Credential sharing is common, most see it as a way to achieve an end, rather than as a security hole that could screw them over in the future.
If your not very technical, and your intern needs to respond to your emails, schedule your calendar, and handle other tasks I'd be surprised if most don't just fork over their login details rather than go and ask Jerry in IT to make an account with all these special permissions for an Intern or staffer that'll be gone in a few months to a year.
Which would be inadvisable but understandable, were it not for the code of conduct that stipulates that you do not share passwords.
It might be a common thing to do, but this matter needs at a minimum a reiteration of the rules and better documentation of the correct alternatives, and probably also a certain amount of punitive measures.
Biometrics solves this particular sharing problem; the politican can´t easily share their iris or fingerprint
In my experience, 2factorA with cell phones also prevents executives from sharing passwords. They won´t leave their phone behind. However biometrics is faster to use and easier to understand for most people. 2FA can be socially engineered by calling the politican/exec and asking for the code they just got "for support". That won´t fly with a fingerprint.
A gummy bear works just fine to copy a fingerprint. You can only go so far too, piss off a politician or even a lower level boss, and IT may find all their computers in the dumpster, replaced with new PCs that said person bought to get the job done, rather than fight IT to get their work done.
For most people, a computer is a means to an end. If it doesn't accomplish that task, the computer belongs in the trash.
> A gummy bear works just fine to copy a fingerprint.
No longer. You may be pleased to learn that there is new technology that is better than that. Google "liveness detection" to learn more.
> For most people, a computer is a means to an end. If it doesn't accomplish that task, the computer belongs in the trash.
If I interpret your hyperbole nicely, you mean that security which is difficult to use will upset users. Indeed this is so, therefore security needs to be implemented in such a way that it is easy to use in a secure fashion. apple touchID is a good real-life example of which you may be aware. Enforcing complex text passwords which must be changed every N days is a counter-example which does not achieve the desired effect and also upsets users. Biometrics are, when implemented well, very easy to use and far more secure than text passwords. Therefore they should be considered, before "throwing the computer in the dumpster", as you said.
Definitely, but even that won't fix the issue. Fact is, its so painful to get each user the proper access rights via IT, to the point that nearly no one complies with the code of conduct they agree to.
The easier you make things, the more apt people are to properly securing their systems. Saying they didn't follow policy, while true, is ignoring the root cause of why the policy wasn't followed.
We've already established management doesn't care, otherwise we wouldn't have these massive data breaches (practically) every other week and IoT devices with zero security and open access to the world.
At a company I worked at 10+ years ago the IT Dept had a generic VPN username/password that they gave out like candy to use if you needed to VPN in and your account was in the process of being setup. It wasn't like this practice was a secret either. I don't know why it took more than a few minutes (?) to setup VPN access.
Credential sharing is common, most see it as a way to achieve an end
I recently learned a relative, who works at a law practice, shares her login. But, like the MP, there is a business need. In this case, some piece of software that isn't "in the cloud" - it's a local installation. If she's out of the office, somebody has to run the software. It didn't occur to her, or anybody else at the office, that other employees can likely access the software on that PC with their own logins (they never tried). It never occurred to them to request assistance from the software vendor. Sharing credentials was the obvious (and easy) solution.
It's a small-town office, average age of employee is probably well north of 50. I probably shouldn't have been surprised, but I was.
Good points raised and I largely agree, but just look at the article, several pages explaining passwords and security, along with screen shots (which I think must be equivalent to having maths equations in your document in terms of their power to make eyes glaze over), and a call to "reach out to your IT department".
Do MP's even have an IT department? I thought they were responsible for their own offices, and on quite a tight budget.
"Have these people never heard of delegation permission?"
You know what, probably not. Nor have I, and I'm a dev, though I don't use exchange, and of course I do understand the concept.
"But we do need to call out credential sharing in this fashion for what it is and it's precisely what I highlighted in that original tweet - lack of education."
The actual problem here is that security is just too hard for users, the implementations are too complex or onerous, and even perhaps undesirable to them if the intent is just to "track them, make them accountable (in reality, blame them when things go wrong)", etc.
I run an SMB and as such, have a personal access to manage the company's account on the French govt taxes website.
My accounting firm does this for me. The govt website has this perfectly covered, with delegation and dedicated roles for accountants, other company officials, etc.
Yet when we first set this up the first thing my accountant told me was: just give me your credentials so I can log in as you. I said no, I don't think so. Instead, tell me your account # so that I can authorize it on my account. And he said "I don't even have an account. I do this with all my other clients".
In the end he set up his own account and we did it the right way, but it took time, and it was absolutely not obvious to him that sharing personal "admin" login information was a very bad idea.
I don't think there's a technological solution to this problem, unless maybe if delegation can be made to happen automatically (how???) and if there are biometric sensors that make sharing login information impossible (but that would annoy people more, not help them).
You don't need AI. A simple fuzzy string match and some basic rules around it (ie, allow 25% fault across all tests, so your useragent can change 20% and the other strings can change 5% without you needing to reauth).
