Affected attendees claim the organizers broke the law

Oct 16, 2009 12:17 GMT  ·  By
SecTor excercise brings accusations of unlawful network traffic interception
   SecTor excercise brings accusations of unlawful network traffic interception

An HTTP traffic snooping exercise performed during the Security Conference Toronto (SecTor) earlier this month has upset many attendees whose login credentials for various websites were captured and displayed publicly. The affected individuals claim that the organizers were deceptive and that they potentially broke Canadian federal law.

This year, the organizers of the SecTor conference introduced a new exercise that apparently aimed at educating users about the risks of not using encryption protocols when sending information over public networks. Attendees were informed that network traffic would be snooped and that the captured credentials would be posted on a Wall of Shame.

The concept was borrowed from the renowned Black Hat hacking conference, which has a similar security exercise called the Wall of Sheep. However, as it turns out, SecTor's implementation of the idea was a bit different and unexpected. While at DEFCON, only traffic passing over an insecure network is intercepted, the SecTor organizers snooped traffic from both the open wireless network called "Sector2009" and the WPA2-AES-protected one called "Sector2009Secured."

In fact, eSentire, a Canadian security vendor in charge with the network bugging at SecTor, did not even bother to intercept wireless traffic and tapped directly outside the access points, into the wired network, instead. This allowed it to monitor information sent even over the "secure" wlan. This did not seem fair to the attendees who thought they were surfing securely and later found their partially obscured credentials on the Wall of Shame.

eSentire thought this method would more accurately represent the risks of not using encryption when passing login credentials and other confidential information onto the Internet. This happens when HTTP is used for sensitive communication instead of HTTPS, something which security experts strongly advise against.

Apparently, there was a failure of communication somewhere between eSentire, the conference organizers, and the public, as many attendees were unaware of the full extent of the snooping. Announcements of the exercise were made during breaks by SecTor founder Brian Bourne, who eventually ended up on the wall of shame himself, but many might have missed them.

In addition, Andrew Hay, a Canadian security professional, notes on his blog that "During the morning break announcements on the second day of the conference, Bourne informed all attendees that only the unsecured wireless network traffic was being collected and displayed by eSentire on the Wall of Shame neglecting to mention the direct network collection captures." Hay points out that this could even have legal repercussions, as the Canadian Criminal Code clearly prohibits the interception of private communication without prior consent.

Due to the overwhelming number of complaints, the organizers decided to take down the wall of shame earlier than scheduled and proceeded to destroying the data. Nevertheless, Bourne applauded the exercise and said that it would be performed again next year. "We plan to bring it back next year with an even more in-your-face communication. That way, there's no misunderstanding," he commented for The Register.