Over the weekend it was widely reported that approximately 90 email accounts in the UK Parliament had been compromised in a brute force attack that targeted accounts ‘protected’ by weak passwords, examples of which might be Westminster123 or JohnSmithMP!
According to reports, these 90 accounts represent less than 1% of the email accounts in use; however, the damage a motivated cybercriminal can inflict with just one compromised account could be significant. What’s more, it is unlikely to stop at email. After all, if a weak password is being used for an email account (because it is easy to remember), then it would be fair to assume that it is probably being reused as the gateway to other applications, either professionally or personally, such as social networks. Gaining access to an MP’s email is bad enough, but having free rein over their Twitter account could be a catastrophic PR disaster!
This latest compromise, combined with the WannaCry ransomware attack that devastated the NHS in May, highlights how fragile many public-sector IT systems are. The two incidents are very different in nature, but what they have in common is their simplicity and ease of prevention. WannaCry was not a sophisticated cyber attack: it infected unpatched machines running older versions of Windows. Meanwhile, a brute force attack is one of the most rudimentary forms of attack.
There will be calls for ‘stronger’ passwords and for policies that insist they are changed periodically, but for email accounts such as these, which will undoubtedly contain confidential information, that simply isn’t enough to stop a determined attacker. It may slow them down, but not for long. The fact is that if you want to prevent password-based security from being breached, you need to replace passwords, and unlike upgrading every Windows machine in the NHS to the latest version, it needn’t cost very much money.
Author: Steven Hope, CEO of Authlogics