Chuck Leaver – Sort Out Your Security UK Parliament Email Attack

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


In the online world the sheep get shorn, chumps get chomped, dupes get fooled, and pawns get pwned. We have actually seen another excellent example of this in the recent attack on the UK Parliament email system.

Instead of admitting to an e-mail system that was not secure by design, the official statement read:

Parliament has robust procedures in place to protect all our accounts and systems.

Yeah, right. The one protective procedure we did see at work was deflecting the blame – pin it on the Russians, that always works, while implicating the victims for their policy offenses. While details of the attack are scarce, combing various sources does help to assemble a minimum of the gross scenario. If these accounts are reasonably close, the UK Parliament email system failings are scandalous.

What failed in this case?

Depend on single factor authentication

“Password security” is an oxymoron – anything password secured alone is insecure, that’s it, irrespective of the password strength. Please, no 2FA here, may hamper attacks.

Do not enforce any limitation on unsuccessful login attempts

Assisted by single aspect authentication, this permits easy brute force attacks, no ability needed. However when violated, blame elite foreign hackers – nobody can validate.

Do not carry out brute force attack detection

Allow opponents to conduct (otherwise trivially noticeable) brute force attacks for extended periods (twelve hours against the United Kingdom Parliament system), to maximize account compromise scope.

Do not enforce policy, treat it as simply tips

Combined with single element authentication, no limit on failed logins, and no brute force attack detection, do not impose any password strength validation. Supply opponents with very low hanging fruit.

Rely on anonymous, unencrypted email for sensitive interactions

If opponents do succeed in jeopardizing e-mail accounts or sniffing your network traffic, provide plenty of opportunity for them to score high worth message content totally withput obstruction. This also conditions constituents to trust readily spoofable e-mail from Parliament, developing an ideal constituent phishing environment.

Lessons learned

In addition to adding “Sound judgment for Dummies” to their summer reading lists, the United Kingdom Parliament email system admin may wish to take further actions. Strengthening weak authentication practices, imposing policies, improving network and end point visibility with constant monitoring and anomaly detection, and entirely reconsidering safe and secure messaging are suggested actions. Penetration screening would have revealed these fundamental weaknesses while staying far from media attention.

Even a couple of clever high schoolers with a free weekend might have duplicated this violation. And finally, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy structure will be probed and exploited by some party someplace throughout the international internet. All the more incentive to find and repair those weak points prior to the hackers do, so turn those pen testers loose. And after that if your defenders don’t have visibility to the attacks in progress, update your tracking and analytics.