UK parliamentary email compromised after 'sustained and determined cyber attack'

The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attack” over the weekend and says <90 email accounts have been compromised as a result. The event struck on Saturday and late that evening Parliament issued a “Statement regarding cyber incident” admitting that “We have …

  1. Duffaboy

    Passwords must be

    Strong and stable

    1. Dan 55 Silver badge

      Re: Passwords must be

      Wrong advice: Strong and changeable is better.

      Note: Not weak and changeable. That applies to the current government.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

With a bit of luck they will be changeable; the current one seems faulty.

      2. Tom Paine

        Re: Passwords must be

Actually, no longer. Next time an auditor or similar riffraff demands to know your password expiry rules, point them at this and watch their head explode.

        https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

        1. handleoclast

          Re: Passwords must be

          @Tom Paine

          Damn, I just posted that link, then read more comments and found you'd done the same.

          I'll leave mine up - it also has a little dig at the bureaucratic reorgs of CESG/NCSC/GCHQ which are little more than changing names of departments within a single organization for no good reason.

        2. Rustbucket

          Re: Passwords must be

          I believe the latest NIST suggestions on passwords also go against password expiry rules.

          http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

          Section 5.1

      3. handleoclast

        Re: Wrong advice

        Strong and changeable is better.

        Ummm, if you meant "frequently changeable" then no. Frequently changing your password was good advice back in the days when you worked with only one computer and it was used for classified work. These days, frequently changing your password is a bad idea.

        See this advice from CESG (which was part of GCHQ but which is now part of NCSC, which is part of GCHQ).

        1. Alan Brown Silver badge

          Re: Wrong advice

          "These days, frequently changing your password is a bad idea."

          But so is using the same password (or variants of) in any 2 locations, regardless of complexity.

    2. hplasm
      Coat

      Re: Passwords must be

      Strong and correct and battery and horsehouse...

    3. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Strong and stable

True, but there are ways in which you can counteract weak passwords including but not limited to running your own crackers to identify them. The problem is that Parliamentary email is probably a Microsoft setup which is a risk in itself (there is, for instance, a pretty massive and unfixed bug in Office 365/2016 with which you can convince Outlook to actually give you the password but Microsoft deems it a "feature").

      I reckon I could make that bullet proof in a month (well, quicker, but I like to test things before I migrate 9000 security sensitive users) - I already have quite a number of famous email domains that are under dictionary attacks and so far it appears that what we've cooked up works so well that even honeypot accounts with "test123" and "password" as password don't get hit (that's "not" as in "not at all").

Before anyone says "fail2ban", no - the clever ones have worked that one out. If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on. Hackers now typically use botnets so you have distributed IP addresses from where attempts come. Over sufficient different IP addresses you can do this slow enough for default fail2ban settings to time out and so prevent IP blocks (so, fail2ban users: extend your timeouts - at least double them). We also see this with website login attempts. Some are not *that* clever - we've seen one Chinese outfit who simply looped through their entire class C :).

      Reliance on strong passwords is a clear hint that this system has been developed by IT people for IT people, not end users. End users are not variables: they are a fixed, high level of risk. Changes to end users do not stick because they're humans, not machines - plan accordingly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

        how did that AC up there with the lecture get all those downvotes?

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          "how did that AC up there with the lecture get all those downvotes?"

          Criticized Microsoft. That's almost as bad as criticizing Israel or praising Trump or Putin.

          1. AndyS

            Re: Passwords must be

            "how did that AC up there with the lecture get all those downvotes?"

            Gave an ill-timed & boastful lecture, as AC, in response to a joke he apparently didn't get?

        2. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I suspect because people assume that it is impossible to harden email accounts to the point that the traditional dictionary attacks no longer work. Although I appreciate the cynicism (no, really, there's enough nonsense being sold so I don't mind the downvotes), it happens to be true - there are a LOT of things you can do to email to make it considerably safer without immediately encumbering yourself with certificate management and I have been using email in one form or another for some 30 years now.

          When I started our development there was no money whatsoever - like Russians forced to become intelligent in using lower spec computers due to US embargoes, we were forced into being smart with what we had because we didn't have the luxury to buy anything. That's when it all got interesting, and is also the reason why I remain AC.

          There will be more after the summer holidays, but let's just say that I have already seen some very basic things they have to change at whatever service that hosts parliament.uk.

        3. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I think it may be this line:

          the kind of people who get tasked with setting this up tend to be cheap contractors that are just called "consultants" so they can be billed at £1200/day

          Maybe Microsoft "consultants" don't like to be outed.

      2. Tabor

        Re: Passwords must be

        "I reckon I could make that bullet proof in a month".

        Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

          I post as AC because we're not ready yet. If we were a simple YAMT (Yet Another Me Too) in the security industry it would be easy to attract investment from Silicon Valley, but saturated markets are boring (I don't mind the money, of course, but I prefer sustained value over the mayfly nature of that market so we're not planning to play that game). I reckon we're a couple more months away from going live. We're already running a few services for friends which use what we developed and it is very entertaining to see dictionary attacks just bounce off test accounts which explicitly have "password" and "123456" set as password :)

      3. Flywheel

        Re: Passwords must be

        From what you say it might be easier and safer to change the users: hopefully we won't have to wait another 5 years though.

      4. Alan Brown Silver badge

        Re: Passwords must be

        "If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on."

        There are certain account names that the botnets always try. Once you spot the pattern you can insta-ban when they try it.

        1. This post has been deleted by its author

    4. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Passwords must be

      Strong and stable

      It wouldn't let me have that, I had to use "Strong&Stable1"

    5. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      I'd bet 90% have "Corbyn4PM" as their password and that includes some Tories. The rest probably "MayBot", "MayColdBitch", "AmberRudderless" or something that references "Cold" or "Bitch" in some combo or other. Any number they use will likely be the margin/number of votes they won by.

      My suggestions are not meant to imply anything, regards my own point of view.

    6. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      is "coalitionofchaos" a strong enough password?

      or should I go for "thedinosaursdontexist"?

      or "gaysarebadandsoisabortion"

    7. Jason Bloomberg Silver badge
      Coat

      Re: Passwords must be

      "Covfefe".

      1. Alister
        Joke

        Re: Passwords must be

        Covfefe

        To be fair, it's not a dictionary word...

        Yet!

    8. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      ...and no password is better than a bad password.

      Wait...

    9. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      "Strong and stable" implies two-factor authentication

      If they had that, they wouldn't have this issue...

    10. Alan Brown Silver badge

      Re: Passwords must be

      Servers should be running software which looks for crack attacks and locks out the attempting systems

      It's not as if fail2ban or denyhosts haven't existed for around 20 years and it's not as if they don't pay attention to imap/smtp failures as well as ssh.

      That an attack like this is actually "news" speaks more about the lack of competence of the people running the parliamentary email system than it does about the attacks - which have been a feature of the Net for more than 20 years. If I turn off denyhosts I get hundreds of breakin attempts per minute on SSH alone.

      And yes, botnets try to go slow and not trigger these watchers (extend the timeouts), but they always try the same account names and this can be used to insta-ban the IP. (Check your logs, you'll see the patterns. I have 244 usernames which will generate an instant ban.)

  2. Dan 55 Silver badge
    WTF?

    Just one password preventing the whole of the Internet getting in?

I was expecting that all devices which needed access to a Commons e-mail account would have a certificate installed or something. The right honourable gentlemen are hardly going to need an Internet cafe for access.

    1. Doctor_Wibble
      Boffin

      Re: Just one password preventing the whole of the Internet getting in?

On a system that they want to be available from anywhere, this is inevitable to an extent; making it VPN-only would at least help, but would still ultimately be the same problem, shifted a bit.

      MPs/milords/staff account names will surely be guessable, so 2000+ accounts, a list of several thousand passwords to try, and a botnet of however-many drones all trying the same thing, is definitely going to count as 'serious attack'. Do it in one big lump starting on a Friday afternoon and hope nobody notices what's actually happening before you've managed to get a few.

  3. tfewster
    Facepalm

Everything our elected MPs say and do is apparently so important and sensitive that they're exempted from the Snoopers' Charter etc. Yet their email doesn't require 2FA or lock them out after multiple failed logins? Oh, sorry, I forgot they were too important to be bothered with plebeian matters like that.

    I guess the ones who were still able to access emails had auto-forwarded them to hotmail

    1. Anonymous Coward
      Devil

      If you add all that 2FA or certificate stuff...

.... they will set up their own mail servers like Hillary Clinton did - or use Gmail - because all that "stuff" is too complex for the average MP/assistant/etc.

      1. Dr Dan Holdsworth
        FAIL

        Re: If you add all that 2FA or certificate stuff...

        Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

        2FA for email is similarly not rocket science, and it is also not beyond the bounds of possibility to produce small, laminated instruction cards (laminated to prevent the poor dears writing their password on the card) which detail how to log in using the 2FA dongle. Tricks like this work wonders when you have thick users, or so I am told.

        2FA plus Fail2Ban with suitably long time outs on the IP logger, together with intelligently-designed supplementary rule-sets such as a blanket ban on all Chinese, Russian and North Korean IP ranges and a strong and secure VPN for access from foreign climes which relies partly on ssh keys for authentication. Do that, and yes, any random script kiddie can have a pop at a dictionary attack, but no, said random script kiddie isn't going to actually get anywhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you add all that 2FA or certificate stuff...

          Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

With all due respect, 2FA isn't the answer here - at least not in its current implementation. Do you want all these tablets and smartphones to ask for a 2FA code every time they poll (which is generally 15 minutes or less)? 2FA is OK for an interactive login process like webmail, but sucks for automated retrieval.

          There are many ways to address this, but just blindly declaring 2FA as the solution is giving in to root cause seduction without having looked at the whole picture. I can tell you one thing: I am 98% certain I know EXACTLY why these people chose simple passwords, and that is a problem that can only be fixed in multiple stages. I think I may need to give them a call later.

    2. Nick Ryan Silver badge

Of course not. However, even without 2FA, all they'd need is a half-decent security approach; given the government's approach to anything recently, IT related or not, it's no wonder that the parliamentary IT system follows the same principle.

2FA is a good idea, let down by reality and usually compromised by the implementation and hamstringing convenience. Sending access codes to a device that the user is likely to have in hand doesn't really increase security much, likewise codes sent to other devices or accounts - the end result is often a system that's so inconvenient that users try to avoid using it. Poor mobile support for 2FA, e.g. so users can use modern technology and standard(ish) applications to access their email or documents, doesn't help either - seriously, a secure email application doesn't have to be an unusable PoS compared to the ones supplied for free by Apple, Google or Microsoft.

      Remote email clients can easily be protected with client certificates - this doesn't help much when losing the device, or access to the device, but it does help prevent non-authorised connections which is what this is all about.

      This is before smart stuff can be done on the server side, for example rate limiting incorrect logins - the technique has been around for years through simply steadily increasing the delay between allowed login attempts. This can be enhanced through reducing or bypassing the delay for expected originating IP addresses as this can reduce the DoS prospect.

      Nothing hard, and as another poster has noted - why do they not run dictionary attacks against their own accounts? It's a simple process and greatly reduces the use of poor passwords.

  4. Anonymous Coward
    Anonymous Coward

    If they got access I fully expect the Jimmy Savilles of the current political class to be named.

Paedos, rapists, murderers, the lot of them.

    1. Anonymous Coward
      Anonymous Coward

      I see I have some down votes, colour me surprised.

      Ted Heath

      Cyril Smith

      Lord Brittan

      To name but a few.

      I see some people must think that people in power will no longer abuse their positions.

      I'm glad you all live in your hairy fairy world of joy and happiness.

      1. Primus Secundus Tertius

        @ coloured surprised

        The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely.

When I was a small child I was very angry when some grown-ups ignored my views just because I was a child. But there are some people whose views should be ignored. In the history of these child abuse allegations, there have been too many cases where the uncorroborated evidence of one person has led to proceedings that have come unstuck.

        Yes, there have been cases, for example in Rotherham, where police have ignored justified allegations. But the eventual convictions came after testimony from several parties. And the guilty men were ordinary criminals, not politicians.

Where police have acted, or failed to act, wrongly they should be censured for lack of judgement, not failure to follow procedures.

        1. Anonymous Coward
          Anonymous Coward

          @Primus

          "The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely."

I'll agree with you on Heath but I will never agree on that paedo Brittan. He dodged the police for decades then claimed dementia while still claiming his Lords money.

          Also one has to question the funding of "PIE" in the 80's by the home office.

          https://en.wikipedia.org/wiki/Paedophile_Information_Exchange

          Still don't think there were more or are more?

          1. Anonymous Coward
            Anonymous Coward

I'll agree with you on Heath but I will never agree on that paedo Brittan. He dodged the police for decades then claimed dementia while still claiming his Lords money.

            I don't believe there's any credible public domain reason to conclude that Brittan was probably a paedophile. I suspect you're thinking of Greville Janner, Labour MP for Leicester West, where there were ample accusations from multiple sources across at least two decades, and the governments, Clown Prosecution Service and police deliberately looked the other way.

      2. Anonymous Coward
        Anonymous Coward

        "To name but a few."

        I presume you have submitted the evidence you obviously have to the police?

        1. Bernard M. Orwell

          "I presume you have submitted the evidence you obviously have to the police?"

          How about a tacit confession of collusion? Buckle up and watch this BBC clip. Once you've done so, understand that it was part of the body of evidence against parliamentarians that caused an inquest to be opened. An inquest that was deliberately derailed by T. May and co. She "lost" records more than once, had the chairperson removed at least twice and finally, quietly closed down the inquiry.

          yeah, pretty sure there was sufficient evidence for plod to proceed.

          https://www.youtube.com/watch?v=GwkOWPauu_A

          [Transcript for those who can't watch YouTube right now]

          A short extract from the Michael Cockerell documentary 'Westminster's Secret Service' broadcast by the BBC in 1995.

          Tim Fortescue was a Whip under Edward Heath between 1970 and 1973. In the documentary it was revealed that the Chief Whip kept a little black 'dirt book' which contained information about MPs, and this was used as a method of political control.

          "Anyone with any sense who was in trouble would come to the Whips and tell them the truth, and say now, "I'm in a jam, can you help?" It might be debt, it might be a scandal involving small boys, or any kind of scandal which a member seemed likely to be mixed up in, they'd come and ask if we could help. And if we could, we did. We would do everything we can because we would store up brownie points. That sounds a pretty nasty reason but one of the reasons is, if we can get a chap out of trouble, he'll do as we ask forever more."

      3. Anonymous Coward
        Anonymous Coward

        I see I have some down votes, colour me surprised.

        I'm not one of them, but I could theorise that that is because such people would not use their parliamentary email account for that. There's no accounting for stupidity, of course, but evil people tend to be good at hiding things so that they can continue doing evil things.

        Just a theory.

    2. Anonymous Coward
      Anonymous Coward

      > If they got access I fully expect the Jimmy Savilles of the current political class to be named.

      Perhaps, but not publicly. They'd just become targets for real blackmail "Do this or else this evidence gets out..."

      None of which is helpful to the general public.

    3. rh587

Paedos, rapists, murderers, the lot of them.

      By "the lot of them", I can only conclude that you are telling us the late Jo Cox was a paedo, rapist and/or murderer?

      Seems unlikely.

  5. Voland's right hand Silver badge

    If it did not have 2FA or certs it was asking to be hacked

    No 2FA? No certs? No failed login limits? In 2017?

    What f*** state sponsored bullshit are these cretins talking about? A kid can assemble the scripts to mount the attack on this on his desk. It is 20 years out of date in terms of security policy - this could be attacked by a scripting kiddies in 1997 same as it can be attacked by anyone today.

I thought the parliament bought into Office365. If that is still the case which cretin DISABLED the failed login limit which comes by default with the cloudy version of Exchange and Outlook? Can the idiot be named, shamed and publicly take responsibility?

    By the way - this is literally a reprint of what Graunidad and other news outlets have already posted. I would have expected el-reg at least to be able to update us on what are they using and which idiot did they outsource the maintenance to.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it did not have 2FA or certs it was asking to be hacked

      "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

      1. Voland's right hand Silver badge

        Re: If it did not have 2FA or certs it was asking to be hacked

        "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

        It sounds like "a day in the strife" for me - there is a constant trickle of brute force attempts in my logs. The current fashion is to try SMTP auth for that.

        1. AndrueC Silver badge
          WTF?

          Re: If it did not have 2FA or certs it was asking to be hacked

          there is a constant trickle of brute force attempts in my logs.

          Same here although I wonder at the intelligence of some of the script writers. A quick check shows attempts to log in to my server using the user names:

          xdfrieortu

          cbmoiwueu

          xbvwtywefo

          pjkiuyl

          qwkoud

          ..before my server put the source IP address on the naughty step.

          If they at least cycled through the character set it might make sense. But random sequences of characters? Is this some clever hacking trick I have missed?

          1. Doctor Syntax Silver badge

            Re: If it did not have 2FA or certs it was asking to be hacked

            "But random sequences of characters?"

That looks more like random keyboard mashing than anything computer generated. Look at the pairs of adjacent keys in there.

          2. Anonymous Coward
            Anonymous Coward

            Re: If it did not have 2FA or certs it was asking to be hacked

            Same here although I wonder at the intelligence of some of the script writers. A quick check shows attempts to log in to my server using the user names:

            xdfrieortu

            cbmoiwueu

            xbvwtywefo

            pjkiuyl

            qwkoud

            ..before my server put the source IP address on the naughty step.

            You may be looking at someone trying to see if you have ALREADY been hacked. The fun thing about hackers is that they also compete for resources, and that list may be a set of defaults set up by ANOTHER breach attempt that is maybe based on a zero day, or a reverse engineering of a recently revealed MS patch.

            You don't need many systems online to see that there's all sorts of filth roaming the Net trying to steal your facilities or breach them. This is why the guys from Parliamentary Digital Services will face a bit of a grilling - if you run a State service it stands to reason you're up against competing State actors. That demands effort, so I hope it's down to resource shortage rather than the sort of beginners' mistakes I've come across.

          3. Wensleydale Cheese

            Unrealistic user names

            "If they at least cycled through the character set it might make sense. But random sequences of characters? Is this some clever hacking trick I have missed?"

            The reason for an attack isn't always obvious.

            But now they know that your server will blacklist the source IP address. If your server did it itself, they now have an idea of how long it took your server to respond to that attack.

            Are you sure they haven't used that form of attack to divert your attention away from other attacks? Filling logs up with nonsense is one way of hiding a specific attack. Do you see failed logins for your accounts department in there, for example? Those could happen hours earlier or later of course, but if your attention has been diverted to the attack involving nonsense usernames, you might miss those events.

            1. Anonymous Coward
              Anonymous Coward

              Re: Unrealistic user names

              Filling logs up with nonsense is one way of hiding a specific attack.

              Yup - we had to apply filters to our logs to make sure we kept seeing the wood for the trees. There are some nasty sh*ts out there, and they really don't care about the damage they cause.

          4. Alan Brown Silver badge

            Re: If it did not have 2FA or certs it was asking to be hacked

            "Is this some clever hacking trick I have missed?"

            Yes, it's seeing what the answers are for accounts which are almost guaranteed not to exist - and the delay in getting such answers, compared to the one you get (and the delay getting it) from using a bad password on a known good account.

            This is why it's critically important to ensure the answers don't vary (unknown user vs bad password) and the delay in answering doesn't vary. Padding out the fail delay helps a lot.

            1. Wensleydale Cheese

              Login failure delays

              "This is why it's critically important to ensure the answers don't vary (unknown user vs bad password) and the delay in answering doesn't vary. Padding out the fail delay helps a lot."

              I saw an example of this several years ago.

              Invalid username / invalid password : a delay of several seconds

              valid username / invalid password: no delay

              It doesn't matter which way around those are, that difference in delay was telling an attacker when they had found a valid username.
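The two comments above (Alan Brown's on non-varying answers and delays, and the timing example that followed) describe the leak and the fix without code. Below is an added example, not code from any poster, showing a leaky login check beside a uniform one: the hardened version hashes against a dummy credential when the user is unknown, returns one generic message for both failure cases, and pads every answer to a fixed minimum response time. The user store, the member name and the passwords are constructed for the demo.

```python
"""Leaky versus uniform login checks (constructed example, not any poster's code).

The leaky check answers an unknown username at once with its own message;
the uniform check spends the same hashing work, returns the same message and
pads every answer to MIN_RESPONSE_SECONDS, so timing no longer tells an
attacker whether the username exists."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000     # moderate cost so the demo runs quickly
MIN_RESPONSE_SECONDS = 0.25     # floor on how long any check takes to answer


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest); the member name is made up
USERS = {"some.member": hash_password("correct horse battery staple")}

# Credential that belongs to nobody; used to spend the same work for unknown users
DUMMY_SALT, DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def login_leaky(username, password):
    """Leaky check: an unknown user returns immediately with a distinct message."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown user"
    salt, digest = record
    _, candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, digest):
        return True, "ok"
    return False, "bad password"


def login_uniform(username, password):
    """Hardened check: same message and same minimum delay whether the
    username is unknown or the password is wrong."""
    start = time.monotonic()
    record = USERS.get(username)
    salt, digest = record if record is not None else (DUMMY_SALT, DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)       # always do the hashing work
    match = hmac.compare_digest(candidate, digest)     # always do the comparison
    ok = record is not None and match
    # Pad every answer out to the same floor so the remaining variation is noise
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok, ("ok" if ok else "invalid username or password")


def timed(check, username, password):
    """Run a check and return (ok, message, elapsed_seconds)."""
    start = time.monotonic()
    ok, message = check(username, password)
    return ok, message, time.monotonic() - start


if __name__ == "__main__":
    for check in (login_leaky, login_uniform):
        for user in ("nobody.here", "some.member"):
            ok, msg, secs = timed(check, user, "wrong password")
            print(f"{check.__name__:14} {user:12} -> {msg!r} in {secs:.3f}s")
```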

    2. Anonymous Coward
      Anonymous Coward

      Re: If it did not have 2FA or certs it was asking to be hacked

      No 2FA?

Not on automated IMAP or Exchange logins (most of these people read email on devices, not on a website).

      No certs?

If they had fixed some pretty basic fundamentals, certs would have been overkill anyway. Also, the kind of people who get tasked with setting this up tend to be cheap contractors that are just called "consultants" so they can be billed at £1200/day, but they are (in my personal experience) just about hanging on. Don't expect sophistication beyond the HOWTOs they can look up online.

      No failed login limits? In 2017?

      Here you hit again a skills issue. The best people to set up network focused protection are people that really know about networks, but especially MS Exchange setups are usually done with people who know about applications, but little beyond the basics to get a network connection and a DNS lookup working. Heck, if you'd ask them about what strata time server they use for sync you'd get a blank look. They will thus work with default settings for timeout, and intelligent hackers adjust for that. We've spent some good time with test hosts and wireshark to see what would wander in, and I can tell you that the days of dumb script kiddies that were trivial to keep out are gone.

      1. Anonymous Coward
        Anonymous Coward

        "if you'd ask them about what strata time server they use for sync"

        Which shows you don't understand Windows domains.... Exchange needs a domain controller, and will sync its time with it, you won't sync it separately, because if the domain controller (which also works as the KDC) and the Exchange server time drifts apart too much you'll get problems.

        PS: you don't usually use IMAP with Exchange, unless your device can't use ActiveSync, and ActiveSync does support certificate-based authentication for increased security.

        1. Dan 55 Silver badge

          Re: "if you'd ask them about what strata time server they use for sync"

          So does IMAP.

        2. Anonymous Coward
          Anonymous Coward

          Re: "if you'd ask them about what strata time server they use for sync"

          PS: you don't usually use IMAP with Exchange, unless your device can't use ActiveSync, and ActiveSync does support certificate-based authentication for increased security.

          I used the time server as an example, btw, not as an Exchange feature you must know - if you source time, you must understand some of the basics to assess the risks associated with it, that's all.

          That aside, I see IMAP use generally as a hint that someone has been intelligent enough to stick to Open Standards. In my experience, a Microsoft setup will try to avoid any possible use of Open Standards to avoid the risk that someone would be able to demonstrate something else works better. So it's either IMAP or <anything Microsoft>. Ditto for carddav and caldav, but to be honest, Thunderbird requires plugins for both too (yes, even carddav).

    3. This post has been deleted by its author

    4. Dan 55 Silver badge

      Re: If it did not have 2FA or certs it was asking to be hacked

      I thought the parliament bought into Office365. If that is still the case which cretin DISABLED the failed login limit which comes by default with the cloudy version of Exchange and Outlook? Can the idiot be named, shamed and publicly take responsibility.

      He probably did it to preserve his sanity, with the likes of Rees-Mogg taking 20 tries to get the password right. If he were only allowed three tries he'd send Nanny around.

      1. Andy The Hat Silver badge

        Re: If it did not have 2FA or certs it was asking to be hacked

        "If he were only allowed three tries he'd send Nanny around."

        Nanny, Nanny? How did you know that was his password? And it's got a capital and everything to make it hard for Mater to guess ...

    5. jdoe.700101

      Re: If it did not have 2FA or certs it was asking to be hacked

      The problem with failed login limits, is that it makes for the perfect denial of service attack. Ideally you take out the access control admins first, and then everyone else.

      1. Anonymous Coward
        Anonymous Coward

        Re: If it did not have 2FA or certs it was asking to be hacked

        The problem with failed login limits, is that it makes for the perfect denial of service attack. Ideally you take out the access control admins first, and then everyone else.

        That's why you do not time out accounts per se, but account/IP pairs. If you get 3 failures for "some.member@parliament.uk" from IP 123.123.123.123, you block that IP for a bit as that also stops them from trying other accounts. That still leaves it accessible from other IP addresses.

        As I said earlier, hackers now try to avoid that by using botnet proxies so they can try multiple times, and by the time they've used all the bots, the first one in the queue has already had its ban timed out and can try again. The simplest way to counter that is to step away from default timeouts and make them a bit sharper, like 2 failed attempts before blocking, and 2 hour timeout per block.

        The issue with defence mechanisms is that they must be maintained and tuned - there's no such thing as a static threat.
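The account/IP-pair lockout described in the comment above, as an added example that is not part of the original thread or any product mentioned in it. It assumes an in-memory store, the thresholds the comment suggests (2 failures, then a 2-hour block of the source IP) and constructed addresses; the scenario walks through the denial-of-service concern raised earlier in the thread and the botnet-rotation gap the comment warns about.

```python
import time
from collections import defaultdict

# Thresholds as suggested in the comment above (tighter than typical defaults).
FAILS_BEFORE_BLOCK = 2
BLOCK_SECONDS = 2 * 60 * 60


class PairThrottle:
    """Count failures per (account, source IP) pair, then block the IP.

    The account itself is never locked, so a guesser on one IP cannot deny
    service to the real user coming from another address.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # (account, ip) -> failure timestamps
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:          # block has timed out, clear it
            del self.blocked_until[ip]
            return False
        return True

    def attempt(self, account, ip, password_ok):
        """Return 'blocked', 'allow' or 'deny' for one login attempt."""
        if self.is_blocked(ip):
            return "blocked"                # do not even check the password
        key = (account, ip)
        if password_ok:
            self.failures.pop(key, None)
            return "allow"
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < BLOCK_SECONDS]
        recent.append(now)
        if len(recent) >= FAILS_BEFORE_BLOCK:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.failures.pop(key, None)
        else:
            self.failures[key] = recent
        return "deny"


class FakeClock:
    """Controllable clock so the scenario below runs instantly and offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    """Walk through the situation the comment describes; returns the decisions."""
    clock = FakeClock()
    throttle = PairThrottle(clock)
    attacker, member = "203.0.113.7", "198.51.100.5"   # constructed addresses
    out = []
    out.append(throttle.attempt("some.member@parliament.uk", attacker, False))  # deny
    clock.advance(5)
    out.append(throttle.attempt("some.member@parliament.uk", attacker, False))  # deny, IP now blocked
    clock.advance(5)
    # Same IP tries a different account: blocked without a password check.
    out.append(throttle.attempt("other.member@parliament.uk", attacker, False))
    # The real user, from another address, is unaffected (no DoS of the account).
    out.append(throttle.attempt("some.member@parliament.uk", member, True))
    # Once the 2-hour block lapses the same IP gets a fresh budget: this is the
    # gap a rotating botnet exploits, so the block must outlast the rotation.
    clock.advance(BLOCK_SECONDS + 1)
    out.append(throttle.attempt("some.member@parliament.uk", attacker, False))
    return out
```

The decisions come back as deny, deny, blocked, allow, deny: the blocked IP is refused for every account, the legitimate user from elsewhere still gets in, and the final deny shows that a long enough block, not just a low threshold, is what makes IP rotation expensive.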

        1. My Alter Ego

          Re: If it did not have 2FA or certs it was asking to be hacked

          I appreciate that we're a small business, but I run a ban policy of 1day when 3 fails are caught over 1hr. For MPs and their "acolytes" you'd likely hit false positives, but I'd expect* parliament to err on the side of security, not ease of access.

          For me, it's a case of making sure our IP reputation doesn't tank if somebody brute forces a user's password. Our mailboxes are mostly un-confidential data, amazon orders and bigoted jokes**.

          * That is, if I weren't so bloody cynical.

          ** I truly wish I were joking about that - <sigh>

        2. Alan Brown Silver badge

          Re: If it did not have 2FA or certs it was asking to be hacked

          "The simplest way to counter that is to step away from default timeouts and make them a bit sharper, like 2 failed attempts before blocking, and 2 hour timeout per block."

          And permbans after a couple of set of failures.

          And using the distributed fail2ban/denyhosts IP lists

          And using the DNSBLs of open proxies.

          1. Anonymous Coward
            Anonymous Coward

            Re: If it did not have 2FA or certs it was asking to be hacked

            And using the DNSBLs of open proxies.

            To be frank, running an email service without is plain irresponsible IMHO, and Spamhaus does quite a good job (still, which is quite impressive). Also ensuring your SPF records are set is a good way to make things safer, but I am getting less and less convinced about DKIM. Every email I get from a Microsoft managed email account is 50k bigger because all the DKIM trash in the header. It appears Microsoft has transferred its multiple decades waste of IT resources to its services.

            I also saw that Maxmind was selling a database with anonymisers but when I asked them for a price they got all cagey and wanted to know why I wanted it, so I dropped the conversation.

      2. Anonymous Coward
        Anonymous Coward

        "is that it makes for the perfect denial of service attack"

        Not if it also logs the IP the attacks come from - even my hmailserver does that when it blocks too many logon attempts. And hope you have still ways to access the server from a VPN and internal IPs that can't be easily DoSsed...

  6. Harry the Bastard

    that'll be mps' passwords such as...

    lovelyexpenses

    paidjollys

    yesmrmurdoch

    yesmrdacre

    lookafterno1

    moredirectorships

    dodgetax

    gongsforus

    etc.

    1. Fred Flintstone Gold badge

      Re: that'll be mps' passwords such as...

      You forgot "duckhouse"

      :)

      1. Korev Silver badge
        Coat

        Re: that'll be mps' passwords such as...

        And remoat access

  7. KOST

    I bet Boris's password is fine. I doubt the attackers use 16th century dictionaries as the source for their attacks. And if it's not an archaic word, then he's probably still fine. No-one knows how to literally spell a brainfart.

  8. Adam 52 Silver badge

    "says <90 email accounts"

    This was pretty much copied verbatim from the BBC report (or the BBC copied it from here), and it was stupid there too.

    The statement said fewer than 1% of 9000. That's obviously a rough guess, converting it to 90 users just implies precision that wasn't there. They'd likely have described anything from 10 to 90 as fewer than 1%.

  9. 0laf

    2FA

    I think others have hit the nail on the head with our parliamentarians being too important to be bothered with trivialities such as 2FA.

    They'll be no different to any other senior manager (or teacher or doctor) with a chip on their shoulder. It isn't the first time they've had security policy bent to suit their opinion or desire (demanded iPads and iPhones years ago before they were close to being suitable).

    I hope that whoever allowed them to carry on with shite passwords and no 2FA has kept the email chain where they strongly recommended against any downgrade of security. If not I doubt the door will hit your arse on the way out.

    1. Alister

      Re: 2FA

      I think others have hit the nail on the head with our parliamentarians being too important to be bothered with trivialities such as 2FA.

      Well, I don't. If you use an email client, the last thing you want is a text, phone call or other 2FA process every time the client connects to the server.

      As far as I know this is not an attack on a web based mail account we are talking about, it is repeated authentication attempts against a server using SMTP, IMAP or other mail protocol. It would be most unusual to have 2FA on that sort of connection.

    2. DebitShield

      Re: 2FA

      You're being very generous saying that they are "too important" to be bothered with 2FA - I would have guessed at "too incompetent".

  10. WibbleMe

    Well if they do find something it will just be Bull S....

  11. WibbleMe

    Who would have thought that the password for an email password box where it says "INSERT password" would have been "pigshead"

  12. Anonymous Coward
    Anonymous Coward

    For security changes politicians should be issued a cardboard box with a screen drawn on them

    1. Anonymous Coward
      Anonymous Coward

      I think they've been upgraded to an etch-a-sketch. Maybe that's why it all went sideways..

  13. Alan J. Wylie

    Is it related to last week's news that Russian hackers are trading MP's credentials?

    Russian hackers trading stolen email addresses and passwords of 1,000 British MPs and top officials online

  14. Doctor Syntax Silver badge

    OK, it's fun to make fun of MPs. But we should be able to do better than that. We should be turning this into a teaching opportunity.

    For instance Liam Fox, who is a minister, is reported by the Beeb as saying "And it's a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber-security." El Reg should ask him - or reach out to him if they really must - what part he sees end-to-end encryption playing in this. Because I doubt more than the minutest handful of them realise the role that has to play in securing everyday services that we all use.

    1. Anonymous Coward
      Anonymous Coward

      We should be turning this into a teaching opportunity.

      How? They're all a collection of pompous, self-obsessed, talent free clowns, with no relevant education or experience in any area of science, technology and most areas of important business. They are beyond teaching the error of their ways.

      1. chelonautical

        > How? They're all a collection of pompous, self-obsessed, talent

        > free clowns, with no relevant education or experience

        One of the core problems with politics is that democracy and psychology can combine to produce problematic outcomes.

        Most people vote for politicians who appear the most confident and certain in their beliefs. In an increasingly complex world, confidence and certainty are reassuring characteristics in leaders. Therefore we end up with politicians who are above all else confident, regardless of their actual ability or knowledge. Most voters probably don't mean to choose a brash ignoramus to represent them (and not every MP is one) it's just frequently a side-effect of how the system works.

        But the Dunning-Kruger effect means that many of our leaders are over-confident in their own abilities and understanding. If they aren't aware of a particular threat or problem then they don't see any point in doing anything about it and it wouldn't occur to them to ask anyone else because they are already convinced that they know everything (e.g. see Gove's remarks about experts). In the abstract they know that national security is very important, but most of them don't know how that translates into technical and administrative controls.

        There are a few good smart people who manage to get into politics, people who listen to others and seek expert input before forming opinions and policies. They just happen to be the minority exception to the general rule.

        For these reasons it's unlikely that lessons will be learned by everyone who needs to learn them. However, that doesn't mean we shouldn't try to educate our politicians to do better. Also we need skilled experts to design and implement better systems, in order to be less reliant on the knowledge and whims of the individuals concerned. I'm going to hope for the best, while still dreading the worst (as per usual really).

      2. Doctor Syntax Silver badge

        "How? They're all a collection of pompous, self-obsessed, talent free clowns,"

        Generalise much? I agree the Lords are somewhat better, as some of them are appointed specifically for expertise elsewhere.

        But even accepting your description at face value they're currently a collection of pompous, self-obsessed, talent free clowns who have just had a nasty shock about their online security and are, therefore, likely to be receptive to being told about such things right now.

        BTW, why not improve the quality of Parliament by standing yourself? Or would being dismissed out of hand as a pompous, self-obsessed and talent free clown put you off?

        1. Bernard M. Orwell

          "would being dismissed out of hand as a pompous, self-obsessed and talent free clown put you off?"

          Didn't stop May, Trump, Hunt, Farage, BoJo.... etc. etc.

    2. gnasher729 Silver badge

      The problems that not only the politicians have: It would be really good if honest citizens had a way to use the internet with perfect encryption so nobody can hack them. And it would be really good if the police could read everything that terrorists are doing on the internet. AND YOU CAN'T HAVE BOTH.

  15. Anonymous Coward
    Anonymous Coward

    By definition

    This will hit the more "important" people because:

    1. If you are intelligent enough to use a decent password you are not much use as an MP (scruples etc.)

    2. once you get to a certain level of control nobody tells you about efing horses, batteries or any of that other green shit.

  16. Tom Paine
    FAIL

    Doesn't add up

    1. Surely not even UK Parliament have remote access or webmail that doesn't lock out after ten failed logins. Brute force is useless except as a simple-minded DoS of the helldesk as everyone tries to get their accounts unlocked.

    2. Wot no 2fa?!?>? in 2017? For PARLIAMENT???

    ...no, seriously?!???

    3. If the "brute force" was guessing from a shortlist of ten passwords per user leaked from the various big credential dumps over the last few years, that implies 90 users have reused ancient, known compromised, passwords. Colour me unsurprised, I suppose, but if so they really deserve an arse-kicking

    4. Unclear whether this was /remote access/, as they've said (ie a VPN endpoint) or some sort of webmail, OWA presumably. Blame sloppy use of technical terms by journalists and press officers.

    If it's a VPN, presumably successful attack gave access to more than just mail. If just webmail, why'd they call it "remote access"?

    5. Ohhhh, those Russians.

    1. FlamingDeath Silver badge

      Re: Doesn't add up

      5. Ohhhh, those Russians.

      It's definitely those Russians, all of the MSM news outlets are saying it.

      They cant all be lying right? I mean that would imply a conspiracy.

      Of course I jest with you, conspiracies are as common as collaborations, which is just another word describing the same thing. Due to the disingenuous nature of money, people collaborate / conspire in all kinds of nasty things.

      If I could hit the nail on the head with a single word describing the whole setup, it would be sycophancy

      That is what drives a lot of this shit, plain old sycophancy

  17. FlamingDeath Silver badge

    Machiavellianism

    Many of you may have noticed that there is a persistent theme / narrative being pushed out into the public consciousness by the MSM, and it usually involves some appointed bogeyman to point a finger at.

    All the world's a stage

    Be the change you want to see in the world, or to put it in a slightly more insinuating way; Create problem, offer solution, profit.

    I am willing to bet that the "brute force" attempts being described here are just attempts at using passwords gleaned from a hacked 3rd party web service database dump, to which there are many. Ashley Madison for example.

    Brute force attacks have been around for a long time, mitigations include IP blocking, account lockout for a set period, and the best one of all 2FA, or even 3FA (something you know, something you have, something you are). One would assume they automatically block known TOR exit nodes. So really, what the actual fuck is this non-story about?

    It's about forcing a policy desire onto the public through Machiavellian methods, that's what this is about

    1. CustardGannet
      Joke

      Re: Machiavellianism

      You can't seriously believe that *any* of the Honourable Members were users of the Ashley Madison website ?

      Joke icon, for obvious reasons.

    2. Anonymous Coward
      Anonymous Coward

      Re: Machiavellianism

      I'm sorry, but I have to downvote you for a Trumpism. Trump uses MSM because his hands are too small to type long words, but also because it's a generic term whose definition is so unspecific that he can smear a whole industry with it. I think we ought to refrain from copying either the word use or the approach.

  18. Anonymous Coward
    Anonymous Coward

    Office 365

    Didn't they outsource to Office 365?

    https://www.theregister.co.uk/2014/07/11/ministers_this_office_365_migration_is_proving_extremely_difficult/

  19. adam payne

    "sustained and determined cyber attack"

    Is that the same sustained and determined cyber attack which actually turned out to be people opening things they really shouldn't have?

    One password and you're in? seriously?

  20. Anonymous Coward
    Trollface

    Hacked password list

    Expenses123

    Maybot

    Mayhem

  21. handleoclast

    Why all the speculation?

    Why all the speculation about what MTA is running?

    A simple MX lookup shows messagelabs provides the service.

    1. Tom Wood

      Re: Why all the speculation?

      So? Messagelabs provide the first MTA, I expect mail passes through a bunch of other servers before it reaches the users.

    2. Alan Brown Silver badge

      Re: Why all the speculation?

      "A simple MX lookup shows messagelabs provides the service."

      No, it doesn't. Messagelabs are simply a bastion service

      Messagelabs' business operation is to MX and filter. Once they've finished processing the mail it gets sent to the _real_ servers (which should be protected against direct connections from hosts other than the MX, but frequently aren't)

      1. Anonymous Coward
        Anonymous Coward

        Re: Why all the speculation?

        Messagelabs' business operation is to MX and filter.

        Worth noting that that also puts them in world's best position to copy incoming and outgoing emails for any third party - and they're American..

    3. Anonymous Coward
      Anonymous Coward

      Re: Why all the speculation?

      A simple MX lookup shows messagelabs provides the service.

      MessageLabs provides the filtering service, but I am not going to try and figure out who and what runs the actual MTA via a telnet HELO to port 25 at a time when every sniffer in the country is trying to pick up non-standard connection attempts :).

  22. Anonymous Coward
    Anonymous Coward

    Email != Webmail

    Is everybody posting on here less than 20 years old?

    There seems to be an unwarranted assumption that "Email" means a web login.

    All this talk about "should have had 2FA" is bollocks, it simply isn't practical to apply 2FA to a mail client like Thunderbird or Outlook, or a smartphone's Mail client App.

    Whether they use POP3, IMAP, MAPI or EAS, the client will be logging in to the server every few minutes. Imagine having to answer 2FA prompts all the time?

    What happened here was repeated authorisation attempts to an email server within the Parliamentary network, from a widely spanning bot-net with thousands of IPs.

    2FA, Fail2Ban or limited login attempts and all the other puerile suggestions are not going to stop that from happening.

    1. Tom Wood

      Re: Email != Webmail

      Why are limited login attempts not going to stop that happening?

      Every time I change my work network password, I have to first stop my phone and email client auto-syncing with the server, otherwise I get locked out of my email for too many bad password attempts.

      And if logins are automated, all the more reason for using long and complex passwords.

      1. Anonymous Coward
        Anonymous Coward

        Re: Email != Webmail

        There is 2FA per device and/or software.

        From a new device or location -

        To log in from this account you will need to type the code on your registered mobile.

        Not saying it needs to be done every few minutes but I assume they are not trying to log in from his existing devices or is that puerile too?

      2. Anonymous Coward
        Anonymous Coward

        Re: Email != Webmail

        Why are limited login attempts not going to stop that happening?

        Because the algorithms which are used to limit logins usually take into account the IP from which the attempt is made. If you have a large number of IPs, (such as using a bot-net) then login limitations based on IP will not work.

        1. Tom Wood

          Re: Email != Webmail

          Because the algorithms which are used to limit logins usually take into account the IP from which the attempt is made

          Well don't use those algorithms then.

          (I know, you could lock a legitimate user out of their account in that case, but maybe you could design some way to mitigate the impact of that, e.g. require a user to log in from a separate web system using decent 2FA or whatever to unlock their account in that case).
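Detection logic for the case argued over in the replies above, where every bot in a large pool stays under an IP-keyed lockout threshold while collectively hammering one account. This is an added example, not code from the original thread or from any mail product it mentions. The log format, the window, the thresholds and the sample lines are all constructed for the example; the point is that the signal is the number of distinct failing sources per account, which an IP-keyed throttle never sees, so the response has to be account-level (step-up or out-of-band unlock, as Tom Wood suggests) rather than another IP block.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
# <ISO timestamp> auth <fail|ok> user=<account> ip=<source ip>
LINE = re.compile(r"^(\S+) auth (fail|ok) user=(\S+) ip=(\S+)$")

WINDOW = timedelta(minutes=10)   # sliding window examined per account
DISTINCT_IP_THRESHOLD = 5        # this many distinct failing sources => distributed
PER_IP_LOCKOUT = 3               # what an IP-keyed throttle would need to see

# Constructed sample: six bots, one guess each, against one account, plus a
# legitimate user who mistypes once from their own address and then gets in.
SAMPLE_LOG = """\
2017-06-24T02:00:10 auth fail user=some.member ip=203.0.113.10
2017-06-24T02:00:41 auth fail user=some.member ip=198.51.100.23
2017-06-24T02:01:05 auth fail user=another.member ip=192.0.2.77
2017-06-24T02:01:12 auth fail user=some.member ip=203.0.113.55
2017-06-24T02:01:30 auth ok user=another.member ip=192.0.2.77
2017-06-24T02:02:48 auth fail user=some.member ip=198.51.100.9
2017-06-24T02:03:03 auth fail user=some.member ip=203.0.113.201
2017-06-24T02:04:19 auth fail user=some.member ip=192.0.2.250
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, account, ip) for every line in the format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip


def find_distributed_attacks(lines, window=WINDOW, threshold=DISTINCT_IP_THRESHOLD):
    """Return {account: {"distinct_ips": n, "max_per_ip": m}} for each account
    whose failures inside one window came from at least `threshold` distinct IPs.

    max_per_ip is the busiest single source in that window; when it sits below
    an IP-keyed lockout limit, that throttle would never have fired.
    """
    fails = defaultdict(list)                     # account -> [(ts, ip)]
    for ts, result, user, ip in sorted(parse(lines)):
        if result == "fail":
            fails[user].append((ts, ip))

    flagged = {}
    for user, events in fails.items():
        best = None
        for start_ts, _ in events:                # slide the window over each failure
            in_window = [ip for ts, ip in events if start_ts <= ts < start_ts + window]
            per_ip = Counter(in_window)
            if len(per_ip) >= threshold and (best is None or len(per_ip) > best["distinct_ips"]):
                best = {"distinct_ips": len(per_ip), "max_per_ip": max(per_ip.values())}
        if best:
            flagged[user] = best
    return flagged


def ip_throttle_would_fire(lines, per_ip_limit=PER_IP_LOCKOUT):
    """True only if some single IP failed at least per_ip_limit times overall,
    i.e. the condition an IP-keyed lockout needs before it blocks anything."""
    per_ip = Counter(ip for _, result, _, ip in parse(lines) if result == "fail")
    return bool(per_ip) and max(per_ip.values()) >= per_ip_limit
```

On the sample lines `find_distributed_attacks` flags `some.member` with six distinct sources and at most one failure per source, while `ip_throttle_would_fire` is false: the per-IP defence sees nothing to act on. Feeding the flagged accounts into a step-up requirement (new device or location must present a second factor, or the account is frozen until the owner unlocks it out of band) is the account-level response the thread is circling around.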

  23. Spearchucker Jones

    <rant>

    From the statement: "...is putting plans in place to resume its wider IT service."

    Who other than government even speaks like that?!? Writing "...is planning to..." would be more readable. But that would also sound stupid, which in turn shows that the entire line isn't needed. Because of course they're planning to resume service. Why the *$%^@ wouldn't they?

    </rant>

    1. Richard Parkin

      GCHQ NO BETTER

      On the linked Cyber Security page it reads "and advise on the necessary mitigating actions.”. It should read "tell them to use better passwords".

  24. Anonymous Coward
    Anonymous Coward

    Just think...

    ...some of the people who will have weak passwords will previously have blindly voted for ID cards, RIPA, DRIPA and are gagging for backdoors into encryption.

  25. Stevie

    Bah!

    'sustained and determined cyber attack'

    So, three log in attempts then?

  26. Anonymous Coward
    Anonymous Coward

    Is MI5 fingering Matuska? Or is it as fingerless as our Supo?

  27. Anonymous Coward
    Anonymous Coward

    Fix that before...

    ... you try to read your citizens email -ILLEGALLY.
