Access Management , Governance & Risk Management , Identity & Access Management
Parliament Pwnage: Talk Weak Passwords, Not 'Cyberattack'Poor Passwords Remain a Gift to Attackers
Opportunistic attackers may have breached Parliament - apparently by brute-force guessing their way into email accounts with weak passwords (see British Parliament Targeted by Brute-Force Email Hackers).
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
But such a breach is hardly the "cyberattack" some are making it out to be, and suggestions that this-or-that government may have been behind the attack appear unfounded, at best.
"You wouldn't leave your door open at night."
Here's what is clear: Up to 90 email accounts on the "parliament.uk" domain used by members of the House of Commons, peers in the House of Lords, as well as parliamentary staff and civil servants, appear to have been breached. A statement issued by Parliament says all of the breached accounts were "compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service," which provides IT support to Parliament.
Official communications from Parliament have also variously described the attempted penetration of Parliament email accounts as both a "cyber incident" as well as a "cyberattack."
Updated statement regarding cyber incident pic.twitter.com/c7JMvBWUgk— Commons Press Office (@HoCPress) June 25, 2017
Many initial media reports have likewise been quick to label the breach as being a cyberattack.
"Parliament cyberattack 'hit up to 90 users,'" the BBC reported. "Cyberattack on Parliament: Dozens of email accounts hacked," broadcaster Sky reported. "Cyber-attack on UK parliament: Russia is suspected culprit," the Guardian headline reads.
The term cyberattack is open to interpretation, but earlier this year, the Associated Press Stylebook - the final arbiter of all things grammatical for many newsrooms - argued that use of the term should be limited. "We caution that the word cyberattack should be used only for significant and widespread destruction," Paula Froke, lead editor for the AP Stylebook, said in March.
Security watchers say the Parliament incident hardly qualifies as widespread destruction.
"Trying to brute force a list of email address passwords is not a sustained and deadly cyber attack, at best it's weaponized shenanigans," says Jake Davis, the former Anonymous and LulzSec teen hacker known as "Topiary," via Twitter.
"If someone used 0days to gain long-term persistent access to Parliament then maybe that's a cyber attack, but this definitely isn't," he says. "We need to stop calling everything a 'cyber attack.' It spreads ignorance."
Some kid could just spend $20 on a server, launch a weak DDoS attack against a random .gov site, and leave a .jpg pointing to North Korea— Jake Davis (@DoubleJake) June 26, 2017
Polite Reminder: Attribution is Tough
Besides over-use of the term "cyberattack," after any high-profile breach, multiple media outlets invariably quote unnamed government sources, who will suggest that the attack must have been sponsored by a nation-state.
"It was a brute force attack. It appears to have been state-sponsored," one source tells the Guardian, before adding this telling caveat: "The nature of cyberattacks means it is notoriously difficult to attribute an incident to a specific actor."
In other words, the source has no idea.
While British security service sources may be more guarded in these appraisals than their American counterparts, it's important to remember that many supposed nation-state attacks turn out to be anything but.
For example, U.S. government sources initially blamed the 2014 hack attack against JP Morgan Chase and other U.S. financial giants on Russia, perhaps in retaliation for sanctions imposed over Moscow's Ukraine meddling. Based on charges ultimately filed the U.S. Department of Justice, however, the attack was allegedly carried out by a gang of Americans and Israelis harvesting contact details for high-value bank clients, then targeting them as part of pump-and-dump stock schemes (see Report: Spammers Tied To JPMorgan Chase Hack).
Do MPs Take Security Seriously?
One takeaway from the Parliament breach is that it will serve as a "warning to everyone we need more security and better passwords," Liam Fox, a Tory MP who serves in the cabinet as Britain's international trade secretary, tells ITV News. "You wouldn't leave your door open at night."
In fact, you'd probably also lock your door, although Fox stops short of saying that. Could it be that it might lead to a comparison between the safety afforded by locking your door at night and the use of strong crypto to "lock" important data and communications? (See British Home Secretary Demands Backdoored Communications)
Regardless, one obvious response is that of course MPs would not leave their door open at night. So why won't they secure their email accounts?
Are Parliament's Security Rules Enforced?
In the wake of the unauthorized email account access, Parliament issued a statement: "Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network."
But what are those robust measures, and are they enforced? I pressed Parliament for answers to those questions, asking specifically if two-factor authentication was available, as well as if it is mandatory - as it should be, for parliamentarians.
What's also unclear is why parliament.uk email account holders were not forced to comply with "guidance issued by the Parliamentary Digital Service."
A spokesman for Parliament declined to comment, citing the ongoing investigation.
As Thomas Rid, a professor of war studies at King's College London, notes, it should by now be clear that outside attackers - be they foreign powers amassing intelligence or opportunistic cybercriminals looking for information with resale value - have targeted lawmakers' email accounts.
Infosec in Parliament (all parliaments) is more important than ever. Yet problems persist. A big one: many MPs not taking security seriously— Thomas Rid (@RidT) June 24, 2017
The lack of enforced strong passwords or two-factor authentication has dangerous implications for British society.
But what's the next step? Should parliamentarians with weak information security mojo be named and shamed? Should whatever "robust" measures are supposedly in place actually be enforced? And if parliament.uk email accountholders can't use email securely, is tough love the answer, meaning they should not be entrusted with an official email account?
When Parliament's email system can be breached due to weak passwords, clearly, something needs to change.