Kudos to Nadine Dorries, the British MP for Mid-Bedfordshire, who has bravely exposed the appalling computer security practices that she and her fellow politicians have in place.
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
— Nadine Dorries (@NadineDorries) December 2, 2017
Now, to be fair, Nadine probably thought she was simply supporting First Secretary of State Damian Green after revelations by a retired detective that thousands of legal pornographic images were found on his Dell PC at Portcullis House in 2008.
Damian Green, who is deputy to British Prime Minister Theresa May (not to be confused with British glamour model Teresa May), says he has never watched or downloaded porn on the computer.
And Nadine Dorries attempted to support her colleague by explaining that she allowed her staff and interns to log into her computer with her password “everyday”.
When security-minded folks on Twitter began to criticise Nadine’s cavalier attitude to security (particularly pertinent in light of recent targeted computer attacks on Westminster), some of her colleagues jumped to *her* defence.
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles (@NickBoles) December 3, 2017
Maybe someone might like to tell Nick Boles, the right honourable member for Grantham, that he is being needlessly reckless. The first rule of passwords is that you don’t share them.
As we have explained many times in the past, the solution to not being able to remember complicated, unique passwords is to use a password manager.
Maybe next time Nadine Dorries shouts “What’s the password?” across her office floor, she might want to remember that too.
All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
— Nadine Dorries (@NadineDorries) December 2, 2017
Meanwhile, Will Quince, MP for Colchester, freely admits that he leaves his computer unlocked:
Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.
— Will Quince MP 🇬🇧 (@willquince) December 3, 2017
It would perhaps be churlish to suggest that Will Quince is preparing his alibi should porn ever be found on his PC.
And, if Nadine Dorries is to be believed, Damian Green is not the only MP who may have to face awkward questions about porn being found on their PC. No, because over the weekend Nadine claimed that *every* single MP’s PC (including hers, presumably) has been used to access porn.
I’m sure if the computers of all MPs – including Labour ones, were investigated there would be a record of porn being accessed. There would, in all cases, be zero proof of who it was who accessed it.
— Nadine Dorries (@NadineDorries) December 2, 2017
Wow. That’s quite a claim. With all that porn swirling around parliamentary systems is it any wonder that the Brexit negotiations are proving to be quite a challenge?
I guess the beauty of letting any member of your staff access your computer with none of that password hassle is that they can easily peruse your porn if they need to in a hurry.
Nadine Dorries, meanwhile, is under the misapprehension that she simply isn’t interesting enough to be hacked.
I’m not the Gov. I’m an MP with a computer in a shared office upon which lives an email account. That’s as exciting as my computer gets
— Nadine Dorries (@NadineDorries) December 3, 2017
Oh dear… She’s wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they’d probably ignore the porn). It’s not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.
And what worries me from the above tweets is that Nadine Dorries doesn’t seem to be an isolated case. And it should worry you too if you’re a constituent of an MP who has adopted similarly lax IT security measures.
And it should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:
Smashing Security #056: 'Peeping Toms, prison hacks, and parliamentary passwords'
Is anyone surprised about *anything* these idiots do (or say!)?
Here’s a more comprehensive article citing Parliamentary codes of practice, and how they were breached by password sharing, and tweets from other MPs.
https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/
It's even worse than that – Dorries used to be director of BUPA, the medical insurance company. So you would hope that she knew a thing or to about computer security.
*two
Send the OFFICIAL Teresa May off to negotiate EU trade deal.
Am I being cynical here – but a stream of MPs lining up to say, in public, that other people have access to their computers, sounds like they are preparing a line of defence for when someone leaks information on what is on their computer (and shouldn’t be).
No sane person would admit to being that stupid, unless they were trying to hide a bigger problem…
Wow! And these are the ones who say that the likes of the public shouldn't be allowed to use strong encryption.
Good to see that the Cabinet Office and Home Office spending on Cyber Streetwise has been such a resounding success in Westminster.
So far as many employers are concerned, possession of pornography on a work-provided computer is case for a disciplinary action up to and including dismissal. Or don't these sort of rules apply to MPs and their staff?
Graham Cluley said:-
"Oh dear… She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the pawn)."
pawn
noun
a chess piece of the smallest size and value, that moves one square forwards along its file if unobstructed (or two on the first move), or one square diagonally forwards when making a capture. Each player begins with eight pawns on the second rank, and can promote a pawn to become any other piece (typically a queen) if it reaches the opponent's end of the board.
a person used by others for their own purposes.
Or did you really mean that Graham? in which case I'm laughing out loud :)
John
Oh my. I spelt it as "pawn" rather than "porn".
What is *wrong* with me?
As anyone who listens to the podcast will know, I'm rather obsessed with chess. In fact, Mrs Cluley has said that she doesn't have to worry about me doing naughty things on the internet as whenever she catches me watching videos in the dead of the night it's almost always one of the chess tournaments on YouTube…
I spotted it too but thought it was intentional; i.e. the MP is somewhat inconsequential (i.e. a pawn) in the grand scheme of things.
All being said I don't believe that a password manager is the solution here. I agree with Troy Hunt: proper access delegation is what's needed.
My comment about the need for a password manager was directed at Nick Boles MP who says he can't ever remember what his password is.
I agree that delegation is the correct approach if you need more than one person to access your email.
And I apologise again for always having pawn on the brain.
What red-blooded male *isn't* interested in chesst?
What's scarier is that she's actually registered with the ICO as a Data Controller https://ico.org.uk/ESDWebPages/Entry/Z1716668 yet she then admits to using bad infosec security practices. Worse still, she considers that the information she processes has little value as she is not in government. Given the types of data mentioned in the Data Controller registration, I would certainly beg to differ.
Perhaps a hefty fine would help, the money could go to charity as an incentive.
Is her daughter still travelling from the Cotswolds to the constituency office each day?
Just asking,
Here in Denmark we had a case where sensitive information from a police database was leaked to the press. An investigation revealed that too much security was to blame… read on for an explanation.
The security was high. Only one or maybe two senior people had access to any kind of sensitive information, but in the course of the daily work other aspects of this information were needed by other officers. As the senior people often were away at meetings or tasks, and their access to information was needed on a daily basis, a culture of logging in early and staying logged in all day developed. The terminal was located near the service counter at most police stations and thus not only everybody working there (officers, office staff etc.) but also visitors coming in from the street had access. It was left completely unlocked all day and had full access. The blame for the leak was never placed (could be anybody), but security procedures were updated and now everybody with terminal access has access to the sensitive information, but it is logged exactly who searches for what and when, and idle users are logged out quickly.
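The two fixes raised in these comments (Graham's point about delegating mailbox access rather than sharing a password, and the Danish commenter's description of per-user access with a log of who searched for what and when plus idle logout) come down to one design: authenticate the person, grant the access, record the person. The sketch below is an added illustration and is not code from the post, its commenters, or any parliamentary system. The user names, mailbox names, timestamps and the 300-second idle timeout are all constructed for the example.

```python
"""Added illustration: per-user logins with explicit delegation, an audit
trail keyed to the authenticated person, and idle logout, contrasted with
the shared-password pattern where every reader shows up as the account owner.
All names, timestamps and the timeout value are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set

IDLE_TIMEOUT = 300  # seconds; an assumed policy value, not taken from the article


@dataclass
class AuditEvent:
    at: int          # constructed timestamp (seconds)
    actor: str       # the authenticated person, not the mailbox being read
    mailbox: str     # resource that was read (or refused)
    allowed: bool
    reason: str


class Session:
    def __init__(self, actor: str, started: int):
        self.actor = actor
        self.last_seen = started

    def refresh(self, now: int, idle_timeout: int) -> bool:
        """Return False if the session sat idle longer than the policy allows."""
        if now - self.last_seen > idle_timeout:
            return False
        self.last_seen = now
        return True


class DelegatedMailboxes:
    """One login per person; reading someone else's mailbox needs an explicit grant."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.delegates: Dict[str, Set[str]] = {}   # mailbox owner -> people granted access
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditEvent] = []

    def grant(self, owner: str, delegate: str) -> None:
        self.delegates.setdefault(owner, set()).add(delegate)

    def revoke(self, owner: str, delegate: str) -> None:
        self.delegates.get(owner, set()).discard(delegate)

    def login(self, actor: str, now: int) -> None:
        self.sessions[actor] = Session(actor, now)

    def read(self, actor: str, mailbox: str, now: int) -> bool:
        session = self.sessions.get(actor)
        if session is None or not session.refresh(now, self.idle_timeout):
            self.sessions.pop(actor, None)   # idle logout: the desk-side session dies
            self._log(now, actor, mailbox, False, "no live session")
            return False
        if actor == mailbox or actor in self.delegates.get(mailbox, set()):
            self._log(now, actor, mailbox, True, "owner" if actor == mailbox else "delegate")
            return True
        self._log(now, actor, mailbox, False, "not delegated")
        return False

    def _log(self, at: int, actor: str, mailbox: str, allowed: bool, reason: str) -> None:
        self.audit.append(AuditEvent(at, actor, mailbox, allowed, reason))

    def who_read(self, mailbox: str) -> List[str]:
        """The investigator's question: which people successfully read this mailbox?"""
        return sorted({e.actor for e in self.audit if e.mailbox == mailbox and e.allowed})


def delegated_demo():
    """Office manager is delegated, intern is not, MP's own session goes idle."""
    system = DelegatedMailboxes(idle_timeout=300)
    system.grant("mp", "office_manager")
    system.login("mp", now=1000)
    system.login("office_manager", now=1010)
    system.login("intern", now=1020)
    results = [
        system.read("office_manager", "mp", now=1100),   # delegated: allowed and attributed
        system.read("intern", "mp", now=1110),           # never delegated: refused, still logged
        system.read("mp", "mp", now=1500),               # idle for 500 s: logged out
    ]
    return results, system.who_read("mp")


def shared_password_demo() -> List[str]:
    """The shared-password pattern: three people at the desk all type the MP's
    password. The trail is complete and every read is allowed, yet it names one person."""
    system = DelegatedMailboxes()
    for now in (1000, 1100, 1200):
        system.login("mp", now)           # each of them authenticates as "mp"
        system.read("mp", "mp", now + 5)
    return system.who_read("mp")


if __name__ == "__main__":
    print(delegated_demo())          # ([True, False, False], ['office_manager'])
    print(shared_password_demo())    # ['mp']
```

The point of the contrast is the audit query, not the access check: with per-person logins the refused intern read and the office manager's successful one are both on record under the right name, while under a shared password the same machinery faithfully logs three reads and can attribute none of them to a human being.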
None of this is a surprise for anyone that has worked in IT support at local gov or in private business with regulatory obligations and responsibilities. I've seen horrendous practices not just instigated but encouraged with the sole purpose of covering up the fact that staff are clueless (including manager level and beyond). Rather than acknowledge that training or hiring of competent people is required, it seems preferred to cover that fact up with crazy breaches of common sense like this. I have tried to be part of the solution – called it out, suggested / designed secure alternatives but you hear the same rejections – 'too difficult', 'too slow', or, my favourite – 'stop being a negative person'. It'll never change until the quality of staff does.