Parliament Account Security Advisory

For the first time in history, Parliament was hacked.

According to the Parliamentary Digital Service, the compromised accounts did not conform to the password security guidance it had issued. Some of the compromised accounts reused their owners' social media login passwords, and some of the passwords were later leaked on the government's open data website.

I contacted Parliament's cyber team after this happened to raise my concerns and suggested that they restrict email access to Parliament VPN users; doing that alone would have prevented this and the second attack that took place on Scotland's Parliament a few days ago.

Although, given that the passwords were leaked onto the government's Open Data website, it's possible that this was done by an inside actor, and if that is the case then a VPN alone wouldn't have prevented this. Therefore, I'm giving additional security advice to ensure that there is never a repeat of this.

This shouldn’t have been possible for several reasons:

1) Two-factor authentication is standard practice and should be enabled on every account.

2) Strong passwords should be enforced through Active Directory's domain password and account lockout policy, set via Group Policy, rather than leaving it up to individuals to voluntarily follow the issued password security guidance. A lockout threshold is what actually stops a brute-force attempt; written guidance does not.

3) Nobody should be able to log into any government account over the Internet without first connecting to the government VPN.

4) Accounts should be required to use a hardware security key, such as a FIDO U2F or FIDO2 authenticator, as the second factor, rather than a code delivered by SMS or email.

5) Ideally, accounts should use multi-factor authentication and be locked down with an individual client certificate issued by the Parliament PKI, with the private key generated on, and non-exportable from, a hardware token (for example the smart-card/PIV applet that some security keys provide) and protected by a strong PIN. This would prevent anyone from logging in even if the token were stolen and the thief had access to the government VPN: the PIN is still required, the token locks after a few wrong guesses, and the key cannot be copied off the device. On the server side, the PKI's own signing keys should be held in an HSM; a YubiHSM is one device worth looking into for that purpose. Certificates and hardware-backed keys also mean there is no reusable password for a keylogger to capture.

6) Outlook Web Access should be disabled, so that browser toolbars and extensions cannot read mailbox data once a user is logged in or capture the login password. Content-Security-Policy headers are not a substitute here: CSP restricts which scripts and resources the page itself may load, but browser extensions run with their own privileges and are not blocked by it. If OWA has to stay enabled, extensions should instead be restricted through browser policy (an extension allow-list pushed by Group Policy).
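As an added example, not part of the original advisory, the following PowerShell applies items 2 and 6 on a Windows domain: it sets a domain-wide password and lockout policy, lists enabled accounts that the policy does not actually protect, and switches off Outlook Web Access per mailbox. The domain name parliament.example and the numeric thresholds are placeholders to adjust to local policy; the Set-CASMailbox part assumes an on-premises Exchange Management Shell session.

```powershell
# Added example: enforce the advisory's items 2 and 6 with PowerShell.
# Requires the ActiveDirectory module (RSAT) run as a domain admin, and an
# Exchange Management Shell session for the Get/Set-CASMailbox part.
# parliament.example and the numbers below are placeholders; adjust to policy.
Import-Module ActiveDirectory

$Domain = 'parliament.example'

# Item 2: enforce strong passwords and lockout in the Default Domain Policy
# instead of relying on users to follow written guidance. Locking out after a
# small number of failures is what blunts the brute-force attacks described above.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Confirm what is now in force.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Format-List MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration

# Audit: enabled accounts the policy does not protect, because the
# 'password not required' flag is set or the password never expires.
$Exempt = Get-ADUser -Filter "Enabled -eq $true" `
    -Properties PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNotRequired -or $_.PasswordNeverExpires }
$Exempt |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# Clear the 'password not required' flag; such accounts may have an empty password.
$Exempt | Where-Object { $_.PasswordNotRequired } |
    Set-ADUser -PasswordNotRequired $false

# Item 6: disable Outlook Web Access so mail is only read through the
# desktop client over the VPN. Run inside the Exchange Management Shell.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Set-CASMailbox -OWAEnabled $false

# Verify nothing still has OWA switched on (should return no rows).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Select-Object Name, OWAEnabled
```

The audit step matters more than it looks: a domain password policy only applies to accounts that are required to have a password at all, and accounts flagged PasswordNotRequired are a common way for a weak or empty credential to survive an otherwise strict policy.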

I would like to see NCSC take a more active role in protecting Parliament's network and ensuring that this never happens again.

Whoever was behind these two brute force attacks should be prosecuted to the full extent of the law.

How to Protect against #WannaCry and Similar Ransomware Attacks and Why VPNs Can be Less Safe

Recently a malicious computer worm called WannaCry hit a wide range of computers across the Internet, infecting machines running Windows without requiring any interaction on the user's part.

This particular worm is a type of malware known as ransomware: once on a machine it encrypts the user's files and demands payment, and it spreads to other Windows computers remotely using an SMBv1 exploit (EternalBlue) developed by the NSA and later leaked.

There are various strategies one can use to protect against this particular ransomware threat and future ones:

  1. Apply Microsoft patch MS17-010 — https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  2. Turn on Windows updates
  3. Disable SMBv1 — https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  4. Turn on the Windows Firewall

All workstations, i.e. computers that aren't servers, should have the Windows Firewall enabled with inbound connections blocked by default, to protect themselves from future SMB-based attacks or any other attack that depends on an incoming IP connection to the client. This provides protection even on an unpatched machine, because the firewall drops the incoming connection before the vulnerable service ever sees it.

Enabling the Windows Firewall is especially important if you connect to a VPN.

Most computers sit behind a hardware firewall at home or in the office which NATs their IP address, so SMB ports cannot receive incoming traffic from the Internet. Once you connect to a VPN, however, your machine gets a new network interface on the provider's network, and other computers using the same VPN provider can reach it directly on that interface and infect it with malware if its firewall is not enabled. A VPN adapter can be placed in any of the three firewall profiles (a consumer VPN typically ends up in the Public profile), so the firewall needs to be on for the Domain, Private and Public profiles, not just one of them.
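As an added example, not from the original post, the PowerShell below audits and remediates a single Windows host against the four steps above: it checks whether an MS17-010 fix is listed, disables SMBv1, turns the firewall on for all three profiles with inbound blocked, and adds an explicit block for SMB on non-domain networks (the VPN case). The KB list is taken from Microsoft's MS17-010 bulletin but is an assumption to verify against your OS build; later cumulative updates supersede those KBs, so their absence is inconclusive rather than proof of exposure.

```powershell
# Added example: check and remediate one Windows host against WannaCry-style
# SMB worms. Run in an elevated PowerShell on Windows 8.1/10 or Server 2012 R2+.
# KB numbers below are from the MS17-010 bulletin (assumption: verify for your
# build); newer cumulative updates supersede them, so "none found" is not proof
# the host is vulnerable, only that this quick check cannot confirm the patch.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'                 # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216'                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                 # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

# 1. Is an MS17-010 fix (or the rollup that carried it) listed?
$Installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($Installed) {
    "MS17-010 present: " + ($Installed.HotFixID -join ', ')
} else {
    "No MS17-010 KB listed by Get-HotFix; confirm a newer cumulative update is installed."
}

# 2. SMBv1 is the protocol EternalBlue targets: report it, switch it off on the
#    server side, and remove the optional feature so the driver is not loaded.
#    (On Windows Server use Remove-WindowsFeature FS-SMB1 instead of the
#    Disable-WindowsOptionalFeature line.)
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Firewall on for all three profiles, inbound blocked by default. A VPN
#    adapter can land in any profile, so enabling only 'Domain' leaves the VPN
#    path open; this is the point made above about peers on the same VPN.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 4. Explicit inbound block for SMB on non-domain networks, for workstations
#    that do not share files. Block rules win over allow rules, so a later
#    "File and Printer Sharing" exception cannot re-expose 139/445 to VPN peers.
$RuleName = 'Block inbound SMB (VPN/public)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -Profile Private,Public -Action Block | Out-Null
}

# 5. Show the resulting state for the record.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Profile, Action
```

Step 2 needs a reboot to fully remove the SMBv1 driver; until then the firewall change in step 3 is what actually keeps port 445 unreachable, which is why the two are done together rather than relying on either alone.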

Advice specific to organisations that use an Active Directory server

If your organisation runs an Active Directory domain, the administrator should create a Group Policy Object (GPO) that forces every client in the organisation to enable the firewall and turn on automatic Windows updates.

Settings delivered by a domain GPO take precedence over local policy, so a local administrator cannot switch them off. Doing this prevents users from disabling the firewall and putting their machine at risk.

How to enable Windows updates via GPO Policy
https://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx

How to enable Windows Firewall via GPO Policy
http://www.techrepublic.com/blog/the-enterprise-cloud/managing-windows-firewall-through-group-policy/
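As an added example, not taken from the original post or the two linked articles, the following PowerShell builds the same two settings as a GPO with the GroupPolicy module, by writing the registry-based policy values that the Group Policy editor itself stores for the firewall and Automatic Updates settings. The GPO name and the OU distinguished name are placeholders.

```powershell
# Added example: build the workstation GPO from PowerShell rather than the GUI.
# Needs the GroupPolicy RSAT module, run as a domain admin. The GPO name and OU
# are placeholders. The registry keys are the policy locations the Group Policy
# editor writes for these settings (not the live firewall/WU registry keys).
Import-Module GroupPolicy

$GpoName  = 'Workstation Baseline - Firewall and Updates'
$TargetOu = 'OU=Workstations,DC=parliament,DC=example'

$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'Forces firewall on and automatic updates'
}

# Windows Firewall: on for every profile, inbound blocked by default, and local
# rule merging disabled so a local admin cannot punch holes through it.
# 'StandardProfile' is the policy name for the Private profile.
$FwBase = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($FwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $Key = "$FwBase\$FwProfile"
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'EnableFirewall'        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DefaultInboundAction'  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AllowLocalPolicyMerge' -Type DWord -Value 0 | Out-Null
}

# Automatic Updates: enabled (NoAutoUpdate = 0), AUOptions 4 = download and
# install on a schedule, ScheduledInstallDay 0 = every day, at 03:00.
$AuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# Link the GPO to the workstation OU unless it is already linked, then review.
$Linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}
Get-GPRegistryValue -Name $GpoName -Key "$FwBase\PublicProfile"
Get-GPRegistryValue -Name $GpoName -Key $AuKey
```

Clients pick the settings up at the next Group Policy refresh (or immediately with gpupdate /force); because these live under HKLM\SOFTWARE\Policies, the firewall and Windows Update UI on the client shows them as greyed out and managed, which is the override behaviour described above.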