A “Wall of Shame” or “Wall of Sheep” is a real-time demonstration application which searches for non secured (read: sent in clear text) login/passwords sent through a network. One of the well-know wall of sheep is the one operated every year during the Defcon conference in Las Vegas.
A few days ago, the second edition of BruCON was organized in Brussels, Belgium. Since the beginning, I was tempted to run a wall of shame but there was too much important tasks to complete during the first edition (it was just a “nice to have” project). This year, I came back with my idea and I did it. But this was a long debate! Some people were excited by the idea while others were more skeptical. Finally, it was decided to display the wall of shame during a few minutes like a sort of proof-of-concept. That’s why I’d like to give my vision about running a wall of shame.
Everybody who’s attending a security conference or bar using an open WiFi network must be aware of the risks encountered to use unencrypted protocols. Common “old” protocols are unencrypted like POP3, IMAP, HTTP, FTP, VNC and much more. Best practices are to use the “S” versions like POP3S, IMAPS or to completely encrypt your traffic into a VPN. From my point of view, a wall of sheep must be seen as an educational or security awareness tool. The goal is certainly not to compile a huge list of credentials and abuse of them later.
The pro of a wall of shame is the “electroshock” received by people who see their obfuscated login information published on a big screen. You prove to them by “A + B” that indeed their information is not protected. Unfortunately, the human behavior acts like this: you can repeat millions of time the same story, we’ll forget it soon. Our brain has two types of memory: short-term and long-term. By default, what we learn/see/listen is stored in the short-term memory. Sometimes, with the help of special actions or events, the information can be moved to the long-term memory. A wall of shame is a great security awareness tool. Keep in mind that awareness also means recurrent reminders. A lot of people had background processes or agents running without realizing it and got hit by using WiFi…. It’s not just about unaware users as even security experts made the screen (no name here 😉 ).
Besides the fact that a wall of shame is funny and well accepted by the audience, they are disadvantages and you have to keep them in mind. Some people won’t be happy to see their name mentioned on the wall. Be prepared to receive complaints from angry people. In some countries, there might also be legal issues (or gray areas). Do NOT try to decrypt encrypted traffic! Never! Finally, your wall of shame may revive the debate about hackers vs. crackers.
- First, think about the communication! Your visitors must be warned about the risks of potential collection and disclosure of personal data. This can be performed via printed documents (written black on white) and verbal announces at regular interval.
- The wall of shame must be available only from restricted terminals and certainly not published on the Internet. Do not let visitors to access it, just display it on a beamer or a big screen.
- The wall of shame must be running entirely in the server memory (via a tmpfs). No information is stored on disks. Just unplug the power cable and everything must be gone!
- Of course, the server must be installed in a safe location with restricted access (physical and logical)
- The server must collect data from a restricted network (example: the free / unencrypted WiFi network provided to the visitors)
- Do not display the complete IP address. The last byte of the destination address must be hidden (ex: 123.123.123.*);
- Only the first letter of the password is displayed;
- The remaining password is replaced by a random number of stars (to prevent people to guess the password length);
- The last 15 discovered login/password is displayed (to limit the history in time).
Of course, everything must be properly deleted wiped after the event. If you’re interested and would like to run your own wall of shame, have a look here.
One comment