Feeds

Malware infested MPs' PCs inflate leak risk

Four in five Parliamentary machines pwned in last year

Using blade systems to cut costs and sharpen efficiencies

Comment "That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)

The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.

Embarrassing disclosures about how politicians across the political spectrum subsidised their living expense from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.

In both cases the emails and leaked files were probably obtained by someone with access to the information, who subsequently attempted to auction it off to national newspapers. The incidents illustrate the fact that all manner of sensitive and potentially embarrassing information is held on the PCs of MPs, ministers and their advisers.

Given the career-threatening implications of data leaks, it's therefore surprising how lax politicians and their advisors are when it comes to data security.

We know that parliamentary computers were infected with the Conficker superworm in March. Conficker hasn't been activated to do anything but it remains of concern that Parliament can be so easily compromised in the first place, something that's happened numerous times in the last twelve months. In March, for example, we reported that police failed to record a crime, still less investigate, when Alun Michael MP discovered a malware infection on his office PC. Michael was able to detect and remove the unidentified malware himself.

These incidents are far from isolated. In response to questions in parliament on Wednesday, Nick Harvey, a Lib Dem member of the House of Commons Commission said that the vast majority of the 5,000 PCs in use around the Palace of Westminster had been hit by malware over the last year.

In the past 12 months 86 per cent of computers on the estate have been attacked by malware, 78 per cent of which were cleaned automatically by Parliament's anti-virus software, with 8 per cent needing a visit by an engineer. There are 4,991 computers on the estate.

The security of parliamentary PCs ought to be more important than those of a regular office system, because of the confidentiality of MPs' work with their constituents, not to mention the potential for leaks of embarrassing information. Malware-infected computers are certainly no help to the general smooth running of parliamentary business, either.

In fairness, staff running the House of Commons IT systems have their work cut out for them. One security expert compared the system to a University campus network in terms of the institutional lack of control. It's probably even worse than that, because of the sensitivity of the data in question, not to mention the bolshieness - if not arrogance - of some of our elected representatives and their advisors.

The Conficker infection prompted a temporary ban on mass storage devices, including MP3 players, on parliamentary systems. Security experts we've spoken to reckon that more needs to be done, such as the introduction of access controls and encryption across parliamentary systems. The possible application of data loss prevention technology also comes to mind.

Wider use of PGP by politicians might be a good start, except for the fact the parliamentary BOFHs recently told users that PGP is incompatible with its remote access software, for reasons even PGP has been unable to fathom thus far.

The lamentable state of PC security in the mother of parliaments creates a real risk of leaks of sensitive information in the future, even if this has not happened already. MPs ignore such possibilities at their peril.

Politicians - typically lawyers or lecturers by trade, with little awareness of computers much less information security - need to get up to speed with the internet or else risk looking as hapless as fictional politicians like Hugh Abbot and Jim Hacker. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.