back to article UK parliamentary email compromised after 'sustained and determined cyber attack'

The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attack” over the weekend and says <90 email accounts have been compromised as a result. The event struck on Saturday and late that evening Parliament issued a ”Statement regarding cyber incident” admitting that “We have …

  1. Duffaboy

    Passwords must be

    Strong and stable

    1. Dan 55 Silver badge

      Re: Passwords must be

      Wrong advice: Strong and changeable is better.

      Note: Not weak and changeable. That applies to the current government.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

        With a bit of luck they will be changeable, the current one seems faulty.

      2. Tom Paine

        Re: Passwords must be

        Actually, no longer. Next time an auditor or similar riffraff demand to know your password expity rules, point them at this and watch their head explode.

        https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

        1. handleoclast

          Re: Passwords must be

          @Tom Paine

          Damn, I just posted that link, then read more comments and found you'd done the same.

          I'll leave mine up - it also has a little dig at the bureaucratic reorgs of CESG/NCSC/GCHQ which are little more than changing names of departments within a single organization for no good reason.

        2. Rustbucket

          Re: Passwords must be

          I believe the latest NIST suggestions on passwords also go against password expiry rules.

          http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

          Section 5.1

      3. handleoclast

        Re: Wrong advice

        Strong and changeable is better.

        Ummm, if you meant "frequently changeable" then no. Frequently changing your password was good advice back in the days when you worked with only one computer and it was used for classified work. These days, frequently changing your password is a bad idea.

        See this advice from CESG (which was part of GCHQ but which is now part of NCSC, which is part of GCHQ).

        1. Alan Brown Silver badge

          Re: Wrong advice

          "These days, frequently changing your password is a bad idea."

          But so is using the same password (or variants of) in any 2 locations, regardless of complexity.

    2. hplasm
      Coat

      Re: Passwords must be

      Strong and correct and battery and horsehouse...

    3. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Strong and stable

      True, but there are ways in which you can counteract weak passwords including but not limited to running your own crackers to identify them. The problem is that Parliamentary email is probably a Microsoft setup which is a risk in itself (there is, for instance, a pretty massive and unfixed bug in Office 365/2016 which which you can convince Outlook to actually give you the password but Microsoft deems it a "feature").

      I reckon I could make that bullet proof in a month (well, quicker, but I like to test things before I migrate 9000 security sensitive users) - I already have quite a number of famous email domains that are under dictionary attacks and so far it appears that what we've cooked up works so well that even honeypot accounts with "test123" and "password" as password don't get hit (that's "not" as in "not at all").

      Before anyone says "fail2ban", no - the clever ones have worked that one out. If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on. Hackers now typically use botnets so you have distributed IP addresses from where attempts come. Over sufficient different IP addresses you can do this slow enough for default fail2ban settings to time out and so prevent IP blocks (so, fail2ban users: extend your timeouts - at least double them). We also see this with website login attempts. Some are not *that* clever - we've seen one Chinese outfit who simply looped thought their entire class C :).

      Reliance on strong passwords is a clear hint that this system has been developed by IT people for IT people, not end users. End users are not variables: they are a fixed, high level of risk. Changes to end users do not stick because they're humans, not machines - plan accordingly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords must be

        how did that AC up there with the lecture get all those downvotes?

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          "how did that AC up there with the lecture get all those downvotes?"

          Criticized Microsoft. That's almost as bad as criticizing Israel or praising Trump or Putin.

          1. AndyS

            Re: Passwords must be

            "how did that AC up there with the lecture get all those downvotes?"

            Gave an ill-timed & boastful lecture, as AC, in response to a joke he apparently didn't get?

        2. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I suspect because people assume that it is impossible to harden email accounts to the point that the traditional dictionary attacks no longer work. Although I appreciate the cynicism (no, really, there's enough nonsense being sold so I don't mind the downvotes), it happens to be true - there are a LOT of things you can do to email to make it considerably safer without immediately encumbering yourself with certificate management and I have been using email in one form or another for some 30 years now.

          When I started our development there was no money whatsoever - like Russians forced to become intelligent in using lower spec computers due to US embargoes, we were forced into being smart with what we had because we didn't have the luxury to buy anything. That's when it all got interesting, and is also the reason why I remain AC.

          There will be more after the summer holidays, but let's just say that I have already seen some very basic things they have to change at whatever service that hosts parliament.uk.

        3. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          how did that AC up there with the lecture get all those downvotes?

          I think it may be this line:

          the kind of people who get tasked with setting this up tend to be cheap contractors that are just called "consultants" so they can be billed at £1200/day

          Maybe Microsoft "consultants" don't like to be outed.

      2. Tabor

        Re: Passwords must be

        "I reckon I could make that bullet proof in a month".

        Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

        1. Anonymous Coward
          Anonymous Coward

          Re: Passwords must be

          Then why post as AC ? Those claims could make you a nice income, if you can live up to them... Unfortunately, even in small(ish) businesses, it takes many moons to even convince them that 2FA is a Good Thing. And even then, it will break "legacy" things.

