Slashdot Mirror


European Parliament Culls Public Wi-Fi Access After Email Hack

hypnosec writes "A white hat hacker managed to break into multiple email accounts, thereby forcing the European Parliament to cut off its public Wi-Fi access. The French security researcher apparently performed man-in-the-middle attacks on multiple email accounts in a bid to expose the poor security at the Parliament. Through an internal mailer, members of the Parliament were informed that a 'hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).' The public Wi-Fi has been cut off indefinitely and users located at Brussels, Strasbourg and Luxembourg have been advised to apply for certificates and switch to more secure networks."

8 of 68 comments

  1. forcing them to cutoff access? by Gravis+Zero · · Score: 3, Insightful

    nobody is forcing them to do anything. it seems the more rational response is to fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 5, Informative

      it seems the more rational response is to fix the problem instead of treating the symptom.

      On the medium term the Parliament will take additional measures to further secure the communication to the Parliament.

      It sounds like they're shutting off the public system and encouraging people to use a more secure private system until they can figure out how to fix it. There's no point leaving the vulnerable system running while you work on a fix.

    2. Re:forcing them to cutoff access? by Anonymous Coward · · Score: 5, Insightful

      nobody is forcing them to do anything. it seems the more rational response is to fix the problem instead of treating the symptom. if someone wants to hack your server, do you think something like removing wifi access will stop them?

      Why do you think they are not fixing the problem? The rational, first response is to stop the compromise getting any worse, as they have done. The next thing is to actually work out a proper and complete fix, which takes at least a little time. The geeky, fuckwitted, I'm-so-leet response would be to leave the public wifi up, slap on a simplistic set of changes as quickly as possible and to miss some of the vulnerabilities.

  2. Certificates by Anonymous Coward · · Score: 3, Informative

    They already use certificates to connect to their private wifi.
    Why not use certificates to connect to their email? Then a public wifi shouldn't have any impact.
    TLS/SSL should be sufficient, right?

  3. what makes this white hat? by patrixmyth · · Score: 5, Insightful

    'Hey, I just kicked in your door to show how easy it is to kick in your door!'
    'Hey, I just graffitied your wall to show how easy it is to graffiti your wall!'
    'Hey, I just kicked you in the balls to show how easy it is to kick you in the balls!'

    Calling yourself a security researcher doesn't magically give you rights to go dick with other people's networks.
    Email over a public wifi network is no less secure than a cellphone call, hallway conversation or written notes.

    A public wifi is a convenience and very useful for the right purposes. A white hat researcher reveals unknown vulnerabilities to the people who build protocols. This was an asshole with a script, a laptop and a desire for attention.

    --
    "Don't you know you're going to shock the monkey?"- Peter Gabriel
    1. Re:what makes this white hat? by j0ris · · Score: 4, Informative

      The included links of the submission don't provide any further details about this "white hat hacker".

      This link does: http://www.euractiv.com/specialreport-cybersecurity/eu-parliament-investigating-hack-news-531877

      "The hacker says his aim was simply to raise awareness about the vulnerability of the security system of the Parliament, at a time when the NSA spying scandal was shaking public opinion across Europe.

      The hacker sat in a public place near the Parliament building in Strasbourg and managed to make nearby smartphones and computers pass through the “wifi” of his computer to connect to the internet. That was the hardest part of the procedure, he explained.

      Then he accessed an application most MEPs use and which signals when new mail arrives in their inbox. The app does warn the user that an intruder is trying to access their data, but the message is “obscure”, the hacker said, and most users click OK, thereby giving access permission."

    2. Re:what makes this white hat? by Xest · · Score: 3, Insightful

      Yes but it's how you go about doing it. There's a difference between doing it and telling the world which is attention whoring, and just letting their IT team know, and if they don't fix it, escalating it to parliamentarians themselves.

      If you want fame you can still have it - wait until they've fixed it and then tell the world about how you found an exploit to access the e-mail of EU parliamentarians.

      The fact is, if you exploit without permission, you are by definition not a white hat, even if you do tell people they need to fix it afterwards.

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion