Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Tech journalist from the Netherlands joins secret EU conference after finding the login details on twitter

Summary

 Daniel Verlaan, who works for RTL, noticed that, in a now deleted tweet by Dutch Defence Minister Ank Bijleveld,  of a picture of a private conference hosted online between EU defence ministers, the meeting id and 5 out of the 6 digits of the pin were in the picture. 

 

Having guessed the last digit, He then joined and said hello. 

Quotes

Quote

BBC:

Mr Verlaan managed to access the meeting after Dutch Defence Minister Ank Bijleveld tweeted a photo that contained the login address and part of the PIN code.

 

"After a number of attempts, RTL Nieuws succeeded in guessing the PIN code of the secret consultation, because five of the six digits of the pin code were visible in the photo," the news outlet said.

 

Quote

DW:

Dutch Prime Minister Mark Rutte has since reacted to the security blunder with a jab at his defense minister.

 

"This shows once again that ministers need to realize how careful you have to be with Twitter," Rutte said in the Hague.

 

An official with the Dutch Defense Ministry described the incident as a "stupid mistake."

 

Quote

The reporter's twitter:

(Translated)

The fact that the EU is reporting my action to the authorities makes two things clear:

> as a journalist you have to come up with hard evidence otherwise you will be lied to ('no, there is extra security, you will not be given access')

>they would rather harm a journalist than fix their s**t

My thoughts

I'm surprised this hasn't happened sooner. So many systems work on outdated legacy software such as windows XP in ATMs, I'm not really surprised this happened. Sure, this conference software is quite new, but the execution of software (no 2fa) is still very old school, especially for a conference of such importance. 

 

i believe this really is a wake up call for companies and governments during this pandemic to make sure that their accounts and therefore meetings are secure.

 

Sources

https://www.google.com/amp/s/amp.dw.com/en/dutch-reporter-hacks-eu-defense-ministers-meeting/a-55682752

 

https://www.bbc.com/news/amp/world-europe-55027641

 

https://twitter.com/danielverlaan/status/1329835134879719426?s=19

 

 

Please mark as helpful and informative so my profile looks better.

quote or reply to me if you want me to reply to you.

Thanks

Link to post
Share on other sites

Even a best security system is defeated with enough stupidity of its users. You can make much simpler and safe system for users that are knowledgeable, but if you have bunch of illiterate normies who will use even the best system, they will still spill the beans somewhere. 

1. Keycards, encrypted pendrives -if user lose it because he/she is forgetful 

2. Two factor authentication -same for forgetful users

3. Phishing, gaining personal information to reset the passwords, get clues -if users are naive, uninformed, stupid

4. Server storage methods that depends on it specialist input and mainteneace -negligence and laziness

5. Truly automated systems that can be circumvented by only inside knowledge -blackmail

6. Multiple layers, automated security systems -hardware spy chip hoisted that will nullify any encryption taking place

 

Therefore a good system has multiple layers of security. The fact that they don't used such system means they are either stupid, or truth be told -the meeting didn't have REALLY important information after all ;)

Link to post
Share on other sites
3 minutes ago, RainingTacco said:

truth be told -the meeting didn't have REALLY important information after all ;)

I'd really hope so! Although I'm not sure that that's a great excuse though for such an obvious failure in security.

 

I completely agree that it's hard for some users to use another layer of security, but when you're in charge of a somewhat important government, I think having secure accounts / operating 2fa equipment of some sort should be a required skill for the job.

Please mark as helpful and informative so my profile looks better.

quote or reply to me if you want me to reply to you.

Thanks

Link to post
Share on other sites

I didn't put this in the main post because it's not really needed, but the video of inside the call is hillarious 

 

 

Please mark as helpful and informative so my profile looks better.

quote or reply to me if you want me to reply to you.

Thanks

Link to post
Share on other sites
4 minutes ago, Mad153 said:

I didn't put this in the main post because it's not really needed, but the video of inside the call is hillarious 

 

 

Oh so it's EU defence minister meetings? EU doesn't have an army or any military jurisdiction and power over that matters. That's pretty nonrelevant, nothing of value could be gained by hacking such conference -just a chit chat with big words like they do in EU parliament. NATO on the other hand...

Link to post
Share on other sites

Taking this as anything other than a massive derp by whatever minister broadcast the locking code seems silly.  Using it to attack atm stuff seems more than ridiculous. Atm stuff might be bad but this has zero to do with that.

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

Link to post
Share on other sites
1 hour ago, jaslion said:

Also it's just 6 digits that is easy to crack. That and the dude could guess it so there is basically no timout on tries then.

Indeed. Like showing 5 of 6 digits means there was a 10% chance of guessing it by chance.

 

People forget that the URL or username is part of the entropy. 

 

The clear mistake made here was that:

a) Someone leaked enough of the login info, that is super-stupid and on the fault of that person

b) If this was not intended to be a publicly accessible meeting, then someone should with administrative/moderator privileges should be monitoring join/leave notifications.