          I post as AC because we're not ready yet. If we were a simple YAMT (Yet Another Me Too) in the security industry it would be easy to attract investment from Silicon Valley, but saturated markets are boring (I don't mind the money, of course, but I prefer sustained value over the mayfly nature of that market so we're not planning to play that game). I reckon we're a couple more months away from going live. We're already running a few services for friends which use what we developed and it is very entertaining to see dictionary attacks just bounce off test accounts which explicitly have "password" and "123456" set as password :)

      3. Flywheel

        Re: Passwords must be

        From what you say it might be easier and safer to change the users: hopefully we won't have to wait another 5 years though.

      4. Alan Brown Silver badge

        Re: Passwords must be

        "If you monitor login attempts for accounts it now takes a bit of post-event correlation before you can see what is going on."

        There are certain account names that the botnets always try. Once you spot the pattern you can insta-ban when they try it.

        1. This post has been deleted by its author

    4. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      Passwords must be

      Strong and stable

      It wouldn't let me have that, I had to use "Strong&Stable1"

    5. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      I'd bet 90% have "Corbyn4PM" as their password and that includes some Tories. The rest probably "MayBot", "MayColdBitch", "AmberRudderless" or something that references "Cold" or "Bitch" in some combo or other. Any number they use will likely be the margin/number of votes they won by.

      My suggestions are not meant to imply anything, regards my own point of view.

    6. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      is "coalitionofchaos" a strong enough password?

      or should I go for "thedinosaursdontexist"?

      or "gaysarebadandsoisabortion"

    7. Jason Bloomberg Silver badge
      Coat

      Re: Passwords must be

      "Covfefe".

      1. Alister
        Joke

        Re: Passwords must be

        Covfefe

        To be fair, it's not a dictionary word...

        Yet!

    8. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      ...and no password is better than a bad password.

      Wait...

    9. Anonymous Coward
      Anonymous Coward

      Re: Passwords must be

      "Strong and stable" implies two-factor authentication

      If they had that, they wouldn't have this issue...

    10. Alan Brown Silver badge

      Re: Passwords must be

      Servers should be running software which looks for crack attacks and locks out the attempting systems

      It's not as if fail2ban or denyhosts haven't existed for around 20 years and it's not as if they don't pay attention to imap/smtp failures as well as ssh.

      That an attack like this is actually "news" speaks more about the lack of competence of the people running the parliamentary email system than it does about the attacks - which have been a feature of the Net for more than 20 years. If I turn off denyhosts I get hundreds of breakin attempts per minute on SSH alone.

      And yes, botnets try to go slow and not trigger these watchers (extend the timeouts), but they always try the same account names and this can be used to insta-ban the IP. (Check your logs, you'll see the patterns. I have 244 usernames which will generate an instant ban.)

  2. Dan 55 Silver badge
    WTF?

    Just one password preventing the whole of the Internet getting in?

    I was expecting that all devices which needed access to a Commons e-mail account to have a certificate installed or something. The right honerable gentlemen are hardly going to need an Internet cafe for access.

    1. Doctor_Wibble
      Boffin

      Re: Just one password preventing the whole of the Internet getting in?

      On a system that they want to be available from anywhere, this is inevitable to an extent, making it only via VPN would at least help but still ultimately be the same problem but shifted a bit.

      MPs/milords/staff account names will surely be guessable, so 2000+ accounts, a list of several thousand passwords to try, and a botnet of however-many drones all trying the same thing, is definitely going to count as 'serious attack'. Do it in one big lump starting on a Friday afternoon and hope nobody notices what's actually happening before you've managed to get a few.

  3. tfewster
    Facepalm

    Everything our elected MPs say and do is apparently so important and sensitive that they're exempted from the Snoopers charter etc. Yet their email doesn't require 2FA or lock them out after multiple failed logins? Oh, sorry, I forgot they were too important to be bothered with plebian matters like that.

    I guess the ones who were still able to access emails had auto-forwarded them to hotmail

    1. Anonymous Coward
      Devil

      If you add all that 2FA or certificate stuff...

      .... they will set up their own mail servers like Hillary Clinton did - or use Gmail - because all that "stuff" is to complex for the average MP/assistant/etc.

      1. Dr Dan Holdsworth
        FAIL

        Re: If you add all that 2FA or certificate stuff...

        Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

        2FA for email is similarly not rocket science, and it is also not beyond the bounds of possibility to produce small, laminated instruction cards (laminated to prevent the poor dears writing their password on the card) which detail how to log in using the 2FA dongle. Tricks like this work wonders when you have thick users, or so I am told.

        2FA plus Fail2Ban with suitably long time outs on the IP logger, together with intelligently-designed supplementary rule-sets such as a blanket ban on all Chinese, Russian and North Korean IP ranges and a strong and secure VPN for access from foreign climes which relies partly on ssh keys for authentication. Do that, and yes, any random script kiddie can have a pop at a dictionary attack, but no, said random script kiddie isn't going to actually get anywhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you add all that 2FA or certificate stuff...

          Done properly 2FA isn't difficult either for sysadmins or for users. Banks have successfully managed to get their customers to remember strong passwords and use 2FA dongles, and have managed it without much in the way of screams of agony from mentally-challenged lusers.

          With all due respect, 2FA isn't the answer here - at least not in its current implementation. Do you want all these tablets and smartphones ask for a 2FA code every time they poll (which is generally 15 minutes or less)? 2FA is OK for an interactive login process like webmail, but sucks for automated retrieval.

