Educause Security Discussion mailing list archives

FW: Reporting security issues in 802.1X Wi-Fi configuration instructions


From: "King, Ronald A." <raking () NSU EDU>
Date: Wed, 4 Aug 2021 14:40:50 +0000

More an FYI than actual questions:

Interesting one here. I deleted all the points of the lack of security in each's configuration and link to file. Really 
nothing new, but is this person really associated with University of Iowa and Syracuse? Is he trying to establish trust 
with the University? 

Thank you,
Ronald King
Director of OIT Security
 
With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook 
app, start by clicking/tapping "Junk/Report Junk!" 
 
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)


-----Original Message-----
From: hugohue () link cuhk edu hk <hugohue () link cuhk edu hk> 
Sent: Wednesday, August 4, 2021 2:22 AM
To: King, Ronald A. <raking () nsu edu>; 
Subject: Reporting security issues in 802.1X Wi-Fi configuration instructions

CAUTION:  This email originated from OUTSIDE of the organization. Do not click links or open attachments unless you 
recognize the sender and know the content is safe!

Dear Sir/Madam,

We are a group of security researchers from the Chinese University of Hong Kong (CUHK), the University of Iowa, and 
Syracuse University. We are writing to you regarding some potential security threats in the enterprise Wi-Fi 
configuration instructions prescribed by your institute. Specifically, when considering an attacker who sets up a rogue 
impersonating AP to pretend to be the campus/eduroam Wi-Fi, we found that there's a chance for users who follow the 
prescribed instruction to leak their SSO credentials. We inspected the Wi-Fi setup guides publicly available on the 
institute's website and would like to point out the issues on each OS-specific setting accordingly.

The following instructions prescribed are considered to be potentially insecure, ['Windows 10 (Campus Wi-Fi)', 'Windows 
7 (Campus Wi-Fi)', 'Android 7+ (Campus Wi-Fi)', 'Android 6- (Campus Wi-Fi)', 'iOS (Campus Wi-Fi)', 'Chrome OS (Campus 
Wi-Fi)', 'Windows 8 (Campus Wi-Fi)']

Windows 10 (Campus Wi-Fi): (Deleted)

Windows 7 (Campus Wi-Fi): (Deleted)

Android 7+ (Campus Wi-Fi): (Deleted)

Android 6- (Campus Wi-Fi): (Deleted)

iOS (Campus Wi-Fi): (Deleted)

Chrome OS (Campus Wi-Fi): (Deleted)

Windows 8 (Campus Wi-Fi): (Deleted)

Please find below the link to a set of sample configuration instructions suggested by our research team for mainstream 
operating systems including Windows 10, Windows 7, Android 6-, Android 7+, macOS, iOS, Chrome OS, to secure the 
connection of enterprise Wi-Fi with PEAP or EAP-TTLS.

If you think we have misunderstood the situation, or that you have any further follow-up questions, please feel free to 
reach out to us and we would be more than happy to discuss with you.

Thank you very much for your time.

Yours faithfully,
Hugo Hue

Contact: hugohue () link cuhk edu hk
Suggested instruction: https [://] drive [.] google.com/file/********************

=====================================
Research Assistant
Department of Information Engineering
Faculty of Engineering
The Chinese University of Hong Kong (CUHK)
=====================================

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
