This weekend, the British Parliament’s email system fell victim to a sustained brute-force attack. Over Saturday evening, an unknown adversary (believed to be either Russia or North Korea, because obviously) bombarded the parliamentary email system with thousands of login attempts, and ultimately gained access to around 90 accounts that were protected by weak passwords.
In response, the security services have limited access to the email system, forcing MPs, peers and support staff to fall back on unconventional channels, such as text messages, to conduct parliamentary business.
This attack has raised several troubling questions that call into doubt the overall security of vital government IT systems.
- Why was the attacker able to keep guessing in the first place? A basic rule of thumb is to throttle an account after a handful of failed attempts and to block or rate-limit source IPs that generate excessive failures. One caveat a practitioner would add: a hard lockout after N failures hands an attacker a cheap denial of service against named MPs, so progressive delays are usually preferable, and per-account counters alone miss password spraying, where one or two guesses are tried against every account in the directory. The per-source view matters as much as the per-account one.
- Although imperfect, two-factor authentication (2FA) is a good defence against this class of attack: a guessed password is useless on its own if the attacker cannot also supply the second factor. Why wasn’t it enabled on the UK Parliament’s email accounts?
- The Hacker News says the attack lasted for twelve hours. A brute-force attack at this volume is inherently noisy (thousands of failed logins against one service in a matter of hours) and therefore straightforward to detect with even basic alerting on authentication failures. Why wasn’t it stopped sooner?
- How did the attacker get into 90 accounts? What password strength rules are in place? Crucially, what policies are there on re-use of passwords across services, and how often must staffers update them? (Note that the NCSC’s own password guidance now advises against forced regular expiry, since it pushes users towards predictable variations of the same password; screening passwords against known-breached lists does more to stop guessing.)
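To make the controls in the list above concrete, here is an added example of my own (not code from the original post, and not anything run by Parliament’s IT): simple detection logic over a constructed authentication log that distinguishes a classic brute force against one account from a password spray across many accounts, and throttles accounts with a growing delay instead of hard-locking them. The log line format, the IP addresses, the account names and the thresholds are all assumptions chosen for illustration.

```python
"""Detect noisy password guessing in an authentication log.

Two patterns are covered:
  * brute force: one source IP hammering one or a few accounts
  * password spraying: one source IP trying a guess or two against many
    accounts, which stays under any per-account lockout threshold
Accounts with several recent failures are throttled with a progressive
delay rather than hard-locked, so the control cannot be turned into a
denial of service against a named user.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp>Z auth=ok|fail user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "ok", "user": m["user"], "src": m["src"]}


def backoff_seconds(failure_count):
    """Progressive delay before the next attempt on an account is accepted.
    No delay for the first couple of typos, then doubling, capped at five minutes."""
    if failure_count < 3:
        return 0
    return min(2 ** (failure_count - 3), 300)


def analyze(lines, window=timedelta(minutes=10), ip_fail_threshold=10,
            spray_min_accounts=8, account_fail_threshold=5):
    """Walk the log in time order, keeping sliding windows of failures per IP and per account."""
    fails_by_ip = defaultdict(deque)     # src -> deque of (ts, user)
    fails_by_user = defaultdict(deque)   # user -> deque of ts
    findings = {"brute_force_ips": set(), "spraying_ips": set(),
                "throttled_accounts": set(), "suspicious_logins": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        ipq, uq = fails_by_ip[src], fails_by_user[user]
        while ipq and ts - ipq[0][0] > window:   # expire old failures
            ipq.popleft()
        while uq and ts - uq[0] > window:
            uq.popleft()
        if ev["ok"]:
            # A success from an already-flagged source, or on an account that
            # just absorbed many failures, is exactly the event to alert on.
            flagged = src in findings["brute_force_ips"] or src in findings["spraying_ips"]
            if flagged or len(uq) >= account_fail_threshold:
                findings["suspicious_logins"].append((user, src, ts))
            continue
        ipq.append((ts, user))
        uq.append(ts)
        if len(uq) >= account_fail_threshold:
            findings["throttled_accounts"].add(user)
        if len(ipq) >= ip_fail_threshold:
            distinct_users = {u for _, u in ipq}
            # Same volume of failures, very different shape: many accounts
            # with few attempts each is a spray, few accounts is brute force.
            if len(distinct_users) >= spray_min_accounts:
                findings["spraying_ips"].add(src)
            else:
                findings["brute_force_ips"].add(src)
    return findings


def _constructed_log():
    """Constructed sample data, not real traffic: one legitimate typo, a brute
    force against 'mp.smith' that eventually succeeds, and a spray of one guess
    each across ten accounts."""
    base = datetime(2017, 6, 24, 20, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []

    def ev(offset_s, result, user, src):
        stamp = (base + timedelta(seconds=offset_s)).strftime(fmt)
        lines.append(f"{stamp} auth={result} user={user} src={src}")

    ev(0, "fail", "staff.jones", "198.51.100.7")
    ev(30, "ok", "staff.jones", "198.51.100.7")
    for i in range(12):
        ev(60 + i * 10, "fail", "mp.smith", "203.0.113.5")
    ev(190, "ok", "mp.smith", "203.0.113.5")
    for i in range(10):
        ev(300 + i * 15, "fail", f"user{i}", "203.0.113.9")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("delay after 6 failures:", backoff_seconds(6), "s")
```

On the sample data the brute-force source is flagged before its tenth guess lands, the spraying source is flagged even though no single account sees more than one failure, and the successful login on the hammered account is reported as suspicious. The same per-source counting, fed from a real authentication log, is what should have fired within minutes rather than twelve hours.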
This type of attack would be far less effective against a commercial-grade webmail product, which throttles repeated failures, scores sign-ins by IP reputation and device history, and challenges unfamiliar logins. When a vital government IT system is less well defended than, say, Gmail, you know things are bad.
Ilia Kolochenko, CEO of High Tech Bridge, shares my thoughts that this attack was entirely avoidable.
A simple brute force attack can normally be detected and blocked within a minute. This incident highlights once again that cybersecurity fundamentals are ignored even by the governments of leading countries. Today, two-factor authentication (2FA), advanced IP filtering and anomaly detection systems are a must-have for critical systems accessible from the Internet. Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented.
Damning stuff. While the incumbent Conservative government almost certainly has nothing to do with the day-to-day running of the parliamentary IT systems, it is in a position to influence legislation and spending, in order to ensure this type of thing doesn’t happen.
Which leads me to the biggest question: how can we trust the British government to create robust policies regarding computer and information security, when it can’t even keep its own house in order? When it says it wants to ban end-to-end encryption, how do we know it understands the serious security implications of that?
The answer, obviously, is that we can’t, and we don’t. And that’s really, really scary.