          There are many ways to address this, but just blindly declaring 2FA as the solution is giving in to root cause seduction without having looked at the whole picture. I can tell you one thing: I am 98% certain I know EXACTLY why these people chose simple passwords, and that is a problem that can only be fixed in multiple stages. I think I may need to give them a call later.

    2. Nick Ryan

      Of course not. However even without 2FA, all they'd need is a half decent security approach, however given the government's approach to anything recently, IT related or not, it's no wonder that the parliamentary IT system follows the same principle.

      2FA is a good idea, let down by reality and usually compromised by the implementation and hamstringing convenience. Sending access codes to a device that the user is likely to have in hand doesn't really increase security much, likewise codes sent to other devices or accounts - the end result is often a syste, that's so inconvenient that users try to avoid using it. Poor mobile support for 2FA, e.g. so users can use modern technology and standard(ish) applications to access their email or documents doesn't help either - seriously, a secure email application doesn't have to be an unusable PoS compared to the ones supplied for free by Apple, Google or Microsoft.

      Remote email clients can easily be protected with client certificates - this doesn't help much when losing the device, or access to the device, but it does help prevent non-authorised connections which is what this is all about.

      This is before smart stuff can be done on the server side, for example rate limiting incorrect logins - the technique has been around for years through simply steadily increasing the delay between allowed login attempts. This can be enhanced through reducing or bypassing the delay for expected originating IP addresses as this can reduce the DoS prospect.

      Nothing hard, and as another poster has noted - why do they not run dictionary attacks against their own accounts? It's a simple process and greatly reduces the use of poor passwords.

  4. Anonymous Coward
    Anonymous Coward

    If they got access I fully expect the Jimmy Savilles of the current political class to be named.

    Paedo's, rapists, murderers, the lot of them.

    1. Anonymous Coward
      Anonymous Coward

      I see I have some down votes, colour me surprised.

      Ted Heath

      Cyril Smith

      Lord Brittan

      To name but a few.

      I see some people must think that people in power will no longer abuse their positions.

      I'm glad you all live in your hairy fairy world of joy and happiness.

      1. Primus Secundus Tertius

        @ coloured surprised

        The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely.

        When I was a small child I was very angry when some grown-ups ignored my views just because I was a child. But there are some people whose vews should be ignored. In the history of these child abuse allegations, there have been too many cases where the uncorroborated evidence of one person has led to proceedings that have come unstuck.

        Yes, there have been cases, for example in Rotherham, where police have ignored justified allegations. But the eventual convictions came after testimony from several parties. And the guilty men were ordinary criminals, not politicians.

        Where police have acted, or inacted, wrongly they should be censured for lack of judgement, not failure to follow procedures.

        1. Anonymous Coward
          Anonymous Coward

          @Primus

          "The allegations against Edward Heath and Lord Brittan (both deceased) remain unproved and unlikely."

          I'll agree with you on Heath but I will never agree on that peado Brittan. He dodged the police for decades then claimed dementia while still claiming his lords money.

          Also one has to question the funding of "PIE" in the 80's by the home office.

          https://en.wikipedia.org/wiki/Paedophile_Information_Exchange

          Still don't think there were more or are more?

          1. Anonymous Coward
            Anonymous Coward

            I'll agree with you on Heath but I will never agree on that peado Brittan. He dodged the police for decades then claimed dementia while still claiming his lords money.

            I don't believe there's any credible public domain reason to conclude that Brittan was probably a paedophile. I suspect you're thinking of Greville Janner, Labour MP for Leicester West, where there were ample accusations from multiple sources across at least two decades, and the governments, Clown Prosecution Service and police deliberately looked the other way.

      2. Anonymous Coward
        Anonymous Coward

        "To name but a few."

        I presume you have submitted the evidence you obviously have to the police?

        1. Bernard M. Orwell

          "I presume you have submitted the evidence you obviously have to the police?"

          How about a tacit confession of collusion? Buckle up and watch this BBC clip. Once you've done so, understand that it was part of the body of evidence against parliamentarians that caused an inquest to be opened. An inquest that was deliberately derailed by T. May and co. She "lost" records more than once, had the chairperson removed at least twice and finally, quietly closed down the inquiry.

          yeah, pretty sure there was sufficient evidence for plod to proceed.

          https://www.youtube.com/watch?v=GwkOWPauu_A

          [Transcript for those who can't watch YouTube right now]

          A short extract from the Michael Cockerell documentary 'Westminster's Secret Service' broadcast by the BBC in 1995.

          Tim Fortescue was a Whip under Edward Heath between 1970 and 1973. In the documentary it was revealed that the Chief Whip kept a little black 'dirt book' which contained information about MPs, and this was used as a method of political control.

          "Anyone with any sense who was in trouble would come to the Whips and tell them the truth, and say now, "I'm in a jam, can you help?" It might be debt, it might be a scandal involving small boys, or any kind of scandal which a member seemed likely to be mixed up in, they'd come and ask if we could help. And if we could, we did. We would do everything we can because we would store up brownie points. That sounds a pretty nasty reason but one of the reasons is, if we can get a chap out of trouble, he'll do as we ask forever more."

      3. Anonymous Coward
        Anonymous Coward

        I see I have some down votes, colour me surprised.

