Slashdot Mirror

← Back to Stories (view on slashdot.org)

European Parliament Culls Public Wi-Fi Access After Email Hack

Posted by samzenpus on from the one-bad-apple dept.

hypnosec writes "A white hat hacker managed to break into multiple email accounts thereby forcing the European Parliament to cutoff its public Wi-Fi access. The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament. Through an internal mailer, members of the Parliament were informed that a 'hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).' The public Wi-Fi has been cut-off indefinitely and users at located at Brussels, Strasbourg and Luxembourg have been advised to apply for certificates and switch to more secure networks."

68 comments

  1. forcing them to cutoff access? by Gravis+Zero · · Score: 3, Insightful

    nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 5, Informative

      it seems the more rational response is the fix the problem instead of treating the symptom.

      On the medium term the Parliament will take additional measures to further secure the communication to the Parliament.

      It sounds like they're shutting off the public system and encouraging people to use a more secure private system until they can figure out how to fix it. There's no point leaving the vulnerable system running while you work on a fix.

    2. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 5, Insightful

      nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

      Why do you think they are not fixing the problem? The rational, first response is to stop the compromise getting any worse, as they have done. The next thing is to actually work out a proper and complete fix, which takes at least a little time. The geeky, fuckwitted, I'm-so-leet response would be to leave the public wifi up, slap on a simplistic set of changes quickly as possible and to miss some of the vulnerabilities.

    3. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 0

      Totally illogical and thoughtless comment. Now, think again if your attention span is more than 1 second.

    4. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 1

      They took the most appropriate answer. Nobody attempted to hack a server. The vulnerability is bound to the use of wireless accesses and the possibility of social engineering. The most rational answer is to cut wireless until a secure alternative can be set to work.

    5. Re:forcing them to cutoff access? by ciaran_o_riordan · · Score: 0

      > until they can figure out how to fix it.

      It says "indefinitely".

      --
      Expert in software patents or patent law? Contribute to the ESP wiki!
    6. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 2, Insightful

      It makes 0 sense. He used a man-in-the-middle attach. Switching off the standard internet connection to the service under attack makes a man-in-the-middle attack _vastly easier_, not harder, since you do no longer have to compete against the legitimate service!
      In the worst case, everyone would now flock to the attacker since it's the only place where they still get "free public wifi".
      Sorry, but that is not a mitigation, it's idiocy.

    7. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 2, Informative

      > until they can figure out how to fix it.

      It says "indefinitely".

      Which is not the same as "permanently". "Indefinitely" can easily mean "Until we fix it, but as we don't have an ETA on that we're just going to say indefinitely so that people aren't constantly nagging us about whether it's going to be back tomorrow, next week or next month because we'd rather do a good job than rush it".

    8. Re:forcing them to cutoff access? by durin · · Score: 0

      You're way to gullible.
      "Indefinitely" in political terms is more or less equivalent to "permanently".

      --
      Why, yes! I AM new here.
    9. Re: forcing them to cutoff access? by Anonymous Coward · · Score: 0

      In political terms, maybe... So? This isn't a political decision.

    10. Re:forcing them to cutoff access? by findoutmoretoday · · Score: 1

      So you're the guy who's going to cut of a few hundreds of MPs permanently?

    11. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 0

      I personally mix that word to "permanently", cause "indefinitely" just sounds like it's gone forever. Something in that word just rings "permanently" in my ear. I wish "temporarely" would be used more, but that would suggest it actually is temporary, "indefinitely" could go either way.

    12. Re:forcing them to cutoff access? by phayes · · Score: 1

      The MP's will move onto the WIFI protected with client certificates that the EU IT infrastructure will be deploying. For the public, indefinitely probably means permanently.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    13. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 0

      The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament.

      Apparently calling yourself a researcher is a free get out of jail card for anyone "hacking" into computer systems. But I doubt the US Government would treat the act as anything less than terrorism with associated penalties.

