man-in-the-middle attack on the EP Wi-Fi

The request was successful.

Dear Madame/Sir,

As a security expert I am worried by the man-in-the-middle attack on the Wi-Fi provided by the European Parliament as reported in the media[0] and in the 2012 Discharge Resolution[1]. I am therefore supporting the Resolution's demand for "an independent third party ICT security audit" and "a clear roadmap towards a more robust ICT security policy in 2015".

Security can only be robust and independently audited if procedures for its implementation are public. It is impossible to augment security based on secret procedures. Further, a proper application of the rule that the EP "shall ensure that its activities are conducted with the utmost transparency"[2] would not exclude procedures relating to access and use of the EP's ICT facilities.

Therefore, under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I would like to have access to all documents relating to access and use of the EP's ICT facilities - in particular relating to access and use of Wi-Fi by MEPs, EP staff and assistants, journalists, accredited guests, lobbyists and the public in general - as they existed before the man-in-the-middle attack (November 2013) and as they exist today (May 2014).

Yours faithfully,

Joris Vanhove

[0]
http://www.mediapart.fr/journal/internat...
http://www.theregister.co.uk/2013/11/26/...
http://www.euractiv.com/specialreport-cy...

[1] 90. Is deeply worried that personal and confidential individual mail-boxes of selected Members, parliamentary assistants and officials have been compromised after the Parliament has been subject to a man-in-the-middle attack where a hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament; insists that an independent third party ICT security audit be carried out on all parliamentary ICT and telecommunications systems in accordance with the specifications referred to in paragraph 99 with a view to completing a clear roadmap towards a more robust ICT security policy in 2015;
Link:
http://www.europarl.europa.eu/sides/getD...

[2] Rule 103: Transparency of Parliament's activities
1. Parliament shall ensure that its activities are conducted with the utmost transparency, in accordance with the second paragraph of Article 1 of the Treaty on European Union, Article 15 of the Treaty on the Functioning of the European Union and Article 42 of the Charter of Fundamental Rights of the European Union.
Link:
http://www.europarl.europa.eu/sides/getD...

Registre, European Parliament

Ref: A(2014)6318

Dear Mr Vanhove,

We acknowledge receipt of your request. You will receive a reply within 15 working days.

TRANSPARENCY ACCESS TO DOCUMENTS

European Parliament
European Parliamentary Research Service
Transparency Unit
Directorate for the Library


Registre, European Parliament

3 Attachments

OUR REF: A(2014)6318

Dear Mr Vanhove,

In reply to your request, we would like to inform you that, following the recommendations in the EP 2012 Discharge resolution and in the context of the EP ICT strategy, DG ITEC continues its efforts to reinforce the already robust ICT security measures in place at the EP.

Along this line, DG ITEC's dedication to a continuous improvement of Parliament's ICT security is being pursued in particular through the implementation of measures included in paragraph 101 of the Resolution on Electronic Mass Surveillance adopted by the Plenary on 21 February 2014:

http://www.europarl.europa.eu/sides/getD...

DG ITEC regularly reports on advancements made in these areas to Parliament's authorities and ICT governance bodies.

As far as EP ICT facilities in a broader context are concerned, these "services" are provided in line with the objectives laid down in the ICT Medium Term Strategy (MTS) set by Parliament's competent authority (see annex 1):

"... establish and maintain sustainable and high quality service in the usage of ICT, for its institutional communication with the European citizens, for providing support to its Members and for the functioning of its administration. ICT therefore has to provide reliable, customer orientated and professional ICT services and solutions supported by a well-designed, efficient and secure ICT infrastructure. The infrastructure must support the day to day working (tools) and be designed in a way that is flexible and powerful whilst being able to integrate future short term and medium term needs of its clients in line with European Parliament EMAS objectives.
The second objective is to deliver ICT products for the political guidelines for 'Making full use of the new Lisbon Treaty in view of empowering MEPs to exercise their mandate' to 'Enhancing mobile communication, connectivity, mobility and interoperability' and to 'Strengthening the institutional communication with national Parliaments, European citizens and civil society'..."

In this context, Wi-Fi access and use is managed as an internal service destined to MEPs, Accredited Parliamentary Assistants (APA) and staff activities (Chapter II.2 of MTS). As regards other users (i.e. journalists, accredited guests, lobbyists and the general public), they can benefit from the existing service and facilities only if duly accredited to the EP.

The service is extended to these target groups in order to allow participation in the EP's activities and access to Parliament information and resources during the visit/stay (i.e. EP website etc.).

Before the "man-in-the-middle" attack, the EP had two Wi-Fi services available for users (see annex 2&3):

1. A corporate Wi-Fi network (EP Private) requiring a certificate with EP credentials (valid corporate email address) to access the service (this network is encrypted and secure; it is for the exclusive use of MEPs, APAs and staff);
2. An open public Wi-Fi network accessible to any user without certificate or EP credentials.

Following the "man-in-the-middle" attack, in December 2013 the competent authority (Bureau) adopted additional measures to be implemented in order to reinforce EP ICT security, including:

- Installation of the EP Wi-Fi certificate on all MEP, APA and staff mobile devices so that they connect to the EP private network only;
- Closing of the EP public network: any user not falling under the above category must be accredited to the EP and can request a Wi-Fi code by presenting a valid ID card.

We hope this information is useful to you. Please let us know if we can assist you further.

ACCESS TO DOCUMENTS TRANSPARENCY

European Parliament
European Parliamentary Research Service
Directorate for the Library
