Article posted: Jun 28, 2017
By Nick Budden, Versasec Technical Consultant
Notch another victory for hackers, courtesy of weak passwords. It appears hackers were able to take down the British Parliament's email system by identifying accounts with weak passwords and breaching them.
The Telegraph reported that nearly 9,000 emails on Parliament's email server were attacked and that the system was brought down for nearly 12 hours on Friday, June 23. Many members of Parliament (MPs) took to Twitter to inform constituents that their emails, and any constituent email correspondence, may have been breached.
There's a lesson here. The British government must rethink its password protection strategy and adopt better ways to control access to sensitive data. A strong password alone is unlikely to keep a hacker out of a system. In actuality, password strength is irrelevant; a password must withstand an automated dictionary attack long enough for the attack to be detected, and that is rarely achievable. Even unsophisticated hackers can carry out dictionary attacks.
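As an added illustration, not part of the original article, of the detection the author says is rarely achieved in time: a minimal detector run over constructed authentication log lines, flagging any account or source address that accumulates a burst of failed logins inside a short window, and any login success that follows such a burst on the same account. The log format, field names, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Parliament data); the line format is assumed.
SAMPLE_LOG = """\
2017-06-23T09:00:01Z LOGIN FAIL user=mp.alice src=203.0.113.5
2017-06-23T09:00:02Z LOGIN FAIL user=mp.alice src=203.0.113.5
2017-06-23T09:00:03Z LOGIN FAIL user=mp.alice src=203.0.113.5
2017-06-23T09:00:04Z LOGIN FAIL user=mp.alice src=203.0.113.5
2017-06-23T09:00:05Z LOGIN FAIL user=mp.bob src=203.0.113.5
2017-06-23T09:00:06Z LOGIN OK user=mp.alice src=203.0.113.5
2017-06-23T09:30:00Z LOGIN FAIL user=mp.carol src=198.51.100.7
2017-06-23T09:45:00Z LOGIN OK user=mp.carol src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_dictionary_attacks(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {(kind, value): failure_count} for every user and source address that
    reaches `threshold` failed logins within `window`, plus a ("compromise", user)
    entry when a success follows such a burst on the same account."""
    recent = defaultdict(list)  # key -> timestamps of failures still inside the window
    alerts = {}
    for ts, result, user, src in sorted(parse(log_text)):
        for key in (("user", user), ("src", src)):
            fails = [t for t in recent[key] if ts - t <= window]
            if result == "FAIL":
                fails.append(ts)
                if len(fails) >= threshold:
                    alerts[key] = max(alerts.get(key, 0), len(fails))
            elif key[0] == "user" and len(fails) >= threshold:
                alerts[("compromise", user)] = len(fails)  # success right after a burst
            recent[key] = fails
    return alerts
```

The same sliding-window logic applies to any log source once `LINE_RE` is adapted to its format; the "compromise" entry is the one worth paging on, since it marks a guess that likely succeeded.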
British MPs are just the latest victims to suffer a data breach. Hillary Clinton's campaign manager John Podesta had a similar breach, and his emails contributed to dashing Mrs. Clinton's hopes of securing the United States presidency.
That's probably why more and more governments around the world are using two-factor authentication, such as virtual smart cards, to access sensitive data and secure everything from defense plans to contractor emails. Versasec has seen tremendous growth in governments adding identity and access management solutions to their security portfolios.
So, why is two-factor authentication a preferred security practice?
Two-factor authentication augments "something you know" (typically a user's password) with "something you have," which usually is a physical device in the user's or network's possession, such as a smart card or virtual smart card. Smart cards are ideal for security purposes because the key material stored on the card is not exportable. Smart cards and virtual smart cards provide a secure operating environment in which the cryptographic operations inherent to information security take place. This environment is contained within a processor ("chip") on the card, and an attacker cannot monitor or manipulate what takes place within that processor.
For now, the assailant on British Parliament's email remains unknown. Henry Smith, the Tory MP, said: "Sorry no parliamentary email access today - we're under cyber-attack from Kim Jong Un, Putin or a kid in his mom's basement or something." And that's the issue: password attacks are so low-level that some "kid in his mom's basement" can take down a global superpower's email system. It's time for the British government to step up its security capabilities, or password attacks will continue to be a common problem.