        I'm not one of them, but I could theorise that that is because such people would not use their parliamentary email account for that. There's no accounting for stupidity, of course, but evil people tend to be good at hiding things so that they can continue doing evil things.

        Just a theory.

    2. Anonymous Coward
      Anonymous Coward

      > If they got access I fully expect the Jimmy Savilles of the current political class to be named.

      Perhaps, but not publicly. They'd just become targets for real blackmail "Do this or else this evidence gets out..."

      None of which is helpful to the general public.

    3. rh587 Silver badge

      Paedo's, rapists, murderers, the lot of them.

      By "the lot of them", I can only conclude that you are telling us the late Jo Cox was a paedo, rapist and/or murderer?

      Seems unlikely.

  5. Voland's right hand Silver badge

    If it did not have 2FA or certs it was asking to be hacked

    No 2FA? No certs? No failed login limits? In 2017?

    What f*** state sponsored bullshit are these cretins talking about? A kid can assemble the scripts to mount the attack on this on his desk. It is 20 years out of date in terms of security policy - this could be attacked by a scripting kiddies in 1997 same as it can be attacked by anyone today.

    I thought the parliament bought into Office365. If that is still the case which cretin DISABLED the failed login limit which comes by default with the cloudy version of Exchange and Outlook? Can the idiot be named, shamed and publicly take responsibility.

    By the way - this is literally a reprint of what Graunidad and other news outlets have already posted. I would have expected el-reg at least to be able to update us on what are they using and which idiot did they outsource the maintenance to.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it did not have 2FA or certs it was asking to be hacked

      "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

      1. Voland's right hand Silver badge

        Re: If it did not have 2FA or certs it was asking to be hacked

        "determined and sustained" search for "weak passwords" sounds like a bog-standard brute force to me.

        It sounds like "a day in the strife" for me - there is a constant trickle of brute force attempts in my logs. The current fashion is to try SMTP auth for that.

        1. AndrueC Silver badge
          WTF?

          Re: If it did not have 2FA or certs it was asking to be hacked

          there is a constant trickle of brute force attempts in my logs.

          Same here although I wonder at the intelligence of some of the script writers. A quick check shows attempts to log in to my server using the user names:

          xdfrieortu

          cbmoiwueu

          xbvwtywefo

          pjkiuyl

          qwkoud

          ..before my server put the source IP address on the naughty step.

          If they at least cycled through the character set it might make sense. But random sequences of characters? Is this some clever hacking trick I have missed?

          1. Doctor Syntax Silver badge

            Re: If it did not have 2FA or certs it was asking to be hacked

            "But random sequences of characters?"

            That looks like random keyboard mashing than anything computer generated. Look at the pairs of adjacent keys in there.

          2. Anonymous Coward
            Anonymous Coward

            Re: If it did not have 2FA or certs it was asking to be hacked

            Same here although I wonder at the intelligence of some of the script writers. A quick check shows attempts to log in to my server using the user names:

            xdfrieortu

            cbmoiwueu

            xbvwtywefo

            pjkiuyl

            qwkoud

            ..before my server put the source IP address on the naughty step.

            You may be looking at someone trying to see if you have ALREADY been hacked. The fun thing about hackers is that they also compete for resources, and that list may be a set of defaults set up by ANOTHER breach attempt that is maybe based on a zero day, or a reverse engineering of a recently revealed MS patch.

            You don't need many systems online to see that there's all sorts of filth roaming the Net trying to steal your facilities or breach them. This is why the guys from Parliamentary Digital Services will face a bit of a grilling - if you run a State service it stands to reason you're up against competing State actors. That demands effort, so I hope it's down to resource shortage rather than the sort of beginners' mistakes I've come across.

          3. Wensleydale Cheese

            Unrealistic user names

            "If they at least cycled through the character set it might make sense. But random sequences of characters? Is this some clever hacking trick I have missed?"

            The reason for an attack isn't always obvious.

            But now they know that your server will blacklist the source IP address. If your server did it itself, they now have an idea of how long it took your server to respond to that attack.

            Are you sure they haven't used that form of attack to divert your attention away from other attacks? Filling logs up with nonsense is one way of hiding a specific attack. Do you see failed logins for your accounts department in there, for example? Those could happen hours earlier or later of course, but if your attention has been diverted to the attack involving nonsense usernames, you might miss those events.

            1. Anonymous Coward
              Anonymous Coward

              Re: Unrealistic user names

              Filling logs up with nonsense is one way of hiding a specific attack.

              Yup - we had to apply filters to our logs to make sure we kept seeing the wood for the trees. There are some nasty sh*ts out there, and they really don't care about the damage they cause.

          4. Alan Brown Silver badge

            Re: If it did not have 2FA or certs it was asking to be hacked

            "Is this some clever hacking trick I have missed?"

            Yes, it's seeing what the answers are for accounts which are almost guaranteed not to exist - and the delay in getting such answers, compared to the one you get (and the delay getting it) from using a bad password on a known good account.

            This is why it's critically important to ensure the answers don't vary (unknown user vs bad password) and the delay in answering doesn't vary. Padding out the fail delay helps a lot.

