Clue­less MPs make life easy for cy­ber­at­tack­ers

The Irish Times - - Technology & Innovation - Kar­lin Lilling­ton

In the ab­sur­dity sweep­stakes this has been a win­ning week for the United King­dom. I am not talk­ing about the ways in which Brexit dis­cus­sions seem to ex­cel at stretch­ing the bound­aries of credulity, al­though that’s cer­tainly part of it.

I am think­ing more of sev­eral in­stances of jaw-drop­ping tech-re­lated inanity on the se­cu­rity and pri­vacy front. The kind of things that make you give one of those head-shak­ing, dis­be­liev­ing laughs that are less out of amuse­ment than out of “what the . . ?” be­muse­ment.

The fool­ish­ness be­gan on Satur­day, when the Con­ser­va­tive MP Na­dine Dor­ries tweeted: “My staff log on to my com­puter on my desk with my lo­gin ev­ery day. In­clud­ing in­terns on ex­change pro­grammes.”

This was stated in de­fence of Damian Green, Theresa May’s first sec­re­tary of state – and so the UK’s deputy prime min­is­ter, es­sen­tially – after pornog­ra­phy was found on his of­fice com­puter.

The ap­par­ent rea­son­ing here is that, as many MPs are so care­less with their work-PC pass­words, any­one with of­fice ac­cess could have down­loaded that porn, and it was un­fair to as­sume it was Green him­self.


Just like any­one could log in and ac­cess con­stituents’ per­sonal de­tails and emails? Or an MP’s pri­vate cor­re­spon­dence? Or upload mal­ware? Or com­pro­mise the ac­count to ac­cess other govern­ment ac­counts?

But it gets more ridicu­lous. When crit­i­cal tweets be­gan to fly in – as you’d pretty much ex­pect from the sen­tient – Dor­ries re­sponded: “All my staff have my lo­gin de­tails. A fre­quent shout when I man­age to sit at my desk my­self is, ‘what is the pass­word?’ ”

I know. Her next cu­ri­ous line of de­fence was that it all didn’t mat­ter any­way, be­cause she wasn’t that im­por­tant.

“Flat­tered by num­ber of peo­ple on here who think I’m part of the govern­ment and have ac­cess to govern­ment docs. I’m a back­bench MP – 2 West­min­ster-based com­put­ers in a shared of­fice. On my com­puter, there is a shared email ac­count. That’s it. Noth­ing else. Sorry to dis­ap­point!”

This cer­tainly dis­ap­points log­i­cal rea­son­ing. Given that this en­tire ex­change be­gan in de­fence of some­one who, as first sec­re­tary of state, is part of the UK govern­ment, this wasn’t the best de­bat­ing tac­tic.

But, wait, there’s more. A cou­ple of other Tory MPs jumped in to say that they, too, shared their pass­word with staff. Nick Boles tweeted that he “cer­tainly” did, adding: “In fact, I of­ten for­get my pass­word and have to ask my staff what it is.” Oh.

And, from Will Quince: “Less lo­gin shar­ing and more that I leave my ma­chine unlocked so they can use it if needs be. My of­fice man­ager does know my lo­gin though. Ul­ti­mately I trust my team.” Oh dear.

By this point pri­vacy groups and se­cu­rity ex­perts were not­ing how id­i­otic the prac­tice was, even if it wasn’t strictly il­le­gal. (More lu­nacy: it turns out that staff are for­bid­den from shar­ing pass­words, but not MPs.) Es­pe­cially when MP email ac­counts were tar­geted in a cy­ber­at­tack last sum­mer. How soon MPs seem­ingly for­get.

Se­cu­rity con­sul­tant Graham Clu­ley noted in a blog post: “It should worry us all if the very peo­ple who are tasked with leg­is­lat­ing on in­ter­net pri­vacy and se­cu­rity is­sues are prov­ing to be so ut­terly clue­less.”

In­ci­den­tally, these are the same West­min­ster folk who, in the name of “se­cu­rity”, have sup­ported al­low­ing back doors into en­crypted com­mu­ni­ca­tions de­vices and soft­ware.

And who passed the UK’s trou­bling (and now recog­nised as un­law­ful) In­ves­ti­ga­tory Pow­ers Act, the surveil­lance leg­is­la­tion also known as the snoop­ers’ char­ter.

But who seem put out at the no­tion of ob­serv­ing the most ba­sic se­cu­rity and data-pri­vacy guide­line. Don’t. Share. Pass­words.

Many of the most se­ri­ous hacker ex­ploits, in­clud­ing those un­der­taken by state ac­tors, hap­pen be­cause of – yes – lax pass­word se­cu­rity.

No need for fancy-schmancy hack­ing when you can use the ac­counts of lower-level em­ploy­ees to spread com­pro­mis­ing mal­ware, or in­fil­trate more se­cure ac­counts and net­works us­ing, oh, say, a govern­ment MP’s ac­count to send con­vinc­ing spoof emails.

And – awk­ward! – Damian Green has since said the mys­te­ri­ous porn is all over MPs’ PCs, not just his. Which would seem to sug­gest this pass­word-shar­ing lark might be quite wide­spread and has cre­ated, at the very least, a per­plex­ing porn prob­lem.

Mean­while, the pre­vi­ous Fri­day, the UK’s na­tional cy­ber se­cu­rity cen­tre more or less banned the use of Rus­sian anti-virus soft­ware in govern­ment de­part­ments han­dling secret doc­u­ments, just in case it might trans­fer sen­si­tive data to the Krem­lin.

Maybe the cen­tre should con­sider in­stead a very ba­sic, easy-to-un­der­stand se­cu­rity tu­to­rial for na­tional leg­is­la­tors, who have been ex­posed now as the low­est of the low-hang­ing fruit on the UK govern­ment in­fos­e­cu­rity tree.

And what about TDs? We know some have riskily used Gmail ac­counts for per­sonal busi­ness. Any­one over here want to con­fess that pass­words are shared around the of­fice?

‘‘ And what about TDs? Any­one over here want to con­fess that pass­words are shared around the of­fice?

Newspapers in English

Newspapers from Ireland

© PressReader. All rights reserved.