    14. Re:forcing them to cutoff access? by VortexCortex · · Score: 1

      nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

      They're simply following RFC 1925:

      (6) It is easier to move a problem around (for example, by moving
          the problem to a different part of the overall network
          architecture) than it is to solve it.

          (6a) (corollary). It is always possible to add another level of
              indirection.

    15. Re:forcing them to cutoff access? by beelsebob · · Score: 1

      Certainly as a temporary measure, but you would hope that what they would eventually (fairly quickly) do is make the email server inaccessible to the public internet, and require use of a VPN to check email. Then this problem doesn't simply move to starbucks.

    16. Re:forcing them to cutoff access? by mjwalshe · · Score: 1

      Should not there have been two separate systems with the staff one protected by certificates and a radius server - though after the fiasco of the cookie law it seems the eu it staff know as little about IT as the MEP's

  2. Apparently... by Anonymous Coward · · Score: 0

    his hat wasn't so white.

    1. Re:Apparently... by Anonymous Coward · · Score: 0

      Howso? How could he have done anything better?

  3. Certificates by Anonymous Coward · · Score: 3, Informative

    They already use certificates to connect to their private wifi.
    Why not use certificates to connec to their email? Then a public wifi shouldn't have any impact.
    TLS/SSL should be sufficient, right?

    1. Re:Certificates by Anonymous Coward · · Score: 0

      Yes, but people don't do this voluntarily.

      What we found is that you have to disable non-SSL access so that most insecure accesses turn into "It doesn't work" and they call the helpdesk

      And then you have to conduct occasional audits where you verify that they're using SSL securely to prevent MitM attacks by interposing such a MitM and watching to see which people authenticate against the fake server and which email helpdesk to say they can't connect. We do those about once per year, usually get a few people who've turned off certificate checks.

      If you use Group Policy you can enforce some of this stuff on peons so that they can't fuck it up. But what works on peons isn't always suitable for the kind of people who do infrastructure work themselves, that's why you need proactive stuff like I listed above. It's AMAZING how many connections to a fake server will come from people who are "too clever" to give their credentials to bad guys and thus don't think the rules apply to them.

    2. Re:Certificates by Lennie · · Score: 1

      Maybe people clicked through the warning ?

      --
      New things are always on the horizon
    3. Re:Certificates by Krneki · · Score: 1

      TLS/SSL should be sufficient, right?

      It is, as long as you disable clear text connections and disable the user possibility to accept a different certificate pop-up. This means the user can only connect to the "work" email system if they use a device you provided and properly configured.

      It's time to secure the phones in the same way we secure PC/laptops.

      --
      Love many, trust a few, do harm to none.
    4. Re:Certificates by EvilAlphonso · · Score: 1

      Imagine a large corporation where every department has its own IT department, where no embedded IT department trusts any other embedded IT department and where few people trust the centralized IT. Throw in the fact that most of the IT is managed from Luxembourg, the political impossibility to enforce rules across the network, the relatively low salary for the IT people not on the paper pusher path (becoming internal would have cost me a whole third of my salary), the insanity of the promotion rules, core services being outsourced to the lowest bidder every five years... and you've got the recipe for the mess they're in.

      The technical solutions to fix the EP IT issues are known and easy, the problem is getting the political support to make them stick.

  4. what makes this white hat? by patrixmyth · · Score: 5, Insightful

    'Hey, I just kicked in your door to show how easy it is to kick in your door!'
    'Hey, I just graffitied your wall to show how easy it is to graffiti your wall!'
    'Hey, I just kicked you in the balls to show how easy it is kick you in the balls!'

    Calling yourself a security researcher doesn't magically give you rights to go dick with other people's networks.
    Email over a public wifi network is no less secure than a cellphone call, hallway conversation or written notes.

    A public wifi is a convenience and very useful for the right purposes. A white hat researcher reveals unknown vulnerabilities to the people who build protocols. This was an asshole with a script, a laptop and a desire for attention.