            1. Wensleydale Cheese

              Login failure delays

              "This is why it's critically important to ensure the answers don't vary (unknown user vs bad password) and the delay in answering doesn't vary. Padding out the fail delay helps a lot."

              I saw an example of this several years ago.

              Invalid username / invalid password : a delay of several seconds

              valid username / invalid password: no delay

              It doesn't matter which way around those are, that difference in delay was telling an attacker when they had found a valid username.

    2. Anonymous Coward
      Anonymous Coward

      Re: If it did not have 2FA or certs it was asking to be hacked

      No 2FA?

      Not on automated IMAP or Exchange logins (most of these peopel read email on devices, not on a website).

      No certs?

      If they had fixed some pretty basic fundamentals, certs would have been overkill anyway. Also, the kind of people who get tasked with setting this up tend to be cheap contractors that are just called "consultants" so they can be billed at £1200/day, but they are (in my personal experience) just about hanging on. Don't expect sophistication beyond the HOWTOs they can look up online..

      No failed login limits? In 2017?

      Here you hit again a skills issue. The best people to set up network focused protection are people that really know about networks, but especially MS Exchange setups are usually done with people who know about applications, but little beyond the basics to get a network connection and a DNS lookup working. Heck, if you'd ask them about what strata time server they use for sync you'd get a blank look. They will thus work with default settings for timeout, and intelligent hackers adjust for that. We've spent some good time with test hosts and wireshark to see what would wander in, and I can tell you that the days of dumb script kiddies that were trivial to keep out are gone.

      1. Anonymous Coward
        Anonymous Coward

        "if you'd ask them about what strata time server they use for sync"

        Which shows you don't understand Windows domains.... Exchange needs a domain controller, and will sync its time with it, you won't sync it separately, because if the domain controller (which also works as the KDC) and the Exchange server time drifts apart too much you'll get problems.

        PS: you don't usually use IMAP with Exchange, unless your device can't use ActiveSync, and ActiveSync does support certificate-based authentication for increased security.

        1. Dan 55 Silver badge

          Re: "if you'd ask them about what strata time server they use for sync"

          So does IMAP.

        2. Anonymous Coward
          Anonymous Coward

          Re: "if you'd ask them about what strata time server they use for sync"

          PS: you don't usually use IMAP with Exchange, unless your device can't use ActiveSync, and ActiveSync does support certificate-based authentication for increased security.

          I used the time server as an example, btw, not as an Exchange feature you must know - if you source time, you must understand some of the basics to assess the risks associated with it, that's all.

          That aside, I see IMAP use generally as a hint that someone has been intelligent enough to stick to Open Standards. In my experience, a Microsoft setup will try to avoid any possible use of Open Standards to avoid the risk that someone would be able to demonstrate something else works better. So it's either IMAP or <anything Microsoft>. Ditto for carddav and caldav, but to be honest, Thunderbird requires plugins for both too (yes, even carddav).

    3. This post has been deleted by its author

    4. Dan 55 Silver badge

      Re: If it did not have 2FA or certs it was asking to be hacked

      I thought the parliament bought into Office365. If that is still the case which cretin DISABLED the failed login limit which comes by default with the cloudy version of Exchange and Outlook? Can the idiot be named, shamed and publicly take responsibility.

      He probably did it to preserve his sanity, with the likes of Rees-Mogg taking 20 tries to get the password right. If he were only allowed three tries he'd send Nanny around.

      1. Andy The Hat Silver badge

        Re: If it did not have 2FA or certs it was asking to be hacked

        "If he were only allowed three tries he'd send Nanny around."

        Nanny, Nanny? How did you know that was his password? And it's got a capital and everything to make it hard for Mater to guess ...

    5. jdoe.700101

      Re: If it did not have 2FA or certs it was asking to be hacked

      The problem with failed login limits, is that it makes for the perfect denial of service attack. Ideally you take out the access control admins first, and then everyone else.

      1. Anonymous Coward
        Anonymous Coward

        Re: If it did not have 2FA or certs it was asking to be hacked

        The problem with failed login limits, is that it makes for the perfect denial of service attack. Ideally you take out the access control admins first, and then everyone else.

        That's why you do not time out accounts per sé, but account/IP pairs. If you get 3 failures for "some.member@parliament.uk" from IP 123.123.123.123, you block that IP for a bit as that also stops them from trying other accounts. That still leaves it accessible from other IP addresses.

        As I said earlier, hackers now try to avoid that by using botnet proxies so they can try multiple times, and by the time they've used all the bots, the first one in the queue has already had its ban timed out and can try again. The simplest way to counter that is to step away from default timeouts and make them a bit sharper, like 2 failed attempts before blocking, and 2 hour timeout per block.

        The issue with defence mechanisms is that they must be maintained and tuned - there's no such thing as a static threat.

        1. My Alter Ego

          Re: If it did not have 2FA or certs it was asking to be hacked

          I appreciate that we're a small business, but I run a ban policy of 1day when 3 fails are caught over 1hr. For MPs and their "acolytes" you'd likely hit false positives, but I'd expect* parliament to err on the side of security, not ease of access.

          For me, it's a case of making sure our IP reputation doesn't tank if somebody brute forces a user's password. Our mailboxes are mostly un-confidential data, amazon orders and bigoted jokes**.

          * That is, if I weren't so bloody cynical.