 

Like you see this kind of thing happen a lot with game streaming (eg Among Us, Jackbox.tv ) where the actual codes to get into the room have low entropy, and twitch/youtube's own features let you grab the code even if it was exposed for 2 frames.

 

Ideally moderation tools will straight-up put "name has joined/name has left" messages on everyone's screen to know when undesired participants are in the stream. 

Link to post
Share on other sites

i like how some outlets are saying he "hacked" in. No, their "password" was just shit....and twitter

Judge the product by its own merits, not by the Company that created it.

 

Don't dilute <good thing> by always trying to focus on, and drag conversation back to, <bad thing>.

Link to post
Share on other sites
21 minutes ago, Arika S said:

i like how some outlets are saying he "hacked" in. No, their "password" was just shit....and twitter

what would you call gaining unauthorized access to something by guessing a password?

Link to post
Share on other sites
1 minute ago, bit said:

what would you call gaining unauthorized access to something by guessing a password?

"guessing a password"

but more accurately

"guessing 1 digit of a password because the rest was tweeted"

Judge the product by its own merits, not by the Company that created it.

 

Don't dilute <good thing> by always trying to focus on, and drag conversation back to, <bad thing>.

Link to post
Share on other sites
1 minute ago, Arika S said:

"guessing a password"

but more accurately

"guessing 1 digit of a password because the rest was tweeted"

Doesn't matter how much was provided, it was still gaining unauthorized access to something by guessing a password.

Link to post
Share on other sites
7 minutes ago, bit said:

Doesn't matter how much was provided, it was still gaining unauthorized access to something by guessing a password.

This is a point.  Any lock can be picked.  Some are much easier than others and this one was pretty trivial because of stupidity on the part of the official.  Doesn’t change the fact though.  There used to be “luggage locks” on suitcases.  Silly little trivial to pick things.  Doing so though had the same legal effect as if it was a high security lock though. 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

Link to post
Share on other sites

And yet you know that these same idiots still think encryption should be banned.

 

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to post
Share on other sites
11 minutes ago, Trik'Stari said:

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

Honestly. It's far more important now than it was, say, 30 years ago, when a lot of these officials were elected.

Mechanical keyboard aficionado, professional fox

Mechanical Keyboard Club | Don't buy "gaming" keyboards, yo

Please quote me so I can see that you replied.

 

Be proud of who you are.

Link to post
Share on other sites
2 hours ago, Trik'Stari said:

And yet you know that these same idiots still think encryption should be banned.

 

I think we really need to start requiring more in the way of qualifications in regards to technology literacy, for elected and appointed officials. This is intended as a non-political, and entirely practical statement.

 

Not only technology literacy, but a willingness to use it readily and engage the wider public in policy-making as well.

 

Look up Audrey Tang and vTaiwan.

Link to post
Share on other sites
4 hours ago, bit said:

what would you call gaining unauthorized access to something by guessing a password?

I would call it unauthorized access, in the same way trespassing is not breaking and entering.

Link to post
Share on other sites

So this just reaffirms the what almost all IT & security experts have known for years, the weakest link in any security chain is the soft squishy bit sat behind the keyboard.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Windows 10 Pro X64 |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to post
Share on other sites
5 hours ago, bit said:

what would you call gaining unauthorized access to something by guessing a password?

Simple, the journalist accessed the meeting and was not authorised to do so.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Windows 10 Pro X64 |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to post
Share on other sites
3 hours ago, Master Disaster said:

So this just reaffirms the what almost all IT & security experts have known for years, the weakest link in any security chain is the soft squishy bit sat behind the keyboard.

Not just behind the keyboard, but behind the keyboard at the highest levels lol.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to post
Share on other sites
5 hours ago, leadeater said:

I would call it unauthorized access, in the same way trespassing is not breaking and entering.

Perfect analogy.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to post
Share on other sites
15 hours ago, Arika S said:

i like how some outlets are saying he "hacked" in. No, their "password" was just shit....and twitter

If we’re going by the dictionary definition then gaining unauthorised access to a computer system even by guessing a mostly revealed password is hacking.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill

iPhone 8 Plus (Mid 2019 to present)

Samaritan XL (Early 2018 - present with 2019 GPU upgrade and 2020 RAM upgrade and 2020 HDD upgrade) - AMD Ryzen 7 1700X (8C/16T) , MSI X370 Gaming Pro Carbon, Corsair 32GB Vengeance LPX DDR4-2666 (2020) ,  Asus ROG Strix RX Vega 56 , Corsair RM850i PSU, Corsair H100i v2 CPU Cooler, Samsung 860 EVO 500GB SSD, Seagate BarraCuda 6TB HDD (2020) , NZXT S340 Elite, Corsair ML 120 Pro, Corsair ML 140 Pro

Link to post
Share on other sites

Hackerman

Hi

 

Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler

Hi

 

 

 

 

 

 

 

 

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×