GCHQ - A plaintext offender

If you're that bothered perhaps drop a polite mail to CESG - I doubt some HR chick at GCHQ is going to give a ****

While your website itself might draw attention to the issue if you were still a candidate then I'd have assumed that attempting to show off as a result of finding something trivial isn't really emphasising a good trait as far as this type of employer is concerned.
 
If you're that bothered perhaps drop a polite mail to CESG - I doubt some HR chick at GCHQ is going to give a ****

While your website itself might draw attention to the issue if you were still a candidate then I'd have assumed that attempting to show off as a result of finding something trivial isn't really emphasising a good trait as far as this type of employer is concerned.

Would call it more than trivial, and they did have 2 months to rectify it.
Unfortunately that was the only email I could really find, but I did mention to pass it on to somebody in tech support.

Certainly not trying to show off, just highlight these issues.
Either way, as long as it gets fixed, and more people are aware this is bad practice, I'll be a happy man.
 
Unfortunately that was the only email I could really find,

Well that's not a good start for someone who wants to work for an organisation whose main aim is to collate and analyse information. I mean there is this related organisation whose sole role is IA and you couldn't find a way to drop them a quick e-mail?

Certainly not trying to show off, just highlight these issues.

Why create a website then? I mean if you thought it was genuinely a serious security failure on their part then broadcasting it is a good idea because....?
 
Would call it more than trivial, and they did have 2 months to rectify it.
Unfortunately that was the only email I could really find, but I did mention to pass it on to somebody in tech support.

Certainly not trying to show off, just highlight these issues.
Either way, as long as it gets fixed, and more people are aware this is bad practice, I'll be a happy man.

To be honest, you'll come across as a smartarse, and they'll disregard it on principle. I doubt it got more than a cursory skim read then got deleted.
 
Whilst I agree it's not a major issue, it is a little bit of a doh moment for GCHQ.

Yes, their recruitment site is hosted/run by another entity (well, I know it used to be!), but it's good practice to do due diligence on services you buy in and offload to someone else for this sort of thing.

In a previous role I worked for a big high street finance co and it was standard practice that before going live with any external service that would process PI or SPI in any way, it was pen tested beforehand, and only once everyone was satisfied would it then be allowed to go live.

For people saying what's the problem with this data, having seen the application process as has been mentioned there's a lot of information that is classed as personal information under the DPA, and likely also sensitive personal information.

It's been said plenty of times here, but best practice is to store passwords in a non-reversible hashed format. The person doing the authenticating should not know what your actual password is, just that the hash you send them matches the hash of your password that they keep.

Having them stored in a reversible encrypted format isn't necessarily a bad thing, but as has also been said if it's reversible then you are putting faith in the strength of the keys/mechanism for doing so plus the people that hold those keys.

Have a read of Troy Hunt's blog as he writes some nice articles around this sort of thing if you're interested, his rant at Tesco was rather amusing.

http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html

So come on then, what's the potential security threat and implications of your account password being exposed.

Assuming someone could get into the account, somehow, then they'd have access to a lot of PI and possibly SPI that could be used for identity theft rather nicely.

All info about previous applications used to be viewable which included all the info that you had submitted.

Ultimately it's not the end of the world at all, and isn't a reflection on how GCHQ would handle their 'business' data ;) But it's just a bit of an oops moment, low risk at best.

When the top security guys in the UK apply for a job there, and get their password sent back to them in plain text, what do you think their impression will be?

Sadly the top security guys are probably already put off before applying when they see the salaries being offered and realise they can easily get double that working elsewhere :(
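Added example (not code from the thread or from any site it discusses): the three storage options the post above contrasts, side by side in Python's standard library, with the "send me my password" feature built on each. The keystream-XOR "reversible" scheme is a toy stand-in for real encryption, and the PBKDF2 iteration count and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Three ways a site can keep a password, as discussed in the thread:
#   plaintext   - the site can mail the password straight back to the user
#   reversible  - whoever holds the key can decrypt it, so the key holders are trusted
#   hashed      - the site can only check a candidate password, never recover it

PBKDF2_ITERATIONS = 600_000   # assumption: a reasonable modern work factor, not from the thread


def store_plaintext(password: str) -> dict:
    """What a 'plaintext offender' stores: the password itself."""
    return {"scheme": "plaintext", "secret": password}


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (HMAC in counter mode) for the illustrative reversible scheme.
    A stand-in for real encryption, used only to show that the key holder gets the
    password back; not something to deploy."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_reversible(password: str, key: bytes) -> dict:
    """Reversible storage: the record alone is useless, the record plus key is the password."""
    data = password.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return {"scheme": "reversible", "secret": ciphertext.hex()}


def recover_reversible(record: dict, key: bytes) -> str:
    ciphertext = bytes.fromhex(record["secret"])
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext)))).decode("utf-8")


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated hash: stores only what is needed to check a guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "secret": digest.hex()}


def verify(password: str, record: dict, key: Optional[bytes] = None) -> bool:
    """Authenticate a login attempt against any of the three record types."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), password.encode("utf-8"))
    if record["scheme"] == "reversible":
        if key is None:
            return False   # without the key the site cannot check anything
        return hmac.compare_digest(recover_reversible(record, key).encode("utf-8"),
                                   password.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["secret"])


def forgotten_password_email_body(record: dict, key: Optional[bytes] = None) -> Optional[str]:
    """The 'send me my password' feature from the thread. It can only be built on
    storage that lets the site get the password back; for a hashed record this
    returns None, which is the point: the site has to offer a reset link instead."""
    if record["scheme"] == "plaintext":
        return f"Your password is: {record['secret']}"
    if record["scheme"] == "reversible" and key is not None:
        return f"Your password is: {recover_reversible(record, key)}"
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"     # constructed sample password
    key = os.urandom(32)                    # constructed key for the toy reversible scheme
    for rec in (store_plaintext(pw), store_reversible(pw, key), store_hashed(pw)):
        print(rec["scheme"], "| login ok:", verify(pw, rec, key),
              "| reminder mail:", forgotten_password_email_body(rec, key))
```

The hashed record is the only one for which `forgotten_password_email_body` has nothing to send, which is exactly the property the post describes: the site can confirm a login but holds nothing that could be mailed back, leaked by a mail relay, or decrypted by whoever keeps the key.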
 
Why create a website then? I mean if you thought it was genuinely a serious security failure on their part then broadcasting it is a good idea because....?

I think the morally correct thing to do when you find a security flaw with a system is to let the company in question know about it and give them time to fix it, then if they don't, go public so they are shamed into fixing it and people know not to give their details to that company, and that's exactly what he did. I guess you have a different view on how to handle a situation like this though.



Have a read of Troy Hunt's blog as he writes some nice articles around this sort of thing if you're interested, his rant at Tesco was rather amusing.

That was a very interesting read! It's shocking to know a company as big as Tesco, who deal with millions of people's personal and payment details, can be that incompetent, and worse still not fix it for years after they've been told about it.

And apparently they are on the PCI-DSS board, who make other online retailers jump through ridiculous hoops in the name of security. I guess it's do as I say, not as I do...
 
Don't get me started on PCI, luckily I don't have any dealings with it anymore, at the moment anyway ;)

I like Troy's blog as it's a good mix of techy and non techy stuff, and just generally find him an interesting read.
 
I think the morally correct thing to do when you find a security flaw with a system is to let the company in question know about it and give them time to fix it, then if they don't, go public so they are shamed into fixing it and people know not to give their details to that company, and that's exactly what he did. I guess you have a different view on how to handle a situation like this though.

It's not really what he did though, is it... I mean it wouldn't have taken much of his time to find a more appropriate person to write a sensible e-mail to than someone working in HR.

As for going public - given who we're talking about here - if he genuinely believed he had discovered a serious security flaw then can you not see how it might be a bit silly to highlight it publicly... not really exercising great judgement.

The whole exercise of creating a webpage to highlight some mundane flaw like this comes across as just a big *look at me* exercise. I think overall it's probably better that the OP isn't working for them.
 
It's not really what he did though, is it... I mean it wouldn't have taken much of his time to find a more appropriate person to write a sensible e-mail to than someone working in HR.

As for going public - given who we're talking about here - if he genuinely believed he had discovered a serious security flaw then can you not see how it might be a bit silly to highlight it publicly... not really exercising great judgement.

The whole exercise of creating a webpage to highlight some mundane flaw like this comes across as just a big *look at me* exercise. I think overall it's probably better that the OP isn't working for them.

True, he could have persisted and tried to find someone else to report it to, but I personally don't think he was obliged to.

As for going public, it can easily be argued either way that it was good or bad for security. Obviously you're looking at it in terms of making it public painting a target for people to try to hit, which of course it does, so I think your reasoning is perfectly valid.

However, I would argue that making it public after they've refused to fix it is good for security if embarrassment or public pressure forces them to fix it, and in this case, they're guilty of bad practice that anyone can see anyway, rather than a bug that only someone trying to hack the site would find.
 
True, he could have persisted and tried to find someone else to report it to, but I personally don't think he was obliged to.

No, not persisted - but simply reported it in a sensible way in the first place... like to the organisation that looks after security instead of mailing HR... that would be fairly obvious, no?

As for going public, it can easily be argued either way that it was good or bad for security. Obviously you're looking at it in terms of making it public painting a target for people to try to hit, which of course it does, so I think your reasoning is perfectly valid.

However, I would argue that making it public after they've refused to fix it is good for security if embarrassment or public pressure forces them to fix it, and in this case, they're guilty of bad practice that anyone can see anyway, rather than a bug that only someone trying to hack the site would find.

They've not refused to fix it... he mailed some random person in HR who likely gets regular mail from all the random crazy James Bond fantasists-conspiracy nuts who likely send in applications to that place every day.... given the sort of inane queries they likely deal with it wouldn't be too surprising if some non-technical HR person ignored an e-mail waffling about plain text passwords.

I think you're also missing the major point in that it's not some random company we're talking about - if he actually thought that there was a serious security breach here then publicising it potentially has more serious consequences than simply shaming the organisation.
 
I'm sure it's an external recruitment company in which passwords being stored in plaintext is quite common with what I've experienced.

It's common, but it's still awful.

Though, to be all matter-of-fact about it, he's not proven the passwords are actually stored in plaintext, only that they're stored in a way that they can be trivially converted and are being emailed in plaintext.

They should also fix it. Given that the passwords are sent to an email address, any mail servers this passes through should be able to pick up potential credentials that somebody might actually use. While you should theoretically use different passwords for every site, most people cannot be bothered, and would normally trust a Government-run (as far as they know) website to actually do a decent job of security.

Not sure why people are jumping on the OP. Most of the folks around here are fairly IT literate but for the uninitiated, using email is like sending a letter without sealing the envelope. Everybody that handles it can have a good ol' read and will know who it's addressed to.
 
It's not really what he did though, is it... I mean it wouldn't have taken much of his time to find a more appropriate person to write a sensible e-mail to than someone working in HR.

The whole exercise of creating a webpage to highlight some mundane flaw like this comes across as just a big *look at me* exercise. I think overall it's probably better that the OP isn't working for them.

Can you find an email of somebody more appropriate? Because I couldn't. Funnily enough they don't seem keen on incoming emails.

It's more of a look at them exercise actually, pretty standard thing when it comes to security flaws that don't get fixed after being made aware.
It's clearly educated at least a few people here, which will hopefully make for more secure websites in the future, which is surely a good thing!
 
Can you find an email of somebody more appropriate? Because I couldn't. Funnily enough they don't seem keen on incoming emails.

It's more of a look at them exercise actually, pretty standard thing when it comes to security flaws that don't get fixed after being made aware.
It's clearly educated at least a few people here, which will hopefully make for more secure websites in the future, which is surely a good thing!

http://www.cesg.gov.uk/aboutus/contactus/Pages/index.aspx
 
That isn't actually on GCHQ site AFAIK.

I'm sure it's not, but they are the people who deal with security for all military and government IT (including websites). An HR department or recruitment agency would even know what you are on about.

As my boss just said when I mentioned this thread to him:
"I would hope no future employer sees that as no one would ever employ him!"
 