          ** I truly wish I were joking about that - <sigh>

        2. Alan Brown Silver badge

          Re: If it did not have 2FA or certs it was asking to be hacked

          "The simplest way to counter that is to step away from default timeouts and make them a bit sharper, like 2 failed attempts before blocking, and 2 hour timeout per block."

          And permbans after a couple of set of failures.

          And using the distributed fail2ban/denyhosts IP lists

          And using the DNSBLs of open proxies.

          1. Anonymous Coward
            Anonymous Coward

            Re: If it did not have 2FA or certs it was asking to be hacked

            And using the DNSBLs of open proxies.

            To be frank, running an email service without is plain irresponsible IMHO, and Spamhaus does quite a good job (still, which is quite impressive). Also ensuring your SPF records are set is a good way to make things safer, but I am getting less and less convinced about DKIM. Every email I get from a Microsoft managed email account is 50k bigger because all the DKIM trash in the header. It appears Microsoft has transferred its multiple decades waste of IT resources to its services.

            I also saw that Maxmind was selling a database with anonymisers but when I asked them for a price they got all cagey and wanted to know why I wanted it, so I dropped the conversation.

      2. Anonymous Coward
        Anonymous Coward

        "is that it makes for the perfect denial of service attack"

        Not if it also logs the IP the attacks come from - even my hmailserver does that when it blocks too many logon attempts. And hope you have still ways to access the server from a VPN and internal IPs that can't be easily DoSsed...

  6. Harry the Bastard

    that'll be mps' passwords such as...

    lovelyexpenses

    paidjollys

    yesmrmurdoch

    yesmrdacre

    lookafterno1

    moredirectorships

    dodgetax

    gongsforus

    etc.

    1. Fred Flintstone Gold badge

      Re: that'll be mps' passwords such as...

      You forgot "duckhouse"

      :)

      1. Korev Silver badge
        Coat

        Re: that'll be mps' passwords such as...

        And remoat access

  7. KOST

    I bet Boris's password is fine. I doubt the attackers use 16th century dictionaries as the source for their attacks. And if it's not an archaic word, then he's probably still fine. No-one knows how to literally spell a brainfart.

  8. Adam 52 Silver badge

    "says <90 email accounts"

    This was pretty much copied verbatim from the BBC report (or the BBC copied it from here), and it was stupid there too.

    The statement said fewer than 1% of 9000. That's obviously a rough guess, converting it to 90 users just implies precision that wasn't there. They'd likely have described anything from 10 to 90 as fewer than 1%.

  9. 0laf Silver badge

    2FA

    I think other have hit the nail on the head with out parliamentarians being too important to be bothered with trivialities such as 2FA.

    They'll be no different to any other senior manager (or teacher or doctor) with a chip on their shoulder. It isn't the first time they've had security policy bent to suit their opinion or desire (demanded iPads and iPhones years ago before they were close to being suitable).

    I hope that whomever allowed them to carry on with shite passwords and no 2FA has kept the email chain where they strongly recommended against any downgrade of security. If not I doubt the door will hit your arse on the way out.

    1. Alister

      Re: 2FA

      I think others have hit the nail on the head with our parliamentarians being too important to be bothered with trivialities such as 2FA.

      Well, I don't. If you use an email client, the last thing you want is a text, phone call or other 2FA process every time the client connects to the server.

      As far as I know this is not an attack on a web based mail account we are talking about, it is repeated authentication attempts against a server using SMTP, IMAP or other mail protocol. It would be most unusual to have 2FA on that sort of connection.

    2. DebitShield

      Re: 2FA

      You're being very generous saying that they are "too important" to be bothered with 2FA - I would have guessed at "too incompetent".

  10. WibbleMe

    Well if they do find something it will just be Bull S....

  11. WibbleMe

    Who would have though that the password for an email password box where it says "INSERT password" would be been "pigshead"

  12. Anonymous Coward
    Anonymous Coward

    For security changes politicians should be issues a cardboard box with a screen drawn on them

    1. Anonymous Coward
      Anonymous Coward

      I think they've been upgraded to an etch-a-sketch. Maybe that's why it all went sideways..

  13. Alan J. Wylie

    Is it related to last week's news that Russian hackers are trading MP's credentials?

    Russian hackers trading stolen email addresses and passwords of 1,000 British MPs and top officials online

  14. Doctor Syntax Silver badge

    OK, it's fun to make fun of MPs. But we should be able to do better than that. We should be turning this into a teaching opportunity.

    For instance Liam Fox, who is a minister, is reported by the Beeb as saying "And it's a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber-security." El Reg should ask him - or reach out to him if they really must - what part he sees end-to-end encryption playing in this. Because I doubt more than the minutest handful of them realise the role that has to play in securing everyday services that we all use.

    1. Anonymous Coward
      Anonymous Coward

      We should be turning this into a teaching opportunity.

      How? They're all a collection of pompous, self-obsessed, talent free clowns, with no relevant education or experience in any area of science, technology and most areas of important business. They are beyond teaching the error of their ways.

      1. chelonautical

        > How? They're all a collection of pompous, self-obsessed, talent

        > free clowns, with no relevant education or experience

        One of the core problems with politics is that democracy and psychology can combine to produce problematic outcomes.

