UK Parliament hack: Really, a brute-force attack? Really?
Two words: Sweet 2FA
Comment Just under 90 Parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend. And there is a long-established technology which can normally see off this kind of attack.
Two-factor authentication (2FA) technology has been ubiquitous among enterprises as a verification technique for more than two decades. It has been in use by some governments for just as long.
For example, astronaut turned US Senator John Glenn used a Security Dynamics (since renamed RSA) SecurID token in *space* on a space shuttle mission in October 1998. The authentication technology was used to access Senate email accounts.
Without both a password and login credential from a token or software app running on a smartphone, access to a protected account would not be possible unless the 2FA authentication had been defeated (possible but difficult) or was optional for account-holders. Pen testing firms consistently tell El Reg that one of the simplest and most effective means of protecting sensitive corporate systems such as email is to mandate the use of 2FA. It's easy for users but a real pain for hackers to defeat.
Either the hackers in last weekend's attack found a way around the authentication technology parliament had in place or, more likely, no such protection was in place or it was optional.
Official guidance (PDF) to MPs says a "Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA". The same document also offers "further guidance on ICT security" from an internal network. A Parliamentary spokesman has already said "weak passwords that did not conform to guidance issued by the Parliamentary Digital Service" were to blame.
In an updated statement, the House of Commons press office told El Reg that it does not comment on the specifics of its security procedures, adding "we closed down the system which manages logins for remote access and introduced changes that limited the ability of the hackers to keep trying passwords".
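As an added illustration (not code from the article, nor from Parliament's systems), here is a minimal login check that combines the two factors described above with the kind of failed-attempt throttling the press office refers to. The account name, password, TOTP seed and lockout thresholds are constructed for the demo; the seed is the RFC 6238 test-vector seed, so the codes can be checked against the RFC.

```python
import hmac, hashlib, struct, time
from collections import defaultdict

# Constructed demo account (not real credentials): salted PBKDF2 password hash plus a TOTP seed.
_SALT = b"demo-salt"
USERS = {
    "mp.example": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "totp_seed": b"12345678901234567890",   # RFC 6238 Appendix B test-vector seed (SHA-1)
    }
}
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900            # constructed thresholds
_failures = defaultdict(lambda: [0, 0.0])         # user -> [failed count, locked_until]

def totp(seed, t, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def login(user, password, code, now=None):
    """Return (ok, reason). Both factors must pass; repeated failures lock the account."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    count, locked_until = _failures[user]
    if now < locked_until:
        return False, "locked"
    pw_ok = rec is not None and hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), rec["pw_hash"])
    # Accept the current and adjacent time steps to tolerate modest clock skew.
    otp_ok = rec is not None and any(
        hmac.compare_digest(totp(rec["totp_seed"], now + d), code) for d in (-30, 0, 30))
    if pw_ok and otp_ok:
        _failures[user] = [0, 0.0]
        return True, "ok"
    count += 1                                    # same generic answer whichever factor failed
    if count >= MAX_FAILURES:
        _failures[user] = [0, now + LOCKOUT_SECONDS]
        return False, "locked"
    _failures[user] = [count, locked_until]
    return False, "denied"

def brute_force_outcomes(user, guesses, now):
    """Replay a constructed list of (password, code) guesses and return each outcome."""
    return [login(user, pw, code, now)[1] for pw, code in guesses]
```

Even a correct password guess is refused without the matching code, and the lockout stops the guessing loop long before a dictionary can be worked through.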
Who might be behind the assault on the mother of parliaments has to be a matter of speculation. The apparent lack of sophistication means that mischief-making hacktivists can't be ruled out even though state-sponsored actors from either Russia or North Korea are more likely suspects.
Russia, and more particularly its GRU military intelligence arm (AKA Fancy Bear, APT28), is the more potent threat. The elite Russian hacking squad was blamed for the hack and subsequent release of data harvested from the email systems of the US Democrats during last year's US presidential elections. The same group is also blamed for an attack against the German Parliament (Bundestag) back in 2015.
Aware of the threat, "Team [French presidential candidate Emmanuel] Macron" used honeypot techniques and other approaches to feed hackers with false information during this year's leadership election in France. Team Macron still got hacked in May, but the damage was much less than it might have been had deception technology not been in play.
In a statement, the House of Commons press office said "we have made a series of technology changes to increase user account security and will continue to assess and improve our risk mitigation measures".
If compulsory 2FA is introduced as part of these changes, then some good might have come of the attack. The incident raises bigger questions - for the private sector as well as government - around how it's often the case that adequate defences are only put in after an attack.
The House of Commons has unnecessarily become the latest poster child for lax password security, at least until the next headline-grabbing breach comes along. ®