European Parliament Culls Public Wi-Fi Access After Email Hack
hypnosec writes "A white hat hacker managed to break into multiple email accounts thereby forcing the European Parliament to cut off its public Wi-Fi access. The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament. Through an internal mailer, members of the Parliament were informed that a 'hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).' The public Wi-Fi has been cut off indefinitely and users located at Brussels, Strasbourg and Luxembourg have been advised to apply for certificates and switch to more secure networks."
forcing them to cutoff access? (Score:4, Insightful)
nobody is forcing them to do anything. it seems the more rational response is to fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?
Re:forcing them to cutoff access? (Score:5, Informative)
> it seems the more rational response is to fix the problem instead of treating the symptom.
It sounds like they're shutting off the public system and encouraging people to use a more secure private system until they can figure out how to fix it. There's no point leaving the vulnerable system running while you work on a fix.
Re: (Score:1)
> until they can figure out how to fix it.
It says "indefinitely".
Re: (Score:2, Informative)
> until they can figure out how to fix it.
> It says "indefinitely".
Which is not the same as "permanently". "Indefinitely" can easily mean "Until we fix it, but as we don't have an ETA on that we're just going to say indefinitely so that people aren't constantly nagging us about whether it's going to be back tomorrow, next week or next month because we'd rather do a good job than rush it".
Re: (Score:1)
You're way too gullible.
"Indefinitely" in political terms is more or less equivalent to "permanently".
Re: (Score:2)
The MP's will move onto the WIFI protected with client certificates that the EU IT infrastructure will be deploying. For the public, indefinitely probably means permanently.
Re:forcing them to cutoff access? (Score:5, Insightful)
> nobody is forcing them to do anything. it seems the more rational response is to fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?
Why do you think they are not fixing the problem? The rational, first response is to stop the compromise getting any worse, as they have done. The next thing is to actually work out a proper and complete fix, which takes at least a little time. The geeky, fuckwitted, I'm-so-leet response would be to leave the public wifi up, slap on a simplistic set of changes quickly as possible and to miss some of the vulnerabilities.
Re: (Score:1)
They took the most appropriate answer. Nobody attempted to hack a server. The vulnerability is bound to the use of wireless accesses and the possibility of social engineering. The most rational answer is to cut wireless until a secure alternative can be set to work.
Re: (Score:2, Insightful)
It makes 0 sense. He used a man-in-the-middle attack. Switching off the standard internet connection to the service under attack makes a man-in-the-middle attack _vastly easier_, not harder, since you no longer have to compete against the legitimate service!
In the worst case, everyone would now flock to the attacker since it's the only place where they still get "free public wifi".
Sorry, but that is not a mitigation, it's idiocy.
Re: (Score:2)
> nobody is forcing them to do anything. it seems the more rational response is to fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?
They're simply following RFC 1925: [ietf.org]
Re: (Score:2)
Certainly as a temporary measure, but you would hope that what they would eventually (fairly quickly) do is make the email server inaccessible to the public internet, and require use of a VPN to check email. Then this problem doesn't simply move to starbucks.
Certificates (Score:3, Informative)
They already use certificates to connect to their private wifi.
Why not use certificates to connect to their email? Then a public wifi shouldn't have any impact.
TLS/SSL should be sufficient, right?
Re: (Score:2)
Imagine a large corporation where every department has its own IT department, where no embedded IT department trusts any other embedded IT department and where few people trust the centralized IT. Throw in the fact that most of the IT is managed from Luxembourg, the political impossibility to enforce rules across the network, the relatively low salary for the IT people not on the paper pusher path (becoming internal would have cost me a whole third of my salary), the insanity of the promotion rules, core se
Re: (Score:2)
Maybe people clicked through the warning ?
Re: (Score:2)
> TLS/SSL should be sufficient, right?
It is, as long as you disable clear text connections and disable the user possibility to accept a different certificate pop-up. This means the user can only connect to the "work" email system if they use a device you provided and properly configured.
It's time to secure the phones in the same way we secure PC/laptops.
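What the comment above describes (no cleartext connection and no way for the user to accept a different certificate), as an added Python example that is not part of the thread. The host name and the pinned fingerprint are supplied by the caller, and `strict_context`, `pin_ok` and `open_mailbox` are illustrative names.

```python
import hashlib
import hmac
import imaplib
import ssl


def strict_context() -> ssl.SSLContext:
    """TLS context that fails closed: system trust store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pin_ok(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the SHA-256 fingerprint of the server certificate (DER bytes)
    with the fingerprint provisioned on the device."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256_hex.lower())


def open_mailbox(host: str, pinned_sha256_hex: str) -> imaplib.IMAP4_SSL:
    """Open an IMAP session over implicit TLS (port 993).

    There is no cleartext fallback and no prompt: a certificate that does not
    chain to a trusted CA, does not match the host name, or does not match the
    provisioned pin ends the connection with an exception.
    """
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=strict_context())
    cert_der = conn.sock.getpeercert(binary_form=True)
    if not pin_ok(cert_der, pinned_sha256_hex):
        conn.shutdown()
        raise ssl.SSLError("server certificate does not match provisioned pin")
    return conn
```
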
what makes this white hat? (Score:5, Insightful)
'Hey, I just kicked in your door to show how easy it is to kick in your door!'
'Hey, I just graffitied your wall to show how easy it is to graffiti your wall!'
'Hey, I just kicked you in the balls to show how easy it is to kick you in the balls!'
Calling yourself a security researcher doesn't magically give you rights to go dick with other people's networks.
Email over a public wifi network is no less secure than a cellphone call, hallway conversation or written notes.
A public wifi is a convenience and very useful for the right purposes. A white hat researcher reveals unknown vulnerabilities to the people who build protocols. This was an asshole with a script, a laptop and a desire for attention.
Re: (Score:2)
This is a pretty useless submission as the things it links to offer no more information, as it is. However, I think people here are making a lot of unfounded assumptions, since the article doesn't indicate that the penetration tester was unauthorized. For all we know, it was someone contracted to perform the service and when he reported the issues, they took action.
Re: (Score:2)
Excellent point. It's an assumption of mine that no request to check vulnerabilities was made. That would make all the difference.
My other assumption is that people on a public wifi network are informed they should be using it for only routine non-secure tasks.
If the public network was being used for official business, then that's a problem, but it's not a technical problem. It's a training and education problem.
Public Wifi is never secure.
Comment removed (Score:5, Insightful)
Re:what makes this white hat? (Score:4, Insightful)
Yes but it's how you go about doing it. There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.
If you want fame you can still have it - wait until they've fixed it and then tell the world about how you found an exploit to access the e-mail of EU parliamentarians.
The fact is, if you exploit without permission, you are by definition not a white hat, even if you do tell people they need to fix it afterwards.
Re: (Score:1)
> There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.
I think you have misunderstood the summary. The second link implies the whitehat didn't go public because it was the IT services who made it public [epfsug.eu].
Re: (Score:3)
One part of being a white hat hacker would be to report the problem after you found the problem.
Instead of just abusing the hell out of it, hoping it won't get discovered.
Re: (Score:2)
If this were equivalent to doing so I might agree. However it's not. It's like looking at a lock made out of paper and pointing out to the people who own the house that paper locks don't keep out bad guys.
Re: (Score:1)
> 'Hey, I just kicked in your door to show how easy it is to kick in your door!'
Thanks for letting me know instead of just coming in and helping yourself to all my stuff.
I'll just block off this doorway until I can find a more secure door that will stop you kicking it in.
Isn't that what makes it white hat?
Re: what makes this white hat? (Score:1)
Email is not a secure protocol. SMTP is not generally secured by TLS (you can configure a mail server to require it but some organizations will not be able to communicate with you).
So for standard emails, anyone that has access to the equipment sending your information can read your emails.
The fact that he told and didn't sell (Score:2)
This may not be an unknown or "zero day" vulnerability, but it's quite a serious security problem. If the WiFi systems inside the EU buildings were not properly secured and known script-kiddie level attacks were possible, it's good that somebody came forward and proved that this is a real problem. Administrators were aware, or should have been and did not act.
Hacking accounts using MitM and selling the information to governments interested in this sort of information is what a black hat would have done. Thi
Re:what makes this white hat? (Score:4, Informative)
The included links of the submission don't provide any further details about this "white hat hacker".
This link does: http://www.euractiv.com/specialreport-cybersecurity/eu-parliament-investigating-hack-news-531877 [euractiv.com]
"The hacker says his aim was simply to raise awareness about the vulnerability of the security system of the Parliament, at a time when the NSA spying scandal was shaking public opinion across Europe.
The hacker sat in a public place near the Parliament building in Strasbourg and managed to make nearby smartphones and computers pass through the “wifi” of his computer to connect to the internet. That was the hardest part of the procedure, he explained.
Then he accessed an application most MEPs use and which signals when new mail arrives in their inbox. The app does warn the user that an intruder is trying to access their data, but the message is “obscure”, the hacker said, and most users click OK, thereby giving access permission."
Re: (Score:2)
Nice job marketers! You've managed to completely confuse users what a certificate is for, and why it matters. Hint: it's not about trusting the server that you're talking to, it's about trusting the path from you to the server!
Re: (Score:2)
This guy, before being a white hat, was a concerned citizen. Yes, it is more about education and public perception than security research, but we are talking about people who are highly valuab
Re: (Score:1)
I must disagree with this. The hacker did a very useful service, and not because he hacked a public network, but because he proved that members of the Parliament were not taking the necessary precautions in dealing with very sensitive information, such as emails and their own passwords. The real story is not a guy setting up a fake access point, anyone can do that; it's government data being trivially snooped because of weak security policy. I see this all the time in eduroam (an international wireless roam
ARREST HIM (Score:1)
As we've learned from our American counterparts, the proper response is... OMFG ARREST THE BASTARD
Classical man-in-the-middle (Score:3)
I'm 99% percent sure that the hacker didn't attempt anything smarter than set up his own doctored openwrt Wifi access point in a well-traveled location, with a man-in-the-middle on it, and without even bothering to make a particularly good forgery of the mail server's certificate.
Re: (Score:2)
Might help more to educate the users what a certificate is.
Many of those users fall into the category that believe the CD tray is a cup holder, that Internet Explorer is the Internet and that Pass1234 is a secure password. Good luck educating them, I've tried and on more than one occasion left with the feeling of having dropped a few IQ points.