
British Parliament Hit by Cyberattack, Affecting Email Access - joegosse
https://www.nytimes.com/2017/06/24/world/europe/british-parliament-cyberattack-hacking-london.html
======
nikcub
Based on the names mentioned I searched for their email addresses in password
dumps and they all match the large 500M+ lists (anti public and exploit.in -
covered here[0]) that have been available on some of the credential-stuffing
and hacking forums since late last year. They are aggregate lists composed of
MySpace, LinkedIn and other breaches.

It appears someone has grepped out parliament.uk emails from those leaks and
then published it separately; the earliest mention of such a list that I can
find online is from mid-May.

The credential stuffing and darkweb markets are full of such lists as the
scammers attempt to make a dollar or two from content that is otherwise
publicly available by slicing it in interesting or appealing ways.

I doubt any of the credentials would have worked against the parliament Office
365 login[1] as either the IT admins would have noticed, and/or the list is
old enough where it would have been noticed far earlier plus Office 365 even
without MFA enabled or enforced will usually require an email or SMS
confirmation for a new device login or a login that doesn't match user
pattern.

The story mentions they disabled logins, but it appears to still work. This is
likely just a precaution from the IT department over what is a relatively
minor issue since it is easier to pretend you're doing something rather than
having to explain to the media that this is an old issue and not that big a
deal.

[0] [https://www.cert.govt.nz/businesses-and-individuals/recent-t...](https://www.cert.govt.nz/businesses-and-individuals/recent-threats/anti-public-and-exploit-in-release/)

[1] [https://intranet.parliament.uk](https://intranet.parliament.uk)

~~~
ryanlol
[http://sprunge.us/HIYa](http://sprunge.us/HIYa)

It must be total chaos in the UK now! 110748 super secret government emails
and passwords leaked on a hacker forum :P

------
NotSammyHagar
Why don't these people use 2 factor auth like a yubikey? And not sms because
it can be hacked and redirected. I know the reason, they are not wanting these
non-technical foofaws to be slightly inconvenienced. And they'd lose their
second factors even if they had them - too bad, you shouldn't be able to get
an official email without it. Give everyone a couple of those keys, put one on
their keychain, one in their computer at home, one in their work computer.
They'd be so much safer.

------
krona
In what way have they been 'hacked'?

Constituents can email their MPs and I'd imagine they all share the same few
email servers. It's not hard to imagine that someone thought they'd 'have a
go' (as was the case during the election period), and the reaction by
Parliament has so far been a precautionary one.

~~~
djrogers
FTA:

> stolen data revealed the private login details of 1,000 British members
> of Parliament and parliamentary staff, 7,000 police employees and more than
> 1,000 Foreign Office officials.

Not sure how that wouldn’t be treated as a cyberattack. Note, the word used
was not ‘hack’ - not all cyberattacks are hacks.

~~~
krona
Seems the NYT changed the title to remove the 'hack' insinuation.

> stolen data revealed the private login details of 1,000 British members of
> Parliament and parliamentary staff, 7,000 police employees and more than 1,000
> Foreign Office officials.

That was reported last week. The attacks happened months ago. (Why do I even
bother?)

------
anigbrowl
To what extent are our security problems the result of feature creep and an
inability to lock down simple protocols? For all the bloviating about national
borders and so on, if a country can't secure its own legislature then its
institutions are broken.

~~~
sillysaurus3
Not sure why this is downvoted. The main reason systems aren't secure is lack
of simplicity.

To put it another way, pentesting is almost always the art of exploiting
complexity. It's true that you can have a system that's both simple and
broken, but that's the exception.

~~~
dpwm
Some of the most effective security measures actually increase complexity.

Two-factor authentication increases complexity in every measurable way but
mitigates against a number of softer attacks.

Adding encryption adds a ton of complexity but effectively removes all man-in-
the-middle attacks.

The simplest way of storing passwords is in plaintext.

Privilege separation is far from the simplest way of structuring a daemon, but
it effectively prevents exploits in the complex parts from allowing an
attacker to gain remote root access.

Perhaps it is more that superfluous complexity is the problem.

~~~
sillysaurus3
I think we're talking past each other. Complexity probably refers to anything
beyond essential complexity. In the systems you mention, they all lack
complexity by that definition.

------
akerro
They should ban encryption to catch those hackers!

~~~
type0
Of course they will

------
rasmafazi
National institutions have indeed begun their long slide into irrelevance. Ray
Kurzweil, a big shot at Google, already wrote about that. Anything that
existed before the widespread commercialization of the internet cannot remain
the same, after. I am waiting for news of the inevitable to break loose. A
group of disgruntled people setting up internet infrastructure to literally
organize the decimation of state officials. They will end up dying like flies.
As soon as the first guys do that, there will be no stopping it. The national
state uses force to enforce its views, while they no longer have a credible
monopoly on the use of force.

------
petre
They've just got hacked, yet the NYT is already blaming the Russians.

------
jacquesm
Real title:

> British Parliament Hit by Cyberattack, Affecting Email Access

Clickbait title. Access to email has been disabled as a precaution because
passwords were being trafficked and there were attempts to access accounts.

~~~
sctb
Thanks! We've updated the title from “British Parliament Email Hacked”.
Submitters, please use the original title when possible:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).

------
ourmandave
"Bugger! My hard drive is encrypted and they're demanding bitcoins! Do any of
you blokes know the pounds to bitcoins rate?"