The simplest defense is to never log the user out and only ask passwords for special things (like Github's Superuser Mode)
I think from most people's perspective all those things do is make login sharing harder. I'm working with a non-profit to set up a website and social media accounts, and I've explained the concept of everyone having their own login to a shared account 3 times, and I think maybe 1 person gets it. (And maybe I suck at explaining it, but I have plenty of teaching experience and usually get compliments on explaining technical stuff in a non-jargony way).
If these same people had the obstacle of having to add another person's phone to 2FA as well as share the password, they still wouldn't look very long at alternatives to the way they log in. There's a fundamental assumption that there's a way to log in, and other people just have to do that. Very hard to help them realize that everyone should authenticate as individuals, and you can authorize individuals to access the group's resources.
The issue here is still culture. What's an IP, and why isn't this alert going to IT instead of me? 2FA can be added to multiple devices still allowing delegation. People will throw a password into anything that prompts them.
I always think about people who say that verification keys in emails is the route to go[0] to stop phishing/fraud attempts. It's a technological method that ensures the message is sent from a specific source, but that doesn't mean that the user will always verify the key.
We've had the technology to stop most commonplace security issues for a while. We've almost always been lacking in culture.
The system is setup not to reveal the secret once it’s set. Technical users can root their phones to extract the secret of course, but most users wont be willing to go that far.
You can of course set up a new secret & share it with multiple phones at that point. Not sure there’s much you can do to stop that using a software 2FA implementation. If it really matters, then a hardware token is the way to go.
It’s not a URI. The google-authenticator pam library generates an image that encodes the secret which gets echoed to the terminal as a QR-code. No internet access required - just a camera on your phone to image the code.
If you can take a photo of the code & re-use it, then you can initialise multiple phones with the same secret.
Is deniability really good for public offices? Politicians surely need some degree confidentiality on certain documents and communications, but they also need be held accountable for their actions (while in office).
Users have no expectation of privacy. That’s IT security policy mantra wherever it is legal. Everything a government official does is public at some level. So that part of Hunt’s argument is bunk.
From a security point of view, An elected official isn’t some clerk. If she decides to delegate duties to her staff, that’s her decision and responsibility.
I’ve had this argument with people before. IT dogma like this makes life more efficient. In the paper world, guess what? Mail was opened by staff. Time sheets were completed by secretaries. Staff were delegated authority to sign off on stuff up to a threshold. When I started working in IT, my director had a protocol where his secretary could sign off on certain transactions up to a high dollar figure without his presence. Problems weren’t very common.
An IT credential isn’t sacrosanct, and for the 90th percentile executive, there’s no reason to not allow this type of behavior where delegation isn’t possible.
I always thought it was funny when Apple did enterprise briefings, one of their success stories was how a major company wrote an iOS app to allow managers to approve routine bullshit. The quote from some SVP at the client was something like “This app took 3 hours off my workday, and I can eat dinner with my kids.” That’s the ultimate illustration of stupid security culture and the micromanagement it brings along for the ride.
I'd argue that's not really brought about by IT security, but by organisational security, e.g. trust. Expense tools were designed for a single, C-Level signatory, because that's what companies requested. "We can't let lower level employees have budget approval". As are a lot of other access arrangements.
If enough companies had that workflow (like the director/secretary one you mention).
This is the issue--delegation absolutely is possible in the use cases brought up by MPs and by bystanders. There's not really an excuse when email accounts can be set to auto-forward, and when email delegation accounts exist. Granted, the IT staff should have solved the problem by going to the MP and explaining that email delegation exists, but that's still not an excuse for the MPs to repeatedly break the law.
IT credentials should be treated as sacrosanct. Your credentials represent you and are, in many cases, indelibly tied to those credentials. Providing those credentials to others is the most coarse grained method of delegating _all_ of your abilities under that credential.
In this case we're talking about pornography and, apparently, rather pedestrian pornography at that. I have no doubt that this will end with people chuckling at each other and that will be the end of it.
Should someone mail out state secrets with these credentials the tone of these stories will be very different. This attitude of "sharing credentials makes my job easier" will meet with far less indulgent attitudes. Heads may very well roll and making it more difficult to pinpoint an individual will not be so easily tolerated.
Bottom line, sharing the credentials represents very real risk. Perhaps members of parliament do nothing of consequence with their email and that is why this has been allowed to go on for so long.
Any competent organization in government protects state secrets with a multi-factor credential that’s protects against reuse, some sort of network isolation, and serious criminal penalties for violation of those rules.
Outside of the enterprise, people do this all of the time with limited powers of attorney and other mechanisms. When I had an assistant, I delegated to her the ability to pay my AMEX. If people are commonly sharing credentials, it’s a sign that IT or the business doesn’t have its shit together, just like most random Visa/MasterCard issuing banks don’t with respect to delegation of access.
“We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
So if they didn't know about delegated access, what else do they not know about?
