Feeds

Malware infested MPs' PCs inflate leak risk

Four in five Parliamentary machines pwned in last year

Protecting against web application threats using SSL

Comment "That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)

The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.

Embarrassing disclosures about how politicians across the political spectrum subsidised their living expense from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.

In both cases the emails and leaked files were probably obtained by someone with access to the information, who subsequently attempted to auction it off to national newspapers. The incidents illustrate the fact that all manner of sensitive and potentially embarrassing information is held on the PCs of MPs, ministers and their advisers.

Given the career-threatening implications of data leaks, it's therefore surprising how lax politicians and their advisors are when it comes to data security.

We know that parliamentary computers were infected with the Conficker superworm in March. Conficker hasn't been activated to do anything but it remains of concern that Parliament can be so easily compromised in the first place, something that's happened numerous times in the last twelve months. In March, for example, we reported that police failed to record a crime, still less investigate, when Alun Michael MP discovered a malware infection on his office PC. Michael was able to detect and remove the unidentified malware himself.

These incidents are far from isolated. In response to questions in parliament on Wednesday, Nick Harvey, a Lib Dem member of the House of Commons Commission said that the vast majority of the 5,000 PCs in use around the Palace of Westminster had been hit by malware over the last year.

In the past 12 months 86 per cent of computers on the estate have been attacked by malware, 78 per cent of which were cleaned automatically by Parliament's anti-virus software, with 8 per cent needing a visit by an engineer. There are 4,991 computers on the estate.

The security of parliamentary PCs ought to be more important than those of a regular office system, because of the confidentiality of MPs' work with their constituents, not to mention the potential for leaks of embarrassing information. Malware-infected computers are certainly no help to the general smooth running of parliamentary business, either.

In fairness, staff running the House of Commons IT systems have their work cut out for them. One security expert compared the system to a University campus network in terms of the institutional lack of control. It's probably even worse than that, because of the sensitivity of the data in question, not to mention the bolshieness - if not arrogance - of some of our elected representatives and their advisors.

The Conficker infection prompted a temporary ban on mass storage devices, including MP3 players, on parliamentary systems. Security experts we've spoken to reckon that more needs to be done, such as the introduction of access controls and encryption across parliamentary systems. The possible application of data loss prevention technology also comes to mind.

Wider use of PGP by politicians might be a good start, except for the fact the parliamentary BOFHs recently told users that PGP is incompatible with its remote access software, for reasons even PGP has been unable to fathom thus far.

The lamentable state of PC security in the mother of parliaments creates a real risk of leaks of sensitive information in the future, even if this has not happened already. MPs ignore such possibilities at their peril.

Politicians - typically lawyers or lecturers by trade, with little awareness of computers much less information security - need to get up to speed with the internet or else risk looking as hapless as fictional politicians like Hugh Abbot and Jim Hacker. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.