back to article UK Parliament hack: Really, a brute-force attack? Really?

Just under 90 Parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend. And there is a long-established technology which can normally see off this kind of attack. Two factor authentication (2FA) technology has been ubiquitous among enterprises as an verification …

  1. Fuzz

    Not only missing 2FA

    Sounds like missing 2FA and no lockouts for incorrect attempts. It's quite hard to brute force passwords if you're only allowed 3 attempts. Or 1 attempt every 15 minutes.

    1. Andrew Commons

      Re: Not only missing 2FA

      It's quite easy to lock out all accounts if you implement lockouts after a certain number of failures. Even lockouts that expire can be prodded to keep the account locked. So the malicious actor can't get in and neither can any of the users of the system.

      1. Flocke Kroes Silver badge

        @Andrew Commons

        This is for remote logins. I found dropping all connection attempts from the source IP address for only ten minutes was sufficient for the attacker try somewhere else. The attacker stood no chance as I disable password authentication before making a machine accessible over the internet. (The number of attempts to brute force user names and passwords was an annoying waste of bandwidth.)

        Good news! When May makes public key cryptography illegal I will have to go back to allowing password authentication. Come to think of it, the ban will include ssh and we will all have to go back to using telnet.

    2. Mark 78

      Re: Not only missing 2FA

      As someone who works in Local Government we are forced by Central Government to limit the amount of attempts before disabling an account (something we already did before there rules were brought in). But does this mean it's one rule for us, and a different one for them?

      1. Voland's right hand Silver badge

        Re: Not only missing 2FA

        But does this mean it's one rule for us, and a different one for them?

        I thought Animal Farm is part of the national curriculum.

        Remember? All Animals are equal, but some are more equal than others.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not only missing 2FA

        "But does this mean it's one rule for us, and a different one for them?"

        Yes. By and large parliament is not bound by the same rules as the rest of government. Parliament is literally a law unto itself.

        See also: smoking bans, subsidised bars etc. etc.

        1. J.G.Harston Silver badge

          Re: Not only missing 2FA

          "By and large parliament is not bound by the same rules as the rest of government"

          That's because Parliament is not part of Government. Government is part of Parliament, legally, the Government is a committee of Parliament.

    3. Frumious Bandersnatch Silver badge

      Re: Not only missing 2FA

      That was my first thought. My second is to only allow password-less logins via the MP creating a public/private key pair and handing over the public key to the IT guys in a controlled setting.

      Works fine for ssh (where I can upload my key and store it in the authorized_keys file, then disable login via a password), so I'm pretty sure that it should work for TLS/SSL as well (and is apparently resistant to MITM, with ssh, at least). You might have a bit more work to do with regard revocation of an authorised login key, but that's par for the course.

    4. Dr Dan Holdsworth

      Re: Not only missing 2FA

      All of this comes down to a trade-off between how strong the system can be, versus how much whine you are prepared to tolerate from the users. Since the users in this case are MPs who are trusted with state secrets and are almost the highest authority in the land, I rather suspect that it is they and their great power which is the main cause of trouble.

      From a sysadmin point of view, even just the simple TCP rate limit function provided by UFW is useful, in that it stops single IPs from banging away at a machine. Fail2Ban provides a much better level of protection, especially when the "findtime" is extended enough that somewhat more clever botnet attackers are detected and excluded. The problem with both is that a fat-fingered or dyslexic user will get passwords wrong, and will repeatedly get locked out until they demand that the security levels be decreased for them.

      This is why 2FA is so important and so essential; use 2FA and only the dozy users who cannot follow instructions get left behind, and the cure for them is simple: get their secretary to handle all the technology for them a la Tony Blair.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not only missing 2FA

        "This is why 2FA is so important and so essential; use 2FA and only the dozy users who cannot follow instructions get left behind, and the cure for them is simple: get their secretary to handle all the technology for them a la Tony Blair."

        Unless, of course, they have Most Secret clearance and therefore CAN'T use secretaries (because they don't have the clearance, eh?). Or the ministers only trust themselves and so on. AND they're in safe districts so you can't count on them being forced out.

      2. J.G.Harston Silver badge

        Re: Not only missing 2FA

        "Since the users in this case are MPs who are trusted with state secrets"

        Err... only about 20 of them. Or do you think that opposition backbenchers are made ministers of state? Not even *government* backbenchers have state secret access.

  2. Tascam Holiday
    Coat

    Misread the memo

    Instead of putting in 2FS they put in SFA.

