GCHQ attempts to downplay amazing plaintext password blunder

IDs of all our future spooks get pwned? No big deal

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site.

The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall only got round to blogging about the issue this week, two months after the offending email.

Incredibly, the signals intelligence agency had done nothing in the weeks in between to address such well-understood security bad practice on its careers site.

Website passwords should be stored by organisations only as encrypted and salted hashes. And password reminders shouldn't be sent in unencrypted emails. Instead it's far better to apply a password reset procedure. Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't.

Mistakes on these lines are all too commonplace. Plain Text Offenders, a site that aims to name and shame sites following such insecure practices, estimates 30 per cent of sites store plaintext passwords.

Last July supermarket giant Tesco was taken to task by software developer Troy Hunt over its storage of users' passwords in plain text and plain text password reminders.

So plaintext passwords are commonplace, and in some cases may not be that big a deal. But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments - can reasonably be held to the highest possible standards.

GCHQ's career site is, of course, not part of its core mission and might even be run by a third-party agency but that's a weak excuse for not setting the best possible example in the case of such an agency. Apart from anything else, it is likely to seriously put off recruits of the calibre and security savvy the agency needs.

In response to queries from El Reg, GCHQ supplied a statement acknowledging and downplaying the issue, which it ascribes to a legacy system it's in the process of changing anyway.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data."

Plaintext password reminders are a problem not just because emails can be intercepted. Unless login credentials are stored as encrypted AND salted hashes then any breach on servers is liable to allow hackers to recover user passwords. Storing login credentials as hashes alone isn't good enough because they are still vulnerable to brute-force (try every probable combination) attacks using readily available rainbow tables and other password-cracking tools. Insecure backups pose the same type of risk.

Hacktivists like Anonymous and LulzSec have shown an appetite for nobbling secondary websites run on behalf of national-security and police organisations like GCHQ, before leaking the data. They care little about collateral damage to individuals whose private details have been exposed - which might in this case include people who go on to become GCHQ personnel and could then be targeted by anyone from hacktivists all the way up to hostile human-intelligence agencies.

And, as Farrall points out, the potential harm that can come if anyone nobbled GCHQ's career site is far worse than might normally be the case because applicants are expected to submit a great deal of private information for use in security vetting.

"For those that don’t think this matters, bear in mind the type of information you're submitting," he writes. "Names, dates, family members, passport numbers, housing information. With this type of information identity theft is a major concern."

Quite apart from the privacy issues it's a real eye opener that GCHQ is not taking greater care of the personal details of people who may one day go on to become the UK government's penetration testers. ®
