Analysis: the official Houses of Parliament MP/Peers password security advice # I give them B- /ht @pictfor #foia

A contacted forwarded these to me – before you ask: it’s not protected data, these pamphlets were handed out at Portcullis House to all and sundry:

…and my contact observed a variety of issues:

  • no mention of tablets and phones, although apparently one was illustrated somewhere in the pamphlet
  • specifically no mention of thin devices requiring just as good password protection as fat ones
  • from what I received, no mention of the evils of password reuse
  • ditto, no evidence of talking about keeping your phone software up to date
  • ditto, no evidence that this education is extended to personal devices as well as parliamentary

The password advice is essentially the same as I was handing out at the end of the ’90s; they might want to look into upgrading that – especially since Hell0W0rld will fall in a matter of minutes to Hashcat after a hardware attack, and if used (say) to protect the mailbox of the Member’s lover personal assistant a-la Petraeus then things could go rapidly bad.

Also I find this piece of advice a bit peculiarly-placed:

Respect the rights of people to access information in a way provided by the law

…which I presume is a subtle hat-tip towards FOIA and not trying to get around it by using personal e-mail addresses; either that or they are trying to seed a pro-CCDP meme of all access to data is good so long as it is legal amongst the members.

Overall? If I were in charge it would look a lot different, but then MPs and Peers are a mixed bag. They are still mostly not as bad as Traders, though.

The stats in the second image are interesting: 58.4m mails, of which 5.6m spam, 0.34m virus (perhaps overlapping with the spam?) – so a 9% spam rate is pretty low in my estimation.  Next time the Home Office try talking up the massive cyberexpense of spam, these figures should be pointed out to them.

No mention of spearphishing stats?


Leave a Reply

Your email address will not be published. Required fields are marked *