_nalply 8 months ago

They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company across the street had a machine that was accessible both by ethernet and wifi, and they used that as a bridge.

Conclusions:

1. Anything that doesn't have 2fa is leaking like a sieve.

2. The targeted company needs to implement 2fa for their Wifi as well.

Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because else they could target the cell phones, and like everything else they are leaking, or they are attacking the cell phone base stations.

Final conclusion:

A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.

cortesoft 8 months ago | parent | next [-]

My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.

A separate VPN, with MFA, should be required to access anything.

alsetmusic 8 months ago | parent | next [-]

My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.

We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.

Wifi adapters should be disabled via Group Policy for wired devices anyway.

sam_lowry_ 8 months ago | parent [-]

Active Directory?

You are already pwned.

UltraSane 8 months ago | parent | prev | next [-]

When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.

rocqua 8 months ago | parent | prev | next [-]

Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.

legulere 8 months ago | parent | prev | next [-]

Also a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.

sleepybrett 8 months ago | parent | prev [-]

It should be a factor (defense in depth) but not the ONLY factor.

Sesse__ 8 months ago | parent | prev | next [-]

> Final conclusion: A network is as strong as the weakest link.

Final conclusion: Do not trust a device just because it happens to be on your local network.

coldpie 8 months ago | parent [-]

Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.

EvanAnderson 8 months ago | parent [-]

Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc).

coldpie 8 months ago | parent | next [-]

Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.

EvanAnderson 8 months ago | parent [-]

Direct physical access by the attacker isn't strictly necessary (i.e. operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels.

I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).

coldpie 8 months ago | parent [-]

Ooh! This is a fascinating approach. I'm still skeptical that this is a widespread enough issue to warrant the same level of caution as connecting a computer to the Internet, but I'd love to read more about examples of this actually happening in the real world (i.e. not researchers with full control of the environment) if you have any.

DyslexicAtheist 8 months ago | parent | prev | next [-]

Final, final, final, final conclusion: due to the complexity of computers, the only reliable way to achieve a moderate security in a system is to prevent it from being powered on.

dotancohen 8 months ago | parent | next [-]

The concept of C-I-A addresses this. Confidentiality, Integrity, Availability. If a system is not available for use then all the confidentiality of communications and integrity of data is useless.

EvanAnderson 8 months ago | parent | prev [-]

"Pioneered method of keeping restrooms clean by keeping them locked during business hours."

akaiser 8 months ago | parent | prev | next [-]

It eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. It basically comes for free with AD and NPS.

eru 8 months ago | parent [-]

'Free' still means you need some expertise in setting it up and running it.

eru 8 months ago | parent | prev | next [-]

> A network is as strong as the weakest link.

Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.

Spivak 8 months ago | parent [-]

The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.

eru 8 months ago | parent [-]

Yes, and it's already the default in consumer electronics.

That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong.

The main thing encrypting wifi does (or rather should do...) for you is keeping your neighbours from stealing all your bandwidth.

Aloisius 8 months ago | parent | prev | next [-]

Being able to validate credentials via the public-facing website without MFA was a considerable problem as well. Also not locking down accounts after failed login attempts.

Wifi with 802.1X and certs would have been fine here without MFA.

ninalanyon 8 months ago | parent | prev [-]

Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.
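Several commenters (akaiser, Aloisius, ninalanyon) argue for 802.1X with device certificates rather than a shared password or a username+password over WiFi. As an added illustration that is not from the thread or any project, here is a small audit script that classifies the networks in a wpa_supplicant-style config by that criterion. The config is constructed for the example; the classification labels and the `audit` / `audit_conf` function names are my own.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; paths and identities are placeholders.
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-PSK
    psk="placeholder-shared-secret"
}
network={
    ssid="corp-eap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="placeholder"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/device01.pem"
    private_key="/etc/wpa/device01.key"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf):
    """Return one dict per network={...} block, with quoted values unquoted."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, val = line.split("=", 1)
                entry[key.strip()] = val.strip().strip('"')
        nets.append(entry)
    return nets

def audit(net):
    """Classify how a network authenticates the device joining it."""
    key_mgmt = net.get("key_mgmt", "")
    if key_mgmt == "NONE":
        return "open"                  # no authentication at all
    if "WPA-EAP" not in key_mgmt:
        return "shared-secret"         # PSK: one password, no per-device identity
    if net.get("eap") == "TLS" and net.get("client_cert"):
        # EAP-TLS: the device proves itself with its certificate; without ca_cert
        # the client does not verify the RADIUS server, which is still a weak link.
        return "device-cert" if net.get("ca_cert") else "device-cert-unverified-server"
    return "user-password"             # EAP, but the credential is only a login

def audit_conf(conf):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(conf)}
```

Only networks reported as `device-cert` match the posture the thread describes as fine without MFA; the others are the "weakest link" cases.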