back to article National Cyber Security Centre boss: For the love of $DEITY, use 2FA on your emails, peeps

The chief exec of the National Cyber Security Centre – a branch of the UK's spy nerve-centre GCHQ – has called on everyone to enable two-factor authentication for their emails. This follows revelations that almost the entire population's details are available for sale on the dark web. Speaking at the Parliament and Internet …

Page:

  1. Anonymous Coward
    Anonymous Coward

    Building those capabilities

    GCHQ will need to continue to build up its cybersecurity capability against Russia, Iran, China and North Korea – "that really sophisticated stuff hard to do at scale."

    So says our man. If you've got a degree in Maths, then GCHQ's graduate entry salary is £25,738. Meanwhile, join Aldi as a graduate, and you'll be on £42k. Potentially plus bonus and car.

    So, does that tell us that GCHQ like docile technocrats who are so absorbed in their work they'll work for a rubbish salary, despite having a Maths degree? Will those people have the intellectual horsepower to beat the best that the Russians, Chinese, and underworld can find? Admittedly the GCHQ offer is suspiciously near the average graduate salary for maths graduates, but makes me wonder why Aldi see so much more value from a graduate in any subject.

    1. Hans Neeson-Bumpsadese Silver badge

      Re: Building those capabilities

      I think your observation says more about Aldi than it does about GCHQ.

      Something that I've noticed is that a lot of graduates (with no appreciable real world experience) have rather high-flying aspirations for salary...based on nothing more than the fact that they have a degree. My advice to them is to stop thinking that you automatically deserve a £30K+ salary the moment you graduate - take something more realistic, gain some experience, and earn the right to progress to a higher salary.

      If you do happen to find someone like Aldo, who is prepared to be generous, then take advantage by all means, but don't use that as a yardstick by which to measure all job offers.

    2. Uberseehandel

      Re: Building those capabilities

      And Aldi is ultimately owned by a company from a country that values well qualified staff.

      There is a lot of OR than can be done in supermarkets, and supply chain stuff, that actually might be more interesting than what GCHQ has to offer. OR is still poorly applied in most organisations.

      1. Anonymous Coward
        Anonymous Coward

        Re: Building those capabilities

        "And Aldi is ultimately owned by a company from a country that values well qualified staff."

        Exactly.

        The best UK employer I had was ultimately German owned. Among other things they weren't scared of paying for top notch training courses.

    3. netminder

      Re: Building those capabilities

      It means that government job pay shit & the reason for that is because taxpayers whine when they are not paid shit. Same here in the US, demand the best, pay the least.

      1. SecOps

        Re: Building those capabilities

        Just curious if you have ever reviewed the public salary postings for what government jobs pay in the US. At least in some areas I wouldn't qualify it as crap. If you are interested you can lookup California ones via transparentcalifornia.com

        For 2016 in Riverside County the lowest paid Security Analyst made 94,766 and the highest paid made 151,657. Just to cherry pick a few others, a Security Analyst for the Modesto Irrigation District was paid 119,406 a Information Security engineer for Santa Clara Country 143,119.59 and so on. I'm not sure I would qualify any of these as paying the least having worked at a fortune 500 previously where I made less than all of these people in a security engineering role. And this is without benefits which tend to be better in general. I don't work for a government agency currently, but you can bet I'm not crossing them off the list for the future.

    4. Trollslayer Silver badge

      Re: Building those capabilities

      I had an interview at GCHQ - it's a shithole.

      HR are scared to say anything, racism is rampant toward staff from the Middle East, crap salaries and pensions frozen. If you are disabled then give up - the electric wheelchairs they are required to have have flat tyres to match the flat batteries.

      1. Anonymous Coward
        Anonymous Coward

        Re: Building those capabilities

        > I had an interview at GCHQ - it's a shithole.

        Whereas GDS have a shiny new HQ in Whitechapel with a "trendy atrium bar".

        Because "users first!!!!".

        A/C because I have to work with these fuckers occasionally.

