The sound you hear
is that of crypto-experts past (Alan Turing included) spinning in their graves
Hilarious blunder, especially coming from GCHQ
Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …
Helped my brother-in-law to register on the Landlord Registration central online system for Scotland. Asks for a password, try one, sorry not long enough (and no, it was not "mypenis"). Try another, sorry must have numbers and both upper and lower case characters. Try a third to meet those security aspects and its is happy.
Then I get an email, absolutely unencrypted as you would expect, with both user name and password!
SECURITY FAIL! (to borrow from Eadon, but here it seems justified as being AC I can't use the icon)
The financial system of one of my (large, public sector, UK) clients I use to manage the purchase orders they place with my company requires a password. Helpfully it informs me that it must be "at least 1 character(s) long". I have pointed this out, several times, over several months....
I've written my PIN down before in amongst a lot of other numbers to disguise it, and then forgotten which 4 digits were the right ones, so I contacted the bank to let them know I'd forgotten it. They sent me a "here is your PIN" letter and it had the same PIN (the digits were in my note). So they must be storing PINs in plain text too.
Well, to a third party the salted passwords might be difficult but since the bank knows the mechanism for the salt and there are less than 10000 combinations, excluding non available combinations means they could brute force their own hashes very quickly. A test script I just ran which generated 9999 salted passwords and tests every single one vs the salted and hashed known value, generating the full 9999 for each test only took 90 seconds on a single core machine... of course in a real one you'll break out far earlier but you can really say if password usage was evenly distributed throughout the range an average on an ageing single core machine is 45 seconds... I suspect a bank can have that done in under a tenth of the time.
Banks use Hardware Security Modules (HSMs) to hold PINs which are heavily protected beasts.
Without physical access it's pretty much impossible to get anything out of them and then they normally have a myriad of access detection sensors which delete the memory if you try anything (I've tried kicking one, it got upset and deleted everything)
I wouldn't worry about these normally but I recently found that BarclayCard will display your PIN on the web site if you ask, that sounds very silly to me.
Heh. Yup, HSMs give the really awesome protection of having the private/secret key never leave the HSM, so barring someone physically stealing the HSM, the stuff encrypted by it is safe.
OTOH, if someone were to have direct access to the HSM *and* the config info to use it... Oopsie! (Hopefully, they're running it at FIPS 140-2 Level 3...)
I think my bank (Yorkshire) stores it's secret answers in non-encrypted format. The answers used to be case sensitive, then one day they ceased to be so. I used their internal ticketing to ask why the change. The answer was that too many people were forgetting case sensitivity so they turned it off. What worries me is the fact that I didn't have to change my password when they did this, and the fact that now I can WrITe My SecRET AnsWERS in ANY caSE I liKe tells me they arn't encrypted, and probably neither are the passwords.
A feeble excuse, and all the more feeble because they have been in the business of specifying best practice in security matters for a long, long time - far longer than they've been using this 'legacy' system, I'd wager.
I have a lot of respect for GCHQ, but they really do need to work on their public interface.
This post has been deleted by its author
"Should GCHQ want to recruit people who 'forget' their passwords?"
Everyone forgets their password from time to time. Or locks out their account. Or....
Just because a person is one of the best cryptanalysts in the world doesn't mean they don't have a memory like a sieve.
However, for an intelligence agency to be storing passwords in plain text is inexcusable. Even on a peripheral system. It doesn't matter whether they are sending out plain-text password reminders, as such. It is that they are storing them insecurely. Which is bad. Very bad.
Should GCHQ want to recruit people who 'forget' their passwords? Best regards .... Nigel Sedgewick
The sort of folk that GCHQ and Spookery need, are the sort of folk who recruit GCHQ and Spookery for their needs and feeds and seeds.
Best Regards .... and more anon as ProgramMING Programming proceeds.
Is problem folk for problemed folk the right SMARTR answer which delivers change you can see in presentations rather that just hope and false dawns you are pimped to believe in and blindly support in ignorant servitude, which appears to be status quo establishment fare and their pathetic vapourware?
Answers in an email to ....... well, if it be to any status quo establishment systems it may as well be to Mars for all the good that they can provide, is what you will find to be too true to ignore as other than a fact which is hidden behind fictions and spinning tales of non daring do nothing creativity and mayhem.
"...it's GCHQ who are responsible for national security issues."
Except that the site in question has precisely zip in any form of national security information on it. It only has harmless information, such as your name, address, telephone number, all registration numbers, friends names and addresses, relatives names and addresses, etc.
Totally innocuous information. From a national security standpoint. ;)
Seriously though, at least all of the national security information is on its own segregated network.
Trying to remember the name for it now. The US starts with NIPRnet, SIPRnet and JWICS.
Ah, I remember now! BBCnet.
I once did an application for a similar type of organisation. There was a very clear warning at the beginning. If you got the password wrong three times, your account would be locked out. And there was no password recovery option. That's how you do proper security, and weed out applicants who can't remember a password.
that some bloke in the comments said that no intelligence agency would keep the list and details of their agents on a machine connected to the computer, no way, cause like, they're too smart to stumble for such an obvious risk? Well, he severely underestimated the power of the human mind!
You think that's bad I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass. I had only been working there for a few months so he didn't know my face either. We also often swapped ID badges to see if it would be spotted. This was at the Oakley site perhaps Benhall was different.
This post has been deleted by its author
Maybe he thought you were simply showing your 'lunch' as an explanation to where you've been, then probably shaking his head after you've gone passed.
GCHQ's just a couple of miles from me, maybe I'll get a pizza, and try my luck getting through the gate with a cheesy smile, a red peaked cap and a little wave of the pizza box! OK, maybe I won't - 'tis a boring place.
More ID card stories from colleagues.
1. Driving onto site and realised ID card was in the boot. Waved a piece of toast at guard and waved onto site.
2. Pasted a picture of a gorilla onto ID card. Took it off a week later 'cos no-one had challenged it.
Hi to all at T42. Hope you are still whipping up a storm.
"Names, dates, family members, passport numbers, housing information". Not just that.
If this is used to provide information for security vetting, it is basically everything needed for complete identity theft.
Full names addresses and dates of birth for all family members back to Grandparents including Maiden names. All addresses for the last 10 years. All schooling and all past employers. All bank account and investment details. About the only thing they do not ask for is the Dog's name.
Tell me how many places ask Security questions based on this information. Then tell me how serious this isn't?
Biting the hand that feeds IT © 1998–2020