The lax computer security of British MPs - as detailed in their own tweets

Shared passwords, unlocked PCs, porn everywhere.

Kudos to Nadine Dorries, the British MP for Mid-Bedfordshire, who has bravely exposed the appalling computer security practices that she and her fellow politicians have in place.

Now, to be fair, Nadine probably thought she was simply supporting First Secretary of State Damian Green after revelations by a retired detective that thousands of legal pornographic images were found on his Dell PC at Portcullis House in 2008.

Damian Green, who is deputy to British Prime Minister Theresa May (not to be confused with British glamour model Teresa May), says he has never watched or downloaded porn on the computer.

And Nadine Dorries attempted to support her colleague by explaining that she allowed her staff and interns to log into her computer with her password "everyday".

When security-minded folks on Twitter began to criticise Nadine's cavalier attitude to security (particularly pertinent in light of recent targeted computer attacks on Westminster) some of her colleagues jumped to *her* defence.

Maybe someone might like to tell Nick Boles, the right honourable member for Grantham, that he is being needlessly reckless. The first rule of passwords is that you don't share them.

As we have explained many times in the past, the solution to not being able to remember complicated, unique passwords is to use a password manager.

Maybe next time Nadine Dorries shouts "What's the password?" across her office floor, she might want to remember that too.

Meanwhile, Will Quince, MP for Colchester, freely admits that he leaves his computer unlocked:

It would perhaps be churlish to suggest that Will Quince is preparing his alibi should porn ever be found on his PC.

And, if Nadine Dorries is to be believed, Damian Green is not the only MP who may have to face awkward questions about porn being found on their PC. No, because over the weekend Nadine claimed that *every* single MP's PC (including hers, presumably) has been used to access porn.

Wow. That's quite a claim. With all that porn swirling around parliamentary systems is it any wonder that the Brexit negotiations are proving to be quite a challenge?

I guess the beauty of letting any member of your staff access your computer with none of that password hassle is that they can easily peruse your porn if they need to in a hurry.

Nadine Dorries, meanwhile, is under the misapprehension that she simply isn't interesting enough to be hacked.

Oh dear... She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the porn). It's not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.

And what worries me from the above tweets is that Nadine Dorries doesn't seem to be an isolated case. And it should worry you too if you're a constituent of an MP who has adopted similarly lax IT security measures.

And it should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

17 Responses

  1. Brian

    December 4, 2017 at 9:19 am #

    Is anyone surprised about *anything* these idiots do (or say!)?

  2. Bob

    December 4, 2017 at 9:23 am #

    Here's a more comprehensive article citing Parliamentary codes of practice, and how they were breached by password sharing, and tweets from other MPs.

    https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/

  3. Techno

    December 4, 2017 at 9:26 am #

    It's even worse than that – Dorries used to be director of BUPA, the medical insurance company. So you would hope that she knew a thing or to about computer security.

    • Techno in reply to Techno.

      December 4, 2017 at 9:26 am #

      *two

  4. Chris Pugson

    December 4, 2017 at 11:23 am #

    Send the OFFICIAL Teresa May off to negotiate EU trade deal.

  5. EyePeaSea

    December 4, 2017 at 2:22 pm #

    Am I being cynical here – but a stream of MPs lining up to say, in public, that other people have access to their computers, sounds like they are preparing a line of defence for when someone leaks information on what is on their computer (and shouldn’t be).

    No sane person would admit to being that stupid, unless they were trying to hide a bigger problem…

  6. Mike

    December 4, 2017 at 5:02 pm #

    Wow! And these are the ones who say that the likes of the public shouldn't be allowed to use strong encryption.

    Good to see that the Cabinet Office and Home Office spending on Cyber Streetwise has been such a resounding success in Westminster.

    So far as many employers are concerned, possession of pornography on a work-provided computer is case for a disciplinary action up to and including dismissal. Or don't these sort of rules apply to MPs and their staff?

