Mar 27th, 2007, 6:21 am
Having a professional interest in security, and a personal distrust of politicians and their promises of providing the same, I was not at all surprised by the findings of a BBC TV investigation that has just been broadcast in the UK. Inside Out, a news reporting and investigative documentary series that most often homes in on fairly lightweight consumer stories, decided to send their reporter to the heart of the UK Parliament, the House of Commons, and test the security provided by one of the most heavily guarded buildings in the British Isles. I’ve attended working group committee meetings there and I know only too well of the advance information that needs to be supplied, the passes issued, the body searches and x-ray machines at the entrances, the small army of fully armed police that patrol.
Now let’s get one thing straight right up front: the successful security compromise was made easier because a Member of Parliament, Anne Milton (MP for Guildford), agreed to take part in the investigation. She was apparently convinced that no harm could be done by accepting the challenge of leaving her computer unattended in her House of Commons office, with just the reporter to keep it company, for a total of 60 seconds and no more. She was, however, visibly shocked when that reporter managed to compromise the computer in less than 20 seconds using a readily available keylogger application. This would have enabled a hacker to record everything that the MP typed into her PC, from confidential documents to passwords. The implications are, well, obvious.
What is surprising is that the reporter used by the BBC was a six-year-old schoolgirl, making her quite possibly the youngest hacker to succeed in compromising such a high-level target.
What is surprising is that she could do so within the confines of such a sensitive place, without ever being searched for something like a USB memory stick device before entering. Perhaps the security procedure is so wrapped up in looking for the big stuff, the guns, the bombs and the men with beards that the James Bond world of small-scale spying devices has passed them by.
What is not surprising is the lack of any official comment from the powers that be at the House of Commons regarding the incident and the huge hole it has driven through the security of the UK Parliament.
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 4,253 views, 9 comments, and 39 linkbacks. 3 voters have rated this entry an average of 5 out of 5 stars. It was promoted to featured status Mar 27th, 2007.
Comments (Newest First)
venomlash | Junior Poster | Mar 30th, 2007
Pull the other one! :rolleyes: Child genii aren't as common as some might think! You sure this wasn't some early April Fool's prank that the BBC made up???
John A | Vampire Moderator | Mar 27th, 2007
I completely disagree with >shadow< and 1337_MilkMan about Linux. You obviously know very little about it, or else you wouldn't have made those comments.
Keyloggers can be written for any operating system, and there isn't a way that the programmers can prevent one from being written. In fact, they're used in many legitimate cases, so keyloggers are in fact not illegal nor a breach of security. The girl could have just as easily installed a keylogger or some bash script that would have done the same thing.
And I agree with Toulinwoek and robgmills, I think that the title is a little exaggerated. When someone has physical access to a computer, there is nothing that can stop the user. The amazing thing about this is that it's a 6 year-old girl, and that she did this in 20 seconds. But I wouldn't really consider it hacking, especially since she required special privileges in the first place...
edit - too slow
happygeek | He's The Daddy | Mar 27th, 2007
>shadow< | Posting Pro | Mar 27th, 2007
1337_MilkMan is 100% correct. If only the UK parliament used Linux servers, they wouldn't experience the mess
Toulinwoek | Junior Poster | Mar 27th, 2007
An astute observation by "robgmills"; given the details, I think "hacks the UK Parliament" is a bit too strongly stated. Now if this precocious young lady had sat across the street in a drug store with a WiFi handheld and done this, I'd be both impressed and somewhat worried. But given physical access to a security-deficient computer, the only surprising thing is that the kid knew how to install the software; I don't know any kids that age who could do that...at least not that I know of.
robgmills | Newbie Poster | Mar 27th, 2007
This is hardly a "hack". What this article tells me was that a 6yo girl was escorted by someone that has the privileges to be in a secure area to her office, then intentionally left behind and that this person's screensaver timeout wasn't set to 5 seconds? This isn't anything you can prevent. 1) I'm sure this girl wouldn't have gotten so far had she not been in the company of someone with the elevated privileges; 2) setting a timeout shorter than a couple of minutes is impractical; 3) mr "1337" up there ^ clearly doesn't realize that the OS has nothing to do with this (given notice anyone can write a script that will install a KL automatically). Ask any real security professional and they'll tell you that if someone gets physical access to your computer, there's jack you can do.
1337_MilkMan | Newbie Poster | Mar 27th, 2007
That's why you NEED to use Linux.
Featured Entry
> you that if someone gets physical access to your
> computer, there's jack you can do.
Ask any real security professional and they will tell you that if a six year old girl gets physical access to your computer they should not be able to install an application, they should not be able to use an unauthorised USB device. The computer should be locked down to prevent this, it is not rocket science, especially when you consider the location of the computer concerned.
But perhaps that is just evidence of the weakness of the security protocol of Parliament. Perhaps it is assumed that because the physical perimeter security is so strong there is no need for such tight security at a network and local PC level. The BBC report proves how wrong that assumption is.