It's great that email and Sharepoint has this feature, but what happens when anonymous contractor #028345 is building something and doesn't know how to write delegated access securely into their program? What happens when this contractor solution becomes critical to MP daily work? That's going to make them roll back to credential sharing.
And to turn the viewpoint around, what if you are an IT guy/gal who didn't know about this? Does it mean you should be summarily fired because not being able to offer delegated access as a solution? And because you couldn't offer that solution, MPs ended up sharing creds as a result.
Do politicians deserve the absolute best IT people the world has to offer to minimize the chance of not knowing something or doing something insecurely? If so, why are all of us not immediately tearing down all political IT infrastructure that isn't secure because ultimately this is the security of the country you and your family live in!
Honestly, these replies feel completely unhelfpul. This is exactly how MPs offices have always worked, staff open and respond to letters with little oversight. Now they do the same with email.
Yes, in 2017 we can do a lot better and use delegated access, but adoption of those features doesn't happen overnight. Delegation of access was probably not even a thing when Dorries was first elected?
So the question really is: who is responsible for ensuring that MPs are up to speed with new security measures? Why aren't they dealing with this?
I think we should be lobbying MPs to ensure that they have the support they need to keep up to speed with best security practice, not vilifying them for trying to muddle through the best they can. It sounds like a recipe for disaster to try and get them all to do it themselves.
---
On a tangential note:
> It's alarming to read that Nadine believes criticism of her approach is due to her gender because if ever there was a construct that's entirely gender-unbiased, it's access controls! Giving other people your credentials in a situation such as hers is a bad idea regardless of gender, race, sexuality and any other personal attribute someone may feel discriminated by.
Completely misses the point. Of course security is gender-unbiased, but that doesn't mean she isn't getting a harder time of it simply because she is female. Such bias happens a lot.
To be honest, I think the actual truth is that the papers enjoy reporting on whatever Nadine Dorries says. So yeah, I don't doubt that another MP would have received less flak for saying the same thing, simply because it wouldn't have been reported as widely.
(That doesn't mean we shouldn't talk about security issues, but don't discount the abuse women get just because you happen to disagree with them on a particular point.)
This is exactly how MPs offices have always worked, staff
open and respond to letters with little oversight. Now they
do the same with email.
This isn't just the email password, nor is it just the password to the "letters from the public" email. The original offense was "downloading porn on a work computer", indicating that this is the core network account, AD or LDAP. And that means that it's granting access to everything, every email and every file. These interns don't need access to every email she sends to another MP. These interns don't need access to the drafts of upcoming legislation. These interns don't need to know what kind of cat pictures she likes. What do you want to bet that the whole "Using personal email for official communications" fiasco over here started when someone said "I need an email that the interns can't read and they won't give me two user accounts"?
> What do you want to bet that the whole "Using personal email for official communications" fiasco over here started when someone said "I need an email that the interns can't read and they won't give me two user accounts"?
Possible, but I also guess the reason was along the likes of "I want to be able to send and receive 100MB powerpoint slide decks, but central IT has a 5MB cap"... this one is something I regularly hit with clients back in ye olde freelance time. Record low was a client with 1MB attachment cap and 100MB of quota.
IT is directly responsible for a lot of those things. In some places, it seems like IT departments try to make their own lives easier by ensuring the infrastructure is so ridiculously constrained that nobody wants to use it (no users = no things broken by users that need fixing!). Users instead will make due in creative ways, which make organizations vulnerable (and people unhappy).
Fair enough. Allow me to rephrase, then, since the choice of refutation is enough to support my argument and I don't need to bring the validity of the accusation into it:
The refutation alone, that nobody would know who had downloaded porn even if it had happened, implies that this is a shared network account and it was being used to log in to desktop sessions.
> These interns don't need access to every email she sends to another MP
How do you know this? The Members themselves are best placed to determine the type and scope of this. Not all MPs will share and delegate, and not all interns will have such facilities extended to them.
The prescribed way is to have staff undergo vetting, then be assigned network privileges (with whichever delegated rights are specified). But this is the real world, where we know that trusted individuals in teams share credentials.
None of this precludes MPs (at least, those not on Government payroll) from setting up and using third-party accounts for their sole use - which is exactly what MPs do.
This is also an issue in the medical field. e-prescribe lets doctors order medications directly from the EHR, including—in some states—controlled substances. The software ensures it's the doctor by requiring the password to be entered. The doctor gets tired of typing the same password 50 times a day—compounded by a login sequence that is not most user-friendly—and the result is that the staff enters the order on behalf of the doctor.
(I should note this is being improved, with more and more doctors getting comfortable with documenting things themselves and therefore being logged when they need to order something.)
This is just to say that usability / UX is a very important component to security, or insecure workarounds flourish. As software makers, we need to make it easiest for the user to do the right thing from a security perspective, not just merely possible.
