nalply 10 months ago
They are exploiting that Wifi didn't have 2FA, because they couldn't overcome 2FA. A company across the street had a machine that was accessible both by ethernet and wifi and they used that as a bridge. Conclusions: 1. Anything that doesn't have 2FA is leaking like a sieve. 2. The targeted company needs to implement 2FA for their Wifi as well. Not mentioned, but I assume that their 2FA is using specialised hardware gadgets like Yubikey and not texts or TOTP, because otherwise they could target the cell phones, which, like everything else, are leaking, or they are attacking the cell phone base stations. Final conclusion: A network is as strong as the weakest link. In that case Wifi was not protected by strong 2FA and could be used to breach.
|
cortesoft 10 months ago
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi; it should be treated like the public internet. A separate VPN, with MFA, should be required to access anything.

alsetmusic 10 months ago
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access. We use 2FA pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer. Wifi adapters should be disabled via Group Policy for wired devices anyway.

UltraSane 10 months ago
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.

rocqua 10 months ago
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.

legulere 10 months ago
Also a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.

sleepybrett 10 months ago
It should be a factor (defense in depth) but not the ONLY factor.
|
|
Sesse__ 10 months ago
> Final conclusion: A network is as strong as the weakest link.

Final conclusion: Do not trust a device just because it happens to be on your local network.

coldpie 10 months ago
Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.

EvanAnderson 10 months ago
Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc.).

coldpie 10 months ago
Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.

EvanAnderson 10 months ago
Direct physical access by the attacker isn't strictly necessary (e.g. Operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing, attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels. I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low-bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).

coldpie 10 months ago
Ooh! This is a fascinating approach. I'm still skeptical that this is widespread enough of an issue to warrant the same level of caution as connecting a computer to the Internet, but I'd love to read more about examples of this actually happening in the real world (i.e. not researchers with full control of the environment) if you have any.
|
DyslexicAtheist 10 months ago
Final, final, final, final conclusion: due to the complexity of computers, the only reliable way to achieve moderate security in a system is to prevent it from being powered on.

dotancohen 10 months ago
The concept of C-I-A addresses this: Confidentiality, Integrity, Availability. If a system is not available for use then all the confidentiality of communications and integrity of data is useless.

EvanAnderson 10 months ago
"Pioneered method of keeping restrooms clean by keeping them locked during business hours."
|
akaiser 10 months ago
Eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. Basically comes for free with AD and NPS.
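As an added illustration of the device-certificate approach akaiser (and rocqua above) describe, not taken from the thread or from any poster: the two client-side wpa_supplicant profiles side by side, the username+password one and the EAP-TLS one that only a machine holding an IT-issued certificate can use. The SSID "corp", the CA file, the RADIUS/NPS hostname "nps.corp.example" and the certificate and key paths are all assumed placeholders.

```conf
# Added example, not from the thread. SSID, CA file, NPS/RADIUS hostname and
# client certificate paths are assumed placeholders.

# Profile A: the "username+password" Wi-Fi the thread is discussing.
# PEAP with MSCHAPv2 inside the TLS tunnel. Anyone who knows Alice's AD
# password (for instance after validating it against a public login page
# that has no MFA and no lockout) can join from any device at all.
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="hunter2"
    # Without these two lines the client will complete the PEAP handshake
    # with a rogue AP and hand it an MSCHAPv2 challenge/response to crack.
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="nps.corp.example"
}

# Profile B: EAP-TLS, i.e. the device-certificate auth akaiser refers to.
# The access point / NPS side only admits a client that proves possession
# of a private key whose certificate chains to the corporate CA (on managed
# Windows machines that certificate is auto-enrolled from AD). A stolen
# password is not enough to join, and an unmanaged laptop across the
# street has no certificate to present.
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/laptop01.corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/ssl/certs/laptop01.pem"
    private_key="/etc/ssl/private/laptop01.key"
    # Same server-side check as above: pin the RADIUS server's certificate
    # to the corporate CA and expected name, otherwise an evil twin can still
    # terminate the TLS handshake even though it cannot impersonate the client.
    domain_match="nps.corp.example"
}
```

Both profiles decide only who gets onto the segment; what is reachable from that segment (the point cortesoft and legulere make above) is a separate decision. Note too that the server-certificate pinning is not optional in either profile: a client that skips it will accept any access point broadcasting the SSID, which is exactly the sort of weak link nalply is describing.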
eru 10 months ago
'Free' still means you need some expertise in setting it up and running it.
|
|
eru 10 months ago
> A network is as strong as the weakest link.

Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.

Spivak 10 months ago
The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.

eru 10 months ago
Yes, and it's already the default in consumer electronics. That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong. The main thing encrypting wifi does (or rather should do..) for you is keeping your neighbours from stealing all your bandwidth.
|
|
|
Aloisius 10 months ago
Being able to validate credentials via the public-facing website without MFA was a considerable problem as well. Also not locking down accounts after failed login attempts. Wifi with 802.1X and certs would have been fine here without MFA.
|
ninalanyon 10 months ago
Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.