British MPs have shown that they are so bad at basic cybersecurity (including password security) that it is hilarious. A number of them have been sharing their password and cybersecurity practices on Twitter, and I’m still giggling. Keep reading and have a laugh.
British MPs share passwords with everyone
This all started last week when Nadine Dorries shared the following tweet on her excellent password practices:
https://twitter.com/NadineDorries/status/937019367572803590
The InfoSec community on Twitter was not having it. People seriously questioned her, and she seriously thought that what she was doing was okay:
Really? Have you heard of cyber security? Russians & Chinese hackers and accessing U.K. government computer systems?
— chris phillips (@cphillips_ippso) December 3, 2017
As above – this would be a sackable offence in any normal organisation, for exactly this reason.
How could you determine the source of a breach if 8 people are using the same login?
Do MPs operate on a different planet? https://t.co/pR6J0zXyQD
— tony nog #FBPE (@tony_nog) December 2, 2017
Seriously, she is this bad at basic password security and at understanding that some communications are supposed to be private, especially those directed towards members of Parliament. The interns don’t need to be able to read every single thing that comes to her. They probably shouldn’t be allowed to read anything unless you explicitly send it to them.
https://twitter.com/NadineDorries/status/937043585454796801
Yes, it just keeps getting dumber.
But she’s not the only one. Check out James Clayton and Nick Boles trying to defend her stupidity:
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles MP (@NickBoles) December 3, 2017
It is extremely common for MPs to share their parliamentary login details with their staff. Seems slightly unfair to vilify @NadineDorries for what is common practice
— James Clayton (@JamesClayton5) December 3, 2017
James Clayton is a reporter for the BBC. See what happens if you walk into his office and just start using his computer; it’s probably not locked. At this point, it may stop being funny and start being painful. Nick is an elected government official with password practices no better than the local kindergarten.
This guy, isn’t that nice? He trusts his team:
Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.
— Will Quince MP (@willquince) December 3, 2017
Until the day that his team breaks that trust. And when that trust is broken, anyone from the team can steal information. But what the hell? He trusts his team…
The funniest bad cybersecurity of all
Okay, so someone openly sharing their password to their government parliamentary computer is pretty bad cybersecurity. This was in defense of Damian Green, another Conservative politician who is getting the public backrub from other stupid politicians. This is over allegations that he accessed porn on his parliamentary-issued computer.
He's either lied about the porn or broken the computer misuse act by letting someone else use his login details and email account
— Damo (@Dirty_Dog04) December 2, 2017
His argument is what led to the stupidity you see above. He claims that it may not have been him accessing all this porn because other people have access to his public government-issued computer. It truly is a race to the bottom.
Correct these bad cybersecurity and password practices
These bad security practices could have been easily fixed if the members of Parliament simply used the Microsoft Office 365 features that allow delegation and authorize third parties to access specific mailboxes. There would be no need for password sharing, computer sharing, or account sharing.
These are basic password and account protection strategies that every member of Parliament, and more importantly every small business owner, should be undertaking. You don’t even need a fancy hacker to get into data that is within emails; you can simply bribe an intern. $20 could sell out your entire business or political career.
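One way to set up the Office 365 delegation described above with Exchange Online PowerShell, as an added example that is not part of the original post. The addresses and staff roles are constructed placeholders, and it assumes the ExchangeOnlineManagement module, an Exchange admin account, and an English-language mailbox (folder name `Calendar`).

```powershell
# Added example: give each staff member their own delegated access
# instead of sharing one login. All addresses are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.org'

$Owner = 'member@example.org'

# Each person gets only the access their role needs.
$Delegates = @(
    @{ User = 'caseworker@example.org'; Role = 'Mailbox'  }   # reads and answers mail
    @{ User = 'diary@example.org';      Role = 'Calendar' }   # manages the diary only
)

foreach ($d in $Delegates) {
    switch ($d.Role) {
        'Mailbox' {
            # The mailbox opens under the delegate's own sign-in.
            Add-MailboxPermission -Identity $Owner -User $d.User `
                -AccessRights FullAccess -InheritanceType All -AutoMapping $true
            # Replies show "delegate on behalf of owner", so the real sender is visible.
            Set-Mailbox -Identity $Owner -GrantSendOnBehalfTo @{ Add = $d.User }
        }
        'Calendar' {
            # Calendar folder only; the inbox stays closed to this account.
            Add-MailboxFolderPermission -Identity "${Owner}:\Calendar" `
                -User $d.User -AccessRights Editor
        }
    }
}

# Log delegate actions against the delegate's own identity, so a breach
# can be traced to one account rather than to a login eight people share.
Set-Mailbox -Identity $Owner -AuditEnabled $true `
    -AuditDelegate @{ Add = 'SendAs','SendOnBehalf','Update','SoftDelete','HardDelete' }

# Review who currently holds explicit access to the mailbox.
Get-MailboxPermission -Identity $Owner |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# Offboarding: revoke one person's access; nobody else's password changes.
function Remove-StaffAccess {
    param([Parameter(Mandatory)][string]$User)
    Remove-MailboxPermission -Identity $Owner -User $User -AccessRights FullAccess -Confirm:$false
    Set-Mailbox -Identity $Owner -GrantSendOnBehalfTo @{ Remove = $User }
}
```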