> The doctor gets tired of typing the same password 50 times a day
Hmmm, I wonder if some of those "is it still you?" tests could be avoided if certain actions could be deferred and batched up. Then approving or committing them would be one extra auth check.
He mentions but does not address one of the main problems: sharing passwords is actually ADVANTAGEOUS to the politicians because it provides plausible deniability. Troy says "this is exactly the problem" (which is true), but provides no proposed recourse.
Looking at other industries, the problem goes away when people are held responsible for activities performed under their credentials even if they DID share them to other users. But it is particularly difficult in politics to hold people accountable for their actions.
I don't think that Troy Hunt can reasonably be expected to address the issue of "plausible deniability". He points out that is an issue, I believe it's on the organization (in this case parliament) to find a solution.
Personally, I'm all for the position that if you shared your password with someone then you are wholly and completely responsible for their actions. That is, the porn downloaded with your account is your porn, regardless of who actually was using your login to view porn.
Of course it's bad security practice. Nobody cares about the security implications. It's a necessary functionality and productivity hack.
Managing access to resources is almost always a joke. Most systems do not give you ACLs to manage access to an account. When they do, the functionality is locked down to admins. When that isn't the case, the user interface is invisible or totally unintuitive.
Basically, if the option is A) spend six months and half a million dollars to upgrade everything and train people, or B) only allow one person to check a single account, or C) share passwords, the choice is simple.
Does Twitter support credential delegation? How about Facebook? Reddit? Instagram? Medium? Other random CMSes the MP might push content to, for op eds, newsletters, etc?
All these systems start with the assumption that the "author" is a single account. Delegation is an edge-case they may or may not support, and they might all support it differently.
Using a single PC, you don't have to use any of the special-case logic. You're back on the happy path: you do everything the same way you always do, and it all just works. There's also a lock on the resource: if someone else is at the PC, you can't be making conflicting responses to the same correspondence.
>Does Twitter support credential delegation? How about Facebook? Reddit? Instagram? Medium? Other random CMSes the MP might push content to, for op eds, newsletters, etc?
Yes, you can find this special delegation by looking up the specific OAuth API. OAuth access usually limits what the other can do, some providers give you access to logs and you can limit and review scopes on each access token.
This isn't delegation of access to other people, this is delegation of identity to applications. Someone with your API token is still you -- just with restricted permissions.
Until one can go into their Twitter account and create completely separate sub-accounts below their own with different emails and passwords people are going to share credentials.
You can delegate to applications which other people are using, I don't see why that should be a problem. Plus an API token is more trackable than just sharing your password.
Tweetdeck is, sorry, crap. At least compared to the web site or the apps. Both in UX and functionality terms.
To make it worse the official Twitter Android/iphone app does not allow delegation at all, and third-party clients can't access lots of the API (media in DMs, polls, all the analytics stuff which is really relevant for e.g. agencies).
In some cases this sharing of passwords has turned out to be rather convenient. Like when you get accused because logs show that you did something wrong, you have this "Oh, I don't recall doing that - must have been one of the 15 people who regularly access the systems with my credentials" defense. We had at least one case where police officer played this card after being accused of checking records he had no legitimate reason to check.
Especially when facing criminal charges (or public scrutiny), this kind of tricks can actually work. Especially if you manage to show that this was widespread in organization and management has not taken steps to stop this bad practice.
> Especially when facing criminal charges (or public scrutiny), this kind of tricks can actually work.
Alternative: the trick might be using someone else’s credentials because you know they, not you, will take the blame.
Without knowledge of the real behaviour of espionage and interfering with foreign governments/other political parties in your own nation/police officers who never take bribes, I would presume there are people who get themselves hired by their opponents specifically to undermine them in this way.
Can you imagine how few people would believe a politician protesting their innocence if it was discovered that someone has used that politician’s email account to chat with a 9-year old? Especially if the person sending the emails claimed to be that politician (bonus points if the politician shares their phone as well as their password, they might have selfies nobody else has seen)? When the 9-year old could never be found (because they never really existed, but again imagine how that will go down as an excuse)?
Those tweets are absolutely terrifying. Not because the persons are practicing bad security, but because they don't understand why it's bad. I work with plenty of people who reuse passwords/have weak passwords, but they acknowledge that it's just because they are too lazy to do the right thing. That's scary. What's scarier is when people in positions where they are responsible for creating policies that impact security, encryption, privacy are fundamentally blind to why you'd even want security, traceability, and privacy.
I very much appreciate Troys approach to criticism. It gives the other party a fair rebuke but also treats them as the fallible humans they are. People make mistakes, and I feel like out society should be a little more lenient sometimes, especially on issues which can be corrected, like this one.
Granted there are definitely times when a person really ought to have known better ahead of time.
In any case I wish we could see more leadership of this nature.