  3. Scott Broukell

    90 . . mmm . . does that constitute a working majority in the house? Can we expect details of all policy matters under discussion to be emailed to every UK citizen at least 50 times a day. Is this how eGovernment works? Questions must be asked.

    1. Anonymous Coward
      Anonymous Coward

      Apparently the hacker is asking a mere 1 billion Pounds, to make sure only emails agreeing with the government get through.

      Theresa has agreed to the policy and looks forwarding to working with them for the next few years.

      1. John Brown (no body) Silver badge
        Joke

        "Theresa has agreed to the policy and looks forwarding to working with them for the next few years."

        Are you saying it was the DUP that hacked them?

        1. Colin Millar
          Joke

          Re: Are you saying it was the DUP that hacked them?

          If the UDA DUP are going to be doing any hacking they'll be using a machete

  4. Anonymous Coward
    Anonymous Coward

    Classic.

    "which manages logins for remote access and introduced changes that limited the ability of the hackers to keep trying passwords"."

    Horse, bolts and stables anyone?

    1. Locky Silver badge
      Coat

      Re: Classic.

      Horse, battery and staples, shirley?

      1. Stumpy

        Re: Classic.

        Correct.

        1. Jo_seph_B

          Re: Classic.

          Told all our users about this once. Pulled the AD hashes a week later. 50 users had literally followed the instructions!

          You can't help some people.

  5. Anonymous Coward
    Anonymous Coward

    If only they had used hashtags.

  6. cm13

    Who's heard that the email creds were for sale last week? Not so brute-force, if true.

  7. Anonymous Coward
    Anonymous Coward

    Email != Webmail

    Again, this article appears to make the assumption that Email is a web based login.

    It is not possible to apply 2FA to email clients that use IMAP, SMTP, MAPI or EAS logins, which means that accessing your email by Thunderbird, Outlook, or smartphone Mail Apps, you can't use 2FA.

    If access to the mail server was only possible over a VPN, then you can apply 2FA to the VPN logins, but that's not what happened here.

    1. Fuzz

      Re: Email != Webmail

      I access my gmail over imap and I have 2FA enabled. You don't access email over SMTP. MAPI is a programming interface. EAS can be secured using certificates thereby making the device the something you have.

      1. Anonymous Coward
        Anonymous Coward

        Re: Email != Webmail

        I access my gmail over imap and I have 2FA enabled.

        Yes, that's because the IMAP protocol is tacked on to a web-based email service. Pure IMAP has no facility to provide 2FA.

        You don't access email over SMTP

        No, my bad, I meant POP3. However, if a server is using POP-before-SMTP, then it is possible to enumerate logins over SMTP.

        MAPI is a programming interface.

        Not just a programming interface, MAPI/RPC is the protocol used by older Outlook clients to talk to Exchange servers.

        EAS can be secured using certificates thereby making the device the something you have.

        a certificate is NOT 2FA, it's too easy to proxy.

        1. wheelybird

          Re: Email != Webmail

          There's no reason why IMAP can't accept OTP. It's not something I've looked into, but I imagine it's possible to, for example, get Dovecot to use PAM for authentication and then configure the Google Authenticator PAM module.

          Dovecot does seem to have a built-in OTP mechanism, but a very brief search in their documentation doesn't give any details on how it works.

          If you used the PAM approach above you'd be able to configure to accept the OTP code by appending it to your password. That way you avoid having to modify the IMAP protocol in any way.

          1. beddo

            Re: Email != Webmail

            There is one reason - failed logins.

            Consider the following.

            1) you have a mobile device set to snychronise every 30 mins, 1 hour or couple of hours

            2) it is doing that in the background to give you notifications

            3) 2FA is enabled to change your password

            At some point, you are going to have a mail client trying to check your emails in the background using an old 2FA password. Whether that be because your sync time exceeds the 2FA timeout or maybe you go out of signal for a while and come back without opening your phone to update the password.

            You then open your phone to check your emails and find yourself locked out because your client has been using the wrong 2FA password.

            I think the point of this is that any attempt at 2FA is a bodge unless you have a client that supports it natively, or the client is wrapped up in something else that handles the 2FA before allowing you access to your email.

            1. coconuthead

              Re: Email != Webmail

              @beddo: I don't know what you mean by "2FA password", but I assume it's the token. And it is *not required at all* with an application password. The "something you have" is the device itself, which is why a separate application password is issued for each device and not recorded (you copy it straight into the device and then close the web page that generated it).