    --
    "Don't you know you're going to shock the monkey?"- Peter Gabriel
    1. Re:what makes this white hat? by Seumas · · Score: 2

      This is a pretty useless submission as the things it links to offer no more information, as it is. However, I think people here are making a lot of unfounded assumptions, since the article doesn't indicate that the penetration tester was unauthorized. For all we know, it was someone contracted to perform the service and when he reported the issues, they took action.

    2. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      Or possibly a foreign agent. There's no indication that this wasn't a malicious attack.

    3. Re:what makes this white hat? by Anonymous Coward · · Score: 1

      'Hey, I just kicked in your door to show how easy it is to kick in your door!'

      Thanks for letting me know instead of just coming in and helping yourself to all my stuff.
      I'll just block off this doorway until I can find a more secure door that will stop you kicking it in.

      Isn't that what makes it white hat?

    4. Re: what makes this white hat? by Anonymous Coward · · Score: 1

      Email is not a secure protocol. SMTP is not generally secured by TLS (you can configure a mail server to require it but some organizations will not be able to communicate with you).

      So for standard emails, anyone that has access to the equipment sending your information can read your emails.

    5. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      The same thing that makes this guy a "hacker": His say-so, proving once again that he really hasn't a clue.

      Very few in the security biz, either side of the fence, are in fact capable of the excelling in creativity with technology that is what defines "hacking", and so they're claiming a label that is not rightfully theirs. Same thing with "ethical" --which again neither really are-- nor the whole thing with hat colours. "Hacking" isn't solely, or even mainly, about security and finding holes therein. That the term got hijacked merely means exactly that, abuse of language. Along with the abuse of computers, money, people, and so on. These "consultants and entrepeneurs" simply make too much money to be part of the solution.

      Time to stop calling this "hacking", and forget about the hats entirely.

    6. Re:what makes this white hat? by Lennie · · Score: 2

      One part of being a white hat hacker would be to report the problem after you found the problem.

      Instead of just abusing the hell out of it, hoping it won't get discovered.

      --
      New things are always on the horizon
    7. Re:what makes this white hat? by patrixmyth · · Score: 1

      Excellent point. It's an assumption of mine that no request to check vulnerabilities was made. That would make all the difference.
      My other assumption is that people on a public wifi network are informed they should be using it for only routine non-secure tasks.
      If the public network was being used for official business, then that's a problem, but it's not a technical problem. It's a training and education problem.
      Public Wifi is never secure.

      --
      "Don't you know you're going to shock the monkey?"- Peter Gabriel
    8. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      Why don't they get an actual job as a security consultant or auditor?
      That way they can legally do this stuff and get paid for it.
      I don't go around picking peoples locks and telling them how insecure they are.

    9. Re:what makes this white hat? by j0ris · · Score: 4, Informative

      The included links of the submission don't provide any further details about this "white hat hacker".

      This link does: http://www.euractiv.com/specialreport-cybersecurity/eu-parliament-investigating-hack-news-531877

      "The hacker says his aim was simply to raise awareness about the vulnerability of the security system of the Parliament, at a time when the NSA spying scandal was shaking public opinion across Europe.

      The hacker sat in a public place near the Parliament building in Strasbourg and managed to make nearby smartphones and computers pass through the “wifi” of his computer to connect to the internet. That was the hardest part of the procedure, he explained.

      Then he accessed an application most MEPs use and which signals when new mail arrives in their inbox. The app does warn the user that an intruder is trying to access their data, but the message is “obscure”, the hacker said, and most users click OK, thereby giving access permission."

    10. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      The problem is not the public wifi but the use of unencrypted mail protocols or acceptance of bogus mail server certificates.

    11. Re:what makes this white hat? by Xest · · Score: 3, Insightful

      Yes but it's how you go about doing it. There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

      If you want fame you can still have it - wait until they've fixed it and then tell the world about how you found an exploit to access the e-mail of EU parliamentarians.

      The fact is, if you exploit without permission, you are by definition not a white hat, even if you do tell people they need to fix it afterwards.