I think this tweet captures my sentiment about the situation pretty well:
> I don't blame her, I blame the I.T dept for not managing this risk adequately. It isn't up to her to have to defend this. She has a valid business need and I.t needs to meet this need and be secure also. I. T is the group that should be explaining themselves, not her
If it were an isolated individual incident then going against the user might be reasonable but in this case sharing passwords seems to be common usage pattern, and imho their IT dept should have certain degree of awareness about what their users are doing and working to proactively correct bad practices. And no, its not enough just to push new versions of software that has some helpful new features; you need also to get your users to use them, which won't happen by itself.
In particular the response of the IT dept (I guess?) seems bit tone deaf:
> We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.
It contains a implication of punishment ("making enquiries to authorities"), and does in no way acknowledge the needs why the users are sharing passwords. A better response would have been something like
"We’re aware of reports that MPs share logins and passwords and are working to improve to systems so that it can be avoided in future. If you have been sharing logins, please contact us so that we can work together to make sure your needs are covered. In the meanwhile, here are some useful tools that can help you [link to delegation and collaboration docs]"
In the defense of IT everywhere, I once was a "sole" IT department at a reasonable size non-profit. I tried hard to force security but if the top of the org chart refuses, there isn't much you can do but just keep trying. A lot of the office even knew the CEO's password which he used for everything.
Google Apps had a nice feature at the time that lets you see the strength of your users' passwords. If you sorted it from weakest to strongest, you literally had our org chart. Talking to other people who work with security, this doesn't seem to be all that uncommon.
I liked the linked document from the NCSC. They give practical advice on password expiry which I would love to adhere to...were I not having to follow PCIDSS that mandates that we set expiry to 90 days and has length and conplexity requirements. PCIDSS is a bad standard
There's the concept of "plausible deniability", which we see on display nearly everyday by a certain member of the US federal government.
Indeed, it happened very recently over the weekend, when his lawyer claimed it was he who was tweeting, not his boss!
Furthermore, we've seen this regularly from his twitter account: Sometimes the tweets will be word salad only slightly more intelligible than "covfefe", other times they'll be much more intelligible (though not necessarily intelligent).
Which has always led me to wonder: Who is actually tweeting?
Is it the person we ostensibly voted for? Or someone completely different?
Because to me, when a person's words high in government are supposed to be their words, they have a inherent responsibility to them. If someone else is using their account to blurt out ideas which could have world changing repercussions, and that someone isn't the person the electorate chose to represent them, then we don't have a true representative government system any longer. At that point, we might as well not have elections any longer, because the people we are trusting to govern aren't doing their damn job. In fact, they are abdicating that responsibility, and one should think that such an act would be subject to sanctions, up to and including being treated as a treasonous act.
This goes well beyond "plausible deniability", in my opinion. In the case of national government, it is something that can easily lead to war, due to misunderstanding or just malfeasance on the part of bad actors. That this is being seen as normal, that "everyone else is doing it", in any other time would have the populace at their doorsteps with pitchforks and torches, demanding change.
The fact that this isn't happening, despite everything we has seen, continue to see, and will see in the future, is both maddening and disheartening.
We are in dangerous times. This may sound like hyperbole, but it isn't. I'm not the only one who thinks or believes this. Many are attempting to scream it from the rooftops, but are derided as being overly dramatic, or crazy, or any number of other epithets. Others continue with the whole "let's way and see, 2018 will be the year, or 2020 - things will change".
I fear that we don't have long to stop this madness if something isn't done soon.
67 comments
[ 4.7 ms ] story [ 127 ms ] threadIf your not very technical, and your intern needs to respond to your emails, schedule your calendar, and handle other tasks I'd be surprised if most don't just fork over their login details rather than go and ask Jerry in IT to make an account with all these special permissions for an Intern or staffer that'll be gone in a few months to a year.
It might be a common thing to do, but this matter needs at a minimum a reiteration of the rules and better documentation of the correct alternatives, and probably also a certain amount of punitive measures.
In my experience, 2factorA with cell phones also prevents executives from sharing passwords. They won´t leave their phone behind. However biometrics is faster to use and easier to understand for most people. 2FA can be socially engineered by calling the politican/exec and asking for the code they just got "for support". That won´t fly with a fingerprint.
For most people, a computer is a means to an end. If it doesn't accomplish that task, the computer belongs in the trash.
No longer. You may be pleased to learn that there is new technology that is better than that. Google "liveness detection" to learn more.
> For most people, a computer is a means to an end. If it doesn't accomplish that task, the computer belongs in the trash.
If I interpret your hyperbole nicely, you mean that security which is difficult to use will upset users. Indeed this is so, therefore security needs to be implemented in such a way that it is easy to use in a secure fashion. apple touchID is a good real-life example of which you may be aware. Enforcing complex text passwords which must be changed every N days is a counter-example which does not achieve the desired effect and also upsets users. Biometrics are, when implemented well, very easy to use and far more secure than text passwords. Therefore they should be considered, before "throwing the computer in the dumpster", as you said.
The easier you make things, the more apt people are to properly securing their systems. Saying they didn't follow policy, while true, is ignoring the root cause of why the policy wasn't followed.
Your organisation has a problem which could lead to financial or reputation loss. Is management aware?
