The lax computer security of British MPs – as detailed in their own tweets

Graham Cluley


Kudos to Nadine Dorries, the British MP for Mid-Bedfordshire, who has bravely exposed the appalling computer security practices that she and her fellow politicians have in place.

Now, to be fair, Nadine probably thought she was simply supporting First Secretary of State Damian Green after revelations by a retired detective that thousands of legal pornographic images were found on his Dell PC at Portcullis House in 2008.

Damian Green, who is deputy to British Prime Minister Theresa May (not to be confused with British glamour model Teresa May), says he has never watched or downloaded porn on the computer.

And Nadine Dorries attempted to support her colleague by explaining that she allowed her staff and interns to log into her computer with her password “everyday”.

When security-minded folks on Twitter began to criticise Nadine’s cavalier attitude to security (particularly pertinent in light of recent targeted computer attacks on Westminster) some of her colleagues jumped to *her* defence.

Maybe someone might like to tell Nick Boles, the right honourable member for Grantham, that he is being needlessly reckless. The first rule of passwords is that you don’t share them.

As we have explained many times in the past, the solution to not being able to remember complicated, unique passwords is to use a password manager.

Maybe next time Nadine Dorries shouts “What’s the password?” across her office floor, she might want to remember that too.

Meanwhile, Will Quince, MP for Colchester, freely admits that he leaves his computer unlocked:

It would perhaps be churlish to suggest that Will Quince is preparing his alibi should porn ever be found on his PC.

And, if Nadine Dorries is to be believed, Damian Green is not the only MP who may have to face awkward questions about porn being found on their PC. No, because over the weekend Nadine claimed that *every* single MP’s PC (including hers, presumably) has been used to access porn.

Wow. That’s quite a claim. With all that porn swirling around parliamentary systems is it any wonder that the Brexit negotiations are proving to be quite a challenge?

I guess the beauty of letting any member of your staff access your computer with none of that password hassle is that they can easily peruse your porn if they need to in a hurry.

Nadine Dorries, meanwhile, is under the misapprehension that she simply isn’t interesting enough to be hacked.

Oh dear… She’s wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they’d probably ignore the porn). It’s not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.

And what worries me from the above tweets is that Nadine Dorries doesn’t seem to be an isolated case. And it should worry you too if you’re a constituent of an MP who has adopted similarly lax IT security measures.

And it should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #056: 'Peeping Toms, prison hacks, and parliamentary passwords'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

17 Replies to “The lax computer security of British MPs – as detailed in their own tweets”

  1. Here’s a more comprehensive article citing Parliamentary codes of practice, and how they were breached by password sharing, and tweets from other MPs.

    https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/

  2. It's even worse than that – Dorries used to be director of BUPA, the medical insurance company. So you would hope that she knew a thing or two about computer security.

  3. Am I being cynical here – but a stream of MPs lining up to say, in public, that other people have access to their computers, sounds like they are preparing a line of defence for when someone leaks information on what is on their computer (and shouldn’t be).

    No sane person would admit to being that stupid, unless they were trying to hide a bigger problem…

  4. Wow! And these are the ones who say that the likes of the public shouldn't be allowed to use strong encryption.

    Good to see that the Cabinet Office and Home Office spending on Cyber Streetwise has been such a resounding success in Westminster.

    So far as many employers are concerned, possession of pornography on a work-provided computer is case for a disciplinary action up to and including dismissal. Or don't these sort of rules apply to MPs and their staff?

  5. Graham Cluley said:-
    "Oh dear… She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the pawn)."

    pawn
    noun
    a chess piece of the smallest size and value, that moves one square forwards along its file if unobstructed (or two on the first move), or one square diagonally forwards when making a capture. Each player begins with eight pawns on the second rank, and can promote a pawn to become any other piece (typically a queen) if it reaches the opponent's end of the board.

    a person used by others for their own purposes.

    Or did you really mean that Graham? in which case I'm laughing out loud :)

    John

    1. Oh my. I spelt it as "pawn" rather than "porn".

      What is *wrong* with me?

      As only those who listen to the podcast will know, I'm rather obsessed with chess. In fact, Mrs Cluley has said that she doesn't have to worry about me doing naughty things on the internet as whenever she catches me watching videos in the dead of the night it's almost always one of the chess tournaments on YouTube…

      1. I spotted it too but thought it was intentional; i.e. the MP is somewhat inconsequential (i.e. a pawn) in the grand scheme of things.

        All being said I don't believe that a password manager is the solution here. I agree with Troy Hunt: proper access delegation is what's needed.

        1. My comment about the need for a password manager was directed at Nick Boles MP who says he can't ever remember what his password is.

          I agree that delegation is the correct approach if you need more than one person to access your email.

          And I apologise again for always having pawn on the brain.

  6. What's scarier is that she's actually registered with the ICO as a Data Controller https://ico.org.uk/ESDWebPages/Entry/Z1716668 yet she then admits to using bad infosec security practices. Worse still, she considers that the information she processes has little value as she is not in government. Given the types of data mentioned in the Data Controller registration, I would certainly beg to differ.

  7. Here in Denmark we had a case where sensitive information from a police database was leaked to the press. An investigation revealed that too much security was to blame… read on for an explanation.

    The security was high. Only one or maybe two senior people had access to any kind of sensitive information, but in the course of the daily work other aspects of this information were needed by other officers. As the senior people often were away at meetings or tasks, and their access to information was needed on a daily basis, a culture of logging in early and staying logged in all day developed. The terminal was located near the service counter at most police stations and thus not only everybody working there (officers, office staff etc.) but also visitors coming in from the street, had access. It was left completely unlocked all day and had full access. The blame for the leak was never placed (could be anybody) but security procedures were updated and now everybody with terminal access has access to the sensitive information but it is logged exactly who searches for what and when, and idle users are logged out quickly.

  8. None of this is a surprise for anyone that has worked in IT support at local gov or in private business with regulatory obligations and responsibilities. I've seen horrendous practices not just instigated but encouraged with the sole purpose of covering up the fact that staff are clueless (including manager level and beyond). Rather than acknowledge that training or hiring of competent people is required, it seems preferred to cover that fact up with crazy breaches of common sense like this. I have tried to be part of the solution – called it out, suggested / designed secure alternatives but you hear the same rejections – 'too difficult', 'too slow', or, my favourite – 'stop being a negative person'. It'll never change until the quality of staff does.
