UK Email Security Breach Highlights Design Insecurities – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In the online world the sheep get shorn, chumps get chewed, dupes get deceived, and pawns get pwned. We have just seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admit to an email system that was insecure by design, the official statement read:

Parliament has robust steps in place to safeguard all of our accounts and systems.

Tell us another one. The one protective procedure we did see at work was blame deflection: the Russians did it, which always works, while the victims were implicated for their policy infractions. While details of the attack are limited, combing numerous sources does help to assemble at least the gross outlines. If these descriptions are anywhere near accurate, the UK Parliament email system's failings are atrocious.

What went wrong in this case?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, full stop, regardless of the strength of the password. Please, no 2FA here; it might hinder attacks.

Do not enforce any limit on failed login attempts

Aided by single-factor authentication, this permits easy brute-force attacks, no skill required. When breached, blame elite foreign hackers; nobody can check.

Do not perform brute-force attack detection

Allow adversaries to run (otherwise trivially noticeable) brute-force attacks for prolonged periods (12 hours against the UK Parliament system), maximising the scope of account compromise.

Do not enforce policy; treat it as mere recommendation

Combined with single-factor authentication, no limit on failed logins, and no brute-force detection, do not enforce any password strength validation either. Hand attackers the lowest-hanging fruit.
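The three login-side failings above (no failed-attempt limit, no brute-force detection, no enforced password policy) are each a few lines of defensive logic. The following is an added example, not code from the article or from Ziften: it runs a sliding-window failed-login throttle and a per-source guessing detector over a constructed authentication log, plus a minimal password policy check at enrolment. The log format (`timestamp user source OK|FAIL`), the thresholds, the window lengths, the sample accounts and the source addresses are all assumptions made for the example.

```python
"""Added example (not from the article): failed-login throttling, brute-force
detection and a password policy check, run over a constructed auth log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Policy knobs: assumed values chosen for the example, not from the article.
MAX_FAILURES_PER_ACCOUNT = 5            # lock the account at this many failures ...
ACCOUNT_WINDOW = timedelta(minutes=15)  # ... within this sliding window
SOURCE_FAILURE_THRESHOLD = 20           # flag a source at this many failures ...
SOURCE_DISTINCT_ACCOUNTS = 8            # ... spread over at least this many accounts
SOURCE_WINDOW = timedelta(hours=1)      # ... within this sliding window
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed, deliberately tiny denylist; a real one would be far larger.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}


def password_meets_policy(pw: str) -> bool:
    """Minimal enrolment-time policy: minimum length and not on the denylist."""
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Parse the assumed 'timestamp user source OK|FAIL' line format."""
    ts, user, source, result = line.split()
    return datetime.strptime(ts, LOG_FORMAT), user, source, result == "FAIL"


def analyse(lines: List[str]) -> Tuple[Dict[str, datetime], Dict[str, datetime]]:
    """Return (locked accounts, flagged sources), each mapped to the time of action.

    Account lockout: N failures within ACCOUNT_WINDOW. Source detection: many
    failures from one address across many distinct accounts within SOURCE_WINDOW,
    which catches both single-account hammering and low-and-slow spraying.
    """
    account_failures: Dict[str, deque] = defaultdict(deque)   # user -> failure times
    source_failures: Dict[str, deque] = defaultdict(deque)    # source -> (time, user)
    locked: Dict[str, datetime] = {}
    flagged: Dict[str, datetime] = {}
    for line in lines:
        ts, user, source, failed = parse_line(line)
        if user in locked:
            failed = True                     # a locked account refuses every attempt
        if not failed:
            account_failures[user].clear()    # a real login resets the per-account count
            continue
        sq = source_failures[source]          # source-side tracking counts every failure
        sq.append((ts, user))
        while sq and ts - sq[0][0] > SOURCE_WINDOW:
            sq.popleft()
        if (source not in flagged and len(sq) >= SOURCE_FAILURE_THRESHOLD
                and len({u for _, u in sq}) >= SOURCE_DISTINCT_ACCOUNTS):
            flagged[source] = ts
        if user in locked:
            continue                          # already locked; nothing more to do
        q = account_failures[user]
        q.append(ts)
        while q and ts - q[0] > ACCOUNT_WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES_PER_ACCOUNT:
            locked[user] = ts
    return locked, flagged


def build_sample_log() -> List[str]:
    """Constructed sample: one legitimate user with two typos, and one source
    (documentation address 203.0.113.7) grinding through a dozen accounts."""
    base = datetime(2017, 6, 24, 2, 0, 0)
    lines = [
        f"{base.strftime(LOG_FORMAT)} clerk.jones 198.51.100.5 FAIL",
        f"{(base + timedelta(minutes=1)).strftime(LOG_FORMAT)} clerk.jones 198.51.100.5 FAIL",
        f"{(base + timedelta(minutes=2)).strftime(LOG_FORMAT)} clerk.jones 198.51.100.5 OK",
    ]
    attacker, t = "203.0.113.7", base
    for account in (f"member{n:02d}" for n in range(1, 13)):   # 12 accounts, 3 tries each
        for _ in range(3):
            t += timedelta(seconds=45)
            lines.append(f"{t.strftime(LOG_FORMAT)} {account} {attacker} FAIL")
    for _ in range(7):                                          # then one account hammered
        t += timedelta(seconds=20)
        lines.append(f"{t.strftime(LOG_FORMAT)} member01 {attacker} FAIL")
    return lines


if __name__ == "__main__":
    locked_accounts, flagged_sources = analyse(build_sample_log())
    print("locked:", sorted(locked_accounts))     # member01 only
    print("flagged:", sorted(flagged_sources))    # 203.0.113.7 only
```

Two design points worth noting. The per-account lock uses a sliding window rather than a lifetime counter, so a legitimate user's occasional typos never accumulate into a lockout, while the per-source detector fires on volume spread across accounts, which a per-account limit alone would miss when an attacker tries only a few guesses per account. In the sample, member01's first three failures have aged out of the 15-minute window by the time the hammering starts, so it is the later burst that triggers the lock.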

Rely on unsigned, unencrypted email for sensitive communications

If adversaries succeed in compromising email accounts or sniffing your network traffic, give them ample opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofed email from Parliament, creating a perfect constituent-phishing environment.

Lessons learned

In addition to adding “Good Sense for Dummies” to their summer reading lists, the UK Parliament email system administrators might want to take some further actions. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and fundamentally rethinking secure messaging are all recommended. Penetration testing would have revealed these basic weaknesses while keeping Parliament out of the headlines.

Even a few bright high-schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be found and exploited by some cyber criminal somewhere on the global internet. All the more reason to find and fix those weaknesses before the attackers do, so get started immediately. And if your defenders then cannot see the attacks in progress, upgrade your monitoring and analytics.