At a company I worked at 10+ years ago the IT Dept had a generic VPN username/password that they gave out like candy to use if you needed to VPN in and your account was in the process of being setup. It wasn't like this practice was a secret either. I don't know why it took more than a few minutes (?) to setup VPN access.
I recently learned a relative, who works at a law practice, shares her login. But, like the MP, there is a business need. In this case, some piece of software that isn't "in the cloud" - it's a local installation. If she's out of the office, somebody has to run the software. It didn't occur to her, or anybody else at the office, that other employees can likely access the software on that PC with their own logins (they never tried). It never occurred to them to request assistance from the software vendor. Sharing credentials was the obvious (and easy) solution.
It's a small-town office, average age of employee is probably well north of 50. I probably shouldn't have been surprised, but I was.
Do MP's even have an IT department? I thought they were responsible for their own offices, and on quite a tight budget.
"Have these people never heard of delegation permission?"
You know what, probably not. Nor have I, and I'm a dev, though I don't use exchange, and of course I do understand the concept.
"But we do need to call out credential sharing in this fashion for what it is and it's precisely what I highlighted in that original tweet - lack of education."
The actual problem here is that security is just too hard for users, the implementations are too complex or onerous, and even perhaps undesirable to them if the intent is just to "track them, make them accountable (in reality, blame them when things go wrong)", etc.
I run an SMB and as such, have a personal access to manage the company's account on the French govt taxes website.
My accounting firm does this for me. The govt website has this perfectly covered, with delegation and dedicated roles for accountants, other company officials, etc.
Yet when we first set this up the first thing my accountant told me was: just give me your credentials so I can log in as you. I said no, I don't think so. Instead, tell me your account # so that I can authorize it on my account. And he said "I don't even have an account. I do this with all my other clients".
In the end he set up his own account and we did it the right way, but it took time, and it was absolutely not obvious to him that sharing personal "admin" login information was a very bad idea.
I don't think there's a technological solution to this problem, unless maybe if delegation can be made to happen automatically (how???) and if there are biometric sensors that make sharing login information impossible (but that would annoy people more, not help them).
E.G. I'll never giveaway my credentials again if last time that happened it caused a leak.
Lol of course there is.
1: IP alerts - new IP? email alert.
2: 2FA - should be standard, requiring a physical device to login
3: Deterrents; seems slightly fishy? You need to login to the account by proving you are the owner.
With AI it's not so difficult to detect if it's a genuine login (browser fingerprinting, UA strings, version numbers, OS versions etc).
The simplest defense is to never log the user out and only ask passwords for special things (like Github's Superuser Mode)
If these same people had the obstacle of having to add another person's phone to 2FA as well as share the password, they still wouldn't look very long at alternatives to the way they log in. There's a fundamental assumption that there's a way to log in, and other people just have to do that. Very hard to help them realize that everyone should authenticate as individuals, and you can authorize individuals to access the group's resources.
I always think about people who say that verification keys in emails is the route to go[0] to stop phishing/fraud attempts. It's a technological method that ensures the message is sent from a specific source, but that doesn't mean that the user will always verify the key.
We've had the technology to stop most commonplace security issues for a while. We've almost always been lacking in culture.
[0]: https://news.ycombinator.com/item?id=14219272
You can of course set up a new secret & share it with multiple phones at that point. Not sure there’s much you can do to stop that using a software 2FA implementation. If it really matters, then a hardware token is the way to go.
If you can take a photo of the code & re-use it, then you can initialise multiple phones with the same secret.
IT security practices would get better very fast if that was the case.
* If you think your account was hacked then report it and it can be checked.
From a security point of view, An elected official isn’t some clerk. If she decides to delegate duties to her staff, that’s her decision and responsibility.
I’ve had this argument with people before. IT dogma like this makes life more efficient. In the paper world, guess what? Mail was opened by staff. Time sheets were completed by secretaries. Staff were delegated authority to sign off on stuff up to a threshold. When I started working in IT, my director had a protocol where his secretary could sign off on certain transactions up to a high dollar figure without his presence. Problems weren’t very common.
An IT credential isn’t sacrosanct, and for the 90th percentile executive, there’s no reason to not allow this type of behavior where delegation isn’t possible.
I always thought it was funny when Apple did enterprise briefings, one of their success stories was how a major company wrote an iOS app to allow managers to approve routine bullshit. The quote from some SVP at the client was something like “This app took 3 hours off my workday, and I can eat dinner with my kids.” That’s the ultimate illustration of stupid security culture and the micromanagement it brings along for the ride.
If enough companies had that workflow (like the director/secretary one you mention).
This is the issue--delegation absolutely is possible in the use cases brought up by MPs and by bystanders. There's not really an excuse when email accounts can be set to auto-forward, and when email delegation accounts exist. Granted, the IT staff should have solved the problem by going to the MP and explaining that email delegation exists, but that's still not an excuse for the MPs to repeatedly break the law.
