Wall of Sheep comes to Black Hat

A popular fixture at Defcon is at this year's Black Hat to show the corporate crowd how vulnerable their data is on public networks.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi
3 min read
Wall of Sheep

LAS VEGAS--How confident are you when using your laptop at a conference?

For years, a group called Wall of Sheep has been showing attendees of Defcon when their network connections are insecure. The Wall of Sheep board has been a fixture at Defcon, Black Hat's sister conference set to begin tomorrow at the Riviera Hotel and Casino. The board displays the names (with some identifying information obscured) of those connecting to the Internet in insecure ways. The idea is both meant to shame and educate users on best practices.

"If the 'Best of the Best' in security can be exposed, think of the average users," said Riverside, a member of Aries Security, a group that maintains the Wall of Sheep.

For most of the year, the individual members (of which there are about seven) are scattered across the country, working in security at various companies. But for two weeks they come together in Las Vegas to plan and mount their equipment, though not without glitches.

On Thursday, Riverside was addressing some hardware failures in a conference room at Caesars Palace. "We have redundancy," he said. In the back of the room were various boxes and other electronic equipment and wires. In the past they've used their own equipment, although this year they're starting to get donations. "We're vendor agnostic," said Riverside, adding that they are using Windows, Mac, and various flavors of Linux.

What they're doing is passively monitoring the network traffic at Black Hat 2008. "We call it 'High Availability Sniffing,'" Riverside said. They're dangerously close to violating federal wiretapping laws, but they're on the "good guys" side, he added. "We've had CSOs, CIOs stop in and see just how vulnerable their communications are at this conference."

"And we've had people from three-letter agencies as well," added CeDoxx, another Aries member. They do inspect their logs, so if someone says they're with, say, the FBI, the Wall of Sheep will also see any Fail messages to rule out any bogus claims to greatness. At past Defcons, they've had pranksters flood the network with bogus claims just to slow down their work.

To see what's going across the Black Hat network, there are seats where you can plug in your own laptop and use whatever sniffer you have to see what they see. If they can see your network, they can see the clear text contents of your e-mail. "We don't do decryption," added Riverside. But, he quickly cautioned, he doesn't know what anyone coming into the room might do with the data. Or, more likely, roaming the hallways, noting that the network is available for anyone to monitor.

At least within the Wall of Sheep room you can get help on how not be posted on the display wall. For example, use encryption on your wireless connection such as WPA2. That will encrypt the signal from your mobile device to the access point. From there, the network itself should run Secure Sockets Layer (SSL).

Another thing Riverside recommends is to turn off all automatic connections to the Internet that fire up before you can establish a VPN connection. "Once on the VPN, you can open your chat or messaging apps." Even then, you should only connect to trusted Web sites and inspect their certificate to make sure it's valid. He said he's seen one certificate that misspelled Verisign as the certificate authority.

Click here for full coverage of Black Hat 2008.