    5. Anonymous Coward
      Anonymous Coward

      Re: Building those capabilities

      Perhaps they pay higher salaries when they come asking for you than when you go seeking a job from them. It's likely their more talented staff are in the former than the latter category.

      1. Anonymous Coward
        Anonymous Coward

        Re: Building those capabilities

        Still a government agency so pay grades rule. They could start someone on a higher pay grade, yes, but the best way to earn market rates from a government job is to be a contractor they can't do without.

  2. Khaptain Silver badge

    "Some cybercriminals would pass a Harvard MBA test, if it wasn't for the rampant criminality,".

    Why bother with a Harvard MBA degree which guarantees "nothing", except for an increase in Harvard's own bank account, whereas a successful hacker can earn good money, pay no taxes and live anywhere he pleases without having to climb the corporate ladder...

    The idea that a hacker is just some numpty in his basement has long been passed. Cyber-Criminality can bring in masses of wealth and as such has itself become a business.

    I honestly get the feeling that parliament lives in a previous century, they really do need to wake up and realise that the "Old Boys Clubs" are a relic of the past, as is their thinking.

    1. Anonymous Coward
      Anonymous Coward

      "Some cybercriminals would pass a Harvard MBA test, if it wasn't for the rampant criminality,".

      Why the idea that a Harvard MBA precludes criminality? I can think of several examples including whole industries where criminality at that level is endemic.

      1. Anonymous Coward
        Anonymous Coward

        I read this the other way - that cyber criminals were put off by the rampant criminality evident in the Harvard MBA test. Even criminals have some morals. Well, sometimes.

      2. veti Silver badge

        Why the idea that a Harvard MBA precludes criminality?

        A Harvard MBA test precludes criminality. The business plan you submit will be disqualified for blatant criminality.

        What the MBA gets up to after they've passed their test, or before it for that matter (provided they can keep it out of the test itself) - that's another matter entirely.

    2. Uberseehandel

      A Harvard MBA is one of the biggest boosts to salary for early/mid career professionals, it also gets the attention of those that matter in an organisation. There are many other B-schools that are of little or no assistance as far a careers and salaries are concerned.

    3. Anonymous Coward
      Anonymous Coward

      "Some cybercriminals would pass a Harvard MBA test,"

      2 words.

      "Poppy Adams."

      I passed an accountancy ethics exam expected to last 2 hours in 15 minutes.

      I'll leave you to think about what that says about how ethical my behavior will actually be.

  3. Jason Bloomberg Silver badge
    Paris Hilton

    2FA on emails

    "We recommend that everyone puts 2FA on their emails"

    Maybe it's because it's cold outside and not all of me has warmed up; but what does that even mean?

    1. VinceH Silver badge

      Re: 2FA on emails

      Given that he apparently said that because "nearly everyone's email addresses are available on the dark web" I'm not entirely sure he himself knows what it means. If nearly everyone's email log-ins were available, that would be a different matter. (Though he may be right for anyone that uses ABCD1234 (etc) as their password).

      However, that's based purely on El Reg's reporting; there's no link to a transcript of the speech. A quick search suggests the Parliament and Internet Conference referred to is taking place today - so it's probably something he said today, with no transcript available online yet.

  4. Anonymous Coward
    Anonymous Coward

    Absolutely missing the point

    As I have said before, 2FA is not needed to improve email security.

    2FA merely ensures that people now run around with tokens and are no longer really online - email already has all the mechanisms required to properly protect it if. you. have. actually. a. clue. what. you. are. doing.

    Of course, implementing 2FA as a solution will make a consultancy a solid lump of money, just as the National ID card thing did. And just like the National ID card scam, sorry, scheme it will not deliver. I know of quite a number of people who tried, for instance, ProtonMail which is technically a beautiful solution, but they gave up in weeks because of the usability factor.

    That said, these are presumably the same people who had parliament.uk running through MessageLabs where even a cursory assessment would have shown that one of the servers was actually based in the US so please don't tell me they know what they're doing. If they want thoroughness and really *fix* the problem, they're not quite there yet. Going public with an idea that works for logins but at best only for webmail is, umm, not a good signal to those in the know, so I look forward to this getting handed to <fill in current favourite consultancy who have must talked them into this> and see end users who can barely operate a phone go effectively offline as a result.

