Forgot your password?
typodupeerror
EU Security

European Parliament Culls Public Wi-Fi Access After Email Hack 68

Posted by samzenpus
from the one-bad-apple dept.
hypnosec writes "A white hat hacker managed to break into multiple email accounts thereby forcing the European Parliament to cutoff its public Wi-Fi access. The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament. Through an internal mailer, members of the Parliament were informed that a 'hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).' The public Wi-Fi has been cut-off indefinitely and users at located at Brussels, Strasbourg and Luxembourg have been advised to apply for certificates and switch to more secure networks."
This discussion has been archived. No new comments can be posted.

European Parliament Culls Public Wi-Fi Access After Email Hack

Comments Filter:
  • by Gravis Zero (934156) on Friday November 29, 2013 @05:11AM (#45553923)

    nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

    • by Anonymous Coward on Friday November 29, 2013 @05:23AM (#45553959)

      it seems the more rational response is the fix the problem instead of treating the symptom.

      On the medium term the Parliament will take additional measures to further secure the communication to the Parliament.

      It sounds like they're shutting off the public system and encouraging people to use a more secure private system until they can figure out how to fix it. There's no point leaving the vulnerable system running while you work on a fix.

      • > until they can figure out how to fix it.

        It says "indefinitely".

        • Re: (Score:2, Informative)

          by Anonymous Coward

          > until they can figure out how to fix it.

          It says "indefinitely".

          Which is not the same as "permanently". "Indefinitely" can easily mean "Until we fix it, but as we don't have an ETA on that we're just going to say indefinitely so that people aren't constantly nagging us about whether it's going to be back tomorrow, next week or next month because we'd rather do a good job than rush it".

          • by durin (72931)

            You're way to gullible.
            "Indefinitely" in political terms is more or less equivalent to "permanently".

            • So you're the guy who's going to cut of a few hundreds of MPs permanently?
              • by phayes (202222)

                The MP's will move onto the WIFI protected with client certificates that the EU IT infrastructure will be deploying. For the public, indefinitely probably means permanently.

      • by mjwalshe (1680392)
        Should not there have been two separate systems with the staff one protected by certificates and a radius server - though after the fiasco of the cookie law it seems the eu it staff know as little about IT as the MEP's
    • by Anonymous Coward on Friday November 29, 2013 @05:28AM (#45553979)

      nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

      Why do you think they are not fixing the problem? The rational, first response is to stop the compromise getting any worse, as they have done. The next thing is to actually work out a proper and complete fix, which takes at least a little time. The geeky, fuckwitted, I'm-so-leet response would be to leave the public wifi up, slap on a simplistic set of changes quickly as possible and to miss some of the vulnerabilities.

    • by Anonymous Coward

      They took the most appropriate answer. Nobody attempted to hack a server. The vulnerability is bound to the use of wireless accesses and the possibility of social engineering. The most rational answer is to cut wireless until a secure alternative can be set to work.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        It makes 0 sense. He used a man-in-the-middle attach. Switching off the standard internet connection to the service under attack makes a man-in-the-middle attack _vastly easier_, not harder, since you do no longer have to compete against the legitimate service!
        In the worst case, everyone would now flock to the attacker since it's the only place where they still get "free public wifi".
        Sorry, but that is not a mitigation, it's idiocy.

    • nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

      They're simply following RFC 1925: [ietf.org]

      (6) It is easier to move a problem around (for example, by moving
      the problem to a different part of the overall network
      architecture) than it is to solve it.

      (6a) (corollary). It is always possible to add another level of
      indirection.

    • by beelsebob (529313)

      Certainly as a temporary measure, but you would hope that what they would eventually (fairly quickly) do is make the email server inaccessible to the public internet, and require use of a VPN to check email. Then this problem doesn't simply move to starbucks.

  • Certificates (Score:3, Informative)

    by Anonymous Coward on Friday November 29, 2013 @05:24AM (#45553965)

    They already use certificates to connect to their private wifi.
    Why not use certificates to connec to their email? Then a public wifi shouldn't have any impact.
    TLS/SSL should be sufficient, right?

    • by Lennie (16154)

      Maybe people clicked through the warning ?

    • by Krneki (1192201)

      TLS/SSL should be sufficient, right?

      It is, as long as you disable clear text connections and disable the user possibility to accept a different certificate pop-up. This means the user can only connect to the "work" email system if they use a device you provided and properly configured.

      It's time to secure the phones in the same way we secure PC/laptops.

  • by patrixmyth (167599) on Friday November 29, 2013 @05:31AM (#45553987)

    'Hey, I just kicked in your door to show how easy it is to kick in your door!'
    'Hey, I just graffitied your wall to show how easy it is to graffiti your wall!'
    'Hey, I just kicked you in the balls to show how easy it is kick you in the balls!'

    Calling yourself a security researcher doesn't magically give you rights to go dick with other people's networks.
    Email over a public wifi network is no less secure than a cellphone call, hallway conversation or written notes.

    A public wifi is a convenience and very useful for the right purposes. A white hat researcher reveals unknown vulnerabilities to the people who build protocols. This was an asshole with a script, a laptop and a desire for attention.

    • by Seumas (6865)

      This is a pretty useless submission as the things it links to offer no more information, as it is. However, I think people here are making a lot of unfounded assumptions, since the article doesn't indicate that the penetration tester was unauthorized. For all we know, it was someone contracted to perform the service and when he reported the issues, they took action.

      • Excellent point. It's an assumption of mine that no request to check vulnerabilities was made. That would make all the difference.
        My other assumption is that people on a public wifi network are informed they should be using it for only routine non-secure tasks.
        If the public network was being used for official business, then that's a problem, but it's not a technical problem. It's a training and education problem.
        Public Wifi is never secure.