In this case we're talking about pornography and, apparently, rather pedestrian pornography at that. I have no doubt that this will end with people chuckling at each other and that will be the end of it.
Should someone mail out state secrets with these credentials the tone of these stories will be very different. This attitude of "sharing credentials makes my job easier" will meet with far less indulgent attitudes. Heads may very well roll and making it more difficult to pinpoint an individual will not be so easily tolerated.
Bottom line, sharing the credentials represents very real risk. Perhaps members of parliament do nothing of consequence with their email and that is why this has been allowed to go on for so long.
Any competent organization in government protects state secrets with a multi-factor credential that’s protects against reuse, some sort of network isolation, and serious criminal penalties for violation of those rules.
Outside of the enterprise, people do this all of the time with limited powers of attorney and other mechanisms. When I had an assistant, I delegated to her the ability to pay my AMEX. If people are commonly sharing credentials, it’s a sign that IT or the business doesn’t have its shit together, just like most random Visa/MasterCard issuing banks don’t with respect to delegation of access.
“We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
It's great that email and Sharepoint has this feature, but what happens when anonymous contractor #028345 is building something and doesn't know how to write delegated access securely into their program? What happens when this contractor solution becomes critical to MP daily work? That's going to make them roll back to credential sharing.
And to turn the viewpoint around, what if you are an IT guy/gal who didn't know about this? Does it mean you should be summarily fired because not being able to offer delegated access as a solution? And because you couldn't offer that solution, MPs ended up sharing creds as a result.
Do politicians deserve the absolute best IT people the world has to offer to minimize the chance of not knowing something or doing something insecurely? If so, why are all of us not immediately tearing down all political IT infrastructure that isn't secure because ultimately this is the security of the country you and your family live in!
Yes, in 2017 we can do a lot better and use delegated access, but adoption of those features doesn't happen overnight. Delegation of access was probably not even a thing when Dorries was first elected?
So the question really is: who is responsible for ensuring that MPs are up to speed with new security measures? Why aren't they dealing with this?
I think we should be lobbying MPs to ensure that they have the support they need to keep up to speed with best security practice, not vilifying them for trying to muddle through the best they can. It sounds like a recipe for disaster to try and get them all to do it themselves.
---
On a tangential note:
> It's alarming to read that Nadine believes criticism of her approach is due to her gender because if ever there was a construct that's entirely gender-unbiased, it's access controls! Giving other people your credentials in a situation such as hers is a bad idea regardless of gender, race, sexuality and any other personal attribute someone may feel discriminated by.
Completely misses the point. Of course security is gender-unbiased, but that doesn't mean she isn't getting a harder time of it simply because she is female. Such bias happens a lot.
To be honest, I think the actual truth is that the papers enjoy reporting on whatever Nadine Dorries says. So yeah, I don't doubt that another MP would have received less flak for saying the same thing, simply because it wouldn't have been reported as widely.
(That doesn't mean we shouldn't talk about security issues, but don't discount the abuse women get just because you happen to disagree with them on a particular point.)
Possible, but I also guess the reason was along the likes of "I want to be able to send and receive 100MB powerpoint slide decks, but central IT has a 5MB cap"... this one is something I regularly hit with clients back in ye olde freelance time. Record low was a client with 1MB attachment cap and 100MB of quota.
There wasn't an original offence, there has been an allegation which has been strongly denied.
The refutation alone, that nobody would know who had downloaded porn even if it had happened, implies that this is a shared network account and it was being used to log in to desktop sessions.
How do you know this? The Members themselves are best placed to determine the type and scope of this. Not all MPs will share and delegate, and not all interns will have such facilities extended to them.
The prescribed way is to have staff undergo vetting, then be assigned network privileges (with whichever delegated rights are specified). But this is the real world, where we know that trusted individuals in teams share credentials.
None of this precludes MPs (at least, those not on Government payroll) from setting up and using third-party accounts for their sole use - which is exactly what MPs do.
(I should note this is being improved, with more and more doctors getting comfortable with documenting things themselves and therefore being logged when they need to order something.)
This is just to say that usability / UX is a very important component to security, or insecure workarounds flourish. As software makers, we need to make it easiest for the user to do the right thing from a security perspective, not just merely possible.
[0]https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pra...
Hmmm, I wonder if some of those "is it still you?" tests could be avoided if certain actions could be deferred and batched up. Then approving or committing them would be one extra auth check.
Looking at other industries, the problem goes away when people are held responsible for activities performed under their credentials even if they DID share them to other users. But it is particularly difficult in politics to hold people accountable for their actions.
Personally, I'm all for the position that if you shared your password with someone then you are wholly and completely responsible for their actions. That is, the porn downloaded with your account is your porn, regardless of who actually was using your login to view porn.
Managing access to resources is almost always a joke. Most systems do not give you ACLs to manage access to an account. When they do, the functionality is locked down to admins. When that isn't the case, the user interface is invisible or totally unintuitive.
