The Guardian writes:
Hackers have mounted a “brute force” cyber-attack on the Scottish parliament’s computer systems, weeks after a similar attack on email accounts at Westminster.
MSPs and Holyrood staff were warned on Tuesday that hackers were attempting to access numerous email accounts by systematically and repeatedly trying to crack their passwords.
Holyrood officials said they were not aware of any compromised email accounts, but staff and MSPs were warned the attack could mean some people were locked out of their accounts.
An internal Holyrood bulletin seen by The Guardian says that IT systems remain operational, but that too many members were using weak passwords.
A similar attack targeted the accounts of MPs based in Westminster back in June. That incident, which some claimed might be state-sponsored, saw weakly-protected email accounts belonging to MPs and peers breached.
The precise number of hacked email accounts was never made public following the Westminster attack, but a statement from the House of Commons press office said that “significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised.”
In both these cases it appears that the attackers are attempting to “brute force” their way into accounts. Such attacks are not sophisticated: they simply fling a large number of possible passwords one by one at a login page in the hope that sooner or later one might give them access to the account.
Databases of millions of common passwords and dictionary words for use in a brute force attack are freely available, but that does not mean it should be hard for email systems to detect that someone is attempting to force their way in.
Email systems and websites can often frustrate brute force attacks by limiting the number of incorrect logins, blocking IP addresses, or displaying CAPTCHAs. Rate-limiting logins and requiring two-step verification are pretty much essential these days – if you’re not doing that, you’re effectively encouraging brute force attackers to try their luck.
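As an added example (not code from the original post or from The Guardian's report), here is a small sliding-window failed-login limiter in Python, replayed over constructed sample log lines; the log format, IP addresses and usernames are assumptions. Keying the limit on the source address rather than the account means one source spraying a few guesses across many mailboxes is cut off, while a user who mistypes a password twice is not locked out of their own account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log (not from the page): one source address sprays
# guesses across several mailboxes; one legitimate user mistypes twice.
SAMPLE_LOG = """\
2017-08-15T09:00:01Z FAIL user=msp.alpha src=203.0.113.5
2017-08-15T09:00:02Z FAIL user=msp.alpha src=203.0.113.5
2017-08-15T09:00:03Z FAIL user=msp.alpha src=203.0.113.5
2017-08-15T09:00:04Z FAIL user=msp.beta src=203.0.113.5
2017-08-15T09:00:05Z FAIL user=msp.beta src=203.0.113.5
2017-08-15T09:00:06Z FAIL user=msp.beta src=203.0.113.5
2017-08-15T09:00:10Z FAIL user=staff.gamma src=198.51.100.7
2017-08-15T09:00:40Z FAIL user=staff.gamma src=198.51.100.7
2017-08-15T09:00:50Z OK   user=staff.gamma src=198.51.100.7
2017-08-15T09:20:00Z FAIL user=msp.alpha src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

class FailedLoginLimiter:
    """Per-source sliding window: after `threshold` failures within `window`
    seconds, further attempts from that source are rejected until the old
    failures age out of the window."""
    def __init__(self, threshold=5, window=600):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def check(self, src, ts):
        q = self.failures[src]
        while q and ts - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return len(q) < self.threshold

    def record_failure(self, src, ts):
        self.failures[src].append(ts)

def replay(log_text, threshold=5, window=600):
    """Replay log lines through the limiter; return (blocked sources, blocked line numbers)."""
    limiter = FailedLoginLimiter(threshold, window)
    blocked_sources, blocked_lines = set(), []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        if not limiter.check(src, ts):          # rejected before the password is even checked
            blocked_sources.add(src)
            blocked_lines.append(n)
            continue
        if outcome == "FAIL":
            limiter.record_failure(src, ts)
    return blocked_sources, blocked_lines
```

An attacker who spreads guesses across many source addresses will stay under a per-source limit, which is why the post pairs rate-limiting with two-step verification rather than relying on either alone.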
Here is my advice for all users (not just politicians) when it comes to securing their email accounts:
- Use a unique, hard-to-crack, complicated password to access your email account. Using an easy-to-guess password, or using the same password on different sites is a recipe for disaster.
- Enable two-factor authentication (or two-step verification) to better defend your account, making it harder for a criminal to break in even if they do manage to determine your password. If it’s good enough for the cast of Game of Thrones it should be good enough for you.
- Exercise caution over opening unsolicited email attachments, or entering login credentials without being certain that you are on a legitimate site.
- Listen to our “Smashing Security” podcast about securing webmail, where we describe numerous tips that can be used to better defend your email account from hackers.
For further discussion on the attack on Scottish MPs, make sure to listen to this episode of the “Smashing Security” podcast: