
Tech journalist from the Netherlands joins secret EU conference after finding the login details on twitter

Mad153

Summary

Daniel Verlaan, who works for RTL, noticed that a now-deleted tweet by Dutch Defence Minister Ank Bijleveld, showing a picture of a private online conference between EU defence ministers, exposed the meeting ID and 5 out of the 6 digits of the PIN in the picture.

 

Having guessed the last digit, he then joined and said hello.

Quotes

Quote

BBC:

Mr Verlaan managed to access the meeting after Dutch Defence Minister Ank Bijleveld tweeted a photo that contained the login address and part of the PIN code.

 

"After a number of attempts, RTL Nieuws succeeded in guessing the PIN code of the secret consultation, because five of the six digits of the pin code were visible in the photo," the news outlet said.

 

Quote

DW:

Dutch Prime Minister Mark Rutte has since reacted to the security blunder with a jab at his defense minister.

 

"This shows once again that ministers need to realize how careful you have to be with Twitter," Rutte said in the Hague.

 

An official with the Dutch Defense Ministry described the incident as a "stupid mistake."

 

Quote

The reporter's twitter:

(Translated)

The fact that the EU is reporting my action to the authorities makes two things clear:

> as a journalist you have to come up with hard evidence, otherwise you will be lied to ('no, there is extra security, you will not be given access')

> they would rather harm a journalist than fix their s**t

My thoughts

I'm surprised this hasn't happened sooner. So many systems run on outdated legacy software, such as Windows XP in ATMs, that I'm not really surprised this happened. Sure, this conference software is quite new, but the execution of the software (no 2FA) is still very old school, especially for a conference of such importance.

 

I believe this really is a wake-up call for companies and governments during this pandemic to make sure that their accounts, and therefore their meetings, are secure.

 

Sources

https://www.google.com/amp/s/amp.dw.com/en/dutch-reporter-hacks-eu-defense-ministers-meeting/a-55682752

 

https://www.bbc.com/news/amp/world-europe-55027641

 

https://twitter.com/danielverlaan/status/1329835134879719426?s=19

 

 

Please mark as helpful and informative so my profile looks better.

quote or reply to me if you want me to reply to you.

Thanks


Even the best security system is defeated by enough stupidity from its users. You can make a much simpler and safer system for users who are knowledgeable, but if you have a bunch of illiterate normies who will use even the best system, they will still spill the beans somewhere.

1. Keycards, encrypted pendrives - if the user loses it because he/she is forgetful

2. Two-factor authentication - same for forgetful users

3. Phishing, gaining personal information to reset the passwords, get clues - if users are naive, uninformed, stupid

4. Server storage methods that depend on IT specialist input and maintenance - negligence and laziness

5. Truly automated systems that can be circumvented only by inside knowledge - blackmail

6. Multiple layers, automated security systems - a hardware spy chip hoisted in that will nullify any encryption taking place

 

Therefore a good system has multiple layers of security. The fact that they didn't use such a system means they are either stupid, or, truth be told - the meeting didn't have REALLY important information after all ;)


3 minutes ago, RainingTacco said:

truth be told -the meeting didn't have REALLY important information after all ;)

I'd really hope so! Although I'm not sure that's a great excuse for such an obvious failure in security.

 

I completely agree that it's hard for some users to use another layer of security, but when you're in charge of a somewhat important government, I think having secure accounts and operating 2FA equipment of some sort should be a required skill for the job.


I didn't put this in the main post because it's not really needed, but the video of inside the call is hilarious

 

 


4 minutes ago, Mad153 said:

I didn't put this in the main post because it's not really needed, but the video of inside the call is hilarious

 

 

Oh, so it's EU defence minister meetings? The EU doesn't have an army or any military jurisdiction and power over such matters. That's pretty irrelevant; nothing of value could be gained by hacking such a conference - just chit-chat with big words like they do in the EU parliament. NATO on the other hand...


Taking this as anything other than a massive derp by whatever minister broadcast the locking code seems silly. Using it to attack ATM stuff seems more than ridiculous. ATM stuff might be bad, but this has zero to do with that.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


1 hour ago, jaslion said:

Also, it's just 6 digits, which is easy to crack. That, and the dude could guess it, so there is basically no timeout on tries then.

Indeed. Like, showing 5 of 6 digits means there was a 10% chance of guessing it by chance.

 

People forget that the URL or username is part of the entropy. 

 

The clear mistake made here was that:

a) Someone leaked enough of the login info; that is super stupid and the fault of that person

b) If this was not intended to be a publicly accessible meeting, then someone with administrative/moderator privileges should be monitoring join/leave notifications.

 

Like, you see this kind of thing happen a lot with game streaming (e.g. Among Us, Jackbox.tv), where the actual codes to get into the room have low entropy, and Twitch/YouTube's own features let you grab the code even if it was exposed for 2 frames.

 

Ideally moderation tools will straight-up put "name has joined/name has left" messages on everyone's screen to know when undesired participants are in the stream. 
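Added example, not code from the thread or from any conferencing product: a small Python model of the two points made above. It first computes how many candidate PINs are left once 5 of 6 digits are public (10, about 3.3 bits), then simulates a meeting gate that applies a per-source attempt limit with lockout and records join/leave/deny events for a moderator to watch. The meeting ID, PIN, source addresses and participant names are all constructed for the demo, not the real meeting's values.

```python
import math
from dataclasses import dataclass, field


def remaining_guesses(pin_length: int = 6, digits_revealed: int = 5, alphabet_size: int = 10) -> int:
    """Candidate PINs left once `digits_revealed` positions are public (the thread's case: 10)."""
    return alphabet_size ** (pin_length - digits_revealed)


def residual_entropy_bits(pin_length: int = 6, digits_revealed: int = 5, alphabet_size: int = 10) -> float:
    """Bits of secret left in the PIN; log2(10) is about 3.3 bits for one unknown digit."""
    return math.log2(remaining_guesses(pin_length, digits_revealed, alphabet_size))


@dataclass
class MeetingGate:
    """Join control for one meeting: per-source attempt limit with lockout, plus an audit trail."""
    meeting_id: str
    pin: str
    max_attempts: int = 3
    lockout_seconds: float = 900.0
    failures: dict = field(default_factory=dict)      # source -> consecutive wrong PINs
    locked_until: dict = field(default_factory=dict)  # source -> time the lockout ends
    participants: set = field(default_factory=set)
    audit: list = field(default_factory=list)         # join/leave/deny events a moderator sees

    def _log(self, now: float, event: str) -> None:
        self.audit.append(f"{now:.0f} meeting={self.meeting_id} {event}")

    def try_join(self, source: str, name: str, pin: str, now: float) -> str:
        """Returns 'joined', 'denied' (wrong PIN) or 'locked' (source over the attempt limit)."""
        if self.locked_until.get(source, 0.0) > now:
            self._log(now, f"DENY source={source} reason=locked")
            return "locked"
        if pin != self.pin:  # demo compare; real code would use hmac.compare_digest
            count = self.failures.get(source, 0) + 1
            self.failures[source] = count
            self._log(now, f"DENY source={source} reason=bad_pin attempt={count}")
            if count >= self.max_attempts:
                self.locked_until[source] = now + self.lockout_seconds
                self.failures[source] = 0
                self._log(now, f"LOCKOUT source={source} until={now + self.lockout_seconds:.0f}")
                return "locked"
            return "denied"
        self.failures.pop(source, None)
        self.participants.add(name)
        self._log(now, f"JOIN name={name} source={source}")  # the on-screen "name has joined"
        return "joined"

    def leave(self, name: str, now: float) -> None:
        self.participants.discard(name)
        self._log(now, f"LEAVE name={name}")


def simulate_disclosed_pin(true_pin: str = "123457", revealed_prefix: str = "12345") -> dict:
    """Constructed scenario (hypothetical values, not the real meeting's): 5 digits are
    public and one source cycles the last digit. With only 10 candidates left, a small
    attempt limit is what stops the uninvited source, while an invited participant
    from another source is unaffected."""
    gate = MeetingGate(meeting_id="demo-meeting", pin=true_pin, max_attempts=3)
    outcomes = []
    t = 1000.0
    for d in range(10):
        outcomes.append(gate.try_join("203.0.113.7", "uninvited", revealed_prefix + str(d), now=t))
        t += 1.0
    invited = gate.try_join("198.51.100.5", "minister_a", true_pin, now=t)
    gate.leave("minister_a", now=t + 60.0)
    return {
        "candidates": remaining_guesses(len(true_pin), len(revealed_prefix)),
        "outcomes": outcomes,
        "uninvited_joined": "uninvited" in gate.participants,
        "invited": invited,
        "audit": gate.audit,
    }


if __name__ == "__main__":
    result = simulate_disclosed_pin()
    print(f"candidates left: {result['candidates']} "
          f"({residual_entropy_bits():.2f} bits)")
    print("guess outcomes:", result["outcomes"])
    for line in result["audit"]:
        print(line)
```

The audit list is the part that matters for a moderated meeting: a LOCKOUT line from an unknown source, or a JOIN from a name nobody invited, is exactly the "name has joined" signal the post asks for, and it is worth surfacing on everyone's screen rather than only in a log.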


21 minutes ago, Arika S said:

I like how some outlets are saying he "hacked" in. No, their "password" was just shit....and on Twitter

what would you call gaining unauthorized access to something by guessing a password?


1 minute ago, bit said:

what would you call gaining unauthorized access to something by guessing a password?

"guessing a password"

but more accurately

"guessing 1 digit of a password because the rest was tweeted"

🌲🌲🌲

 

 

 

◒ ◒ 


1 minute ago, Arika S said:

"guessing a password"

but more accurately

"guessing 1 digit of a password because the rest was tweeted"

Doesn't matter how much was provided, it was still gaining unauthorized access to something by guessing a password.


7 minutes ago, bit said:

Doesn't matter how much was provided, it was still gaining unauthorized access to something by guessing a password.

This is a point. Any lock can be picked. Some are much easier than others, and this one was pretty trivial because of stupidity on the part of the official. Doesn't change the fact though. There used to be "luggage locks" on suitcases. Silly little trivial-to-pick things. Doing so, though, had the same legal effect as if it was a high-security lock.


And yet you know that these same idiots still think encryption should be banned.

 

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


11 minutes ago, Trik'Stari said:

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

Honestly. It's far more important now than it was, say, 30 years ago, when a lot of these officials were elected.


2 hours ago, Trik'Stari said:

And yet you know that these same idiots still think encryption should be banned.

 

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

 

Not only technology literacy, but a willingness to use it readily and engage the wider public in policy-making as well.

 

Look up Audrey Tang and vTaiwan.


So this just reaffirms what almost all IT & security experts have known for years: the weakest link in any security chain is the soft squishy bit sat behind the keyboard.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


5 hours ago, bit said:

what would you call gaining unauthorized access to something by guessing a password?

Simple, the journalist accessed the meeting and was not authorised to do so.


3 hours ago, Master Disaster said:

So this just reaffirms what almost all IT & security experts have known for years: the weakest link in any security chain is the soft squishy bit sat behind the keyboard.

Not just behind the keyboard, but behind the keyboard at the highest levels lol.


5 hours ago, leadeater said:

I would call it unauthorized access, in the same way trespassing is not breaking and entering.

Perfect analogy.


15 hours ago, Arika S said:

I like how some outlets are saying he "hacked" in. No, their "password" was just shit....and on Twitter

If we're going by the dictionary definition, then gaining unauthorised access to a computer system, even by guessing a mostly revealed password, is hacking.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022)

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


Hackerman

Hi

 

Spoiler

hi
