UK parliamentary email compromised after 'sustained and determined cyber attack'

The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attack” over the weekend and says <90 email accounts have been compromised as a result. The event struck on Saturday and late that evening Parliament issued a “Statement regarding cyber incident” admitting that “We have …


  1. Duffaboy

    Passwords must be

    Strong and stable

    1. Dan 55 Silver badge

      Re: Passwords must be

      Wrong advice: Strong and changeable is better.

      Note: Not weak and changeable. That applies to the current government.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

        With a bit of luck they will be changeable, the current one seems faulty.

      2. Tom Paine

        Re: Passwords must be

        Actually, no longer. Next time an auditor or similar riffraff demand to know your password expiry rules, point them at this and watch their head explode.

        https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

        1. handleoclast

          Re: Passwords must be

          @Tom Paine

          Damn, I just posted that link, then read more comments and found you'd done the same.

          I'll leave mine up - it also has a little dig at the bureaucratic reorgs of CESG/NCSC/GCHQ which are little more than changing names of departments within a single organization for no good reason.

        2. Rustbucket

          Re: Passwords must be

          I believe the latest NIST suggestions on passwords also go against password expiry rules.

          http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

          Section 5.1

      3. handleoclast

        Re: Wrong advice

        Strong and changeable is better.

        Ummm, if you meant "frequently changeable" then no. Frequently changing your password was good advice back in the days when you worked with only one computer and it was used for classified work. These days, frequently changing your password is a bad idea.

        See this advice from CESG (which was part of GCHQ but which is now part of NCSC, which is part of GCHQ).

        1. Alan Brown Silver badge

          Re: Wrong advice

          "These days, frequently changing your password is a bad idea."

          But so is using the same password (or variants of) in any 2 locations, regardless of complexity.

    2. hplasm
      Coat

      Re: Passwords must be

      Strong and correct and battery and horsehouse...

    3. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Strong and stable

      True, but there are ways in which you can counteract weak passwords including but not limited to running your own crackers to identify them. The problem is that Parliamentary email is probably a Microsoft setup which is a risk in itself (there is, for instance, a pretty massive and unfixed bug in Office 365/2016 with which you can convince Outlook to actually give you the password but Microsoft deems it a "feature").

      I reckon I could make that bullet proof in a month (well, quicker, but I like to test things before I migrate 9000 security sensitive users) - I already have quite a number of famous email domains that are under dictionary attacks and so far it appears that what we've cooked up works so well that even honeypot accounts with "test123" and "password" as password don't get hit (that's "not" as in "not at all").

      Before anyone says "fail2ban", no - the clever ones have worked that one out. If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on. Hackers now typically use botnets so you have distributed IP addresses from where attempts come. Over sufficient different IP addresses you can do this slow enough for default fail2ban settings to time out and so prevent IP blocks (so, fail2ban users: extend your timeouts - at least double them). We also see this with website login attempts. Some are not *that* clever - we've seen one Chinese outfit who simply looped through their entire class C :).

      Reliance on strong passwords is a clear hint that this system has been developed by IT people for IT people, not end users. End users are not variables: they are a fixed, high level of risk. Changes to end users do not stick because they're humans, not machines - plan accordingly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

        how did that AC up there with the lecture get all those downvotes?

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          "how did that AC up there with the lecture get all those downvotes?"

          Criticized Microsoft. That's almost as bad as criticizing Israel or praising Trump or Putin.

          1. AndyS

            Re: Passwords must be

            "how did that AC up there with the lecture get all those downvotes?"

            Gave an ill-timed & boastful lecture, as AC, in response to a joke he apparently didn't get?

        2. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I suspect because people assume that it is impossible to harden email accounts to the point that the traditional dictionary attacks no longer work. Although I appreciate the cynicism (no, really, there's enough nonsense being sold so I don't mind the downvotes), it happens to be true - there are a LOT of things you can do to email to make it considerably safer without immediately encumbering yourself with certificate management and I have been using email in one form or another for some 30 years now.

          When I started our development there was no money whatsoever - like Russians forced to become intelligent in using lower spec computers due to US embargoes, we were forced into being smart with what we had because we didn't have the luxury to buy anything. That's when it all got interesting, and is also the reason why I remain AC.

          There will be more after the summer holidays, but let's just say that I have already seen some very basic things they have to change at whatever service that hosts parliament.uk.

        3. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I think it may be this line:

          the kind of people who get tasked with setting this up tend to be cheap contractors that are just called "consultants" so they can be billed at £1200/day

          Maybe Microsoft "consultants" don't like to be outed.

      2. Tabor

        Re: Passwords must be

        "I reckon I could make that bullet proof in a month".

        Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

          I post as AC because we're not ready yet. If we were a simple YAMT (Yet Another Me Too) in the security industry it would be easy to attract investment from Silicon Valley, but saturated markets are boring (I don't mind the money, of course, but I prefer sustained value over the mayfly nature of that market so we're not planning to play that game). I reckon we're a couple more months away from going live. We're already running a few services for friends which use what we developed and it is very entertaining to see dictionary attacks just bounce off test accounts which explicitly have "password" and "123456" set as password :)

      3. Flywheel

        Re: Passwords must be

        From what you say it might be easier and safer to change the users: hopefully we won't have to wait another 5 years though.

      4. Alan Brown Silver badge

        Re: Passwords must be

        "If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on."

        There are certain account names that the botnets always try. Once you spot the pattern you can insta-ban when they try it.

        1. This post has been deleted by its author

    4. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Passwords must be

      Strong and stable

      It wouldn't let me have that, I had to use "Strong&Stable1"

    5. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      I'd bet 90% have "Corbyn4PM" as their password and that includes some Tories. The rest probably "MayBot", "MayColdBitch", "AmberRudderless" or something that references "Cold" or "Bitch" in some combo or other. Any number they use will likely be the margin/number of votes they won by.

      My suggestions are not meant to imply anything, regards my own point of view.

    6. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      is "coalitionofchaos" a strong enough password?

      or should I go for "thedinosaursdontexist"?

      or "gaysarebadandsoisabortion"

    7. Jason Bloomberg Silver badge
      Coat

      Re: Passwords must be

      "Covfefe".

      1. Alister
        Joke

        Re: Passwords must be

        Covfefe

        To be fair, it's not a dictionary word...

        Yet!

    8. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      ...and no password is better than a bad password.

      Wait...

    9. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      "Strong and stable" implies two-factor authentication

      If they had that, they wouldn't have this issue...

    10. Alan Brown Silver badge

      Re: Passwords must be

      Servers should be running software which looks for crack attacks and locks out the attempting systems

      It's not as if fail2ban or denyhosts haven't existed for around 20 years and it's not as if they don't pay attention to imap/smtp failures as well as ssh.

      That an attack like this is actually "news" speaks more about the lack of competence of the people running the parliamentary email system than it does about the attacks - which have been a feature of the Net for more than 20 years. If I turn off denyhosts I get hundreds of breakin attempts per minute on SSH alone.

      And yes, botnets try to go slow and not trigger these watchers (extend the timeouts), but they always try the same account names and this can be used to insta-ban the IP. (Check your logs, you'll see the patterns. I have 244 usernames which will generate an instant ban.)
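The two detection ideas in this thread, correlating failures per account across many source addresses (the post about botnets outpacing fail2ban) and instantly banning any address that tries a username no real user has (the 244-name list above), as an added example that is not code from the page or from any of the commenters. The log format, the sample lines, the account names and the decoy username list are all constructed for the example; a real deployment would feed it the mail server's own auth-failure lines and its own decoy list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, invented format (not real
# Dovecot/Postfix output and not taken from the page). Timestamps are UTC.
# mp.smith gets one failure every few hours from a different address each
# time: too slow and too spread out for a per-IP tool to ever trip.
SAMPLE_LOG = """\
2017-06-24T13:01:10 auth-fail user=mp.smith ip=198.51.100.7
2017-06-24T15:47:52 auth-fail user=mp.smith ip=203.0.113.22
2017-06-24T19:12:03 auth-fail user=mp.smith ip=192.0.2.45
2017-06-24T23:58:40 auth-fail user=mp.smith ip=198.51.100.80
2017-06-25T04:20:15 auth-fail user=mp.smith ip=203.0.113.99
2017-06-25T06:02:00 auth-fail user=mp.jones ip=192.0.2.45
2017-06-25T06:02:01 auth-fail user=mp.jones ip=192.0.2.45
2017-06-25T06:30:00 auth-fail user=admin ip=198.51.100.200
2017-06-25T06:30:02 auth-fail user=test ip=198.51.100.200
2017-06-25T06:31:00 auth-fail user=mp.jones ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) auth-fail user=(\S+) ip=(\S+)$")

# Hypothetical decoy list: account names that exist on no real mailbox here.
# The poster keeps 244 of them; these three are made up for the example.
DECOY_USERNAMES = {"admin", "test", "administrator"}


def parse_line(line):
    """Return (timestamp, user, ip) for a failed-auth line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_distributed_sprays(log_text, window=timedelta(hours=24), min_ips=4):
    """Per account, sliding-window count of distinct source IPs.

    A per-IP tool sees only one or two failures from each address and
    times them out; keying on the account instead exposes a slow spray
    spread over a botnet. Returns {user: set_of_ips} for accounts that
    saw failures from at least `min_ips` distinct IPs inside `window`.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[user].append((ts, ip))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        recent = deque()              # (ts, ip) pairs still inside the window
        ip_counts = defaultdict(int)  # ip -> number of events still in window
        for ts, ip in evs:
            recent.append((ts, ip))
            ip_counts[ip] += 1
            # Drop events that fell out of the window ending at this event.
            while recent and recent[0][0] < ts - window:
                _, old_ip = recent.popleft()
                ip_counts[old_ip] -= 1
                if ip_counts[old_ip] == 0:
                    del ip_counts[old_ip]
            if len(ip_counts) >= min_ips:
                flagged[user] = set(ip_counts)
    return flagged


def instant_ban_candidates(log_text, decoy_users=DECOY_USERNAMES):
    """IPs that attempted a decoy username.

    No legitimate client ever authenticates as these names, so a single
    attempt is enough evidence to block the source at once, however
    slowly the botnet paces itself.
    """
    ips = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in decoy_users:
            ips.add(parsed[2])
    return ips


if __name__ == "__main__":
    for user, ips in find_distributed_sprays(SAMPLE_LOG).items():
        print(f"possible distributed spray on {user}: {len(ips)} source IPs")
    for ip in sorted(instant_ban_candidates(SAMPLE_LOG)):
        print(f"instant ban: {ip}")
```

On the constructed sample, mp.smith is flagged (five addresses inside one day) while mp.jones is not, and 198.51.100.200 is a ban candidate because it tried two decoy names. The account-keyed window is the part fail2ban's per-IP model lacks; the decoy-name rule needs no window at all.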

  2. Dan 55 Silver badge
    WTF?

    Just one password preventing the whole of the Internet getting in?

    I was expecting that all devices which needed access to a Commons e-mail account to have a certificate installed or something. The right honourable gentlemen are hardly going to need an Internet cafe for access.

    1. Doctor_Wibble
      Boffin

      Re: Just one password preventing the whole of the Internet getting in?

      On a system that they want to be available from anywhere, this is inevitable to an extent, making it only via VPN would at least help but still ultimately be the same problem but shifted a bit.

      MPs/milords/staff account names will surely be guessable, so 2000+ accounts, a list of several thousand passwords to try, and a botnet of however-many drones all trying the same thing, is definitely going to count as 'serious attack'. Do it in one big lump starting on a Friday afternoon and hope nobody notices what's actually happening before you've managed to get a few.

  3. tfewster
    Facepalm

    Everything our elected MPs say and do is apparently so important and sensitive that they're exempted from the Snoopers charter etc. Yet their email doesn't require 2FA or lock them out after multiple failed logins? Oh, sorry, I forgot they were too important to be bothered with plebian matters like that.

    I guess the ones who were still able to access emails had auto-forwarded them to hotmail

    1. Anonymous Coward
      Devil

      If you add all that 2FA or certificate stuff...

      .... they will set up their own mail servers like Hillary Clinton did - or use Gmail - because all that "stuff" is too complex for the average MP/assistant/etc.

      1. Dr Dan Holdsworth
        FAIL

        Re: If you add all that 2FA or certificate stuff...

        Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

        2FA for email is similarly not rocket science, and it is also not beyond the bounds of possibility to produce small, laminated instruction cards (laminated to prevent the poor dears writing their password on the card) which detail how to log in using the 2FA dongle. Tricks like this work wonders when you have thick users, or so I am told.

        2FA plus Fail2Ban with suitably long time outs on the IP logger, together with intelligently-designed supplementary rule-sets such as a blanket ban on all Chinese, Russian and North Korean IP ranges and a strong and secure VPN for access from foreign climes which relies partly on ssh keys for authentication. Do that, and yes, any random script kiddie can have a pop at a dictionary attack, but no, said random script kiddie isn't going to actually get anywhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you add all that 2FA or certificate stuff...

          Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

          With all due respect, 2FA isn't the answer here - at least not in its current implementation. Do you want all these tablets and smartphones ask for a 2FA code every time they poll (which is generally 15 minutes or less)? 2FA is OK for an interactive login process like webmail, but sucks for automated retrieval.

          There are many ways to address this, but just blindly declaring 2FA as the solution is giving in to root cause seduction without having looked at the whole picture. I can tell you one thing: I am 98% certain I know EXACTLY why these people chose simple passwords, and that is a problem that can only be fixed in multiple stages. I think I may need to give them a call later.

    2. Nick Ryan Silver badge

      Of course not. However even without 2FA, all they'd need is a half decent security approach, however given the government's approach to anything recently, IT related or not, it's no wonder that the parliamentary IT system follows the same principle.

      2FA is a good idea, let down by reality and usually compromised by the implementation and hamstringing convenience. Sending access codes to a device that the user is likely to have in hand doesn't really increase security much, likewise codes sent to other devices or accounts - the end result is often a system that's so inconvenient that users try to avoid using it. Poor mobile support for 2FA, e.g. so users can use modern technology and standard(ish) applications to access their email or documents doesn't help either - seriously, a secure email application doesn't have to be an unusable PoS compared to the ones supplied for free by Apple, Google or Microsoft.

      Remote email clients can easily be protected with client certificates - this doesn't help much when losing the device, or access to the device, but it does help prevent non-authorised connections which is what this is all about.

      This is before smart stuff can be done on the server side, for example rate limiting incorrect logins - the technique has been around for years through simply steadily increasing the delay between allowed login attempts. This can be enhanced through reducing or bypassing the delay for expected originating IP addresses as this can reduce the DoS prospect.

      Nothing hard, and as another poster has noted - why do they not run dictionary attacks against their own accounts? It's a simple process and greatly reduces the use of poor passwords.
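The server-side rate limiting described above (a steadily increasing delay between allowed attempts, with the delay reduced for expected originating addresses so the throttle itself cannot be turned into a denial of service), as an added example that is not the poster's code or any product's implementation. The trusted network range, the delay constants and the account names are assumptions chosen for the example; the clock is injectable so the behaviour can be checked without sleeping.

```python
import ipaddress
import time
from collections import defaultdict


class LoginThrottle:
    """Progressive per-account login delay with a cap for expected sources.

    Keyed on the account rather than the source IP, so spreading attempts
    across a botnet does not reset the counter. Failures from inside
    `trusted_networks` (assumed here to be the organisation's office/VPN
    ranges) still count, but the delay enforced on them is capped at
    `trusted_max_delay`, so an outsider hammering an account cannot lock
    the real user out for long.
    """

    def __init__(self, trusted_networks=(), base_delay=1.0, max_delay=300.0,
                 trusted_max_delay=2.0, reset_after=3600.0, clock=time.monotonic):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.trusted_max_delay = trusted_max_delay
        self.reset_after = reset_after
        self.clock = clock
        self.failures = defaultdict(int)  # account -> consecutive failures
        self.last_failure = {}            # account -> clock time of last failure

    def _is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def _expire(self, account):
        # Forget the failure history once the account has been quiet long enough.
        last = self.last_failure.get(account)
        if last is not None and self.clock() - last > self.reset_after:
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)

    def required_delay(self, account, ip):
        """Seconds the caller must still wait before `account` may try again."""
        self._expire(account)
        n = self.failures.get(account, 0)
        if n == 0:
            return 0.0
        # Delay doubles with each consecutive failure: 1, 2, 4, 8 ... up to max.
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        if self._is_trusted(ip):
            delay = min(delay, self.trusted_max_delay)
        elapsed = self.clock() - self.last_failure[account]
        return max(0.0, delay - elapsed)

    def attempt(self, account, ip, verify):
        """Apply the policy to one login; `verify()` checks the credential.

        Returns (accepted, seconds_to_wait). While throttled the credential
        is not checked at all, so a guess made too early tells the caller
        nothing about whether it was right.
        """
        wait = self.required_delay(account, ip)
        if wait > 0:
            return False, wait
        if verify():
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)
            return True, 0.0
        self.failures[account] += 1
        self.last_failure[account] = self.clock()
        return False, 0.0


class FakeClock:
    """Deterministic stand-in for time.monotonic, used for the demonstration."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(trusted_networks=["10.0.0.0/8"], clock=clock)
    wrong, right = (lambda: False), (lambda: True)
    for _ in range(4):  # outside attacker (constructed address) keeps guessing
        print("attacker:", throttle.attempt("mp.smith", "203.0.113.9", wrong))
        clock.advance(throttle.required_delay("mp.smith", "203.0.113.9"))
    print("outside wait:", throttle.required_delay("mp.smith", "203.0.113.9"))
    print("office wait: ", throttle.required_delay("mp.smith", "10.1.2.3"))
    clock.advance(2.0)
    print("office login:", throttle.attempt("mp.smith", "10.1.2.3", right))
```

The delay is tied to the account, which is what a distributed slow attack is trying to avoid, while the cap for trusted ranges is what keeps the legitimate user's inconvenience bounded. Whether a client certificate, as suggested in the same post, should bypass the throttle entirely is a policy choice this example leaves to the operator.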

  4. Anonymous Coward
    Anonymous Coward

    If they got access I fully expect the Jimmy Savilles of the current political class to be named.

    Paedo's, rapists, murderers, the lot of them.

    1. Anonymous Coward
      Anonymous Coward

      I see I have some down votes, colour me surprised.

      Ted Heath

      Cyril Smith

      Lord Brittan

      To name but a few.

      I see some people must think that people in power will no longer abuse their positions.

      I'm glad you all live in your hairy fairy world of joy and happiness.

      1. Primus Secundus Tertius

        @ coloured surprised

        The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely.

        When I was a small child I was very angry when some grown-ups ignored my views just because I was a child. But there are some people whose views should be ignored. In the history of these child abuse allegations, there have been too many cases where the uncorroborated evidence of one person has led to proceedings that have come unstuck.

        Yes, there have been cases, for example in Rotherham, where police have ignored justified allegations. But the eventual convictions came after testimony from several parties. And the guilty men were ordinary criminals, not politicians.

        Where police have acted, or inacted, wrongly they should be censured for lack of judgement, not failure to follow procedures.

        1. Anonymous Coward
          Anonymous Coward

          @Primus

          "The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely."

          I'll agree with you on Heath but I will never agree on that paedo Brittan. He dodged the police for decades then claimed dementia while still claiming his lords money.

          Also one has to question the funding of "PIE" in the 80's by the home office.

          https://en.wikipedia.org/wiki/Paedophile_Information_Exchange

          Still don't think there were more or are more?

          1. Anonymous Coward
            Anonymous Coward

            I'll agree with you on Heath but I will never agree on that paedo Brittan. He dodged the police for decades then claimed dementia while still claiming his lords money.

            I don't believe there's any credible public domain reason to conclude that Brittan was probably a paedophile. I suspect you're thinking of Greville Janner, Labour MP for Leicester West, where there were ample accusations from multiple sources across at least two decades, and the governments, Clown Prosecution Service and police deliberately looked the other way.

      2. Anonymous Coward
        Anonymous Coward

        "To name but a few."

        I presume you have submitted the evidence you obviously have to the police?

        1. Bernard M. Orwell

          "I presume you have submitted the evidence you obviously have to the police?"

          How about a tacit confession of collusion? Buckle up and watch this BBC clip. Once you've done so, understand that it was part of the body of evidence against parliamentarians that caused an inquest to be opened. An inquest that was deliberately derailed by T. May and co. She "lost" records more than once, had the chairperson removed at least twice and finally, quietly closed down the inquiry.

          yeah, pretty sure there was sufficient evidence for plod to proceed.

          https://www.youtube.com/watch?v=GwkOWPauu_A

          [Transcript for those who can't watch YouTube right now]

          A short extract from the Michael Cockerell documentary 'Westminster's Secret Service' broadcast by the BBC in 1995.

          Tim Fortescue was a Whip under Edward Heath between 1970 and 1973. In the documentary it was revealed that the Chief Whip kept a little black 'dirt book' which contained information about MPs, and this was used as a method of political control.

          "Anyone with any sense who was in trouble would come to the Whips and tell them the truth, and say now, "I'm in a jam, can you help?" It might be debt, it might be a scandal involving small boys, or any kind of scandal which a member seemed likely to be mixed up in, they'd come and ask if we could help. And if we could, we did. We would do everything we can because we would store up brownie points. That sounds a pretty nasty reason but one of the reasons is, if we can get a chap out of trouble, he'll do as we ask forever more."

      3. Anonymous Coward
        Anonymous Coward

        I see I have some down votes, colour me surprised.

        I'm not one of them, but I could theorise that that is because such people would not use their parliamentary email account for that. There's no accounting for stupidity, of course, but evil people tend to be good at hiding things so that they can continue doing evil things.

        Just a theory.

    2. Anonymous Coward
      Anonymous Coward

      > If they got access I fully expect the Jimmy Savilles of the current political class to be named.

      Perhaps, but not publicly. They'd just become targets for real blackmail "Do this or else this evidence gets out..."

      None of which is helpful to the general public.

    3. rh587

      Paedo's, rapists, murderers, the lot of them.

      By "the lot of them", I can only conclude that you are telling us the late Jo Cox was a paedo, rapist and/or murderer?

      Seems unlikely.

  5. Voland's right hand Silver badge

    If it did not have 2FA or certs it was asking to be hacked

    No 2FA? No certs? No failed login limits? In 2017?

    What f*** state sponsored bullshit are these cretins talking about? A kid can assemble the scripts to mount the attack on this on his desk. It is 20 years out of date in terms of security policy - this could be attacked by script kiddies in 1997 same as it can be attacked by anyone today.

    I thought the parliament bought into Office365. If that is still the case which cretin DISABLED the failed login limit which comes by default with the cloudy version of Exchange and Outlook? Can the idiot be named, shamed and publicly take responsibility.

    By the way - this is literally a reprint of what Graunidad and other news outlets have already posted. I would have expected el-reg at least to be able to update us on what they are using and which idiot they outsourced the maintenance to.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it did not have 2FA or certs it was asking to be hacked

      "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

      1. Voland's right hand Silver badge

        Re: If it did not have 2FA or certs it was asking to be hacked

        "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

        It sounds like "a day in the strife" for me - there is a constant trickle of brute force attempts in my logs. The current fashion is to try SMTP auth for that.

        1. AndrueC Silver badge
          WTF?

          Re: If it did not have 2FA or certs it was asking to be hacked

          there is a constant trickle of brute force attempts in my logs.

          Same here although I wonder at the intelligence of some of the script writers. A quick check shows attempts to log in to my server using the user names:

          xdfrieortu

          cbmoiwueu

          xbvwtywefo

          pjkiuyl

          qwkoud

          ..before my server put the source IP address on the naughty step.

          If they at least cycled through the character set it might make sense. But random sequences of characters? Is this some clever hacking trick I have missed?

          1. Doctor Syntax Silver badge

            Re: If it did not have 2FA or certs it was asking to be hacked

            "But random sequences of characters?"

            That looks more like random keyboard mashing than anything computer generated. Look at the pairs of adjacent keys in there.
