Feeds

GCHQ attempts to downplay amazing plaintext password blunder

IDs of all our future spooks get pwned? No big deal

Top three mobile application threats

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site.

The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall only got round to blogging about the issue this week, two months after the offending email.

Incredibly the signals intelligence agency had done nothing in the weeks in-between to address such well understood security bad practice on its careers site.

Website passwords should be stored by organisations only as encrypted and salted hashes. And password reminders shouldn't be sent in unencrypted emails. Instead it's far better to apply a password reset procedure. Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't.

Mistakes on these lines are all too commonplace. Plain Text Offenders, a site that aims to name and shame sites following such insecure practices, estimates 30 per cent of sites store plaintext passwords.

Last July supermarket giant Tesco was taken to task by software developer Troy Hunt over its storage of users passwords in plain text and plain text password reminders.

So plaintext passwords are commonplace, and in some cases may not be that big a deal. But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards.

GCHQ's career site is, of course, not part of its core mission and might even be run by a third-party agency but that's a weak excuse for not setting the best possible example in the case of such an agency. Apart from anything else, it is likely to seriously put off recruits of the calibre and security savvy the agency needs.

In response to queries from El Reg, GCHQ supplied a statement acknowledging and downplaying the issue, which it ascribes to a legacy system it's in the process of changing anyway.

The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.

Plaintext password reminders are a problem not just because emails can be intercepted. Unless login credentials are stored as encrypted AND salted hashes then any breach on servers is liable to allow hackers to recover user passwords. Storing login credentials as hashes alone isn't good enough because they are still vulnerable to brute-force (try every probable combination) attacks using readily available rainbow tables and other password-cracking tools. Insecure backups pose the same type of risk.

Hacktivists like Anonymous and LulzSec have shown an appetite for nobbling secondary websites run on behalf of national-security and police organisations like GCHQ, before leaking the data. They care little about collateral damage to individuals whose private details have been exposed - which might in this case include people who go on to become GCHQ personnel and could then be targeted by anyone from hacktivists all the way up to hostile human-intelligence agencies.

And, as Farrall points out, the potential harm that can come if anyone nobbled GCHQ's career site is far worse than might normally be the case because applicants are expected to submit a great deal of private information for use in security vetting.

"For those that don’t think this matters, bear in mind the type of information you're submitting," he write. "Names, dates, family members, passport numbers, housing information. With this type of information identity theft is a major concern."

Quite apart from the privacy issues it's a real eye opener that GCHQ is not taking greater care of the personal details of people who may one day go on to become the UK government's penetration testers. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.