        Most people vote for politicians who appear the most confident and certain in their beliefs. In an increasingly complex world, confidence and certainty are reassuring characteristics in leaders. Therefore we end up with politicians who are above all else confident, regardless of their actual ability or knowledge. Most voters probably don't mean to choose a brash ignoramus to represent them (and not every MP is one) it's just frequently a side-effect of how the system works.

        But the Dunning-Kruger effect means that many of our leaders are over-confident in their own abilities and understanding. If they aren't aware of a particular threat or problem then they don't see any point in doing anything about it and it wouldn't occur to them to ask anyone else because they are already convinced that they know everything (e.g. see Gove's remarks about experts). In the abstract they know that national security is very important, but most of them don't know how that translates into technical and administrative controls.

        There are a few good smart people who manage to get into politics, people who listen to others and seek expert input before forming opinions and policies. They just happen to be the minority exception to the general rule.

        For these reasons it's unlikely that lessons will be learned by everyone who need to learn them. However, that doesn't mean we shouldn't try to educate our politicians to do better. Also we need skilled experts to design and implement better systems, in order to be less reliant on the knowledge and whims of the individuals concerned. I'm going to hope for the best, while still dreading the worst (as per usual really).

      2. Doctor Syntax Silver badge

        "How? They're all a collection of pompous, self-obsessed, talent free clowns,"

        Generalise much? I agree the Lords are somewhat better, as some of them are appointed specifically for expertise elsewhere.

        But even accepting your description at face value they're currently a collection of pompous, self-obsessed, talent free clowns who have just had a nasty shock about their online security and are, therefore, likely to be receptive to being told about such things right now.

        BTW, why not improve the quality of Parliament by standing yourself? Or would being dismissed out of hand as a pompous, self-obsessed and talent free clown put you off?

        1. Bernard M. Orwell

          "would being dismissed out of hand as a pompous, self-obsessed and talent free clown put you off?"

          Didn't stop May, Trump, Hunt, Farage, BoJo.... etc. etc.

    2. gnasher729 Silver badge

      The problems that not only the politicians have: It would be really good if honest citizens had a way to use the internet with perfect encryption so nobody can hack them. And it would be really good if the police could read everything that terrorists are doing on the internet. AND YOU CANT HAVE BOTH.

  15. Anonymous Coward
    Anonymous Coward

    By defintion

    This will hit the more "important" people because:

    1. If you are intelligent enough to use a decent password you are not much use as an MP (scruples etc.)

    2. once you get to a certain level of control nobody tells you about efing horses, batteries or any of that other green shit.

  16. Tom Paine
    FAIL

    Doesn't add up

    1. Surely not even UK Parliament have remote access or webmail that doesn't lock out after ten failed logins. Brute force is useless except as a simple-minded DoS of the helldesk as everyone tries to get their accounts unlocked.

    2. Wot no 2fa?!?>? in 2017? For PARLIAMENT???

    ...no, seriously?!???

    3. If the "brute force" was guessing from a shortlist of ten passwords per user leaked from the various big credential dumps over the last few years, that implies 90 users have reused ancient, known compromised, passwords. Colour me unsurprised, I suppose, but if so they really deserve an arse-kicking

    4. Unclear whether this was /remote access/, as they've said (ie a VPN endpoint) or some sort of webmail, OWA presumably. Blame sloppy use of technical terms by journalists and press officers.

    If it's a VPN, presumably successful attack gave access to more than just mail. If just webmail, why'd they call it "remote access"?

    5. Ohhhh, those Russians.

    1. Anonymous Coward
      Anonymous Coward

      Re: Doesn't add up

      5. Ohhhh, those Russians.

      It's definitely those Russians, all of the MSM news outlets are saying it.

      They cant all be lying right? I mean that would imply a conspiracy.

      Of course I jest with you, conspiracies are as common as collaborations, which is just another word describing the same thing. Due to the disingenuous nature of money, people collaborate / conspire in all kinds of nasty things.

      If I could hit the nail on the head with a single word describing the whole setup, it would be sycophancy

      That is what drives alot of this shit, plain old sycophancy

  17. Anonymous Coward
    Anonymous Coward

    Machiavellianism

    Many of you may have noticed that there is a persistent theme / narrative being pushed out into the public consciousness by the MSM, and it usually involves some appointed bogeyman to point a finger at.

    All the world's a stage

    Be the change you want to see in the world, or to put it in a slightly more insinuating way; Create problem, offer solution, profit.

    I am willing to bet that the "brute force" attempts being described here are just attempts at using passwords gleaned from a hacked 3rd party web service database dump, to which there are many. Ashley Madison for example.

    Brute force attacks have been around for a long time, mitigations include IP blocking, account lockout for a set period, and the best one of all 2FA, or even 3FA (something you know, something you have, something you are). One would assume they automatically block known TOR exit nodes. So really, what the actual fuck is this non-story about?

    It's about forcing a policy desire onto the public through Machiavellian methods, that's what this is about

    1. CustardGannet
      Joke

      Re: Machiavellianism

      You can't seriously believe that *any* of the Honourable Members were users of the Ashley Madison website ?

      Joke icon, for obvious reasons.