    Which, I guess, is one way to make it more secure in the same way that a strong laxative will fix a persistent cough (you daren't).

    Meanwhile, my sales@(not going to tell you) account still has "password" as password. Despite dictionary attacks it still has not been breached, and I think we're coming up to 3 years now. New technology required to make that happen: none. No, seriously, none. And yes, I do get spam that then gets filtered out, but a login breach? Nope.

    Dammit, that's my rant quota gone for the month.

    1. David Nash Silver badge

      Re: Absolutely missing the point

      "if. you. have. actually. a. clue. what. you. are. doing."

      Well of course Joe average email user doesn't. They just want things to work.

      1. Anonymous Coward
        Anonymous Coward

        Re: Absolutely missing the point

        Well of course Joe average email user doesn't. They just want things to work.

        I was talking about the people setting up the service. User error is a given, so you must plan for that and there is a direct correlation between ease of use and diversion from use-as-usual and user mistakes. Adding 2FA is too far a departure from established use for your average end user, especially for what lurks in parliament. Some of those users have barely adapted to the loss of parchment, ink and quills.

    2. Anonymous Coward
      Anonymous Coward

      Re: Absolutely missing the point

      Meanwhile, my sales@(not going to tell you) account still has "password" as password. Despite dictionary attacks it still has not been breached, and I think we're coming up to 3 years now

      You are Jeremy Clarkson AICMFP.

  5. Uberseehandel

    Smart Meters - Don't make me laugh

    "It would need to be three simultaneous state-level attacks to do national harm [to smart meters]," he said.

    In other words trivial for a state actor.

    1. Sir Runcible Spoon Silver badge

      Re: Smart Meters - Don't make me laugh

      I've been less worried about people hacking the meter than I have been about the energy companies deciding to either cut me off, reduce the amount of juice I can draw, or just simply ramp up the bill without notice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Smart Meters - Don't make me laugh

        I've been less worried about people hacking the meter than I have been about the energy companies deciding to either cut me off, reduce the amount of juice I can draw, or just simply ramp up the bill without notice.

        I'm more worried about unreported measuring errors. They are in charge of ALL the factors that lead to your bill: the meters, their calibration and their reading, and all of that is but a hack away from being adjusted (the mechanical ones would take at l east a physical visit).

        If that "adjustment" is in the user's favour you can be sure they'll be on it like a fly on dead meat, but I am not so trusting that they will own up if they have been overcharging people - you'd never find out unless you add your own device in the pipe.

        You'd almost need a regular, random audit by an independent entity.

    2. cantankerous swineherd Silver badge

      Re: Smart Meters - Don't make me laugh

      a north Korean teenager will be along once the target is juicy enough.

  6. Anonymous Coward
    Anonymous Coward

    Lets hope the 2FA isn't a question because next year it will be 3FA then 4FA until you have to recite your entire life story just to log on.

    1. Fred Flintstone Gold badge

      Lets hope the 2FA isn't a question because next year it will be 3FA then 4FA until you have to recite your entire life story just to log on.

      It appears Monsters vs Aliens was WAY ahead of us.

      :)

  7. Hollerithevo Silver badge

    Does Russia want to bring us all down?

    I thought that Russia wanted a fully-working western financial system, because how else are they going to extract every rouble from their country to pay for their off-shore mansions etc? I do think they want to suppress the Panama Papers/Paradise Papers leaks, as these remind us how much money is going from every poor slob's pockets to the level of the super-rich.

    1. DougS Silver badge

      Re: Does Russia want to bring us all down?

      The theory is that Russia knows they will never match the US, EU or Chinese economies and will forever be behind. But if they can throw wrenches into them and limit their growth or even shrink them a bit, while they still can't match them, they will be more comparable in size and stature.

