Charles Leaver – Attack On UK Parliament Email System Highlights Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

 

In the online world the sheep get shorn, chumps get chewed, dupes get duped, and pawns get pwned. We’ve seen another terrific example of this in the current attack on the United Kingdom Parliament email system.

Rather than admit to an e-mail system that was not secure by design, the main statement read:

Parliament has strong procedures in place to secure all our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection – the Russians did it, that constantly works, while implicating the victims for their policy infractions. While details of the attack are limited, combing various sources does assist to assemble at least the gross scenario. If these accounts are reasonably close, the UK Parliament email system failings are atrocious.

What failed in this scenario?

Rely on single element authentication

“Password security” is an oxymoron – anything password protected alone is insecure, period, irrespective of the strength of the password. Please, no 2FA here, may hinder attacks.

Do not impose any limit on unsuccessful login efforts

Facilitated by single factor authentication, this enables basic brute force attacks, no ability required. However when violated, blame elite state-sponsored hackers – nobody can verify.

Do not carry out brute force violation detection

Allow opponents to perform (otherwise trivially detectable) brute force violations for extended periods (12 hours against the United Kingdom Parliament system), to maximize account compromise scope.

Do not enforce policy, treat it as merely recommendations

Integrated with single element authentication, no limit on failed logins, and no brute force violation detection, do not impose any password strength recognition. Supply attackers with very low hanging fruit.

Count on anonymous, unencrypted email for delicate interactions

If assailants do succeed in compromising email accounts or sniffing your network traffic, provide lots of opportunity for them to score high value message material completely without obstruction. This also conditions constituents to trust easily spoofable e-mail from Parliament, developing a perfect constituent phishing environment.

Lessons discovered

In addition to adding “Sound judgment for Dummies” to their summertime reading lists, the UK Parliament e-mail system administrators may want to take further actions. Strengthening weak authentication practices, enforcing policies, enhancing network and endpoint visibility with constant monitoring and anomaly detection, and completely reassessing secure messaging are advised actions. Penetration testing would have revealed these foundational weaknesses while remaining far from media attention.

Even a few sharp high schoolers with a complimentary weekend might have replicated this violation. And lastly, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some cyber criminals somewhere throughout the global internet. All the more incentive to discover and fix those weaknesses prior to the opponents do, so get started immediately. Then if your defenders don’t cannot see the attacks in progress, upgrade your monitoring and analytics.