              In my case, the 2FA token is valid for only around a minute, because it uses TOTP. I log in weekly using the web interface to have a look at the spam folder and to read some less important messages that I sort to IMAP folders using a server-side sieve script. Normally I read mail on a desktop using a client which has an application password twice daily, and I don't need my phone near me for a TOTP token. If the machine were to be stolen, it could not be used to access my email, because when I'm away it's locked using my Mac login password, and this "locks" the encrypted macOS keychain on which the mail client stored the application password. Although my Mac login password is reasonably strong, it still needs to be memorable so isn't as strong as some others I use. So, if the machine is stolen, the reasonable login password should slow the perpetrator down long enough for me to invalidate the application password using the server's web interface and I'm golden. And after I do that, I can still use all my other devices (and their application passwords), or my master password and TOTP, to read my mail.

        2. Fuzz

          Re: Email != Webmail

          "MAPI/RPC is the protocol used by older Outlook clients"

          RPC is the protocol, MAPI is a programming interface. Outlook shouldn't be connecting directly to exchange over the Internet, there should be a VPN involved.

          "a certificate is NOT 2FA, it's too easy to proxy."

          Not sure I follow you. The server holds the public key, client holds the private key. This key pair is unique to the user/client combination. If the device is lost/compromised the key is revoked. How does a proxy affect this?

          The point here is that you can force some form of 2FA for all email users. If you say you can't because you need to support xyz crappy outdated client then you don't have a secure system. Security vs usability is always a balancing act. If you're the government you should probably be tipping the scales towards security

          1. CrazyOldCatMan Silver badge

            Re: Email != Webmail

            Outlook shouldn't be connecting directly to exchange over the Internet, there should be a VPN involved.

            Outlook Anywhere doesn't require a VPN at all.. and uses MAPI over https (I think). You need Exchange >= 2013 for it to work though.

            1. Fuzz

              Re: Email != Webmail

              Outlook anywhere is in 2010, not sure about 2007. No MAPI (MAPI) is a programming interface. I'm guessing you mean RPC over HTTPS. It doesn't use that either though. Outlook anywhere doesn't support any kind of 2FA (as far as I know). Outlook anywhere is very convenient, but it's not particularly secure as it's only protected by a password. If you're using Outlook you should use a VPN.

    2. WolfFan Silver badge

      Re: Email != Webmail

      t is not possible to apply 2FA to email clients that use IMAP, SMTP, MAPI or EAS logins, which means that accessing your email by Thunderbird, Outlook, or smartphone Mail Apps, you can't use 2FA.

      Errm... I'm looking at my 2FA-protected (it is to laugh!) iPad at this very moment. Apple Mail is 'guarded' by 2FA, though in Apple's case this is purest security theatre. Should I log into Mail from somewhere not 'trusted', or should a 'trusted' device be suspicious of my login attempt, 2FA kicks out a challenge and I must say that I am really me, and then 2FA sends six numbers to all 'trusted' devices, including the one that I'm attempting to log in from, and I need merely enter those six numbers in the indicated space. Yes, Apple really does send the 2FA challenge/reply pair to the device you're logging in from. Madness.

      Now, if they didn't do that, then 2FA would actually work. And we'd have an actual working, 2FA-protected, email client using IMAP and SMTP.

      Microsoft tries to protect Outlook.com email, and screws that up, just not the same way that Apple does. There are many, many, MANY ways to get this wrong, so I'm not surprised that people think that it can't be done.

    3. coconuthead

      Re: Email != Webmail

      It doesn't matter if there's no 2FA support in your IMAP/POP client, because 2FA systems typically require an "application password" for those clients that is automatically generated and then copied into the client's configuration. Because the user doesn't get to choose the application password, if properly implemented it will never be weak. Because it can be invalidated or reset from the server without affecting the master password/2FA pair, the user doesn't even need to know what it is or record it.

      This isn't theory: the paid email service I use works exactly like this. And, it isn't Gmail, but I believe that works the same way.

  8. Tony Haines

    horse & door

    //The incident raises bigger questions - for the private sector as well as government - around how it's often the case that adequate defences are only put in after an attack.//

    Often? It's practically always, for everything.

    People can complain about something for years, but it isn't important until an entire towerblock burns.

    1. John G Imrie Silver badge
      FAIL

      Re: horse & door

      The reason is down to cost, which is up front and comes out of my budget and benefits which are nebulous and will probably be reaped by some other department.

