Electoral Commission had internet-facing server with unpatched vuln

The hacking of the UK’s Electoral Commission was potentially facilitated by the exploitation of a vulnerability in Microsoft Exchange, according to a security expert. Earlier this week, the election oversight body disclosed that its systems had been broken into, and the attackers had access to the servers that host the …

  1. Korev Silver badge
    Coat

    Does this mean you can get a ProxyNotShell vote?

    1. Androgynous Cupboard Silver badge

      Not only the first comment, probably the best comment. You win the internet for today.

  2. Mr Dogshit
    FAIL

    Sigh

    When will they learn?

    1. Tams

      Re: Sigh

      Never.

    2. bo111

      Never. Here is a solution

      Let's think logically. The majority of businesses and organizations are not sufficiently secure. This will NEVER change.

      So, let's delegate PII data management to a few highly specialized organizations. These could be those already proven to do it well, such as banks, cloud providers or a special government service. Governments must pay the providers to handle the data. Entrusted companies must not mix the PII-handling services with their commercial operations.

      For the rest of the organizations requiring PII to do business, they will be LEGALLY forbidden to ask for PII, record or process PII, or copy and analyse PII in their databases. No more passport photos sent by email or scanned in a corner shop. Indirect identification and authorization methods must be used through the entrusted third parties, similar to how users already log in with Google or Facebook credentials to other websites.

      PROS: (1) PII can be easily modified and propagated to all the rest. (2) A distinct user ID can be issued to each non-PII-handling organization. This will make it harder to do illegal data cross-analysis or tracking. (3) The majority of businesses will not have to spend on expensive privacy management or worry about PII loss. (4) Possibility to implement notifications on PII access for any transaction by a third party. (5) The PII providers can implement multiple levels of data protection, throttling the traffic with physically slow routers etc., so that it is literally impossible to download GBs of PII of the whole country unnoticed. (6) Only a few PII providers can be easily audited and monitored for service quality. (7) Illegal data usage, such as for illegal immigration or social security fraud, will be made hard.

      CONS: (1) Single point of failure, supposedly, but this is no different to current ALMOST CERTAIN data leaks through thousands of small organizations with little IT or privacy experience. (2) Possibility of identity theft, but this can be dramatically reduced by the necessity of physical contact by post or in person with the PII handler.

      1. Alan Brown Silver badge

        Re: Never. Here is a solution

        "Majority of businesses and organizations are not sufficiently secure. This will NEVER change."

        Personal legal liability of manglement for breaches would focus attention. One of the biggest problems IT bods face is that the people with the resources don't see the need for improving security until an event has already happened.

        1. bo111

          > Personal legal liability

          Will not happen. Most people are not smart enough. IT systems are becoming more complex each year. Otherwise half of the country will end up in jail.

          Small and mid-size business workers stare at me in shock and offer to stop a transaction when I point to potential mishandling of my PII.

  3. Pascal Monett Silver badge
    Flame

    "highly privileged Active Directory accounts by default"

    For an email server. How typical of Borkzilla.

    We don't know how to do security efficiently, so let's just give email all the privileges and it will work. What's the worst that could happen ?

    Hey Nadella, here's a challenge : get Exchange working on Linux.

    That'll teach you a thing or two about actual security.

    1. Binraider Silver badge

      Re: "highly privileged Active Directory accounts by default"

      MS employees downvoting you I see!

      Exchange and AD on Linux are the two major remaining blockers to a Linux Office desktop. And as everything office enterprise is subscription-based licensing anyway....

    2. Doctor Syntax Silver badge

      Re: "highly privileged Active Directory accounts by default"

      "That'll teach you a thing or two about actual security."

      I'm not sure it would and I don't like to contemplate the consequences.

    3. katrinab Silver badge
      Alert

      Re: "highly privileged Active Directory accounts by default"

      Will it?

      You could run a server as root, and pipe query parameters directly to the shell.

      Obviously you shouldn't, but you could, and that is essentially what MS was doing with Exchange.

      1. Alan Brown Silver badge

        Re: "highly privileged Active Directory accounts by default"

        The absolute irony being that Windows NT is based on VMS (Cutler etc.) and that has vastly better security design baked in than Unix does. MS threw it all out.
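Added example, not code from the thread or from anything Microsoft ships: katrinab's analogy above (a service running as root that pipes a query parameter straight into the shell) side by side with the hardened form. The "lookup" is stood in for by `echo` so it runs offline; the hostname pattern, the attacker string and the function names are constructed for illustration.

```python
"""Command injection through a shell-built command, beside the fixed version.

Assumptions (not from the original page): the service takes a hostname from a
request and shells out to resolve it; `echo` stands in for the real tool so the
example runs anywhere with /bin/sh.
"""
import os
import re
import subprocess

# Conservative hostname syntax (RFC 1123 labels). Anything else is rejected
# before it gets anywhere near a subprocess.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host: str) -> str:
    """The anti-pattern: the parameter is spliced into a string that /bin/sh
    parses. Everything after a ';' in `host` runs with this process's
    privileges, which is what makes 'root' the other half of the problem."""
    completed = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def lookup_argv_only(host: str) -> str:
    """No shell at all: argv is passed as a list, so metacharacters are data.
    The input still reaches the tool unvalidated, which is why this is only
    half of the fix."""
    completed = subprocess.run(
        ["echo", "resolving", host], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def lookup_hardened(host: str) -> str:
    """Validate first, then exec without a shell."""
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv_only(host)


def runs_as_root() -> bool:
    """Privilege check a service should make at start-up: an injection is
    bounded by the identity of the process it lands in."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


if __name__ == "__main__":
    attacker = "example.com; echo INJECTED"   # constructed attacker input
    print("vulnerable :", repr(lookup_vulnerable(attacker)))
    print("argv only  :", repr(lookup_argv_only(attacker)))
    try:
        lookup_hardened(attacker)
    except ValueError as exc:
        print("hardened   :", exc)
    print("running as root:", runs_as_root())
```

With the shell version the attacker's `echo INJECTED` executes as a second command; with argv passed as a list the same string is printed back literally, and the validated version refuses it outright. The `runs_as_root` check is the part that corresponds to "highly privileged by default": fixing the parsing bounds what an injection can do only if the process itself has little to give away.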

  4. sitta_europea Silver badge

    "Exchange Server runs with highly privileged Active Directory accounts by default..."

    What a great idea.

    But when every day I see the amateurish borkage that Microsoft continually perpetrates in the name of email, I suppose I shouldn't be surprised.

    Yesterday they told me that an email that I didn't send had failed SPF verification.

    Jerks.

    1. katrinab Silver badge
      Flame

      Google does that as well.

  5. Andy The Hat Silver badge

    "the attackers had access to the servers that host ... copies of the electoral registers for the entire UK"

    So have the electoral registers been trawled? If that is, or is suspected to be, the case, why have impacted persons (i.e. the whole of Britain) not been notified that their personal information has been compromised?

    Think we need to watch the ICO starting procedures to sue the company - that would be the Government - for whatever percentage of annual turnover is allowed under the current GDPR-ish regulations ...

    1. Anonymous Coward

      ""the attackers had access to the servers that host ... copies of the electoral registers for the entire UK""

      But one is still left wondering exactly WHY copies of the electoral register were stored (and hence accessible) on an internet facing server, powered by MS Exchange that had unpatched (at the time) vulnerabilities.

      And if the Electoral Commission IT admins were aware that Exchange Server *had* unfixed problems, why they didn't take the electoral registers offline, even temporarily?

      There are too many issues here that require a root-and-branch analysis of exactly who was responsible and why they didn't take appropriate action BEFORE any hacking attempts were made...

  6. jonha

    Compare this with flying

    If aircraft were serviced, repaired and flown the way servers are secured and maintained, we would have the landscape full of crashed airplanes.

    IT security is doable (OK, harder for zero days but even there a well-run outfit could think about possible mitigations before the fact). But as people usually don't die because of these idiots (alas, the PSNI leak may prove this to be wrong) we're fucked.

    1. Tams

      Re: Compare this with flying

      Ultimately, it needs to be less accessible to everyone, with several people who know what they are doing checking what each other is doing.

      But that costs money, is inconvenient, and would just be loudly complained about in the modern world of everything being instant.

    2. ChoHag Silver badge

      Re: Compare this with flying

      ... don't die *directly*.

  7. Doctor Syntax Silver badge

    Simple question

    Are you sitting on data which you would absolutely have to get back if it was leaked?

    Well, you can't get it back so the only option is to absolutely not let it leak.

    1. t245t Silver badge
      Facepalm

      Re: Simple question

      > Are you sitting on data which you would absolutely have to get back if it was leaked? Well, you can't get it back so the only option is to absolutely not let it leak.

      How about encrypting the PII data so that it can only be decrypted in the presence of the correct credentials?

  8. gerryg

    Don't blame Microsoft

    They are just selling what they have always sold. The real problem is the over promoted tossers trapped in the headlights vaguely recalling that "no-one ever got sacked for buying IBM" and making a false read across.

    There is no doubt that a Linux-based system is less convenient but, as Obama said about something else, that's the point.

  9. D Moss Esq

    The art of briefing

    Once you've read this ElReg article you know just how awful Microsoft Exchange is. It's dreadful and Microsoft are so remiss with maintenance that, frankly, no-one could possibly operate a safe installation. The Electoral Commission can hardly be blamed for sharing the personal information of 40 million people with unknown nefarious characters. In fact they're so innocent that, probably, it never happened, just like it didn't happen to millions of other MS Exchange shops.

    That's the way to do it.
