According to a report in the Daily Telegraph, British cabinet ministers' emails have been hacked by Jihadists in Syria, leaving cyber-security professionals wondering what really happened and speculating on how it could have been prevented.
The newspaper said that the intelligence agency GCHQ had discovered that “extremists linked to the Islamic State of Iraq and the Levant (Isil) have been targeting information held by some of David Cameron's most senior ministers, including Theresa May, the Home Secretary”.
Hacking emails and diaries of senior ministers could have revealed details of events being attended by ministers and members of the Royal family.
Nigel Inkster, an expert with the International Institute for Strategic Studies (IISS), told the Daily Telegraph that jihadist groups want to acquire cyber-attack capabilities.
A British citizen, Junaid Hussain, described as a computer hacker from Birmingham and thought to be involved in the attack on cabinet ministers' IT systems, was killed recently by US forces. He is thought to have been a member of the “Cyber-Caliphate”, a jihadist hacking group.
Whitehall security officials were apparently warned in May about the hacking campaign.
From what little information has emerged about the attack, it's difficult to determine exactly what happened, but GCHQ has said that no security breaches occurred. Meanwhile, though, the Daily Telegraph said it has been told that emails were hacked and officials have been told to tighten security including changing passwords.
Security experts were not impressed with the lack of clarity around the situation. “If no security breaches occurred then how where emails compromised? There are a lot of weasely words used in these stories. Things like ‘targeting' which doesn't necessarily mean the attacks where successful,” said Cris Thomas, strategist at Tenable Network Security.
Norman Shaw, Founder and CEO at ExactTrak commented: “The ‘was it' or ‘wasn't it' a breach surrounding this ‘episode' suggests that those involved are being a little economical with the truth to say the least and possibly trying to cover up a potential disaster. Could an insider have provided information to ISIL that enabled them to make this penetration? Regardless of what actually happened, if data was accessed, it was a breach.”
Whatever happened, cyber-security experts expressed concern about what the incident said about security around individuals at the top of government.
Gary Newe, technical director at F5 Networks commented: “I would assume that any really high value information would not be stored in an easily read email, but this is clearly a blunder. It is important that the government establishes how this happened and maybe even re-evaluates its email security.”
Robert Holmes, general manager of email fraud protection at Return Path, told SCMagazineUK.com in an email: “Government bodies have a tendency to lag behind when it comes to heightened security postures versus the private sector.”
Keith Poyser, managing director EMEA at Accellion said: “It is alarming that such high level government officials can be hacked by a terrorist organisation, but we have to recognise that malicious cyber threats, from whichever quarter, are agile, diverse, connected and use appropriate technologies to carry out targeted attacks.
“If public cloud based services are being used, as I suspect they are, then this is an inherently insecure approach that presents a soft target for attacks. Hacks like this are often less sophisticated than they seem.”
Norman Shaw at ExactTrak said: “Whatever the real situation, you have to ask if the ministers themselves should be blamed? They are, after all, only users and would/ should be using the data security that they were given by the combined forces of GCHQ, security contractors and government-appointed security professionals… I would have expected the reaction to a breach of the highest levels of government to be slightly more involved than ‘change your password'.”
Tony Marques, cyber security consultant at Encode UK told SC: “Exploiting trust relationships is the most common and most successful of cyber-attacks. System and human trust relationships are at the core of any digital service. Cyber-attack skills, tactics, techniques and procedures are tending to evade (rather than penetrate) perimeter defences and end-point security by socially engineering users into executing malware under trust.”
The experts we spoke to advised the government to employ various methods to improve security.
Robert Holmes at Return Path advised: “With the government dealing with highly sensitive information at all times, government bodies should look to implement the highest levels of cyber-defences when it comes to securing the email channel, including two-factor authentication, password policies, data encryption and IP address validation as well as leveraging email authentication protocols such as SPF, DKIM and DMARC.”
Guy Bunker, senior vice president of products and information at Clearswift agreed that two-factor authentication is essential: “Many organisations have two-factor authentication today, which is made much easier with soft tokens delivered by smart phone and this should be made a standard for those who have access to state secrets, state security – not just in government, but also in areas such as critical national infrastructure.”
Paul Donovan, EMEA sales director for Pulse Secure said: “Systems need to be put in place that make sure users are only given access to the things they need – whether they're in the office or working from home. All devices connecting to the corporate network, both company and personal ones, should pass a security assessment before being allowed on. It's best practice to check for up-to-date anti-virus software as well as security vulnerabilities like jailbroken phones.”
Brian Chappell, director of technical services EMEAI at BeyondTrust, said: “We need to continue to educate our users in the good password practice, providing tools such as LastPass or 1Password to help them manage the accounts they access outside of the controlled office environment.”
Robert Holmes at Return Path commented: “Over the last few years, there have been reported stories of government officials losing briefcases on public transport and taxis, exposing highly confidential information to the general public. Today, we are no longer talking about physical briefcases, but virtual ones, using cloud technology.”