Basically, if the option is A) spend six months and half a million dollars to upgrade everything and train people, or B) only allow one person to check a single account, or C) share passwords, the choice is simple.
Assuming he's innocent for a moment, I'm going to bet Damian Green cares...
All these systems start with the assumption that the "author" is a single account. Delegation is an edge-case they may or may not support, and they might all support it differently.
Using a single PC, you don't have to use any of the special-case logic. You're back on the happy path: you do everything the same way you always do, and it all just works. There's also a lock on the resource: if someone else is at the PC, you can't be making conflicting responses to the same correspondence.
Yes, you can find this special delegation by looking up the specific OAuth API. OAuth access usually limits what the other can do, some providers give you access to logs and you can limit and review scopes on each access token.
Until one can go into their Twitter account and create completely separate sub-accounts below their own with different emails and passwords people are going to share credentials.
It would be an improvement over current.
Tweetdeck is, sorry, crap. At least compared to the web site or the apps. Both in UX and functionality terms.
To make it worse the official Twitter Android/iphone app does not allow delegation at all, and third-party clients can't access lots of the API (media in DMs, polls, all the analytics stuff which is really relevant for e.g. agencies).
Especially when facing criminal charges (or public scrutiny), this kind of tricks can actually work. Especially if you manage to show that this was widespread in organization and management has not taken steps to stop this bad practice.
Alternative: the trick might be using someone else’s credentials because you know they, not you, will take the blame.
Without knowledge of the real behaviour of espionage and interfering with foreign governments/other political parties in your own nation/police officers who never take bribes, I would presume there are people who get themselves hired by their opponents specifically to undermine them in this way.
Can you imagine how few people would believe a politician protesting their innocence if it was discovered that someone has used that politician’s email account to chat with a 9-year old? Especially if the person sending the emails claimed to be that politician (bonus points if the politician shares their phone as well as their password, they might have selfies nobody else has seen)? When the 9-year old could never be found (because they never really existed, but again imagine how that will go down as an excuse)?
Granted there are definitely times when a person really ought to have known better ahead of time.
In any case I wish we could see more leadership of this nature.
> I don't blame her, I blame the I.T dept for not managing this risk adequately. It isn't up to her to have to defend this. She has a valid business need and I.t needs to meet this need and be secure also. I. T is the group that should be explaining themselves, not her
If it were an isolated individual incident then going against the user might be reasonable but in this case sharing passwords seems to be common usage pattern, and imho their IT dept should have certain degree of awareness about what their users are doing and working to proactively correct bad practices. And no, its not enough just to push new versions of software that has some helpful new features; you need also to get your users to use them, which won't happen by itself.
In particular the response of the IT dept (I guess?) seems bit tone deaf:
> We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.
It contains a implication of punishment ("making enquiries to authorities"), and does in no way acknowledge the needs why the users are sharing passwords. A better response would have been something like
"We’re aware of reports that MPs share logins and passwords and are working to improve to systems so that it can be avoided in future. If you have been sharing logins, please contact us so that we can work together to make sure your needs are covered. In the meanwhile, here are some useful tools that can help you [link to delegation and collaboration docs]"
Google Apps had a nice feature at the time that lets you see the strength of your users' passwords. If you sorted it from weakest to strongest, you literally had our org chart. Talking to other people who work with security, this doesn't seem to be all that uncommon.
Indeed, it happened very recently over the weekend, when his lawyer claimed it was he who was tweeting, not his boss!
Furthermore, we've seen this regularly from his twitter account: Sometimes the tweets will be word salad only slightly more intelligible than "covfefe", other times they'll be much more intelligible (though not necessarily intelligent).
Which has always led me to wonder: Who is actually tweeting?
Is it the person we ostensibly voted for? Or someone completely different?
Because to me, when a person's words high in government are supposed to be their words, they have a inherent responsibility to them. If someone else is using their account to blurt out ideas which could have world changing repercussions, and that someone isn't the person the electorate chose to represent them, then we don't have a true representative government system any longer. At that point, we might as well not have elections any longer, because the people we are trusting to govern aren't doing their damn job. In fact, they are abdicating that responsibility, and one should think that such an act would be subject to sanctions, up to and including being treated as a treasonous act.
This goes well beyond "plausible deniability", in my opinion. In the case of national government, it is something that can easily lead to war, due to misunderstanding or just malfeasance on the part of bad actors. That this is being seen as normal, that "everyone else is doing it", in any other time would have the populace at their doorsteps with pitchforks and torches, demanding change.
The fact that this isn't happening, despite everything we has seen, continue to see, and will see in the future, is both maddening and disheartening.
We are in dangerous times. This may sound like hyperbole, but it isn't. I'm not the only one who thinks or believes this. Many are attempting to scream it from the rooftops, but are derided as being overly dramatic, or crazy, or any number of other epithets. Others continue with the whole "let's way and see, 2018 will be the year, or 2020 - things will change".
I fear that we don't have long to stop this madness if something isn't done soon.