    • by asifyoucare (302582) on Friday November 29, 2013 @05:43AM (#45554043)
      I'd agree with you if this just hacking some random shmoe, but this was the European parliament, even if it wasn't necessarily the parliamentarians themselves (though I bet more than one of them insist on having an insecure configuration). I'll guarantee that many black hats were already doing the same thing as this white hat. He did the parliament a great service, even if it meant shutting down the facility.
      • by Xest (935314) on Friday November 29, 2013 @08:30AM (#45554643)

        Yes but it's how you go about doing it. There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

        If you want fame you can still have it - wait until they've fixed it and then tell the world about how you found an exploit to access the e-mail of EU parliamentarians.

        The fact is, if you exploit without permission, you are by definition not a white hat, even if you do tell people they need to fix it afterwards.

        • There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

          I think you have misunderstood the summary. The second link implies the whitehat didn't go public because it was the IT services who made it public [epfsug.eu].

    • by Anonymous Coward

      'Hey, I just kicked in your door to show how easy it is to kick in your door!'

      Thanks for letting me know instead of just coming in and helping yourself to all my stuff.
      I'll just block off this doorway until I can find a more secure door that will stop you kicking it in.

      Isn't that what makes it white hat?

    • by Anonymous Coward

      Email is not a secure protocol. SMTP is not generally secured by TLS (you can configure a mail server to require it but some organizations will not be able to communicate with you).

      So for standard emails, anyone that has access to the equipment sending your information can read your emails.

    • This may not be a unknown or "zero day" vulnerability, but it's quite a serious security problem. If The WiFi systems inside the EU buildings were not properly secured and known script-kiddie level attacks were possible, it's good that somebody came forward and proved that this is a real problem. Administrators were aware, or should have been and did not act.

      Hacking accounts using MitM and selling the information to governments interested in this sort of information is what a black hat would have done. Thi

    • by j0ris (893806) on Friday November 29, 2013 @07:56AM (#45554511)

      The included links of the submission don't provide any further details about this "white hat hacker".

      This link does: http://www.euractiv.com/specialreport-cybersecurity/eu-parliament-investigating-hack-news-531877 [euractiv.com]

      "The hacker says his aim was simply to raise awareness about the vulnerability of the security system of the Parliament, at a time when the NSA spying scandal was shaking public opinion across Europe.

      The hacker sat in a public place near the Parliament building in Strasbourg and managed to make nearby smartphones and computers pass through the “wifi” of his computer to connect to the internet. That was the hardest part of the procedure, he explained.

      Then he accessed an application most MEPs use and which signals when new mail arrives in their inbox. The app does warn the user that an intruder is trying to access their data, but the message is “obscure”, the hacker said, and most users click OK, thereby giving access permission."

    • by Yvanhoe (564877)
      You don't understand how abyssmal is the consideration for communication security here. People here really learned from Snowden that NSA intercepts internet traffic. Sarkozy and Merkel were exchanging information through f$cking SMS! MEPs have to be hit repeatedly and very hard with a cluebat to understand anything.

      This guy, before being a white hat, was a concerned citizen. Yes, it is more about education and public perception than security research, but we are talking about people who are highly valuab
    • I must disagree with this. The hacker did a very useful service, and not because he hacked a public network, but because he proved that members of the Parliament were not taking the necessary precautions in dealing with very sensitive information, such as emails and their own passwords. The real story is not a guy setting up a fake access point, anyone can do that; it's government data being trivially snooped because of weak security policy. I see this all the time in eduroam (an international wireless roam

  • by Anonymous Coward

    As we've learned from our American counterparts, the proper response is... OMFG ARREST THE BASTARD

    • by mjwalshe (1680392)
      When they have asked their nephews pen friend from the USA what these boxes with blinky lights on actually do - as that seems to be the level of technical advice they have been given.
  • by ArsenneLupin (766289) on Friday November 29, 2013 @09:52AM (#45555139)
    Might help more to educate the users what a certificate is, and why it is bad to simply ignore/dismiss those dialog boxes that say "certification authority for this certificate not know. Clicking 'ignore' could potentially allow a malicious person to eavesdrop on your conversation with the server, including passwords, dirty laundry, ..."

    I'm 99% percent sure that the hacker didn't attempt anything smarter than set up his own doctored openwrt Wifi access point in a well-traveled location, with a man-in-the-middle on it, and without even bothering to make a particularly good forgery of the mail server's certificate.

    • by TheP4st (1164315)

      Might help more to educate the users what a certificate is.

      Many of those users fall into the category that believe the CD tray is a cup holder, that Internet Explorer is the Internet and that Pass1234 is a secure password. Good luck educating them, I've tried and on more than one occasion left with the feeling of having dropped a few IQ points.

      • But in any case, shutting down the public Wifi at the European Parliament will not help with this problem. They'll fall into the same trap in their hotel room, when they mistake the router that the hacker in the room next door has put up for the "official" Wifi of the hotel, even if the hotel never actually had an official Wifi...
    • Certificate forgery? Not even close to being that sophisticate. In the mailing list messages linked in TFA, it says that he put on a spoof captive-portal authentication page in pure HTTP (instead of the original HTTPS one).
  • members of the Parliament are using the public network to check their mail ? That alone is a breach of security...split that. members of the Parliament should use a private secure network (vpn, ssl, etc etc)...not the same network as mister and misses on the street lol. Just for starters the wifi is hidden to the public and thats only a first on the big list of security we implemented here and the security should be high even if people don't like it...it's your system, not theirs so its the admin's job to p

"If that makes any sense to you, you have a big problem." -- C. Durance, Computer Science 234

Working...