GCHQ attempts to downplay amazing plaintext password blunder Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …
Helped my brother-in-law to register on the Landlord Registration central online system for Scotland. Asks for a password, try one, sorry not long enough (and no, it was not "mypenis"). Try another, sorry must have numbers and both upper and lower case characters. Try a third to meet those security aspects and its is happy.
Then I get an email, absolutely unencrypted as you would expect, with both user name and password!
SECURITY FAIL! (to borrow from Eadon, but here it seems justified as being AC I can't use the icon)
The financial system of one of my (large, public sector, UK) clients I use to manage the purchase orders they place with my company requires a password. Helpfully it informs me that it must be "at least 1 character(s) long". I have pointed this out, several times, over several months....
I've written my PIN down before in amongst a lot of other numbers to disguise it, and then forgotten which 4 digits were the right ones, so I contacted the bank to let them know I'd forgotten it. They sent me a "here is your PIN" letter and it had the same PIN (the digits were in my note). So they must be storing PINs in plain text too.
Well, to a third party the salted passwords might be difficult but since the bank knows the mechanism for the salt and there are less than 10000 combinations, excluding non available combinations means they could brute force their own hashes very quickly. A test script I just ran which generated 9999 salted passwords and tests every single one vs the salted and hashed known value, generating the full 9999 for each test only took 90 seconds on a single core machine... of course in a real one you'll break out far earlier but you can really say if password usage was evenly distributed throughout the range an average on an ageing single core machine is 45 seconds... I suspect a bank can have that done in under a tenth of the time.
Banks use Hardware Security Modules (HSMs) to hold PINs which are heavily protected beasts.
Without physical access it's pretty much impossible to get anything out of them and then they normally have a myriad of access detection sensors which delete the memory if you try anything (I've tried kicking one, it got upset and deleted everything)
I wouldn't worry about these normally but I recently found that BarclayCard will display your PIN on the web site if you ask, that sounds very silly to me.
Heh. Yup, HSMs give the really awesome protection of having the private/secret key never leave the HSM, so barring someone physically stealing the HSM, the stuff encrypted by it is safe.
OTOH, if someone were to have direct access to the HSM *and* the config info to use it... Oopsie! (Hopefully, they're running it at FIPS 140-2 Level 3...)
I think my bank (Yorkshire) stores it's secret answers in non-encrypted format. The answers used to be case sensitive, then one day they ceased to be so. I used their internal ticketing to ask why the change. The answer was that too many people were forgetting case sensitivity so they turned it off. What worries me is the fact that I didn't have to change my password when they did this, and the fact that now I can WrITe My SecRET AnsWERS in ANY caSE I liKe tells me they arn't encrypted, and probably neither are the passwords.
A feeble excuse, and all the more feeble because they have been in the business of specifying best practice in security matters for a long, long time - far longer than they've been using this 'legacy' system, I'd wager.
I have a lot of respect for GCHQ, but they really do need to work on their public interface.
This post has been deleted by its author
"Should GCHQ want to recruit people who 'forget' their passwords?"
Everyone forgets their password from time to time. Or locks out their account. Or....
Just because a person is one of the best cryptanalysts in the world doesn't mean they don't have a memory like a sieve.
However, for an intelligence agency to be storing passwords in plain text is inexcusable. Even on a peripheral system. It doesn't matter whether they are sending out plain-text password reminders, as such. It is that they are storing them insecurely. Which is bad. Very bad.
Should GCHQ want to recruit people who 'forget' their passwords? Best regards .... Nigel Sedgewick
The sort of folk that GCHQ and Spookery need, are the sort of folk who recruit GCHQ and Spookery for their needs and feeds and seeds.
Best Regards .... and more anon as ProgramMING Programming proceeds.
Sincerely Yours,
GCHQ ICEnterprises
Is problem folk for problemed folk the right SMARTR answer which delivers change you can see in presentations rather that just hope and false dawns you are pimped to believe in and blindly support in ignorant servitude, which appears to be status quo establishment fare and their pathetic vapourware?
Answers in an email to ....... well, if it be to any status quo establishment systems it may as well be to Mars for all the good that they can provide, is what you will find to be too true to ignore as other than a fact which is hidden behind fictions and spinning tales of non daring do nothing creativity and mayhem.
"...it's GCHQ who are responsible for national security issues."
Except that the site in question has precisely zip in any form of national security information on it. It only has harmless information, such as your name, address, telephone number, all registration numbers, friends names and addresses, relatives names and addresses, etc.