    2. Anonymous Coward
      Anonymous Coward

      Re: Machiavellianism

      I'm sorry, but I have to downvote you for a Trumpism. Trump uses MSM because his hands are too small to type long words, but also because it's a generic term whose definition is so unspecific that he can smear a whole industry with it. I think we ought to refrain from copying neither word use as well as approach.

  18. Anonymous Coward
    Anonymous Coward

    Office 365

    Didn't they outsource to Office 365?

    https://www.theregister.co.uk/2014/07/11/ministers_this_office_365_migration_is_proving_extremely_difficult/

  19. adam payne

    "sustained and determined cyber attack"

    Is that the same sustained and determined cyber attack which actually turned out to be people opening things they really shouldn't have.

    One password and you're in? seriously?

  20. Anonymous Coward
    Trollface

    Hacked password list

    Expenses123

    Maybot

    Mayhem

  21. handleoclast

    Why all the speculation?

    Why all the speculation about what MTA is running?

    A simple MX lookup shows messagelabs provides the service.

    1. Tom Wood

      Re: Why all the speculation?

      So? Messagelabs provide the first MTA, I expect mail passes through a bunch of other servers before it reaches the users.

    2. Alan Brown Silver badge

      Re: Why all the speculation?

      "A simple MX lookup shows messagelabs provides the service."

      No, it doesn't. Messageslabs are simply a bastion service

      Messagelabs' business operation is to MX and filter. Once they've finished processing the mail it gets sent to the _real_ servers (which should be protected against direct connections from hosrs other than the MX, but frequently aren't)

      1. Anonymous Coward
        Anonymous Coward

        Re: Why all the speculation?

        Messagelabs' business operation is to MX and filter.

        Worth noting that that also puts them in world's best position to copy incoming and outgoing emails for any third party - and they're American..

    3. Anonymous Coward
      Anonymous Coward

      Re: Why all the speculation?

      A simple MX lookup shows messagelabs provides the service.

      MessageLabs provides the filtering service, but I am not going to try and figure out who and what runs the actual MTA via a telnet HELO to port 25 at a time when every sniffer in the country is trying to pick up non-standard connection attempts :).

  22. Anonymous Coward
    Anonymous Coward

    Email != Webmail

    Is everybody posting on here less than 20 years old?

    There seems to be an unwarranted assumption that "Email" means a web login.

    All this talk about "should have had 2FA" is bollocks, it simply isn't practical to apply 2FA to a mail client like Thunderbird or Outlook, or a smartphone's Mail client App.

    Whether they use POP3, IMAP, MAPI or EAS, the client will be logging in to the server every few minutes. Imagine having to answer 2FA prompts all the time?

    What happened here was repeated authorisation attempts to an email server within the Parliamentary network, from a widely spanning bot-net with thousands of IPs.

    2FA, Fail2Ban or limited login attempts and all the other peurile suggestions are not going to stop that from happening.

    1. Tom Wood

      Re: Email != Webmail

      Why are limited login attempts not going to stop that happening?

      Every time I change my work network password, I have to first stop my phone and email client auto-syncing with the server, otherwise I get locked out of my email for too many bad password attempts.

      And if logins are automated, all the more reason for using long and complex passwords.

      1. Anonymous Coward
        Anonymous Coward

        Re: Email != Webmail

        There is 2FA per device and/or software.

        From a new device or location -

        To log in from this account you will need to type the code on your registered mobile.

        Not saying it needs to be done every few minutes but I assume they are not trying to log in from his existing devices or is that puerile too?

      2. Anonymous Coward
        Anonymous Coward

        Re: Email != Webmail

        Why are limited login attempts not going to stop that happening?

        Because the algorithms which are used to limit logins usually take into account the IP from which the attempt is made. If you have a large number of IPs, (such as using a bot-net) then login limitations based on IP will not work.

        1. Tom Wood

          Re: Email != Webmail

          Because the algorithms which are used to limit logins usually take into account the IP from which the attempt is made

          Well don't use those algorithms then.

          (I know, you could lock a legitimate user out of their account in that case, but maybe you could design some way to mitigate the impact of that, e.g. require a user to log in from a separate web system using decent 2FA or whatever to unlock their account in that case).

  23. Spearchucker Jones

    <rant>

    From the statement: "...is putting plans in place to resume its wider IT service."

    Who other than government even speaks like that?!? Writing "...is planning to..." would be more readable. But that would also sound stupid, which in turn shows that the entire line isn't needed. Because of course they're planning to resume service. Why the *$%^@ wouldn't they?

    </rant>

    1. Richard Parkin

      GCHQ NO BETTER

      On the linked Cyber Security page it reads "and advise on the necessary mitigating actions.”. It should read "tell them to use better passwords".

  24. Anonymous Coward
    Anonymous Coward

    Just think...

    ...some of the people who will have weak passwords will previously have blindly voted for ID cards, RIPA, DRIPA and are gagging for backdoors into encryption.

  25. Stevie

    Bah!

    'sustained and determined cyber attack'

    So, three log in attempts then?

  26. Anonymous Coward
    Anonymous Coward

    Is MI5 fingering Matuska? Or is it as fingerless as our Supo?

  27. Anonymous Coward
    Anonymous Coward

    Fix that before...

    ... you try to read your citizens email -ILLEGALLY.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like