A lot of members of the British Houses of Parliament are under fire this week for some pretty terrifying information security practices. And by terrifying I mean that when I first read this I couldn’t believe that someone in a position of power could be so lax with their security. For those that haven’t seen, Conservative Party First Secretary Damian Green was accused of downloading explicit media to his government computer. That in itself is a violation of security since all the websites that host the inappropriate content are like playgrounds for all kinds of malware.
The real kicker is when MP Nadine Dorries tweeted her defense saying that her staff log onto her computer, using her login, every day. She even went as far as including that interns also had that access.
It got even worse when MP Nick Boles came to her defense for this practice, saying that he often has to ask his staff for his own password because he forgets.
This is horrendous for a number of reasons, and basic information security is just the beginning. These are the leaders that will eventually attempt to make laws regarding information security without fully understanding what it is, what the best practices are, and without the slightest regard for following it themselves. If I were part of the security team for the British Parliament, I would probably be an alcoholic for having users that carry this blatant disregard for security. I would not be remotely surprised if some of our congressmen followed this same horribly insecure practice with their staff.
MP Nadine Dorries clarified her tweet by saying that no one could possibly be interested in her email accounts since there was no classified information or government documents in them.
THAT’S NOT THE POINT NADINE. The people who communicate with you through that email address probably trust you, they trust the attachments you send. What is to stop someone from compromising your account and sending malicious files? What if those malicious files contained an email trojan that compromised other email addresses and kept spreading itself? What if that trojan dropped ransomware, stole other credentials, or ran DDoS attacks on internet infrastructure? Your email account has suddenly become patient zero in a very dangerous attack vector, all because you didn’t want to be inconvenienced with having to type in your own passwords every time your staff needed to access your computer.
It gives me anxiety just thinking about it…