      Anyway the system works so why spend money on something that will be perceived by users and upper management as another bloody thing IT have done to stop me doing my work.

      1. Charles 9 Silver badge
        FAIL

        Re: horse & door

        In other words, who pays for surge capacity when it's never used?

  9. Your alien overlord - fear me

    Labour MPs passwords are labour or wannabe, Tory passwords are tory or brexit, Welsh MPs are aneurin

    Not very hard to guess !!!!

    1. Anonymous Coward
      Anonymous Coward

      Bet There's at least one cabinet minister with "Enoch" & at least one shadow with "JosephVissarionovich"

  10. Anonymous Coward
    Anonymous Coward

    Can I be the first to point out the stupidity of this hack.

    So you brute force parliamentary passwords setting off an alarm in the process letting them know you are brute forcing passwords.

    What's going to happen next?

    Do they really think they are not going to get everyone to change passwords and potentially upgrade the system?

    I'm just waiting for someone to claim backdoors in encryption will stop this sort of thing from happening.

    1. Andy The Hat Silver badge

      not necessarily stupid ...

      generally while you're brute forcing the passwords in an obvious way and giving the techs the runaround to sort that out, they're too busy to notice you discretely dropping trojans or hacking the system somewhere else ...

      More likely to be an idiot script-kiddie though and, as a terrorist act involving a computer, we'll need to ban encryption obviously ...

    2. Destroy All Monsters Silver badge

      > What's going to happen next?

      Fingerpointing followed by security theatre, then nothing.

      Bruteforcing can be restarted next month.

    3. This post has been deleted by its author

    4. Cuddles Silver badge

      "Can I be the first to point out the stupidity of this hack.

      So you brute force parliamentary passwords setting off an alarm in the process letting them know you are brute forcing passwords.

      What's going to happen next?"

      Not sure I'm seeing the stupidity here. What's already happened is they read and probably downloaded all the emails from the accounts they've managed to access. What happens next is they sell them to the highest bidder, hand them over to journalists and/or wikileaks, or just keep it to themselves for the next time their agency/diplomats need some leverage. What doesn't happen next is that the people who already stole a load of data care in the slightest that it might be harder for someone else to do the same thing. Changing passwords and upgrading the system isn't going to uncompromise the data that was already taken.

  11. WonkoTheSane Silver badge
    Facepalm

    Dear Teresa,

    THIS is why you shouldn't have backdoors in encryption!

  12. Christoph Silver badge

    They are already putting the fix for this in place. Once strong encryption is outlawed and everything is backdoored, there will be no need for anyone to bother with brute-forcing passwords any more - problem solved!

  13. ilmari

    Out of interest, how much would it cost to set up 2FA for a single user on a single server (raspberry pi) with mentioned Rsaid?

  14. FuzzyWuzzys
    Facepalm

    Right so they're politicians, safe to assume they all used their last name, their wife's maiden name, or their dog's name as passwords and they wonder how they got pwned?

    Just like most people in their position, the minute the IT lacky said they needed a password with min 10 chars, one upper case, one number and a symbol they boomed, "Do you know who I am?! I haven't got time to remember all that. Now make it simple or else!".

    1. Anonymous Coward
      Anonymous Coward

      'the minute the IT lacky said they needed a password with min 10 chars, one upper case, one number and a symbol they boomed, "Do you know who I am?! I haven't got time to remember all that. Now make it simple or else!".'

      I speak from experience - This is 100% true. Entirely. Exactly this.

  15. Scroticus Canis
    Facepalm

    And these "wise" people run the country and make laws?

    Oy shit!

    1. Dan 55 Silver badge

      Re: And these "wise" people run the country and make laws?

      Well, just look at today? The DUP agreement and the EU citizens' rights counter offer which is just ILR plus getting ID cards in through the back door.

      A masterclass in fucking up the country.

  16. Ken Hagan Gold badge

    Liability?

    If the member is the responsible party, does that mean that nearly a hundred MPs might now be facing prosecution for something where a conviction might mean a by-election? Brenda's not going to like that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Liability?

      - All staff working in the parliamentary estate use the system, not just MPs. That includes over 2,000 staff of Parliament itself and however many staff members are employed by individual MPs.

      - As an internal operational matter of the operations of Parliament this is likely to be covered by parliamentary privilege, so short of some resulting major criminal breach no action will be taken.

