Clueless MPs make life easy for cyberattackers
In the absurdity sweepstakes this has been a winning week for the United Kingdom. I am not talking about the ways in which Brexit discussions seem to excel at stretching the boundaries of credulity, although that’s certainly part of it.
I am thinking more of several instances of jaw-dropping tech-related inanity on the security and privacy front. The kind of things that make you give one of those head-shaking, disbelieving laughs that are less out of amusement than out of “what the . . ?” bemusement.
The foolishness began on Saturday, when the Conservative MP Nadine Dorries tweeted: “My staff log on to my computer on my desk with my login every day. Including interns on exchange programmes.”
This was stated in defence of Damian Green, Theresa May’s first secretary of state – and so the UK’s deputy prime minister, essentially – after pornography was found on his office computer.
The apparent reasoning here is that, as many MPs are so careless with their work-PC passwords, anyone with office access could have downloaded that porn, and it was unfair to assume it was Green himself.
Just like anyone could log in and access constituents’ personal details and emails? Or an MP’s private correspondence? Or upload malware? Or compromise the account to access other government accounts?
But it gets more ridiculous. When critical tweets began to fly in – as you’d pretty much expect from the sentient – Dorries responded: “All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’”
I know. Her next curious line of defence was that it all didn’t matter anyway, because she wasn’t that important.
“Flattered by number of people on here who think I’m part of the government and have access to government docs. I’m a backbench MP – 2 Westminster-based computers in a shared office. On my computer, there is a shared email account. That’s it. Nothing else. Sorry to disappoint!”
This certainly disappoints logical reasoning. Given that this entire exchange began in defence of someone who, as first secretary of state, is part of the UK government, this wasn’t the best debating tactic.
But, wait, there’s more. A couple of other Tory MPs jumped in to say that they, too, shared their password with staff. Nick Boles tweeted that he “certainly” did, adding: “In fact, I often forget my password and have to ask my staff what it is.” Oh.
And, from Will Quince: “Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.” Oh dear.
By this point privacy groups and security experts were noting how idiotic the practice was, even if it wasn’t strictly illegal. (More lunacy: it turns out that staff are forbidden from sharing passwords, but not MPs.) Especially when MP email accounts were targeted in a cyberattack last summer. How soon MPs seemingly forget.
Security consultant Graham Cluley noted in a blog post: “It should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.”
Incidentally, these are the same Westminster folk who, in the name of “security”, have supported allowing back doors into encrypted communications devices and software.
And who passed the UK’s troubling (and now recognised as unlawful) Investigatory Powers Act, the surveillance legislation also known as the snoopers’ charter.
But who seem put out at the notion of observing the most basic security and data-privacy guideline. Don’t. Share. Passwords.
Many of the most serious hacker exploits, including those undertaken by state actors, happen because of – yes – lax password security.
No need for fancy-schmancy hacking when you can use the accounts of lower-level employees to spread compromising malware, or infiltrate more secure accounts and networks using, oh, say, a government MP’s account to send convincing spoof emails.
And – awkward! – Damian Green has since said the mysterious porn is all over MPs’ PCs, not just his. Which would seem to suggest this password-sharing lark might be quite widespread and has created, at the very least, a perplexing porn problem.
Meanwhile, the previous Friday, the UK’s National Cyber Security Centre more or less banned the use of Russian anti-virus software in government departments handling secret documents, just in case it might transfer sensitive data to the Kremlin.
Maybe the centre should consider instead a very basic, easy-to-understand security tutorial for national legislators, who have been exposed now as the lowest of the low-hanging fruit on the UK government infosecurity tree.
And what about TDs? We know some have riskily used Gmail accounts for personal business. Anyone over here want to confess that passwords are shared around the office?