By Al Hartmann

Insecure By Design—The UK Parliament Email Attack

In cyberspace the sheep get shorn, chumps get chomped, dupes get duped, and pawns get pwned. We’ve seen another great example of this in the recent attack on the UK Parliament email system. Here are three links to more information on this attack if you haven’t already seen them:

http://www.parliament.uk/business/news/2017/june/cyber-incident/

https://www.theguardian.com/politics/2017/jun/25/cyber-attack-on-uk-parliament-russia-is-suspected-culprit

https://www.computerworld.com.au/article/621102/hackers-hit-uk-parliament/?fp=16&fpid=1

Rather than admit to an email system that was insecure by design, the official statement read:

Parliament has robust measures in place to protect all of our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection—pin it on the Russians, that always works, while accusing the victims for their policy violations. While details of the attack are scarce, combing various sources does help to assemble at least the gross outlines. If these descriptions are reasonably close, the UK Parliament email system failings are egregious.

What went wrong in this case?

  1. 1. Rely on single factor authentication
    “Password security” is an oxymoron—anything password protected alone is insecure, period, no matter the password strength. Please, no 2FA here, might impede attacks.
  2. 2. Do not impose any limit on failed login attempts
    Facilitated by single factor authentication, this allows simple brute force attacks, no skill required. But when attacked, blame elite state-sponsored hackers—no one can verify.
  3. 3. Do not implement brute force attack detection
    Allow attackers to conduct (otherwise trivially detectible) brute force attacks for extended periods (12 hours against the UK Parliament system), to maximize account compromise scope.
  4. 4. Do not enforce policy, treat it as merely suggestions
    Combined with single factor authentication, no limit on failed logins, and no brute force attack detection, do not impose any password strength validation. Provide attackers with very low hanging fruit.
  5. 5. Rely on unsigned, unencrypted email for sensitive communications
    If attackers do succeed in compromising email accounts or sniffing your network traffic, provide plenty of opportunity for them to score high value message content entirely in the clear. This also conditions constituents to trust readily spoofable email from Parliament, creating an ideal constituent phishing environment.

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system administrators may wish to take further actions. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and entirely rethinking secure messaging are recommended steps. Penetration testing would have uncovered these foundational weaknesses while remaining outside the news headlines. Even a few sharp high-schoolers with a free weekend could have duplicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some party somewhere across the global internet. All the more incentive to find and fix those weaknesses before the attackers do, so turn those pen testers loose. And then if your defenders don’t have visibility to the attacks in progress, upgrade your monitoring and analytics. As usual, rinse and repeat.

Get the General Here