Does this mean you can get a ProxyNotShell vote?
Electoral Commission had internet-facing server with unpatched vuln
The hacking of the UK’s Electoral Commission was potentially facilitated by the exploitation of a vulnerability in Microsoft Exchange, according to a security expert. Earlier this week, the election oversight body disclosed that its systems had been broken into, and the attackers had access to the servers that host the …
COMMENTS
-
-
Saturday 12th August 2023 01:47 GMT bo111
Never. Here is a solution
Let's think logically. Majority of businesses and organizations are not sufficiently secure. This will NEVER change.
So, lets delegate PII data management to a few highly specialized organizations. Those can be those already proven to do it well, such as banks, cloud providers or a special government service. Governments must pay the providers to handle the data. Entrusted companies must not mix the PII-handling services with their commercial operations.
For the rest of organizations requiring PII to do business, they will be LEGALLY forbidden to ask for PII, record or process PII, copy and analyse PII in their databases. No more passport photos sent by email or scanned in a corner shop. Indirect identification and authorization methods must be used through the entrusted third parties, similar to how already now users login with Google or Facebook credentials to other web-sites.
PROS: (1) PII can be easily modified and propagate to all the rest. (2) Distinct user ID can be issued to each non-PII handling organization. Thus will make it harder to do illegal data cross-analysis or tracking. (3) Majority of businesses will not have to spend on expensive privacy management or worry about PII loss. (4) Possibility to implement notifications on PII access for any transaction by a third party. (5) The PII-providers can implement multiple levels of data protection, throttling the traffic with physically slow routers etc., so that it is literally impossible to download GBs of PII of the whole country unnoticed. (6) Only a few PII providers can be easily audited and monitored for service quality. (7) Illegal data usage, such as for illegal immigration or social security fraud will be made hard.
CONS: (1) Single point of failure, supposedly, but this is no different to current ALMOST CERTAIN data leaks through thousands of small organizations with little IT or privacy experience. (2) Possibility of identity theft, but this can be dramatically reduced by the necessity of physical contact by post or in person with the PII handler.
-
Wednesday 30th August 2023 14:52 GMT Alan Brown
Re: Never. Here is a solution
"Majority of businesses and organizations are not sufficiently secure. This will NEVER change."
Personal legal liability of manglement for breaches would focus attention. One of the biggest problems IT bods face is that the people with the resources don't see the need for improving security until an event has already happened
-
Tuesday 5th September 2023 11:17 GMT bo111
> Personal legal liability
Will not happen. Most people are not smart enough. IT systems are becoming more complex each year. Else half of the country will end up in jail.
Small and mid size business workers stare at me in a shock and offer to stop a transaction when I point to potential mishandling my PII.
-
-
-
Friday 11th August 2023 13:13 GMT Pascal Monett
"highly privileged Active Directory accounts by default"
For am email server. How typical of Borkzilla.
We don't know how to do security efficiently, so let's just give email all the privileges and it will work. What's the worst that could happen ?
Hey Nadella, here's a challenge : get Exchange working on Linux.
That'll teach you a thing or two about actual security.
-
Friday 11th August 2023 14:37 GMT sitta_europea
"Exchange Server runs with highly privileged Active Directory accounts by default..."
What a great idea.
But when every day I see the amateurish borkage that Microsoft continually perpetrates in the name of email, I suppose I shouldn't be surprised.
Yesterday they told me that an email that I didn't send had failed SPF verification.
Jerks.
-
Friday 11th August 2023 14:41 GMT Andy The Hat
"the attackers had access to the servers that host ... copies of the electoral registers for the entire UK"
So have the electoral registers been trawled? If that is, or suspected to be the case, why have impacted persons (ie the whole of Britain) not been notified that their personal information has been compromised?
Think we need to watch the ICO starting procedures to sue the company - that would be the Government - for whatever percentage of annual turnover is allowed under the current GDPR-ish regulations ...
-
Sunday 13th August 2023 13:29 GMT Anonymous Coward
""the attackers had access to the servers that host ... copies of the electoral registers for the entire UK""
But one is still left wondering exactly WHY copies of the electoral register were stored (and hence accessible) on an internet facing server, powered by MS Exchange that had unpatched (at the time) vulnerabilities.
And if the Electoral Commission IT admins were aware that Exchange Server *had* unfixed problems, why they didn't take the electoral registers offline, even temporarily?
There are too many issues here that requires a root and branch analysis of exactly who was responsible and why they didn't take appropriate action BEFORE any hacking attempts were made...
-
-
Friday 11th August 2023 15:08 GMT jonha
Compare this with flying
If aircraft would be serviced, repaired and flown like servers are secured and maintained we would have the landscape full with crashed airplanes.
IT security is doable (OK, harder for zero days but even there a well-run outfit could think about possible mitigations before the fact). But as people usually don't die because of these idiots (alas, the PSNI leak may prove this to be wrong) we're fucked.
-
Friday 11th August 2023 15:15 GMT Tams
Re: Compare this with flying
Ultimately, it needs to be less accessible to everyone, with several people who know what they are doing checking what each other is doing.
Bu that costs money, is inconvenient, and would just be loudly complained about in the modern world of everything being instant.
-
-
-
Saturday 12th August 2023 08:08 GMT Anonymous Coward
Re: Simple question
> Are you siting on data which you would absolutely have to get back if it was leaked? Well, you can't get it back so the only option is to absolutely not let it leak.
How about encrypting the PII data that could only be decrypted by the presence of the correct credentials.
-
-
Saturday 12th August 2023 21:08 GMT gerryg
Don't blame Microsoft
They are just selling what they have always sold. The real problem is the over promoted tossers trapped in the headlights vaguely recalling that "no-one ever got sacked for buying IBM" and making a false read across.
There is no doubt that a Linux based is less convenient but as Obama said about something else, that's the point.
-
Monday 14th August 2023 12:06 GMT D Moss Esq
The art of briefing
Once you've read this ElReg article you know just how awful Microsoft Exchange is. It's dreadful and Microsoft are so remiss with maintenance that, frankly, no-one could possibly operate a safe installation. The Electoral Commission can hardly be blamed for sharing the personal information of 40 million people with unknown nefarious characters. In fact they're so innocent that, probably, it never happened, just like it didn't happen to millions of other MS Exchange shops.
That's the way to do it.