from the reason-why-we-can't-have-nice-things dept.
Trafficked data could lead to subsequent attacks, agency warns:
The FBI on Friday said that thousands of compromised credentials harvested from US college and university networks are circulating on online crime forums in Russia and elsewhere—and could lead to breaches that install ransomware or steal data.
[...] Login names and passwords are routinely harvested in phishing attacks, which may use fake claims of an account breach or a COVID-themed pitch to lure victims. Often, the threat actors who conduct these attacks sell the data on crime forums. The data can then be scooped up by fellow threat actors who focus on server infections for purposes of ransomware, cryptojacking, or espionage.
[...] "The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums," the agency said.
[Ed. question: Is username/password the primary way VPN access is given at these schools with thousands of transient students from all over the world? Wouldn't requiring a physical token, such as adding PKI certs to their student ID cards, be a far superior and secure solution? --hubie]
(Score: 3, Funny) by SomeGuy on Friday June 03 2022, @12:35AM
But that doesn't require a smartphone. Why would anyone want something that does not require a smartphone? Why do you hate progress?
(Score: 0) by Anonymous Coward on Friday June 03 2022, @02:06AM (3 children)
The real problem is them russkies will sell that info to the Chinese. China has the money and infrastructure to exploit advanced research material from elite US universities, unlike Russia whose best and brightest are fleeing the country.
Putin just might be the character that breaks up the Russian empire.
(Score: 2) by maxwell demon on Friday June 03 2022, @05:15AM (2 children)
If the VPN access provided to students is sufficient to siphon advanced research material, then you have bigger issues already. After all, Chinese students can simply apply to US universities. That way they even get the VPN access legally.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Friday June 03 2022, @04:48PM (1 child)
The problem is that it gets them a legit looking outside connection to the university network. A student on site doesn't have the resources or expertise of a team of professional hackers.
(Score: 2) by maxwell demon on Friday June 03 2022, @06:39PM
You seem to have the delusion that one cannot be at the same time a student and part of (or working together with) a team of professional hackers.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by Immerman on Friday June 03 2022, @03:02AM (2 children)
Correct me if I'm wrong, but isn't a PKI cert just a chunk of data? As such, storing it on an ID card doesn't create a required physical token any more than saving it to a USB drive.
Perhaps it's a bit nit-picky, but I think it's important to understand the nature of a physical token for security purposes, especially as they're frequently used in the context of two-factor authorization.
Data of any sort falls under the "something you know" category - it can be copied without your knowledge through a wide range of means (including the mentioned phishing), many of which can be done over the internet, and "knowing" 10 things still only qualifies as one chunk of "something you know" - e.g. a username and password is no more secure than just a long password.
A physical token on the other hand is "something you have" - an attacker needs *physical* access to it in order to steal it, and it *cannot* be copied (at least not easily) so you're very likely to notice the theft. Ideally that's something like a decryption device with an embedded private key that can't be extracted that can turn a challenge code into the appropriate response code - though as a poor substitute you can use something like a phone that receives a limited-time authorization code (a very poor substitute, since a phone number can be readily stolen using only "something-you-know" information - but at least you're likely to notice the number theft fairly soon).
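The challenge-response scheme Immerman describes, as an added shell example that is not part of the thread: the token holds a private key, the server holds only the public key, and each login signs a fresh server-issued random challenge. Running it shows a genuine response verifying, the same response being refused on replay, and an old response failing against a new challenge. It assumes a key in a temp file standing in for a card's non-exportable key; the function names and file layout are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: challenge-response login where the
# token signs a server nonce with a private key the server never sees.
# Assumption: a key file stands in for a smart card's non-exportable key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Enrollment: token generates a P-256 key pair; only the public half is
# handed to the server, so a dump of the server's store cannot impersonate.
enroll() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/token.key" 2>/dev/null
  openssl pkey -in "$WORK/token.key" -pubout -out "$WORK/server.pub" 2>/dev/null
  : > "$WORK/used_nonces"     # server-side list of challenges already answered
}

# Server: a fresh random challenge for every login attempt.
issue_challenge() {
  openssl rand -hex 32
}

# Token: the only step that needs the private key; on a real card this runs
# on-card after the PIN unlocks it.
answer_challenge() {          # $1 = challenge
  printf '%s' "$1" | openssl dgst -sha256 -sign "$WORK/token.key" | openssl base64 -A
}

# Server: verify with the enrolled public key and refuse any challenge that
# was already consumed, so a captured (phished) response is worthless.
verify_response() {           # $1 = challenge, $2 = base64 signature
  if grep -qx "$1" "$WORK/used_nonces"; then
    echo REPLAY; return 1
  fi
  printf '%s' "$1" > "$WORK/chal"
  printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig"
  if openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$WORK/sig" \
       "$WORK/chal" >/dev/null 2>&1; then
    echo "$1" >> "$WORK/used_nonces"
    echo OK; return 0
  fi
  echo BAD; return 1
}

demo() {
  enroll
  c="$(issue_challenge)"; r="$(answer_challenge "$c")"
  echo "genuine login:   $(verify_response "$c" "$r")"         # OK
  echo "replayed answer: $(verify_response "$c" "$r" || true)" # REPLAY
  c2="$(issue_challenge)"
  echo "stale answer:    $(verify_response "$c2" "$r" || true)" # BAD
}

demo
```

The point of contrast with a password: everything that crosses the wire (challenge and signature) can be phished or sniffed freely, and none of it lets an attacker log in later, because the next login gets a different challenge and only the holder of the key can answer it.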
(Score: 0) by Anonymous Coward on Friday June 03 2022, @04:43AM (1 child)
Passwords by themselves are likely to be phished. But cert private keys would be vulnerable if a client is compromised, so things like wireguard are not so great for random end users (only cert, and worse, with wireguard, the cert does not expire).
Both cert + password is better, e.g., openvpn, openconnect+ocserv, etc. (with short validity to signed certs / CRL), but setting up PKI might be too large a hurdle for many sites. And you also need clients to handle certificate updates without user intervention (most users will fail if you make them handle such details, and they will be annoyed at you for imposing on them, even if they can handle it).
I wrote a custom PKI (openssl doing the heavy lifting) to accomplish this (fully automated) at my old job when the pandemic hit. We only had a few hundred users, but manually managing cert signing etc. would have been too much of a hassle for the limited staff. With 10s of thousands of students, without an automated PKI component, the only practical option would be username+password by itself -- doing the PKI bits manually at such scale would be impractical.
(Score: 2) by Immerman on Friday June 03 2022, @11:16PM
Is there some reason updating private-key certs is more difficult than changing passwords?
I'm not well-versed in specific security systems, but it seems like it should be basically the same thing. Users just have to submit a new public key rather than a new password - easily done behind the scenes on a regular schedule or when prompted by the server.
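The kind of automated, short-validity client-cert PKI the commenter above describes, and Immerman's point that renewal is just submitting a new key, as one added shell example (not the commenter's own scripts, which are not on the page): a CA driven by the openssl CLI issues 1-day client certs, re-issues them on demand with a fresh key, revokes one and publishes a CRL, and a check function performs the verification a VPN server would. The CA name, user name, 1-day lifetime and file layout are placeholder assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the commenter's scripts: a minimal automated client-cert
# PKI using the openssl CLI. CA name, user, paths and the 1-day lifetime are
# placeholders chosen for this demo.
set -eu
PKI="$(mktemp -d)"; trap 'rm -rf "$PKI"' EXIT

# CA setup: config for `openssl ca`, CA key/cert, index and serial files,
# and an initially empty CRL.
init_ca() {
  mkdir -p "$PKI/newcerts"; : > "$PKI/index.txt"
  echo 'unique_subject = no' > "$PKI/index.txt.attr"   # permit renewing a live cert
  echo 1000 > "$PKI/serial"; echo 1000 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = $PKI
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$PKI/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$PKI/ca.key" -out "$PKI/ca.crt" -days 30 \
    -subj "/CN=Example VPN CA" 2>/dev/null
  gencrl
}

gencrl() {
  openssl ca -batch -config "$PKI/ca.cnf" -gencrl -out "$PKI/ca.crl" 2>/dev/null
}

# Issue or renew: new key and CSR for the user, signed for default_days (1 day).
# Fully non-interactive, so a login hook or cron job can run it for the user.
issue() {                     # $1 = username
  openssl req -config "$PKI/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config "$PKI/ca.cnf" -extensions v3_client \
    -in "$PKI/$1.csr" -out "$PKI/$1.crt" -notext 2>/dev/null
}

# Revoke the user's current cert and republish the CRL the VPN server loads.
revoke() {                    # $1 = username
  openssl ca -batch -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
  gencrl
}

# The check a VPN server does at connect time: chain plus CRL.
check() {                     # $1 = username
  if openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/ca.crl" \
       "$PKI/$1.crt" >/dev/null 2>&1; then echo VALID; else echo REJECTED; fi
}

# Is the cert still valid $2 seconds from now? Bounds how long a copied
# cert stays useful even if nobody revokes it.
still_valid_in() {            # $1 = username, $2 = seconds
  if openssl x509 -in "$PKI/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
  then echo YES; else echo NO; fi
}

demo() {
  init_ca; issue alice
  echo "fresh cert: $(check alice), in 1h: $(still_valid_in alice 3600), in 25h: $(still_valid_in alice 90000)"
  revoke alice;  echo "after revocation: $(check alice)"   # e.g. cert spotted on a crime forum
  issue alice;   echo "after renewal: $(check alice)"      # new key and serial, old one stays revoked
}
demo
```

Lifetime is the control that passwords lack: a cert copied off a compromised laptop stops working at the next scheduled renewal whether or not anyone noticed, while a phished password is good until someone does. Revocation plus a CRL the server actually loads covers the window in between.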
(Score: 2) by Immerman on Friday June 03 2022, @03:05AM (1 child)
How exactly is a certificate on their student ID useful for VPN?
Unless I'm deeply misunderstanding something, the idea of the VPN is to allow students to remotely connect to the university network (e.g. when working from home). And how many people have an ID scanner at home so they can successfully connect?
(Score: 3, Informative) by hubie on Friday June 03 2022, @05:21AM
I was thinking of a variety of smart cards that have certs on them and a PIN. The readers for them are built into a lot of laptops as it is, or USB ones are pretty cheap because there is an ISO standard that the cards are designed to. I've even seen them built into keyboards for a desktop machine. You can set up VPN to authenticate to the cert on the card and PIN. A lot of colleges already use some variant of a smart card for their student IDs, and it is used for almost everything (building entry, vending machines, even local town vendors use them in lieu of credit cards). They could easily set up their VPNs to require smart card authentication as it is done in many companies and governments.