    12. Re:what makes this white hat? by cyborg_zx · · Score: 1

      If this were equivalent to doing so I might agree. However it's not. It's like looking at a lock made out of paper and pointing out to the people who own the house that paper locks don't keep out bad guys.

    13. Re:what makes this white hat? by ArsenneLupin · · Score: 1
      Personally, I'd guess acceptance of bogus mail server certificates rather than unencrypted protocol.

      Nice job marketers! You've managed to completely confuse users what a certificate is for, and why it matters. Hint: it's not about trusting the server that you're talking to, it's about trusting the path from you to the server!

    14. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      This was an asshole with a script, a laptop and a desire for attention.

      Yes, and he's probably a pedophile hiding in exile in Russia now too right?

      When are we going to stop shooting the messenger and start holding people responsible for bad security, I don't know responsible?

      Do you think the 'real' bad guys are going to show you how easy it is to kick you in the balls? They know better than to get caught. Be thankful you haven't lifted yourself up from the floor with taste of testicles in your mouth wondering wtf just happened.

      Parliament had no business creating insecure public Wi-Fi access. Burn them at the stake for this screw up and continue burning them until they take security seriously and get it right.

    15. Re:what makes this white hat? by Yvanhoe · · Score: 1

      You don't understand how abyssmal is the consideration for communication security here. People here really learned from Snowden that NSA intercepts internet traffic. Sarkozy and Merkel were exchanging information through f$cking SMS! MEPs have to be hit repeatedly and very hard with a cluebat to understand anything.

      This guy, before being a white hat, was a concerned citizen. Yes, it is more about education and public perception than security research, but we are talking about people who are highly valuable target to lobbyists and who don't understand that their smartphone are not a secure way to receive their emails.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    16. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      'Hey, I just kicked in your door to show how easy it is to kick in your door!'

      More along the lines of "Hey, I've noticed your lock's broken. You might want to fix it."

    17. Re:what makes this white hat? by mjwalshe · · Score: 1

      so its a MITM attack

    18. Re:what makes this white hat? by Anonymous Coward · · Score: 0

      But the fundamental problem is that anyone can create their own wifi zone with the same ESSID with the same name as the official zone, and crack username/passkeys that way.

    19. Re:what makes this white hat? by tiagosousa · · Score: 1

      There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

      I think you have misunderstood the summary. The second link implies the whitehat didn't go public because it was the IT services who made it public.

    20. Re:what makes this white hat? by tiagosousa · · Score: 1

      I must disagree with this. The hacker did a very useful service, and not because he hacked a public network, but because he proved that members of the Parliament were not taking the necessary precautions in dealing with very sensitive information, such as emails and their own passwords. The real story is not a guy setting up a fake access point, anyone can do that; it's government data being trivially snooped because of weak security policy. I see this all the time in eduroam (an international wireless roaming service for students), which despite being WPA2-Enterprise (802.1x), most people don't bother setting up the security certificate and/or prefer connecting to hassle-free open wifi networks. It's bad enough that students do this, but utterly unacceptable for politicians.

      The fact that the hacker exposed this to IT services (and it was the IT services who went public) instead of selling intelligence to foreign powers, makes him a whitehat.

  5. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  6. "cut off" are two words... by Anonymous Coward · · Score: 0

    Idiots.

    'Cutoff' is a noun.

  7. Strasbourg by Anonymous Coward · · Score: 0

    They could continue and shut down the Strasbourg location all together.
    It's a massive waste of resources(money and nature) and totally idiotic to maintain 2 locations and have all travel between the 2 just to keep France happy.

    1. Re:Strasbourg by findoutmoretoday · · Score: 1

      Rather send the lobbyists and there MP back to Strasbourg and keep them there.

  8. ARREST HIM by Anonymous Coward · · Score: 1

    As we've learned from our American counterparts, the proper response is... OMFG ARREST THE BASTARD

    1. Re:ARREST HIM by mjwalshe · · Score: 1

      When they have asked their nephews pen friend from the USA what these boxes with blinky lights on actually do - as that seems to be the level of technical advice they have been given.

