Vegas hacker conference attracts pranksters

3 kicked out of Las Vegas convention after siphoning user names

Dan Kaminsky, director of penetration testing for Seattle-based computer security consultant IOActive Inc., speaks at the annual Black Hat convention in Las Vegas, Wednesday, Aug. 6, 2008. (AP Photo/Jae C. Hong)

For the second year in a row, reporters at the BlackHat and DefCon security conferences in Las Vegas have been kicked out for, well, hacking.

This year, three French reporters from Global Security Magazine, one of BlackHat's sponsors, had their badges seized after they siphoned user names and passwords off the press room's network from reporters for Cnet in San Francisco and the technology magazine eWeek in New York.

Their goal was to get victims' credentials posted on the conferences' "Wall of Sheep," where people who access the wireless network at the conference without taking security precautions are publicly exposed.

"Potentially everyone in the room had been a victim," wrote one target, Robert Vamosi of Cnet, in his first-person account, describing how other reporters reacted to the news. "And as such, we rallied around each other for support."

Reporters weren't so supportive of each other last year, when a producer from "Dateline NBC" tried to attend DefCon undercover but was found out. Videos of her fleeing the conference as other reporters taped her exit are still posted on YouTube.

BlackHat and its sister conference, DefCon, are two of the year's biggest and most entertaining security conferences, and thousands of hackers and wannabe hackers - some wearing tattoos and multiple body piercings and spiky colored hair - attend.

Federal agents try to recruit the ones who haven't engaged in criminal activity to help the government fight cybercrime. Security vendors hawk their products, researchers hold talks to demonstrate the latest Internet security vulnerabilities they've discovered, and there's a large press corps on hand to chronicle it all.

The conferences started out small, but as hacking has changed over the past few years from an anti-establishment hobby to a multimillion-dollar international business controlled by hard-core criminals, conference attendance has grown, too.

As usual, activities have ranged from the comic to the serious.

Some portion of the Internet is still vulnerable to one of the most serious flaws to hit the network in years - a design flaw in the Internet's Domain Name System, which locates Web sites as users surf the Web, researcher Dan Kaminsky said Wednesday.

He presented a long list of problems the flaw makes possible - from diverting people to fake Web sites to redirecting their e-mails. The only reason it's not been exploited much so far is that the good guys found it first and are watching for malicious activity, said David Ulevitch, the CEO of OpenDNS in San Francisco, whose software is not vulnerable to the problem.

Researchers at the conference have been meeting this week to negotiate a long-term fix. (Check doxpara.com for more information and to see if your computer is vulnerable.)

As in past years, the number of new security flaws demonstrated at the conferences is breathtaking. Hacked iPhones left sitting unattended in corporate mail rooms can scan for nearby wireless connections, and Google Gadgets may harbor malicious code.

Even some experts in security proved they can be tricked. A couple of pranksters - Shawn Moyer, chief information security officer for Agura Digital Security, and Nathan Hamiel, senior consultant for Idea Information Security - said they attracted more than 50 friends to each of three fake profiles they set up on social-networking sites.

They declined to name the sites or those they lured, but said they included people who should know better - chief information security officers of major corporations and people who work in the defense industry.

"We really were surprised at the level of trust we found," Moyer said.