Malware infested MPs' PCs inflate leak risk

Four in five Parliamentary machines pwned in last year


Comment "That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)

The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.

Embarrassing disclosures about how politicians across the political spectrum subsidised their living expense from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.

In both cases the emails and leaked files were probably obtained by someone with access to the information, who subsequently attempted to auction it off to national newspapers. The incidents illustrate the fact that all manner of sensitive and potentially embarrassing information is held on the PCs of MPs, ministers and their advisers.

Given the career-threatening implications of data leaks, it's therefore surprising how lax politicians and their advisors are when it comes to data security.

We know that parliamentary computers were infected with the Conficker superworm in March. Conficker hasn't been activated to do anything but it remains of concern that Parliament can be so easily compromised in the first place, something that's happened numerous times in the last twelve months. In March, for example, we reported that police failed to record a crime, still less investigate, when Alun Michael MP discovered a malware infection on his office PC. Michael was able to detect and remove the unidentified malware himself.

These incidents are far from isolated. In response to questions in parliament on Wednesday, Nick Harvey, a Lib Dem member of the House of Commons Commission said that the vast majority of the 5,000 PCs in use around the Palace of Westminster had been hit by malware over the last year.

In the past 12 months 86 per cent of computers on the estate have been attacked by malware, 78 per cent of which were cleaned automatically by Parliament's anti-virus software, with 8 per cent needing a visit by an engineer. There are 4,991 computers on the estate.

The security of parliamentary PCs ought to be more important than those of a regular office system, because of the confidentiality of MPs' work with their constituents, not to mention the potential for leaks of embarrassing information. Malware-infected computers are certainly no help to the general smooth running of parliamentary business, either.

In fairness, staff running the House of Commons IT systems have their work cut out for them. One security expert compared the system to a University campus network in terms of the institutional lack of control. It's probably even worse than that, because of the sensitivity of the data in question, not to mention the bolshieness - if not arrogance - of some of our elected representatives and their advisors.

The Conficker infection prompted a temporary ban on mass storage devices, including MP3 players, on parliamentary systems. Security experts we've spoken to reckon that more needs to be done, such as the introduction of access controls and encryption across parliamentary systems. The possible application of data loss prevention technology also comes to mind.

Wider use of PGP by politicians might be a good start, except for the fact the parliamentary BOFHs recently told users that PGP is incompatible with its remote access software, for reasons even PGP has been unable to fathom thus far.

The lamentable state of PC security in the mother of parliaments creates a real risk of leaks of sensitive information in the future, even if this has not happened already. MPs ignore such possibilities at their peril.

Politicians - typically lawyers or lecturers by trade, with little awareness of computers much less information security - need to get up to speed with the internet or else risk looking as hapless as fictional politicians like Hugh Abbot and Jim Hacker. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021