The Guardian reports that the British Houses of Parliament were targeted yesterday by hackers who attempted to break into email accounts of MPs and their staff.
The team responsible for securing the Houses of Parliament’s IT systems is said to have taken steps to block the attackers from accessing accounts, but this has apparently also blocked MPs from remotely accessing their email inboxes.
The Guardian quoted an email which it claimed had been sent to affected users:
“Earlier this morning, we discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.”
“These attempts specifically were trying to gain access to our emails. We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access, however our investigation continues.”
The attack comes just days after it was reported that online criminals were offering for sale the passwords of government officials – seemingly gleaned from the massive LinkedIn data breach of 2012 – although it is too early to say whether this attack is definitely linked.
Statement regarding cyber incident. pic.twitter.com/fAbDkAfdbj
— Commons Press Office (@HoCPress) June 24, 2017
Details of the cyber attack on the Houses of Parliament email systems are presently sketchy, but it would be bonkers if any MP or their staff were not following these sensible precautions:
- Use a unique, hard-to-crack password for your email account. Choosing an easy-to-guess password, or reusing the same password on different sites, is a recipe for disaster.
- Enable two-factor authentication (or two-step verification) to better defend your account, making it harder for a criminal to break in even if they do manage to determine your password. If it’s good enough for the cast of Game of Thrones it should be good enough for you.
- Exercise caution before opening unsolicited email attachments, and never enter your login credentials unless you are certain that you are on a legitimate site.
- Listen to our “Smashing Security” podcast about securing webmail (helpfully embedded below), where we describe numerous tips that can be used to better defend your email account from hackers.
Smashing Security #014: 'Protecting webmail – a Smashing Security splinter'
Update: On Sunday evening, the House of Commons press office issued an updated statement on the incident:
Parliament’s first priority has been to protect the parliamentary network and systems from the sustained and determined cyber attack to ensure that the business of the Houses can continue. This has been achieved and both Houses will meet as planned tomorrow.
Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service. As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.
Parliament is now putting in place plans to resume its wider IT services.
Fewer than 1% of 9,000 accounts? That could still be dozens of compromised mailboxes, and it feels to me a little like positive spin is being put on some lousy security.
As well as reminding users that strong, hard-to-crack and unique passwords are essential, it would be sensible for the Houses of Parliament to enforce two-factor authentication for remote access to email, and to put rate-limiting and lockout in place so that attackers cannot simply brute force their way into accounts. Note that the attack described above (trying every account on the network in search of weak passwords) is a password spray, so a per-account lockout on its own is not enough: the limits also need to apply per source, because an attacker making one or two guesses against each of 9,000 accounts never trips a per-account threshold.
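As an added illustration of the rate-limiting and lockout just described (this is example code written for this page, not anything from the Parliamentary Digital Service, the NCSC or the original article), the following Python replays a constructed authentication log through a sliding-window guard. The log format, the account names, the IP addresses, the timestamps and the thresholds are all invented for the example; the point it makes is that a per-account lockout stops the correct guess that arrives after a run of failures, while a per-source check is what catches one address spraying guesses across many different accounts.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample log in a made-up "auth" format. Names, addresses and
# timestamps are invented for the example; nothing here is real Parliament data.
SAMPLE_LOG = """\
2017-06-23T08:00:00Z auth FAIL user=mp.smith src=203.0.113.10
2017-06-23T08:00:05Z auth FAIL user=mp.smith src=203.0.113.10
2017-06-23T08:00:10Z auth FAIL user=mp.smith src=203.0.113.10
2017-06-23T08:00:15Z auth FAIL user=mp.smith src=203.0.113.10
2017-06-23T08:00:20Z auth FAIL user=mp.smith src=203.0.113.10
2017-06-23T08:00:25Z auth OK   user=mp.smith src=203.0.113.10
2017-06-23T08:01:00Z auth FAIL user=mp.jones src=198.51.100.7
2017-06-23T08:01:01Z auth FAIL user=mp.patel src=198.51.100.7
2017-06-23T08:01:02Z auth FAIL user=mp.brown src=198.51.100.7
2017-06-23T08:01:03Z auth FAIL user=mp.khan src=198.51.100.7
2017-06-23T08:01:04Z auth OK   user=mp.green src=198.51.100.7
2017-06-23T08:01:05Z auth FAIL user=mp.white src=198.51.100.7
2017-06-23T08:30:00Z auth FAIL user=mp.smith src=192.0.2.44
2017-06-23T08:30:30Z auth OK   user=mp.smith src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# ok is True when the supplied password was correct; src is the client address.
AuthEvent = namedtuple("AuthEvent", "ts ok user src")


def parse_line(line: str) -> AuthEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["result"] == "OK", m["user"], m["src"])


class LoginGuard:
    """Sliding-window limiter: per-account lockout plus per-source spray blocking."""

    def __init__(self, window=timedelta(minutes=5), per_account_limit=5,
                 spray_accounts=10, lock_duration=None):
        self.window = window
        self.per_account_limit = per_account_limit
        self.spray_accounts = spray_accounts
        self.lock_duration = lock_duration or window
        self.account_fails = defaultdict(deque)  # user -> deque of (ts, src)
        self.source_fails = defaultdict(deque)   # src  -> deque of (ts, user)
        self.locked_accounts = {}                # user -> locked until
        self.blocked_sources = {}                # src  -> blocked until
        self.alerts = []                         # (kind, subject, ts)

    def _prune(self, dq, now):
        cutoff = now - self.window
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def handle(self, ev: AuthEvent) -> str:
        # Throttled attempts are refused before the password is checked, so a
        # correct guess cannot slip through while a lock or block is active.
        now = ev.ts
        if self.blocked_sources.get(ev.src, now) > now:
            return "throttled:source"
        if self.locked_accounts.get(ev.user, now) > now:
            return "throttled:account"
        if ev.ok:
            return "allow"
        acct = self.account_fails[ev.user]
        acct.append((now, ev.src))
        self._prune(acct, now)
        if len(acct) >= self.per_account_limit:
            self.locked_accounts[ev.user] = now + self.lock_duration
            self.alerts.append(("account_lockout", ev.user, now))
        src = self.source_fails[ev.src]
        src.append((now, ev.user))
        self._prune(src, now)
        if len({u for _, u in src}) >= self.spray_accounts:
            self.blocked_sources[ev.src] = now + self.lock_duration
            self.alerts.append(("password_spray", ev.src, now))
        return "fail"


def process_log(text: str, guard: LoginGuard):
    """Replay log lines through the guard; returns (user, src, decision) per line."""
    decisions = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            decisions.append((ev.user, ev.src, guard.handle(ev)))
    return decisions


def run_demo():
    # Spray threshold lowered to 4 distinct accounts so the short sample trips it.
    guard = LoginGuard(per_account_limit=5, spray_accounts=4)
    return process_log(SAMPLE_LOG, guard), guard.alerts


if __name__ == "__main__":
    decisions, alerts = run_demo()
    for user, src, decision in decisions:
        print(f"{decision:18} {user:10} {src}")
    print("alerts:", alerts)
```

Two design points worth noting. The lock is time-limited (here it expires with the window), which is why mp.smith's genuine login half an hour later from a different address goes through; a permanent lockout turns the defence into a denial-of-service lever, since anyone who can guess usernames can lock MPs out of their own mail. And the per-source block is the weaker of the two checks: an attacker who spreads the spray across many addresses stays under it, which is why the article's other recommendation, two-factor authentication on remote access, still matters even with rate-limiting in place.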
Someone trying to brute force passwords on a mail server doesn't really seem that unusual to me. Happens every day on every mail server in the world as far as I know!
Maybe they only just noticed it, which is far scarier. It means they weren't monitoring it before …
What's going on?
Weak passwords – why are they not using complexity rules?
Brute force attacks – why are they not using lockout policies?
Passwords stolen from 2012 LinkedIn hack – Why are they not using password renewal policies and training people properly in password management?
Based on this information and if true, seems like an epic fail for H of P IT management. I mean, it is not as if it is anything important they are protecting!!!
Just errors in the very basics again.
I run 2 email servers, and I can see hack attempts every day on the logs. However, the software I use (Mailtraq) is excellent and automatically sin-bins any IP address thrashing passwords at it repeatedly.
Likewise, in my case Fail2ban bans the 2nd failed authentication attempt.
Also, 2FA is in-place, install the latest patches, etc…
I would have thought that they'd all have keyfobs generating one time codes for their access.
"…but it would be bonkers if any MP or their staff was not following these sensible precautions:"
Hum, that's expecting MPs to be aware of course. I remember one MP stating that to prevent spam the sender should provide their postcode. That happened a few years ago, but expecting a certain number of MPs to be up to date with modern tech seems wishful thinking.