GCHQ attempts to downplay amazing plaintext password blunder

IDs of all our future spooks get pwned? No big deal

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site.

The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall only got round to blogging about the issue this week, two months after the offending email.

Incredibly, the signals intelligence agency had done nothing in the intervening weeks to address such well-understood bad security practice on its careers site.

Website passwords should be stored by organisations only as encrypted and salted hashes. And password reminders shouldn't be sent in unencrypted emails. Instead it's far better to apply a password reset procedure. Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't.

Mistakes on these lines are all too commonplace. Plain Text Offenders, a site that aims to name and shame sites following such insecure practices, estimates 30 per cent of sites store plaintext passwords.

Last July supermarket giant Tesco was taken to task by software developer Troy Hunt over its storage of users' passwords in plain text and its plain text password reminders.

So plaintext passwords are commonplace, and in some cases may not be that big a deal. But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments - can reasonably be held to the highest possible standards.

GCHQ's career site is, of course, not part of its core mission and might even be run by a third-party agency but that's a weak excuse for not setting the best possible example in the case of such an agency. Apart from anything else, it is likely to seriously put off recruits of the calibre and security savvy the agency needs.

In response to queries from El Reg, GCHQ supplied a statement acknowledging and downplaying the issue, which it ascribes to a legacy system it's in the process of changing anyway.

The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.

Plaintext password reminders are a problem not just because emails can be intercepted. Unless login credentials are stored as encrypted AND salted hashes then any breach on servers is liable to allow hackers to recover user passwords. Storing login credentials as hashes alone isn't good enough because they are still vulnerable to brute-force (try every probable combination) attacks using readily available rainbow tables and other password-cracking tools. Insecure backups pose the same type of risk.
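The storage and reset practice described above, sketched as an added example (not code from the article or from GCHQ's system): passwords are kept only as per-user salted PBKDF2 digests, and a forgotten password triggers a single-use, expiring reset token instead of a reminder. The `Accounts` class, its method names, the iteration count and the 15-minute expiry are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed value)
RESET_TTL = 15 * 60       # reset tokens expire after 15 minutes (assumed value)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Accounts:
    """In-memory stand-in for the user table (constructed for this example)."""
    def __init__(self):
        self.users = {}    # email -> (salt, digest); the password itself is never kept
        self.resets = {}   # sha256(token) -> (email, expiry); raw token is not stored

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        rec = self.users.get(email)
        return rec is not None and verify_password(password, *rec)

    def request_reset(self, email, now=None):
        """Return a token to send as a reset link; the email never carries a password."""
        if email not in self.users:
            return None    # the web response should look the same either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = (email, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Set a new password if the token is known, unused and not expired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.resets.pop(key, (None, 0))   # pop makes it single use
        if email is None or now > expiry:
            return False
        self.register(email, new_password)
        return True
```

Because only the salt and digest are stored, there is nothing the site could put in a reminder email; the only recovery path is choosing a new password.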

Hacktivists like Anonymous and LulzSec have shown an appetite for nobbling secondary websites run on behalf of national-security and police organisations like GCHQ, before leaking the data. They care little about collateral damage to individuals whose private details have been exposed - which might in this case include people who go on to become GCHQ personnel and could then be targeted by anyone from hacktivists all the way up to hostile human-intelligence agencies.

And, as Farrall points out, the potential harm that can come if anyone nobbled GCHQ's career site is far worse than might normally be the case because applicants are expected to submit a great deal of private information for use in security vetting.

"For those that don’t think this matters, bear in mind the type of information you're submitting," he writes. "Names, dates, family members, passport numbers, housing information. With this type of information identity theft is a major concern."

Quite apart from the privacy issues it's a real eye opener that GCHQ is not taking greater care of the personal details of people who may one day go on to become the UK government's penetration testers. ®
