Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Page:

Wednesday 27th March 2013 10:51 GMT Dodgy Geezer

...But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards....

Aha - I think I see the problem here.

WHAT 'absolutely critical national-security information' have we got?

We used to have a lot, when we ran half the world, and had a military that was equal to/better than the US. Those were the days when our position needed to be considered amongst the world's powers. Now, however, we are not really part of the game any more.

Perhaps someone might be thinking of attacking us, and needs some information on our defences? The Falklands showed how any real information passing through the intelligence system soon got ignored if it didn't conform to pre-determined government policy. At the moment we could be considered as 'under economic attack' from the Chinese. And what are we doing about it? Stuffing our own economy with green taxes in an attempt to de-industrialise.

We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't...

4 1
This post has been deleted by its author
Wednesday 27th March 2013 11:10 GMT batfastad

Amateurs?

Amateurs? Or an amazing honeypot?

It's probably not an in-house package but there must be some bods at GCHQ who do the security auditing of code, right?

0 0
Wednesday 27th March 2013 11:20 GMT batfastad

The ones to worry about

The sites to worry about are those that enforce a low max length (<20 chars) and disallow special characters. If it's being hashed/crypted properly then the maximum length and any special characters are irrelevant.

Rather than that stupid cookie law crap how about a law requiring sites to display their password storage procedures with big fines for not telling the truth (proper big fines, not the stuff the ICO hand out at the moment for data breaches). It won't prevent idiots being in control of a computer and developing rubbish software though unfortunately.

Do we know what careers software this is and who the developers are?

0 1
Wednesday 27th March 2013 11:24 GMT Vladimir Plouzhnikov

It's all old news

I saw a documentary on this a few month back. Spies IDs list stolen, sky fell etc etc. There was one agent, he sorted it all out in the end. I think his name was Bomb or Bond or something...

4 0
1. Wednesday 27th March 2013 17:39 GMT PhilBuk
  
  Re: It's all old news
  
  Nah, it was Ethan Hunt.
  
  Phil.
  
  0 0
Wednesday 27th March 2013 11:25 GMT Benchops

This is no blunder

They're distracting attention away from something else!!

0 0
Wednesday 27th March 2013 12:17 GMT Anonymous Coward

Upgraded my broadband service with my ISP - which is a big UK one. Gobsmacked to receive a confirmation email which included my existing password in plain text. As it was one I had set myself a while ago then they obviously store them in an unsafe way.

1 0
Wednesday 27th March 2013 12:46 GMT 0perat0r

"Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't." On the basis that they know their own keys/salts:

http://www.theregister.co.uk/2013/03/26/our_crypto_kind_of_sucks/

1 0
This post has been deleted by its author
Wednesday 27th March 2013 14:20 GMT Mr Spock

Pay peanuts, get monkeys.

This is the same GCHQ that couldn't understand why hardcore tech gurus weren't flocking to work for them for £25,000 a year. Hardly surprising they can't employ someone with a clue about password security, then.

4 0
Wednesday 27th March 2013 14:53 GMT Anonymous Coward

Oops!!

That is all.....

0 0
Wednesday 27th March 2013 16:26 GMT Al Jones

Password Retrieval vs Password Reset

If the concern is that passwords are sent in e-mail that can be intercepted, then password reset links are just as vulnerable..

If the concern is that hacker can get access to a plaintext list of usernames and passwords on the website, then they've probably already gotten access to the far more valuable personal information that has been uploaded to the website.

GCHQ should do better, but if you're worried that someone might get access to data on their webserver, and your concern is that you used the same password for GCHQ as you used for your Amazon account, then I think you're missing the forest for the trees!

1 0
Wednesday 27th March 2013 17:43 GMT PhilBuk

Patronising Twats

Love the patronising bit in the reply, "This comes with clear instructions of how to protect their data."

It's not them that that should be protecting the data - it's your job!

Phil.

1 0
Wednesday 27th March 2013 17:49 GMT Paul Hovnanian

Plaintext storage

Nothing new here. Back in the day when I worked for a major US defense contractor, we had a 90 day password change requirement for their IT access control system. The change rules were quite onerous and woe to anyone who just tried to roll from 'password01' to 'password02'. Changes deemed 'too simple' were rejected.

My best guess is that they stored passwords in plaintext and tested changes against the old version*. Compromised systems were par for the course at this outfit.

*Easy work around: The validation algorithm could only look at the present password, so it was a simple matter of remembering two different ones and switching back and forth every three months.

1 0
Wednesday 27th March 2013 18:14 GMT Mike 16

Password reset?

You might want to check with the lady above left about how secure such systems are.

Anybody who cares can probably find all the answers to a typical company's "security questions" for any person who even has a presence on the Internet. (My first use of the Paris icon, but then, you don't have Ms Palin)

0 0
Wednesday 27th March 2013 20:35 GMT Anonymous Coward

perfect cover

When Mossad agents mysteriously materialise in a Mediterranean hotel and casually top a high ranking Palestinian they don't like the look of, the fake passports they use will need some quality details. What better way of obtaining the data for such a project from their obliging chums at GCHQ, all easily bind-alleyed by blaming a legacy contractor?

After the man in a suitcase clusterfuck, I wouldn't put any kind of Machiavellian weirdness past our erstwhile black helicopter drivers.

1 0
Wednesday 27th March 2013 23:36 GMT Joe Montana

FAIL?

What's strange is that GCHQ put a website online available to the public without it being pentested first, usually government sites must be tested by a company that's a part of the government pentest scheme (operated by CESG). Either that, or whoever tested the site missed something so ridiculous?

