For the first time in history, Parliament was hacked.
According to the Parliamentary Digital Service, the compromised accounts did not conform to the password security guidance that it issued. Some of the compromised accounts reused their owners' social media login passwords, and some of the passwords were later leaked on the government's open data website.
I contacted Parliament's cyber team after this happened to raise my concerns and suggested that they restrict email access to Parliament VPN users. Doing that alone would have prevented this and the second attack that took place on Scotland's Parliament a few days ago.
Although, given that the passwords were leaked onto the government's Open Data website, it's possible that this was done by an insider, and if that is the case then a VPN alone wouldn't have prevented it. Therefore, I'm giving additional security advice to ensure that there is never a repeat of this.
This shouldn’t have been possible for several reasons:
1) Two-factor authentication is pretty standard and all accounts should have this enabled.
2) Strong passwords should be enforced via Active Directory, rather than leaving it to individuals to voluntarily follow the issued password security guidance.
3) Nobody should be able to log into any government accounts over the Internet without first connecting to the government VPN.
4) Accounts should be forced to use a two-factor hardware key, such as a FIDO 2FA.
5) Ideally, accounts should use multi-factor authentication and be locked down with an individual certificate issued by the Parliament PKI server, secured with a strong password stored in the keychain on the user's FIDO device. This would prevent anyone from logging in, even if the FIDO authentication device was stolen and the person who took it had access to the government VPN. It's worthwhile looking into using a YubiHSM device for storing private keys. Using certificates and FIDO or HSM devices prevents passwords from being obtained by keyloggers.
6) Outlook Web Access should be disabled to prevent browser toolbars or plugins from accessing data once a user is logged in, or from capturing login passwords. Another option is enforcing Content-Security-Policy headers, which can be used to prevent browser plugins from loading.
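As an added example of point 2 above (enforcing strong passwords centrally rather than by guidance), the following PowerShell creates an Active Directory fine-grained password policy that also sets an account lockout threshold, which is the control that blunts the brute-force attacks described here. This is illustrative code written for this page, not Parliament's configuration: it assumes the RSAT ActiveDirectory module and sufficient domain rights, and the group name, policy name and sample account are placeholders.

```powershell
# Added example, not from the original post. Enforce a strong password and
# lockout policy on a group of users via an AD fine-grained password policy.
# Placeholders: the policy name, target group and sample account are assumed.
Import-Module ActiveDirectory

$policyName  = 'Parliament-Strong-Passwords'   # placeholder policy name
$targetGroup = 'Parliament-Users'              # placeholder security group

# Create the policy only if it does not already exist (idempotent re-runs).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `                          # lower wins if several apply
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `                # stops cycling back to old passwords
        -MinPasswordAge '1.00:00:00' `            # 1 day, prevents rapid history flushing
        -MaxPasswordAge '365.00:00:00' `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `                    # failed attempts before lockout
        -LockoutObservationWindow '00:15:00' `    # window in which failures are counted
        -LockoutDuration '00:30:00' `             # lockout length; 0 would require admin unlock
        -ProtectedFromAccidentalDeletion $true
}

# Bind the policy to the group; it then overrides the default domain policy
# for every member of that group.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Verify the resultant policy for one account (placeholder identity) so the
# change can be checked rather than assumed.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

The lockout values are deliberately moderate: a threshold of 10 with a 15-minute window stops online guessing without letting an attacker lock out every member by hammering known usernames, and the resultant-policy check at the end is what confirms the group binding actually took effect for a given user.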
I would like to see the NCSC take a more active role in protecting Parliament's network and ensuring that this never happens again.
Whoever was behind these two brute force attacks should be prosecuted to the full extent of the law.