In-brief: Password security remains a thorn in the side of security experts as once again proven by the cyberattack on U.K. Parliament, which focused on gaining access to members’ e-mail accounts merely by guessing their passwords.
The recent cyberattack on the U.K. Parliament shows once again that passwords—the most basic way users have historically protected their online accounts from unauthorized access—continue to be a serious security vulnerability when used as the sole line of defense for systems that handle sensitive data.
On Friday, members of the British Parliament suffered what was deemed a “sustained and determined attack” against the mailboxes of the 650 members and their staff. Some reports blamed Russia for the attack, which seems to have directly targeted “less than 90” mailboxes in a “brute force” attack, one that tries to gain access merely by guessing passwords.
“According to reports, this attack worked for dozens of members of the Parliament, which suggests these members were using simple, easy-to-guess passwords,” said Frederik Mennes, senior manager of market and security strategy at cybersecurity technology provider VASCO Data Security.
In the end, it could have been a lot worse—but Parliament IT officials shut down external access to e-mail accounts to prevent further intrusion after 12 hours of sustained attack, action that mitigated the damage.
“The good news is that the responsible team identified the attack just in time,” said Csaba Krasznay, product evangelist at security intelligence provider Balabit. “Most users were aware of the threat and didn’t become victims. The bad news is that there’s still 1 percent of the users who lost their passwords.”
Indeed, the incident once again shines a light on the inherent insecurity of passwords that are used even by government institutions to protect systems handling sensitive information and material, security experts said.
There are a number of reasons the nature of the attack is so troubling in terms of system access, Mennes said. Firstly, it shows that the security of the system is based on static passwords, “the weaknesses of which are broadly and widely known,” he said.
“It is very questionable to use this security mechanism to protect the highly sensitive e-mail accounts of members of the Parliament,” Mennes said.
It also appears that there are no complexity rules in place for these passwords, giving users free rein to choose their own without IT administrator supervision. This often results in easy-to-guess passwords, such as even the word “password” itself, he said.
Additionally, due to the sustained nature of the attack, it seems the system’s authentication servers don’t have proper limits in place to protect against the type of attack that was delivered, Mennes said.
“Authentication servers normally protect against brute-force attacks by limiting the maximum number of password-guessing attempts,” he said. “Given that the attack succeeded for dozens of users, it might be questioned whether the authentication servers had proper password-guessing thresholds.”
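The guessing threshold Mennes describes is easy to see in code. The following is an added illustration, not code from Parliament's systems or from VASCO: a toy authentication server that counts failed logins per account and locks the account for a fixed window once a constructed threshold (5 failures, 15 minutes) is crossed. The usernames, passwords and the guess list are all constructed for the demo; the same guessing run is replayed against an unthrottled instance to show why the threshold matters.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy values for the demo; real deployments tune these.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 10_000  # kept low for the demo; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never stores the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed guesses since last success
    locked_until: float = 0  # epoch seconds; 0 means not locked


class ThrottledAuthenticator:
    """Toy authentication server enforcing a per-account password-guessing threshold."""

    def __init__(self, users, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        # users: {username: plaintext_password}, hashed at construction time
        self._creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, hash_password(pw, salt))
        self._state = defaultdict(AccountState)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.alerts = []  # (time, user, event) records a SOC would ingest

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'success', 'failure' or 'locked' for one attempt at time `now`."""
        st = self._state[user]
        if now < st.locked_until:
            return "locked"  # do not even evaluate the password while locked
        ok = False
        if user in self._creds:
            salt, stored = self._creds[user]
            ok = hmac.compare_digest(stored, hash_password(password, salt))
        if ok:
            st.failures = 0
            return "success"
        st.failures += 1
        self.alerts.append((now, user, "failed_login"))
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            self.alerts.append((now, user, "lockout"))
            return "locked"
        return "failure"

    def lockouts(self):
        """Accounts that have been locked at least once: the detection signal."""
        return sorted({user for _, user, event in self.alerts if event == "lockout"})


def simulate_guessing(auth: ThrottledAuthenticator, user: str, guesses, start=0.0, interval=2.0):
    """Replay a guessing run one attempt every `interval` seconds; return the outcomes."""
    return [auth.login(user, g, start + i * interval) for i, g in enumerate(guesses)]


# Constructed demo accounts; "mp.jones" uses a weak password found in common wordlists.
DEMO_USERS = {"mp.jones": "Welcome1", "mp.smith": "c0rrect-h0rse-battery"}
# Constructed guess sequence in which the sixth guess is the right one.
DEMO_GUESSES = ["password", "123456", "qwerty", "letmein", "admin", "Welcome1"]


def run_demo():
    throttled = ThrottledAuthenticator(DEMO_USERS)
    unthrottled = ThrottledAuthenticator(DEMO_USERS, max_failures=10**9)
    return {
        "throttled": simulate_guessing(throttled, "mp.jones", DEMO_GUESSES),
        "unthrottled": simulate_guessing(unthrottled, "mp.jones", DEMO_GUESSES),
        "locked_accounts": throttled.lockouts(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

With the threshold in place the correct guess arrives while the account is locked and is rejected, so the weak password alone is not enough; the `lockout` alert is also the event a monitoring team would key on to notice a sustained run early. Without the threshold the same sequence succeeds on the sixth attempt.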
The problem goes beyond merely gaining access to e-mail systems, Krasznay said. If compromised users have the same password for multiple systems, it’s possible for attackers to gain access to other services as well, he said.
Ultimately, the attack proves that passwords, when not properly protected, should not be used as the primary way to defend systems that deal with sensitive information or are gateways to access other IT systems, especially if too much is left to human carelessness or error, said Jonathan Sanders, CTO of data-security technology provider STEALTHbits Technologies.
“This tells us that the U.K. Parliament is staffed by humans with the same bad habits as pretty much every other network,” he said. “While we all knew this, no one likes to be reminded that their bad password habits are likely the same as everyone else’s–and it may mean the systems they trust in the public and private sector are at risk.”
To prevent such an attack in the future, the Parliament’s e-mail systems—and other enterprise, commercial and public-sector systems that rely on password protection—should be secured with strong authentication mechanisms, such as ones that ensure passwords are only valid for a limited amount of time or that they are essentially impossible to guess, Mennes said.