  8. Anonymous Coward
    Anonymous Coward

    Last week an associate of mine was relieved of a significant sum of money from their bank account because an e-mail he sent to his bookkeeper, who used a different e-mail system without 2FA enabled, telling them to pay an invoice was intercepted by thieves and changed. The bookkeeper's e-mail account password had been compromised (likely because it was used for multiple online services), so that was all the thieves needed in order to log into the bookkeeper's e-mail account and wait, probably for weeks, for something interesting to pass by. When the invoice e-mail was sent by my associate, the thieves changed the details on the attachment so that the bank account the bookkeeper was paying into was different. The bookkeeper paid because the e-mail was still from my associate (who has 2FA enabled on the account they sent the e-mail from) and was related to business they both new about and had prevuiously discussed verbally so the bookkeeper had no reason to be suspicious of the instruction.

    If a well implemented 2FA system had been active on the bookkeeper's e-mail account then the 2nd factor would have prevented the thieves from logging into the bookkeeper's e-mail, even with the compromised password. So I absolutely cannot agree that 2FA doesn't improve e-mail security. I agree 2FA (and particularly SMS based 2FA) is not a silver bullet but think of it this way; with so many easy targets out there, if yours is a little more difficult, hackers are more likely to go elsewhere (unless yours is a high value target of course). Put another way:-

    Two men are walking through the African savanna when they are spotted by a lion. One of the men starts running while the other one, knowing the lion if too close and too fast, is frozen stiff. He shouts to the man running away that they're never going to be able to out run the lion. The man running away shouts back "Yes I know. But I can out run you!".

    1. Anonymous Coward
      Anonymous Coward

      Sounds like a claim against the bookkeeper's business risk insurance then. Followed by hiring a better bookkeeper. Your associate shouldn't be left out of pocket as a result of a breach at his bookkeeper - though of course, in the real world losses often can't be recovered, unfair though that may be.

      1. Anonymous Coward
        Anonymous Coward

        I would have made a claim against the bookkeeper and never used them again myself. My associate was more forgiving and set them up with a mailbox on their mail system, with 2FA enabled of course, and sent them some IT and accountancy best practice reading. I don't know if the money has been recovered but yes, the chances are slim as it's probably better travelled than Alan Whicker and even the most sympathetic of banks would I'm sure resist reimbursing in these circumstances.

    2. Anonymous Coward
      Anonymous Coward

      While 2FA might have prevented hijacking of the account it would have done nothing to protect the emailed instructions from being tampered with. The sender should have used some means to ensure tampering would fail.

      1. Anonymous Coward
        Anonymous Coward

        2FA would have prevented the thieves from accessing the bookkeeper's e-mail account, which is where the thieves amended the instructions. It is true that a message can be altered in transit but that is not what happened in this case and in any event, altering a message as it passes through mail servers and routers is much harder to do than hacking a poorly configured endpoint account.

  9. Anonymous Coward
    Anonymous Coward

    So, how do I add 2FA to my POP server?

    1. Anonymous Coward
      Anonymous Coward

      Not the point ....

      I *think* the nice man meant to ensure that all services that you use online have 2FA enabled in addition to using your email address.

      So any attempt to log into a service using your email address and correct password triggers a 2FA call (say SMS, but any number of authentication services are available).

      I am well aware that SMS has been shown to be less than secure, but for most people it's better than nothing (as the above bookkeeper would have found).

      1. Paul Crawford Silver badge

        Re: Not the point ....

        "SMS has been shown to be less than secure"

        I think a big issue is that many people use their phone for both web/email, and of course SMS. So get root on that device, probably no longer patched of course, and you are laughing while they are not.

        Of course we can all see this approach is then really 1FA (or SFA in some cases).

        1. Anonymous Coward
          Anonymous Coward

          Re: Not the point ....

          Yes, phone based 2FA is a compromise - a separate, hardware based authentication device is best - but phone based 2FA is good enough against a remote, account level hack, which I think covers the majority of hacks. SMS based 2FA will I think be all but a thing of the past within a few years with the likes of Google phasing it out already though.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not the point ....