Incidentally, while storing plaintext passwords is generally regarded as a bad thing, every windows system does exactly this - stores plaintext passwords in memory as well as letting you authenticate using the hash itself (ie the hash becomes plaintext equivalent). If anyone else did something so stupid their products would be banned, but ms gets a free pass.

0 0
Thursday 28th March 2013 04:48 GMT JaitcH

GCHQ, another Mad MAY operation

Seems like the all time ministrial loser of all time, Mad MAY, is failing again.

I wonder what part of her extensive purview actually functions? And she wants the ability to bug the whole of the UK?

0 0
1. Thursday 28th March 2013 05:35 GMT amanfromMars 1
  
  Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments
  
  ..... or is that a MkUltraSensitive and Secret Intelligence Service Virtualised, Phormed and Established and Never Ever .... well, Hardly Ever unless Need to Know Requires IT, .... to be Officially Recognised and Touted like some Sort of Spooky First Class Upper Class Pro Hooker?
  
  We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't… …. Dodgy Geezer Posted Wednesday 27th March 2013 10:51 GMT
  
  And, Dodgy Geezer, as any DODGI Cyber Systems Warrior/AIMODified Virtual Pioneer worth the wearing of the moniker knows, one cannot successfully defend unless one knows how to win win with attacks, and whenever one knows how to win win with attacks, is defense not nearly as attractive and exciting and lucrative as successful Anonymous Almighty Attacks ….. AAAssaults?
  
  Which is and has been, and will be most probably always continue to be, in a System of Primitive Primary Protocols, something of an Abiding Enigma which Exercises IntelAIgent Community Enterprises with Exploitation and Advancement through Zeroday Vulnerabilities and Systemic Program Weaknesses …… which are always controlled by failing humans and thus always an Open Source Window and PerlyGatesPython Door ajar for stealthy virile trojan entry into the sweet sticky core that drivers their follies and foibles/passions and vices/sins and dreams.
  
  Who Dares and All That, in All of That, Win Wins and Always Loses FailSafe. ….. Capiche?!.
  
  Comprendez, GCHQ/MI5/MI6/CESG/OCSIA …… or does IT need to be spelled out in words of a few syllables for y'all, to more easily understand that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use ……. although surely, even the slowest and dimmest of wits in such fields as are tilled here would accept that which has just been said, as that which quite adequately describes that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use.
  
  And I think all of that, Dodgy Geezer, is something worth spending defence money on ..... and exporting to any who have need of cyber defence which can successfully attack with AAAssaults ...... and the multi-billion dollar question is ..... Whose defence money/Which currency will lead, for any and all have equal attraction and value in the great scheme of things.
  
  0 1
  1. Thursday 28th March 2013 08:36 GMT amanfromMars 1
    
    Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments
    
    Oh, and you might want to know, for one might need to know, that all of the above is quite important to understand and be able to act with impunity upon/with, as the money control system which is hacked and in crisis and cracked and collapsing, and some would even say, already collapsed and just twitching in its death throes, and which is used to enslave the ignorant masses to the whims of the arrogant few, battles in vain to render flash cash a thing of the past and a cold war relic which will be able to purchase nothing of value in bulk, secretly.
    
    Good luck with that operation, but one has to admit, it does appear to be more of a crazy desperate notion rather than anything better and spectacularly good, and there are so many ways in which one can purchase whatever one needs for whatever someone else wants.
    
    Long live free enterprise on the open market place and in the virtual commercial space.
    
    0 1
    1. Thursday 28th March 2013 09:20 GMT Anonymous Coward
      
      Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments
      
      I hate to be the one to break it to you but I'm pretty sure most of us do what I do.
      
      That is instantly realise it's you posting and don't bother to read on. I say this because you clearly expend a lot of effort on your posts here. Sometimes it's amusing to attempt to decipher your "thoughts". Mainly it's not. Start a blog. Or request a soft tipped pen and paper next time they come in with your medication.
      
      1 0
      1. Thursday 28th March 2013 09:26 GMT Anonymous Coward
        
        Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments
        
        You... do know you're replying to a bot, right?
        
        0 0
      2. Thursday 28th March 2013 15:07 GMT amanfromMars 1
        
        Re: Responsible Cyber Defence Services in Live Operational Virtual Environments
        
        Very droll, DijitulSupport, but there is nothing new there to report and everything by Registered post is already logged and displayed wwworld-wide for peer review, which I suppose would be quite similar to it being blogged too.
        
        And many times, which can be most times, can a great deal more be clearly revealed and learned whenever something which one would have expected a response to, is not replied to, and in such cases is there the added bonus that one is not spending and/or wasting time in sharing the obvious with those who maybe more interested in one not racing on ahead without their being given instruction on what, because they know not what to do on their own to maintain their position and sustain the status quo.
        
        And if you really do do what you do, do you miss all the good bits that you need to understand and accept to be better equipped to deal with what the future has in store for humanity. And you will only have yourself to blame and beat up over it.
        
        0 1
Thursday 28th March 2013 09:45 GMT Anonymous Coward

He won't get a job there

When registering he agreed the the T&Cs, one of which sates that he'll tell no one about his communications with them. How do I know? Oh bugger, quick, tick the "Post anonymously" box...

0 0
Thursday 28th March 2013 10:03 GMT M7S

you're all missing the point about this "insecurity" - its a financial issue.

It saves on the cost of the writeable optical media with personal information on personnel that they'd otherwise have to leave on a train.

It just shows they're doing their bit for Britain in cutting back public expenditure.....

Actually on reflection I'm not sure about the icon.

0 0