Totally innocuous information. From a national security standpoint. ;)
Seriously though, at least all of the national security information is on its own segregated network.
Trying to remember the name for it now. The US starts with NIPRnet, SIPRnet and JWICS.
Ah, I remember now! BBCnet.
I once did an application for a similar type of organisation. There was a very clear warning at the beginning. If you got the password wrong three times, your account would be locked out. And there was no password recovery option. That's how you do proper security, and weed out applicants who can't remember a password.
that some bloke in the comments said that no intelligence agency would keep the list and details of their agents on a machine connected to the computer, no way, cause like, they're too smart to stumble for such an obvious risk? Well, he severely underestimated the power of the human mind!
You think that's bad I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass. I had only been working there for a few months so he didn't know my face either. We also often swapped ID badges to see if it would be spotted. This was at the Oakley site perhaps Benhall was different.
This post has been deleted by its author
Maybe he thought you were simply showing your 'lunch' as an explanation to where you've been, then probably shaking his head after you've gone passed.
GCHQ's just a couple of miles from me, maybe I'll get a pizza, and try my luck getting through the gate with a cheesy smile, a red peaked cap and a little wave of the pizza box! OK, maybe I won't - 'tis a boring place.
More ID card stories from colleagues.
1. Driving onto site and realised ID card was in the boot. Waved a piece of toast at guard and waved onto site.
2. Pasted a picture of a gorilla onto ID card. Took it off a week later 'cos no-one had challenged it.
Hi to all at T42. Hope you are still whipping up a storm.
"Names, dates, family members, passport numbers, housing information". Not just that.
If this is used to provide information for security vetting, it is basically everything needed for complete identity theft.
Full names addresses and dates of birth for all family members back to Grandparents including Maiden names. All addresses for the last 10 years. All schooling and all past employers. All bank account and investment details. About the only thing they do not ask for is the Dog's name.
Tell me how many places ask Security questions based on this information. Then tell me how serious this isn't?
...But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards....
Aha - I think I see the problem here.
WHAT 'absolutely critical national-security information' have we got?
We used to have a lot, when we ran half the world, and had a military that was equal to/better than the US. Those were the days when our position needed to be considered amongst the world's powers. Now, however, we are not really part of the game any more.
Perhaps someone might be thinking of attacking us, and needs some information on our defences? The Falklands showed how any real information passing through the intelligence system soon got ignored if it didn't conform to pre-determined government policy. At the moment we could be considered as 'under economic attack' from the Chinese. And what are we doing about it? Stuffing our own economy with green taxes in an attempt to de-industrialise.
We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't...
This post has been deleted by its author
The sites to worry about are those that enforce a low max length (<20 chars) and disallow special characters. If it's being hashed/crypted properly then the maximum length and any special characters are irrelevant.
Rather than that stupid cookie law crap how about a law requiring sites to display their password storage procedures with big fines for not telling the truth (proper big fines, not the stuff the ICO hand out at the moment for data breaches). It won't prevent idiots being in control of a computer and developing rubbish software though unfortunately.
Do we know what careers software this is and who the developers are?
This post has been deleted by its author
If the concern is that passwords are sent in e-mail that can be intercepted, then password reset links are just as vulnerable..
If the concern is that hacker can get access to a plaintext list of usernames and passwords on the website, then they've probably already gotten access to the far more valuable personal information that has been uploaded to the website.
GCHQ should do better, but if you're worried that someone might get access to data on their webserver, and your concern is that you used the same password for GCHQ as you used for your Amazon account, then I think you're missing the forest for the trees!
Nothing new here. Back in the day when I worked for a major US defense contractor, we had a 90 day password change requirement for their IT access control system. The change rules were quite onerous and woe to anyone who just tried to roll from 'password01' to 'password02'. Changes deemed 'too simple' were rejected.
My best guess is that they stored passwords in plaintext and tested changes against the old version*. Compromised systems were par for the course at this outfit.
*Easy work around: The validation algorithm could only look at the present password, so it was a simple matter of remembering two different ones and switching back and forth every three months.
You might want to check with the lady above left about how secure such systems are.
Anybody who cares can probably find all the answers to a typical company's "security questions" for any person who even has a presence on the Internet. (My first use of the Paris icon, but then, you don't have Ms Palin)
When Mossad agents mysteriously materialise in a Mediterranean hotel and casually top a high ranking Palestinian they don't like the look of, the fake passports they use will need some quality details. What better way of obtaining the data for such a project from their obliging chums at GCHQ, all easily bind-alleyed by blaming a legacy contractor?
