Black Hat makes light of accidental password-reset email

A Black Hat volunteer mistakenly sent to 7,500 conference goers a password-reset email that was initially thought to be a phishing attempt.

Organizers of the security conference, which started Saturday in Las Vegas, quickly released a statement making light of the error with a quote from Robert J. Hanlon: "Never attribute to malice that which is adequately explained by stupidity." Hanlon had submitted the quote for a 1980 compilation of various jokes related to Murphy's Law.

The volunteer, one of many at the conference, had triggered the mailing by changing the setting of a template system used in sending mass emails, said Wolfgang Kandek, chief technology officer for Qualys, who received one of the messages. "I thought it was some kind of test Black Hat was doing."


Black Hat General Manager Trey Ford issued a statement saying that a flaw in the system had made it possible for the volunteer to get the necessary privileges for sending mass emails.

"The email this morning was an abuse of functionality by a volunteer who has been spoken to," Ford said.

The email contained the subject line "your admin password" and the address of ITN International, the contractor used by Black Hat for on-site registration.

There were no reports of conference attendees clicking on the embedded link in the email to change their show passwords. Black Hat said there was no compromise of its database or attendee information.

Obvious signs that the email was a mistake included its lack of the new credentials that would have been needed to change the original password. In addition, Black Hat participants, who are mostly security experts, probably noticed that the embedded link led to a site other than Black Hat's. "Would we have clicked on anything like that? No, I don't think so," Kandek said on Monday.

Nevertheless, Black Hat attendees have played pranks on each other and occasionally on show organizers over the years. Ford made reference to the possibility of such mischief in his apology to people who received the email.

"We love to tease people that your systems need to be ready to hold their own if joining the Black Hat network," Ford said. "In this frame of mind, the community very correctly expected a prank or act of malice."

In the past, attendees at Black Hat and another security conference, Defcon, have hacked Las Vegas hotel TV billing systems and wireless computer networks to play tricks on fellow attendees. A "wall of sheep" has sometimes been created to display the names and partial passwords sniffed from unsecured computers on Wi-Fi networks.

Stories by Antone Gonsalves