Scottish Parliament Repels Brute-Force Email HackersAttackers Probe for Weak Passwords; No Accounts Compromised
Hackers have been targeting the Scottish Parliament in a "brute force cyberattack," parliament officials say.
See Also: Case Study: The Road to Zero Trust
The Scottish Parliament, known as Holyrood - for the section of Edinburgh in which it is located - this week alerted the 129 Members of the Scottish Parliament, or MSPs, as well as staff, that their email accounts were being targeted in unauthorized login attempts.
The attacks remain ongoing, IT systems remain fully functional and that there is no evidence that any of the unauthorized access attempts have succeeded, a spokeswoman for Holyrood tells Information Security Media Group.
As soon as the attack was detected, "various cybersecurity measures were quickly deployed to combat this and, as a result, we have seen the frequency of failed log-ins and account lockouts decrease," Paul Grice, chief executive of the parliament, said in a Tuesday warning to MSPs and staff, which Holyrood shared with ISMG.
"At this point there is no evidence to suggest that the attack has breached our defenses and our IT systems continue to be fully operational," Grice added. "Users should be aware, however, that this attack remains ongoing. It is not uncommon for brute force attacks to be sustained over a period of days so it is essential that IT account users are vigilant and report any suspicious issues to the [help desk]."
Britain's computer emergency response team, the National Cyber Security Center - part of the GCHQ intelligence agency - has been assisting in the response effort. "The NCSC is aware of a cyber incident involving the Scottish Parliament and has been working with their digital security team," the agency says in a statement.
The email accounts targeted in the attacks, which use the "parliament.scot" domain, are Office 365 accounts hosted by Microsoft, Holyrood tells ISMG.
"This looks to a be a fairly standard scanning attack on accounts, where a tool continually tries different passwords for given logins," Bill Buchanan, a professor of computing at Edinburgh Napier University, tells ISMG. "The system will normally give a lock-out on a number of incorrect logins, and, if not managed correctly, will also lock-out the user for a given amount of time - or permanently, until there is a reset on the account, in some cases."
Grice says the parliament is looking at strengthening its defenses and that "analysis is taking place to better understand the origin of the attack and to assess its overall impact."
Defenses: Firewalls, Whitelisting, Authentication
Buchanan says that defenses should be easy to put in place.
"To defend against this, normally a firewall rule is written which blocks a given source from accessing the email system and which would lock out the IP address for a given time - or permanently," he says. "Government officials should also always make sure that their passwords are not guessable, and system administrators need to make sure there's a lockout on IP addresses for a given number of incorrect passwords."
Buchanan says any upstream service providers that have been relaying attack traffic will no doubt have been alerted to help them block attacks at the source.
"If it is created by an anonymous source or from randomly generated IP addresses, then the team need to create whitelists of trusted IP addresses for accessing email system," he says. "These might relate to well-defined, U.K.-based ISPs and IP addresses which have previously been logged against government officials."
But he says the best long-term fix would be to only enable access to email servers from whitelisted IP address, as well as to require multi-factor authentication to access email accounts, potentially backed by biometrics. "It's amazing in this technology-driven age with smartphones that we are still using usernames and passwords as our main method to identify ourselves," he says.
The attack against the Scottish Parliament email accounts follows a similar effort against members of the two houses of Parliament in London, at Westminster - the House of Commons and the House of Lords, as well as their staff - in June. Parliament officials said about 90 accounts were compromised in those attacks (see British Parliament Targeted by Brute-Force Email Hackers).
It's unclear if the attack against the Scottish Parliament was launched by the same individual or group.
"I suspect this is hackers on a hunting trip. They are effectively rattling door handles to see if any are open," Alan Woodward, a professor of computer science at the University of Surrey's Center for Cyber Security, tells ISMG. "Westminster probably gave the hackers the idea, and it might even be the same group."
While concerns continue to mount about the ability of foreign governments to disrupt democracies, Woodward says brute-force email password hack-attack attempts would likely be too blunt an instrument for state-backed efforts.
"I doubt it will be a nation-state attack or even state-sponsored," he says. "If an intelligence service wanted to access emails to gather information they would do it a lot more subtly. They wouldn't want users or those that run the systems to know they were being attacked."
British lawmakers are not the only ones to be so targeted, according to Matt Tait, a former information security specialist for GCHQ, now senior fellow at the Robert Strauss Center for International Security and Law in Austin, Texas. On Friday, Tait - who tweets as @pwnallthethings - warned U.S. lawmakers that hacktivists have been targeting their email accounts to attempt to access and dump - or dox - their contents online.
PSA for Senators & congressmen: Anonymous is trying to dox you. Be esp careful of attachments & links. If you haven't enabled 2FA, do it now— Pwn All The Things (@pwnallthethings) August 18, 2017
Public Service Announcement
While there are no silver bullets in cybersecurity, there is one approach that can be counted on to quickly and reliably repel unsophisticated, brute-force attempts to guess passwords and access accounts. "The answer is 2FA," says Woodward, referring to two-factor authentication.
Like Buchanan, he questions why more parliamentarians, who have the ability to track and shape government policy at the most secret levels, are not using this security tool.
"Personally I think if you have an important function, such as communicating with our representatives, it would be much better to have 2FA," Woodward says. "I'm sure those affected will complain as it makes their life a little more difficult, but I really hope that these attacks show that it can happen to you - and in fact it probably will happen to you."
A Question of Convenience
While any organization - including parliaments' IT operations teams - could mandate that users employ two-factor authentication, users would not necessarily comply - or comply in an expected manner.
Indeed, ongoing research conducted under the auspices of the NCSC continues to produce results that, at times, lead to existing cybersecurity assumptions - or superstitions - being overturned.
For example, the NCSC has warned that forcing passwords to expire every 90 days makes passwords less effective, because it found that doing so leads users to pick ultra-simple passwords (see Successful Security? Stop Blaming Users).
That's part of the reason why the NCSC recommends that organizations no longer force passwords to expire on a regular basis. Office 365, however, requires passwords to be changed every 90 days.
The NCSC has also advised all organizations to allow users to paste passwords, which many sites block outright. Allowing pasting, NCSC says, supports users who employ password managers to help them create and manage long, strong and unique passwords for every site they use.
Such guidance, however, is relatively new and has yet to be absorbed by many organizations, even in Britain. But Woodward says he hopes such guidance will lead more organizations to rethink their information security assumptions, and find better ways to put usable security in the hands of their users.
"No security is convenient," he says. "But I'm rather hoping that the updated advice from NCSC and others about the frequency of change of passwords, and so on, will have filtered through to organizations and that policies can be developed that are both secure and not inconvenient."