After the man in a suitcase clusterfuck, I wouldn't put any kind of Machiavellian weirdness past our erstwhile black helicopter drivers.
What's strange is that GCHQ put a website online available to the public without it being pentested first, usually government sites must be tested by a company that's a part of the government pentest scheme (operated by CESG). Either that, or whoever tested the site missed something so ridiculous?
Incidentally, while storing plaintext passwords is generally regarded as a bad thing, every windows system does exactly this - stores plaintext passwords in memory as well as letting you authenticate using the hash itself (ie the hash becomes plaintext equivalent). If anyone else did something so stupid their products would be banned, but ms gets a free pass.
..... or is that a MkUltraSensitive and Secret Intelligence Service Virtualised, Phormed and Established and Never Ever .... well, Hardly Ever unless Need to Know Requires IT, .... to be Officially Recognised and Touted like some Sort of Spooky First Class Upper Class Pro Hooker?
We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't… …. Dodgy Geezer Posted Wednesday 27th March 2013 10:51 GMT
And, Dodgy Geezer, as any DODGI Cyber Systems Warrior/AIMODified Virtual Pioneer worth the wearing of the moniker knows, one cannot successfully defend unless one knows how to win win with attacks, and whenever one knows how to win win with attacks, is defense not nearly as attractive and exciting and lucrative as successful Anonymous Almighty Attacks ….. AAAssaults?
Which is and has been, and will be most probably always continue to be, in a System of Primitive Primary Protocols, something of an Abiding Enigma which Exercises IntelAIgent Community Enterprises with Exploitation and Advancement through Zeroday Vulnerabilities and Systemic Program Weaknesses …… which are always controlled by failing humans and thus always an Open Source Window and PerlyGatesPython Door ajar for stealthy virile trojan entry into the sweet sticky core that drivers their follies and foibles/passions and vices/sins and dreams.
Who Dares and All That, in All of That, Win Wins and Always Loses FailSafe. ….. Capiche?!.
Comprendez, GCHQ/MI5/MI6/CESG/OCSIA …… or does IT need to be spelled out in words of a few syllables for y'all, to more easily understand that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use ……. although surely, even the slowest and dimmest of wits in such fields as are tilled here would accept that which has just been said, as that which quite adequately describes that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use.
And I think all of that, Dodgy Geezer, is something worth spending defence money on ..... and exporting to any who have need of cyber defence which can successfully attack with AAAssaults ...... and the multi-billion dollar question is ..... Whose defence money/Which currency will lead, for any and all have equal attraction and value in the great scheme of things.
Oh, and you might want to know, for one might need to know, that all of the above is quite important to understand and be able to act with impunity upon/with, as the money control system which is hacked and in crisis and cracked and collapsing, and some would even say, already collapsed and just twitching in its death throes, and which is used to enslave the ignorant masses to the whims of the arrogant few, battles in vain to render flash cash a thing of the past and a cold war relic which will be able to purchase nothing of value in bulk, secretly.
Good luck with that operation, but one has to admit, it does appear to be more of a crazy desperate notion rather than anything better and spectacularly good, and there are so many ways in which one can purchase whatever one needs for whatever someone else wants.
Long live free enterprise on the open market place and in the virtual commercial space.
I hate to be the one to break it to you but I'm pretty sure most of us do what I do.
That is instantly realise it's you posting and don't bother to read on. I say this because you clearly expend a lot of effort on your posts here. Sometimes it's amusing to attempt to decipher your "thoughts". Mainly it's not. Start a blog. Or request a soft tipped pen and paper next time they come in with your medication.
Very droll, DijitulSupport, but there is nothing new there to report and everything by Registered post is already logged and displayed wwworld-wide for peer review, which I suppose would be quite similar to it being blogged too.
And many times, which can be most times, can a great deal more be clearly revealed and learned whenever something which one would have expected a response to, is not replied to, and in such cases is there the added bonus that one is not spending and/or wasting time in sharing the obvious with those who maybe more interested in one not racing on ahead without their being given instruction on what, because they know not what to do on their own to maintain their position and sustain the status quo.
And if you really do do what you do, do you miss all the good bits that you need to understand and accept to be better equipped to deal with what the future has in store for humanity. And you will only have yourself to blame and beat up over it.
It saves on the cost of the writeable optical media with personal information on personnel that they'd otherwise have to leave on a train.
It just shows they're doing their bit for Britain in cutting back public expenditure.....
Actually on reflection I'm not sure about the icon.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
