the screenshot of the allegedly breached usernames and passwords, we noticed that the one purportedly associated with CNET News was not anything remotely similar to a username or password that I or my colleagues use. Maybe the breach was fake, we wondered.

eWeek reporter Brian Prince then confirmed that the exposed username and password attributed to his publication had been used by him. He has since written a sweet and self-deprecating account of what happened to him.

We still aren't certain whether CNET News traffic was compromised, or even if other reporters' passwords were sniffed. The sniffing could have merely grabbed data from someone downloading a CNET News page. We may never know.

A big mistake, a joke, or what?
Later, I called Brami to get comment for our original article on the incident and he claimed not to have known about the hacking until after it was done and that he and his colleague, Dominique Jouniot, had nothing to do with it. Brami blamed Mauro Israel, whose handle is "le netwizz" and who had accompanied he and Jouniot to the conference and was using a Global Security press badge.

I asked Brami why they were trying to embarrass journalists, and he denied that that was the purpose and said Israel "didn't know the rules," and that it was a "big mistake." I asked him if he had been huddled around a laptop with the other two or not shortly before the news got out, and he said, yes, he had been using the press room to file stories. Then I asked him if he had not been with the others when they showed their laptop with the password evidence to the Wall of Sheep organizers. Brami said, yes, he had been there too, but he said he didn't know what Israel was telling the Wall of Sheep organizers. "I didn't hear what he said," he explained. "(Israel) said it was a joke and that he didn't think it was important."

Tellingly, later Brami said: "For us, it was like a joke."

Some joke! Snooping on other journalists' passwords in the press room. Maybe they were confused about the purpose of the Wall of Sheep, which is designed to keep security professionals attending the show on their toes. But journalists aren't, and shouldn't be, held to that standard. The press room is seen as a safe haven for reporters and it is hosted by the show organizers who want reporters to cover the event. It's not a "hostile" network like the event's Wi-Fi network, where consent is implied, as Kurt Opsahl of the Electronic Frontier Foundation says.

Discussing the situation over dinner, I learned that while it may not exactly be a badge of honor to get hacked, the odds of it happening are higher the longer you hang out with hackers.

"If you've been in the industry long enough, you've been owned at some point," said George Kurtz, a senior vice president and general manager of McAfee's risk and compliance business unit.

That made me feel better, but I can't shake the feeling of violation I have. It's like a wind has blown my skirt up and exposed my underwear to a bunch of strangers. I guess I'll have to get used to the risk if I stay in the business, but from now on I'm wearing overalls.

Click here for full coverage of Black Hat 2008.