By John P. Mello Jr.
Jun 27, 2017 9:56 AM PT
The United Kingdom’s Parliament on Monday reported a cyberattack on its email system over the weekend, when hackers attempted to access user accounts without authorization.
Due to the “robust measures” in place to protect the legislative body’s accounts and networks, fewer than 1 percent of the 9,000 accounts on the network were compromised, officials said in a statement.
Accounts that were compromised had weak passwords that did not conform to guidance on creating strong passwords from the Parliamentary Digital Service, according to the statement.
Individuals with compromised accounts have been notified and investigators are determining if the victims lost any data.
Any data that might have been lost is unlikely to have included anything of great value, however.
“Big secrets are usually shared through unofficial email accounts,” said Csaba Krasznay, a product evangelist with Balabit.
“An attack against some Gmail accounts promises much bigger gain,” he told TechNewsWorld.
The attack on its networks doesn’t appear to have been very sophisticated, based on the information Parliament has released so far.
“They used a brute force attack to find users on the system with weak passwords,” said Asaf Cidon, vice president for content security services at Barracuda Networks.
“Any teenager who knows how to download a script from the Web could do this. It’s one of the most classic attacks in the book,” he told TechNewsWorld.
“The Parliament attack was like going door to door and trying doorknobs until you find an open door,” noted Lastline CTO Giovanni Vigna.
As organizations have moved to cloud email and collaboration platforms, attackers have adapted their tradecraft away from targeting networks to targeting people and their credentials, explained Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint.
“As we’ve seen in prior attacks on governments and politicians,” he told TechNewsWorld, “few things are as valuable as a compromised email account.”
A Preventable Attack
One way to foil attacks like the one on Parliament is to deploy two-factor authentication. That method requires something in addition to a user name and password to get into an account — typically a six-digit number sent to a mobile phone in a text message.
“I am surprised Parliament isn’t using two-factor authentication, which is something that would have removed the problem even in the case of weak passwords,” Lastline’s Vigna told TechNewsWorld.
“That’s because in order to compromise your email account, they also have to compromise your phone, which raises the bar considerably,” he explained.
Although Parliament has guidance in place for stronger passwords, requiring strong passwords would be more effective, Barracuda’s Cidon pointed out.
“You can have your email system reject a password automatically if it’s not strong enough,” he said.
“There really is no excuse for not enforcing a policy for ensuring that passwords are of a minimum length and complexity to help prevent a brute-force attack like this, especially for a communications system that contains highly sensitive data,” observed Patrick Tiquet, director of security and architecture at Keeper Security.
“Any email system that does not enforce strong passwords or enforce multifactor authentication is vulnerable to this kind of attack,” he told TechNewsWorld.
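As an added example (not from the article or from any of the vendors quoted in it), the Python below shows the two defensive points raised above: a detection rule that flags a source failing logins against many different accounts in a short window, the “door to door” pattern Vigna describes, and a server-side policy check of the kind Cidon and Tiquet recommend, which rejects a weak password before it can be set. The log format, the thresholds and the sample events are constructed assumptions, not Parliament’s systems or data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mail-server authentication events (not from the article):
# one source tries five accounts in seconds and gets into the weakest one.
SAMPLE_LOG = """\
2017-06-24T02:00:01Z auth FAIL user=alice src=203.0.113.7
2017-06-24T02:00:02Z auth FAIL user=bob src=203.0.113.7
2017-06-24T02:00:03Z auth FAIL user=carol src=203.0.113.7
2017-06-24T02:00:04Z auth FAIL user=dave src=203.0.113.7
2017-06-24T02:00:05Z auth FAIL user=erin src=203.0.113.7
2017-06-24T02:00:06Z auth OK user=erin src=203.0.113.7
2017-06-24T02:05:00Z auth FAIL user=alice src=198.51.100.9
2017-06-24T02:05:20Z auth OK user=alice src=198.51.100.9
"""
# Assumed log line layout; adapt the pattern to the real mail server's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def find_door_to_door(log, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources whose failures touch min_accounts distinct users in one window.
    Returns {src: (distinct users tried, users later opened from that src)}."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, events in fails.items():
        events.sort()  # chronological, so a sliding window can start at each failure
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = (len(users), sorted(users & successes[src]))
                break
    return alerts

def meets_policy(password, min_len=12):
    """Server-side rule: minimum length plus at least three of four character classes."""
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    return len(password) >= min_len and sum(classes) >= 3
```

The alert also lists which of the probed accounts the same source later opened, which is the set an incident responder would reset and notify first.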
This attack on Parliament’s email network is an outcome of a continual lack of investment by government in security strategies that have become standard operating procedure in the private sector, maintained Spencer Young, regional vice president for Europe, the Middle East and Africa at Imperva.
“This attack was unfortunately just a matter of time,” he told TechNewsWorld.
The cyberattack on the UK’s Parliament raises the specter of a possible attack on the U.S. Congress.
Since, like Parliament, Congress is composed of a group of humans — and members of both groups likely have bad password habits — this type of attack easily could hit the U.S. as well, suggested Jonathan Sander, CTO of Stealthbits Technologies.
“This attack is like a break-in targeting a house in a wealthy neighborhood where the bad guys expect that there is something worth stealing inside,” he told TechNewsWorld.
“You can easily see that the UK Parliament is only one house on that block,” Sander continued, “and the U.S. Congress may as well be right across the street.”
Even with good security hygiene, any institution is vulnerable to determined attackers.
The attack on Parliament was very simple compared to something like the Russia-backed theft of the emails of John Podesta, former chairman of the 2016 presidential campaign for Hillary Clinton. The Podesta theft included a targeted phishing campaign and a domain scheme to capture information.
“If the Chinese can hack the F-35, the Russians can hack Capitol Hill, which is a much softer target,” said Kenneth Geers, a senior research scientist at Comodo.
“Cybersecurity is more Sun Tzu than Stalingrad,” he told TechNewsWorld, “and politicians are easier prey than soldiers.”