European Parliament Culls Public Wi-Fi Access After Email Hack

hypnosec writes "A white hat hacker managed to break into multiple email accounts thereby forcing the European Parliament to cutoff its public Wi-Fi access. The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament. Through an internal mailer, members of the Parliament were informed that a 'hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).' The public Wi-Fi has been cut-off indefinitely and users at located at Brussels, Strasbourg and Luxembourg have been advised to apply for certificates and switch to more secure networks."

forcing them to cutoff access?

[Gravis+Zero]

nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

Re:forcing them to cutoff access?

nobody is forcing them to do anything. it seems the more rational response is the fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

Why do you think they are not fixing the problem? The rational, first response is to stop the compromise getting any worse, as they have done. The next thing is to actually work out a proper and complete fix, which takes at least a little time. The geeky, fuckwitted, I'm-so-leet response would be to leave the public wifi up, slap on a simplistic set of changes quickly as possible and to miss some of the vulnerabilities.

Re:forcing them to cutoff access?

It makes 0 sense. He used a man-in-the-middle attach. Switching off the standard internet connection to the service under attack makes a man-in-the-middle attack _vastly easier_, not harder, since you do no longer have to compete against the legitimate service!
In the worst case, everyone would now flock to the attacker since it's the only place where they still get "free public wifi".
Sorry, but that is not a mitigation, it's idiocy.

what makes this white hat?

[patrixmyth]

'Hey, I just kicked in your door to show how easy it is to kick in your door!'
'Hey, I just graffitied your wall to show how easy it is to graffiti your wall!'
'Hey, I just kicked you in the balls to show how easy it is kick you in the balls!'

Calling yourself a security researcher doesn't magically give you rights to go dick with other people's networks.
Email over a public wifi network is no less secure than a cellphone call, hallway conversation or written notes.

A public wifi is a convenience and very useful for the right purposes. A white hat researcher reveals unknown vulnerabilities to the people who build protocols. This was an asshole with a script, a laptop and a desire for attention.

Re:what makes this white hat?

[Xest]

Yes but it's how you go about doing it. There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

If you want fame you can still have it - wait until they've fixed it and then tell the world about how you found an exploit to access the e-mail of EU parliamentarians.

The fact is, if you exploit without permission, you are by definition not a white hat, even if you do tell people they need to fix it afterwards.

Comment removed

[account_deleted]

Comment removed based on user account deletion