  7. John

    December 4, 2017 at 5:35 pm #

    Graham Cluley said:-
    "Oh dear… She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the pawn)."

    pawn
    noun
    a chess piece of the smallest size and value, that moves one square forwards along its file if unobstructed (or two on the first move), or one square diagonally forwards when making a capture. Each player begins with eight pawns on the second rank, and can promote a pawn to become any other piece (typically a queen) if it reaches the opponent's end of the board.

    a person used by others for their own purposes.

    Or did you really mean that Graham? in which case I'm laughing out loud :)

    John

    • Graham Cluley in reply to John.

      December 4, 2017 at 5:43 pm #

      Oh my. I spelt it as "pawn" rather than "porn".

      What is *wrong* with me?

      As only who listens to the podcast will know, I'm rather obsessed with chess. In fact, Mrs Cluley has said that she doesn't have to worry about me doing naughty things on the internet as whenever she catches me watching videos in the dead of the night it's almost always one of the chess tournaments on YouTube…

      • Bob in reply to Graham Cluley.

        December 4, 2017 at 11:25 pm #

        I spotted it too but thought it was intentional; i.e. the MP is somewhat inconsequential (i.e. a pawn) in the grand scheme of things.

        All being said I don't believe that a password manager is the solution here. I agree with Troy Hunt: proper access delegation is what's needed.

        • Graham Cluley in reply to Bob.

          December 4, 2017 at 11:27 pm #

          My comment about the need for a password manager was directed at Nick Boles MP who says he can't ever remember what his password is.

          I agree that delegation is the correct approach if you need more than one person to access your email.

          And I apologise again for always having pawn on the brain.

      • Chuck in NY in reply to Graham Cluley.

        December 5, 2017 at 1:04 pm #

        What red-blooded male *isn't* interested in chesst?

  8. Tim Dutton

    December 5, 2017 at 9:32 am #

    What's scarier is that she's actually registered with the ICO as a Data Controller https://ico.org.uk/ESDWebPages/Entry/Z1716668 yet she then admits to using bad infosec security practices. Worse still, she considers that the information she processes has little value as she is not in government. Given the types of data mentioned in the Data Controller registration, I would certainly beg to differ.

  9. Jim

    December 5, 2017 at 2:07 pm #

    Perhaps a hefty fine would help, the money could go to charity as an incentive.

  10. dave

    December 5, 2017 at 8:44 pm #

    Is her daughter still travelling from the Cotswolds to the constituency office each day?
    Just asking,

  11. Per Goetterup

    December 8, 2017 at 1:52 pm #

    Here in Denmark we had a case where sensitive information from a police database was leaked to the press. An investigation revealed that too much security was to blame… read on for an explanation.

    The security was high. Only one or maybe two senior people had access to any kind of sensitive information, but in the course of the daily work other aspects of this information were needed by other officers. As the senior people were often away at meetings or tasks, and their access to information was needed on a daily basis, a culture of logging in early and staying logged in all day developed. The terminal was located near the service counter at most police stations and thus not only everybody working there (officers, office staff etc.) but also visitors coming in from the street had access. It was left completely unlocked all day and had full access. The blame for the leak was never placed (could be anybody) but security procedures were updated and now everybody with terminal access has access to the sensitive information, but it is logged exactly who searches for what and when, and idle users are logged out quickly.

  12. Post-It Note

    December 13, 2017 at 10:28 am #

    None of this is a surprise for anyone that has worked in IT support at local gov or in private business with regulatory obligations and responsibilities. I've seen horrendous practises not just instigated but encouraged with the sole purpose of covering up the fact that staff are clueless (including manager level and beyond). Rather than acknowledge that training or hiring of competent people is required, it seems preferred to cover that fact up with crazy breaches of common sense like this. I have tried to be part of the solution – called it out, suggested / designed secure alternatives but you hear the same rejections – 'too difficult', 'too slow', or, my favourite – 'stop being a negative person'. It'll never change until the quality of staff does.