They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company across the street had a machine that was accessible by both ethernet and wifi and they used that as a bridge.
Conclusions:
1. Anything that doesn't have 2fa is leaking like a sieve.
2. The targeted company needs to implement 2fa for their Wifi as well.
Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because otherwise they could target the cell phones, which, like everything else, are leaking, or they are attacking the cell phone base stations.
Final conclusion:
A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.
A separate VPN, with MFA, should be required to access anything.
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.
We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.
Wifi adapters should be disabled via Group Policy for wired devices anyway.
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.
Also, a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.
> Final conclusion: A network is as strong as the weakest link.
Final conclusion: Do not trust a device just because it happens to be on your local network.
Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.
Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc).
Final, final, final, final conclusion: due to the complexity of computers, the only reliable way to achieve moderate security in a system is to prevent it from being powered on.
The concept of C-I-A addresses this. Confidentiality, Integrity, Availability. If a system is not available for use then all the confidentiality of communications and integrity of data is useless.
"Pioneered method of keeping restrooms clean by keeping them locked during business hours."
Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.
Direct physical access by the attacker isn't strictly necessary (i.e. operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing, attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels.
I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).
Ooh! This is a fascinating approach. I'm still skeptical that this is a widespread enough issue to warrant the same level of caution as connecting a computer to the Internet, but I'd love to read more about examples of this actually happening in the real world (i.e. not researchers with full control of the environment) if you have any.
> A network is as strong as the weakest link.
Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.
The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.
Yes, and it's already the default in consumer electronics.
That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong.
The main thing encrypting wifi does (or rather should do..) for you is keeping your neighbours from stealing all your bandwidth.
Being able to validate credentials via the public-facing website without MFA was a considerable problem as well. Also not locking down accounts after failed login attempts.
Wifi with 802.1X and certs would have been fine here without MFA.
Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.
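As an added illustration of the certificate-based 802.1X setup the last two comments describe (this is not from any commenter; the SSID, hostnames, identity and file paths are assumed placeholders), here is what the client side looks like in a wpa_supplicant configuration, with the password-based variant it replaces shown first so the difference is visible:

```ini
# --- What the thread argues against: a per-user password on the corporate SSID.
# PEAP/MSCHAPv2 sends a user credential, and with no ca_cert/domain_match the
# supplicant cannot tell the real RADIUS server from an impostor, so the
# password is only as safe as whatever access point answers to this SSID.
network={
    ssid="CorpNet"                     # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                   # assumed user
    password="hunter2"                 # assumed password; the weak part
    phase2="auth=MSCHAPV2"
}

# --- What the last comment recommends: a device certificate issued by IT.
# EAP-TLS authenticates the machine, not a person, so there is nothing to phish
# or reuse; ca_cert plus domain_match pins which RADIUS server the device will
# talk to, and the private key is bound to this one device.
network={
    ssid="CorpNet"                     # assumed SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-1234@corp.example"              # assumed device identity
    ca_cert="/etc/ssl/corp/corp-ca.pem"              # assumed path: internal CA only
    client_cert="/etc/ssl/corp/laptop-1234.pem"      # assumed path: device cert
    private_key="/etc/ssl/corp/laptop-1234.key"      # assumed path: device key
    domain_match="radius.corp.example"               # assumed RADIUS server name
    priority=10                        # prefer this profile over any leftovers
}
```

The second block on its own does not make the network trustworthy, which is the earlier zero-trust point; it only means that being "on the Wi-Fi" is tied to a managed device rather than to a password that can be validated elsewhere.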