So, as I understand it, you 0wn a machine in one organization, then use it to tunnel over to Wi-Fi in the building next door, 0wn another machine there, rinse and repeat until you've created the world's least consensual mesh network?
They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company across the street had a machine that was accessible by both ethernet and wifi, and they used that as a bridge.
Conclusions:
1. Anything that doesn't have 2fa is leaking like a sieve.
2. The targeted company needs to implement 2fa for their Wifi as well.
Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because otherwise they could target the cell phones, which, like everything else, are leaking, or they are attacking the cell phone base stations.
Final conclusion:
A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.
A separate VPN, with MFA, should be required to access anything.
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.
We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.
Wifi adapters should be disabled via Group Policy for wired devices anyway.
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.
Also a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.
> Final conclusion: A network is as strong as the weakest link.
Final conclusion: Do not trust a device just because it happens to be on your local network.
Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.
Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc.).
Final, final, final, final conclusion: due to the complexity of computers, the only reliable way to achieve moderate security in a system is to prevent it from being powered on.
The concept of C-I-A addresses this. Confidentiality, Integrity, Availability. If a system is not available for use then all the confidentiality of communications and integrity of data is useless.
"Pioneered method of keeping restrooms clean by keeping them locked during business hours."
Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.
Direct physical access by the attacker isn't strictly necessary (i.e. Operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing, attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels.
I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).
Ooh! This is a fascinating approach. I'm still skeptical that this is widespread enough of an issue to warrant the same level of caution as connecting a computer to the Internet, but I'd love to read more about examples of this actually happening in the real world (i.e. not researchers with full control of the environment) if you have any.
> A network is as strong as the weakest link.
Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.
The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.
Yes, and it's already the default in consumer electronics.
That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong.
The main thing encrypting wifi does (or rather should do..) for you is keeping your neighbours from stealing all your bandwidth.
Being able to validate credentials via the public-facing website without MFA was a considerable problem as well. Also not locking down accounts after failed login attempts.
Wifi with 802.1X and certs would have been fine here without MFA.
Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.
The goal here was to circumvent 2FA on devices located inside the Org A office.
On-prem systems prompt for 2FA. So the attacker knew a user/password combo, but couldn't leverage it directly because they would have triggered 2FA.
But the 802.1x didn't have 2FA enabled. So using the user/password combo they already had, they just needed to approach the target network over WiFi in order to bypass the 2FA requirement.
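As an added example, not code from anyone in this thread: a small audit over constructed RADIUS-style authentication log lines that flags successful Wi-Fi logins made with password-only EAP methods (the exposure described above, where a known user/password pair satisfies 802.1X without 2FA) and user/device pairs outside an allowlist, approximating the per-user and per-device restriction mentioned earlier in the thread. The log format, usernames and MAC addresses are assumptions.

```python
"""Audit RADIUS-style 802.1X auth logs for password-only EAP logins and
non-allowlisted user/device pairs. Log format, names and MACs are constructed."""
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified FreeRADIUS-like format (assumption).
SAMPLE_LOG = """\
Auth: Login OK: [alice] (from client ap-1 port 0 cli 3C-22-FB-11-22-33) EAP-Type=TLS
Auth: Login OK: [bob] (from client ap-1 port 0 cli 00-11-22-AA-BB-CC) EAP-Type=PEAP/MSCHAPv2
Auth: Login OK: [alice] (from client ap-2 port 0 cli DE-AD-BE-EF-00-01) EAP-Type=PEAP/MSCHAPv2
Auth: Login incorrect: [carol] (from client ap-2 port 0 cli 00-11-22-AA-BB-CC) EAP-Type=PEAP/MSCHAPv2
"""

# Allowlist of (user, device MAC) pairs: "whitelisted by user and by device".
ALLOWED = frozenset({("alice", "3C-22-FB-11-22-33"), ("bob", "00-11-22-AA-BB-CC")})

# EAP methods that a stolen username/password alone can satisfy.
# EAP-TLS is absent on purpose: it requires a device certificate.
PASSWORD_ONLY = frozenset({"PEAP/MSCHAPv2", "TTLS/PAP", "TTLS/MSCHAPv2", "MD5"})

LINE_RE = re.compile(
    r"Login (OK|incorrect): \[(?P<user>[^\]]+)\] .*cli (?P<mac>[0-9A-F-]{17})\) "
    r"EAP-Type=(?P<eap>\S+)"
)


@dataclass(frozen=True)
class Finding:
    user: str
    mac: str
    reason: str


def audit(log, allowed=ALLOWED):
    """Return findings for successful logins only; failures create no access."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "OK":
            continue
        user, mac, eap = m.group("user"), m.group("mac"), m.group("eap")
        if eap in PASSWORD_ONLY:
            findings.append(Finding(user, mac, f"password-only EAP ({eap}); reusable stolen credential"))
        if (user, mac) not in allowed:
            findings.append(Finding(user, mac, "user/device pair not allowlisted"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user} from {f.mac}: {f.reason}")
```

On the sample log, the EAP-TLS login from an allowlisted device produces no finding, while the second password-based login for alice from an unknown device is flagged twice.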
From thousands of kilometers away, to make attribution/legal issues even more complex.
Why do you type 0wn (zero) instead of own?
I think it nicely demonstrates the difference between "own" (legally and appropriately) and "0wn" (taking control by hacking, but exerting as much control as "own").
Putting the "hacker" back in Hacker News, I guess
Excuse me I thought this was business news? I want my zero money back.
Adding a serious response in case [0] it's a serious question: "0wn" is a kind of in-joke among hacker/security communities. [1] In particular, it differs from "own" in that it connotes "forcibly taking control of", rather than formal legal ownership. Another version is "pwn", which is marginally newer and more associated with online gaming.
> "0wn" is a kind of in-joke among hacker/security communities.
In my experience, the security community says "pop".