  9. Knock knock by Anonymous Coward · · Score: 0

    Who's there?
    NSA / Not NSA
    "Oh please come in dear US overlords" / "SHUTDOWN EVERYTHING!!! CALL THE NEWS"

  10. The fact that he told and didn't sell by dutchwhizzman · · Score: 1

    This may not be a unknown or "zero day" vulnerability, but it's quite a serious security problem. If The WiFi systems inside the EU buildings were not properly secured and known script-kiddie level attacks were possible, it's good that somebody came forward and proved that this is a real problem. Administrators were aware, or should have been and did not act.

    Hacking accounts using MitM and selling the information to governments interested in this sort of information is what a black hat would have done. This guy just hacked a few accounts and then came forward to make certain that the obvious leak would be fixed. Just telling them would probably given a response of "That's not possible, because we use encrypted WiFi" or something similar. As far as we know, no secrets were revealed or leaked and no "private" e-mail was looked at, so there was no real damage.

    --
    I was promised a flying car. Where is my flying car?
  11. They did the right thing! by Anonymous Coward · · Score: 0

    This is abolutely a reasonable response.

    There is no secure way to use public WiFi without a VPN in between and as long as this is not mandated, KILL THE PUBLIC WIFI.

    1. Re:They did the right thing! by ArsenneLupin · · Score: 1

      Yes there is. Pay attention to the certificates. They are there for a reason.

  12. Classical man-in-the-middle by ArsenneLupin · · Score: 2
    Might help more to educate the users what a certificate is, and why it is bad to simply ignore/dismiss those dialog boxes that say "certification authority for this certificate not know. Clicking 'ignore' could potentially allow a malicious person to eavesdrop on your conversation with the server, including passwords, dirty laundry, ..."

    I'm 99% percent sure that the hacker didn't attempt anything smarter than set up his own doctored openwrt Wifi access point in a well-traveled location, with a man-in-the-middle on it, and without even bothering to make a particularly good forgery of the mail server's certificate.

    1. Re:Classical man-in-the-middle by TheP4st · · Score: 1

      Might help more to educate the users what a certificate is.

      Many of those users fall into the category that believe the CD tray is a cup holder, that Internet Explorer is the Internet and that Pass1234 is a secure password. Good luck educating them, I've tried and on more than one occasion left with the feeling of having dropped a few IQ points.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    2. Re:Classical man-in-the-middle by ArsenneLupin · · Score: 1

      But in any case, shutting down the public Wifi at the European Parliament will not help with this problem. They'll fall into the same trap in their hotel room, when they mistake the router that the hacker in the room next door has put up for the "official" Wifi of the hotel, even if the hotel never actually had an official Wifi...

    3. Re:Classical man-in-the-middle by fph+il+quozientatore · · Score: 1

      Certificate forgery? Not even close to being that sophisticate. In the mailing list messages linked in TFA, it says that he put on a spoof captive-portal authentication page in pure HTTP (instead of the original HTTPS one).

      --
      My first program:

      Hell Segmentation fault

  13. Wait what ? by fluffythedestroyer · · Score: 1

    members of the Parliament are using the public network to check their mail ? That alone is a breach of security...split that. members of the Parliament should use a private secure network (vpn, ssl, etc etc)...not the same network as mister and misses on the street lol. Just for starters the wifi is hidden to the public and thats only a first on the big list of security we implemented here and the security should be high even if people don't like it...it's your system, not theirs so its the admin's job to provide security for this type of situation.

  14. LOL by Anonymous Coward · · Score: 0

    Idiots In Charge.

    NSA and a thousand other "snake heads" have been feeding off them for years for sure.

    Most basic of safe guards not in place ... the Idiot mentality (super human intelligence) of EU on display to all.

    QED

  15. Not secure enough by Anonymous Coward · · Score: 0

    And do they really and actually upgrade to a safer wireless communication? Heck no! They are regular people in there working, so there will be a very few people that will upgrade to a better safety protocols.