    2. Adam 52 Silver badge

      Re: Liability?

      That statement about liability seemed like a pale attempt a buck passing to me. If Parliamentary IT control access, dictate terms and gave root access then there's no way that they can dodge liability like that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Liability?

        Sure they can. They MAKE the laws, remember? Closest thing to sovereign immunity without involving the Crown.

  17. Anonymous Coward
    Anonymous Coward

    There are several software equivilents to fail2ban for shite operating systems too.

    But, maybe the operators of said shite email systems are shite too.

  18. MandyNunnes1

    Looks like famous hacker Captain Crunch has chimed in: https://goo.gl/2kEvLF

    Apparently he has a new biography coming out soon :D

  19. This post has been deleted by a moderator

  20. Camilla Smythe
    FAIL

    All of your communications with @parliament.uk are gifted to Symantec via Messagelabs.

    Send an e-mail with a link to content on your own Web Server to an @parliament.uk address. Wait two minutes and check the web server logs. The content of your e-mail and any attached document will be scanned and you will get a visit from Germany, the US or London to check the contents of any links provided. Apparently it is 'a service' provided by MessageLabs. I would be more concerned about that than some Russian trying to hack passwords. America already has full access to your personal discussions with a member of Parliament or a member of The House of Lords.

    1. Anonymous Coward
      Anonymous Coward

      Re: All of your communications with @parliament.uk are gifted to Symantec via Messagelabs.

      So, I emailed Parliament, as I did yesterday, but this time I sent my server link.

      It took a whole minute and then

      70.39.157.193 - - [27/Jun/2017:11:38:12 +0200] "GET / HTTP/1.1" 200 616 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "-"

      apparently Windows 7 32bit/64bit Internet Explorer 9, maybe

      CustName: GTT, Tier-1 Cloud, City: McLean, StateProv: VA, PostalCode: US-22102 assigned to PacketExchange vaguely located in Wauconda, Illinois?

      a thorough sniff c/o http://anti-hacker-alliance.com/index.php?ip=70.39.157.193

      shows that only 1 anti-spam org out of 96 blocks this sensor I.P.v4, and that reputationally speaking there are only nine bad nearby I.P.v4's. I don't think this is too bad service, at least it employs a few guys in IT, and hopefully it will stop clowns opening poisoned pdfs, eh adobe?

      1. Camilla Smythe

        Re: All of your communications with @parliament.uk are gifted to Symantec via Messagelabs.

        Yup.. GTT. That's one of them. Presumably related to,

        http://static.symanteccloud.com/estore/Datasheets/en/Product/SHAV_SHAS/AV_AS_Datasheet.pdf

        Anti Spam and Anti Virus.

        "Unique ‘Link following’ feature (scanning of URLs within emails for potential links to malware), providing an additional layer of protection for your business."

        It will/does download pdfs but does not scan links within them so you could still manage to provide a link within a document that would/could lead the recipient to a nasty. As such it is not bullet proof.

        OK Fine it's a 'useful' service but it is still gifting what might be potentially sensitive and ideally privileged information about your communications with your parliamentary representatives.

  21. razorfishsl

    IT Techs too worried about being assassinated from their cushy jobs by psychopathic MP's that are too old & senile too remember their passwords.

  22. pitrh

    Feeding them false info, rate limiting, blackholing, etc, all would likely have helped

    I've been doing all of these for a while with various systems in my care.

    And as the article points out, these techniques have been around for quite a while, and if whoever was in charge of PM's mail etc systems didn't bother to use any of them, that's very bad practice indeed.

    One moderately laughable piece I wrote recently focuses mainly on auto-clobbering bruteforcers, but has pointers to other resources too: http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html

  23. Anonymous Coward
    Anonymous Coward

    Nope

    "weak passwords that did not conform to guidance issued by the Parliamentary Digital Service"

    The problem wasn't weak passwords, the problem was allowing weak passwords in the first place, and in the second instance, not detecting them by running your own hashing/cracking attempts on them. That's before we get on to 2FA etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nope

      And what if they were OVERRIDDEN? How do you say no to the minister who's your BOSS?

  24. Anonymous Coward
    Anonymous Coward

    Since the Reg just published this story of an SME being find because they did no peentration testing and some other things

    (https://www.theregister.co.uk/2017/06/27/boomerang_video_hack_ico_fine/)

    How much will the ICO be able to fine Whitehall?

    Or will Whitehall argue they outsourced penetration testing to North Korea?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019