          "SMS has been shown to be less than secure"

          Email is insecure once it leaves your email provider.

          You may need a secure sign into your mail provider, but once any email leaves their server, it can be read any mail router or network it passes through.

          Unless both you and the recipient are using PGP or the like, but that's notoriously hard to set up.

          1. Mike Pellatt

            Re: Not the point ....

            (your mail) can be read any mail router or network it passes through.

            Not if the communicating MTAs are both using enforced or opportunistic encryption. At that point it's primarily your data-at-rest within the MTAs where you're at risk if the content itself isn't encrypted.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not the point ....

        It's 2017; you should enable 2FA on any and every system or account that provides it. If your e-mail system doesn't have 2FA you need to move to one that does as a matter of urgency. If it does and you're not using it, you should assume that someone else is accessing your mailbox no matter how strong your password is because without 2FA if someone else logs in you'd never know unless you caught them in the act (or an audit log revealed it) or they made a change that you noticed. Of course e-mail admins, line managers etc could be logging in without your knowledge, even with 2FA enabled.

        The days of hackers logging into mailboxes just to send out spam are fading fast. Now they sit and wait for something interesting and then quietly manipulate it.

      3. Wensleydale Cheese Silver badge

        Re: Not the point ....

        "So any attempt to log into a service using your email address and correct password triggers a 2FA call (say SMS, but any number of authentication services are available)"

        I don't use webmail.

        My various email clients scan the IMAP server for incoming messages every 10 minutes, and whenever I send an email.

        Please tell me how 2FA is going to work there.

    2. David Gosnell

      Oh, and there was me thinking they'd just dropped in "2FA" as part of a game of buzzword bingo, being all the rage in security circles even if no-one directly involved has a clue what it actually means, let alone how to implement it.

  10. Trollslayer Silver badge
    Flame

    FTFY

    "Some cybercriminals would pass a Harvard MBA test, thanks to the rampant criminality,"

  11. Anonymous Coward
    Anonymous Coward

    Before we get started on TFA...

    let's all make a bit more effort with DKIM, DMARC and SPF...

    TFA is all well and good, but the mobile network is insecure, so don'y use a telephone number, and if someone can spoof a "decision maker"'s email address to you, and you work in the same organisation, it's only a question of time before you get spearphished....

    (and unless I'm mistaken, advice from yahoo at the time of that "slight hack" was to disable TFA....)

    One final point. If any of you have decision making responsibility for DNS at some of the major domains I have been investigating email delivery problems from recently:

    Shame on you. You are an embarrasment to the profession.

  12. DrRobert

    Do I put 2FA in the subject line or in the body?

  13. Adrian 4 Silver badge

    Oops

    Was I supposed to keep my email address a secret ? I've been giving it out to all sorts of people. Some of them even work at dodgy places like Hanslope Park.

  14. Anonymous Coward
    Anonymous Coward

    'GCHQ needs to build cybersecurity capability against'

    Who exactly?

    Just Russia, Iran, China and North Korea....??? Yeah right! We know for a fact that targets also include EU diplomats negotiating Brexit / Activists / Protestors / Investigative-journalists and Human-Rights-Activists etc....

    Who believes in the mission anymore, who wants to, who do you really serve?

    The five-eyes have fucked themselves... They're an elite / elitist bunch of lying f*cks, who are programmed to serve the needs of the 'glorious leaders' and connected 'rich elite', while simultaneously trampling over the rights of everyone else in the pleb class. Get Stuffed Government droids!

  15. ThatOne Bronze badge
    WTF?

    WTF?

    2FA for mail doesn't look like the right solution, except maybe for very specific low-volume/high-risk accounts. And yet.

    The obvious solution for important emails is digital signatures: Check the message and signature with the sender's public key and you'll know instantly if something is wrong. Safer than 2FA too.

    Signatures are maybe (unfortunately) beyond the average Joe's capacity, but remember, I said "for important emails", like invoices and such. For unimportant everyday things you can easily spare the effort.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019