
Having a professional interest in security, and a personal distrust of politicians and their promises of providing the same, I was not at all surprised by the findings of a BBC TV investigation that has just been broadcast in the UK. Inside Out, a news reporting and investigative documentary series that most often homes in on fairly lightweight consumer stories, decided to send their reporter to the heart of the UK Parliament, the House of Commons, and test the security provided by one of the most heavily guarded buildings in the British Isles. I’ve attended working group committee meetings there and I know only too well of the advanced information that needs to be supplied, the passes issued, the body searches and x-ray machines at the entrances, the small army of fully armed police that patrol.

Now let’s get one thing straight right up front: the successful security compromise was made easier because a Member of Parliament, Anne Milton (MP for Guildford), agreed to take part in the investigation. She was apparently convinced that no harm could be done by accepting the challenge of leaving her computer unattended in her House of Commons office, with just the reporter to keep it company, for a total of 60 seconds and no more. She was, however, visibly shocked when that reporter managed to compromise the computer in less than 20 seconds using a readily available keylogger application. This would have enabled a hacker to record everything that the MP typed into her PC, from confidential documents to passwords. The implications are, well, obvious.

What is surprising is that the reporter used by the BBC was a six year old schoolgirl, making her quite possibly the youngest hacker to succeed in compromising such a high level target.

What is surprising is that she could do so within the confines of such a sensitive place, without ever being searched for something like a USB memory stick device before entering. Perhaps the security procedure is so wrapped up in looking for the big stuff, the guns, the bombs and the men with beards that the James Bond world of small-scale spying devices has passed them by.

What is not surprising is the lack of any official comment from the powers that be at the House of Commons regarding the incident and the huge hole it has driven through the security of the UK Parliament.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

0

This is hardly a "hack". What this article tells me is that a 6yo girl was escorted by someone that has the privileges to be in a secure area to her office, then intentionally left behind and that this person's screensaver timeout wasn't set to 5 seconds? This isn't anything you can prevent. 1) I'm sure this girl wouldn't have gotten so far had she not been in the company of someone with the elevated privileges; 2) setting a timeout shorter than a couple of minutes is impractical; 3) mr "1337" up there ^ clearly doesn't realize that the OS has nothing to do with this (given notice anyone can write a script that will install a KL automatically). Ask any real security professional and they'll tell you that if someone gets physical access to your computer, there's jack you can do.

0

An astute observation by "robgmills"; given the details, I think "hacks the UK Parliament" is a bit too strongly stated. Now if this precocious young lady had sat across the street in a drug store with a WiFi handheld and done this, I'd be both impressed and somewhat worried. But given physical access to a security-deficient computer, the only surprising thing is that the kid knew how to install the software; I don't know any kids that age who could do that...at least not that I know of.

0

1337_MilkMan is 100% correct. If only the UK parliament used Linux servers, they wouldn't experience the mess


0

You can install a hardware keylogger device in seconds, no knowledge required other than how to remove keyboard cable and plug into device and device into computer - very small, unless you are looking for it you wouldn't spot it.

OK, hack is putting it strongly, but security was compromised and fairly easily considering the sensitivity of the location. But as I stated in the article, it was made easier by the cooperation of the MP concerned. But to think that this diminishes the importance of the original story or the weakness in the security processes of Parliament is naive. The fact that MP computers are security deficient in the first place is cause for concern enough.

Using a six year old girl to do this was just good TV from the BBC, and makes for a good blog headline of course, mea culpa. :cheesy:

0

> Ask any real security professional and they'll tell
> you that if someone gets physical access to your
> computer, there's jack you can do.

Ask any real security professional and they will tell you that if a six year old girl gets physical access to your computer they should not be able to install an application, they should not be able to use an unauthorised USB device. The computer should be locked down to prevent this, it is not rocket science, especially when you consider the location of the computer concerned.

But perhaps that is just evidence of the weakness of the security protocol of Parliament. Perhaps it is assumed that because the physical perimeter security is so strong there is no need for such tight security at a network and local PC level. The BBC report proves how wrong that assumption is.

0

I completely disagree with >shadow< and 1337_MilkMan about Linux. You obviously know very little about it, or else you wouldn't have made those comments.

Keyloggers can be written for any operating system, and there isn't a way that the programmers can prevent one from being written. In fact, they're used in many legitimate cases, so keyloggers are in fact not illegal nor a breach of security. The girl could have just as easily installed a keylogger or some bash script that would have done the same thing.

And I agree with Toulinwoek and robgmills, I think that the title is a little exaggerated. When someone has physical access to a computer, there is nothing that can stop the user. The amazing thing about this is that it's a 6 year-old girl, and that she did this in 20 seconds. But I wouldn't really consider it hacking, especially since she required special privileges in the first place...

edit - too slow

0

Pull the other one! :rolleyes: Child genii aren't as common as some might think! You sure this wasn't some early April Fool's prank that the BBC made up???

0

Ok, I know you did not intend to do it. And your question, what do you mean by Now where the position on that girl?

0

Hacking doesn't mean to be given privilege of access to the computer, so that girl did just install the software. What is amazing is how young the girl was to do something like that.
