GCHQ - A plaintext offender

like to the organisation that looks after security instead of mailing HR... that would be fairly obvious no?
No, I think the opposite is true. It's a large organisation and he's not going to be able to get contact details for whoever is in a position to do anything. You send it to the staff dealing with that website, who should then forward it on to whoever is in charge of the site or reply to tell him who to contact.


I think you're also missing the major point in that it's not some random company we're talking about - if he actually thought that there was a serious security breach here then publicising it potentially has more serious consequences than simply shaming the organisation.
I think you should have a read of the blog post that Ev0 posted. It's an almost identical situation, and the chap who posted it on his blog has been widely praised for it, especially since it caused the ICO to launch an investigation into Tesco's website security, which hopefully will lead to them improving it.
 
No, I think the opposite is true. It's a large organisation and he's not going to be able to get contact details for whoever is in a position to do anything. You send it to the staff dealing with that website, who should then forward it on to whoever is in charge of the site or reply to tell him who to contact.

This, it's a GCHQ mailbox at the end of the day, and I did explicitly mention to forward it to somebody in the tech field.
 
I don't understand the flaming going on here... As a few posters at least understand the issue isn't that this means the whole of GCHQ is run in this way, but that the vast majority of people don't bother to come up with a unique and strong password for every single online thing they have to register for. In my experience people either just use the same password for everything (which is silly), or have a few different passwords - some stronger than others - which they use for different things (depending on how important protecting said account is, for instance using the same password for an email account as your various shopping accounts is not good). In either case a resourceful person could use one trivial case of poor security storing/sending plaintext passwords and any information they could get to greatly increase their chances of accessing other more important accounts.
 
who's flaming? friendly advice :D

No one is saying that he is wrong about clear text passwords, all I'm trying to say is

1) you are presuming they don't already know about it
2) you probably didn't email the most useful people to address it
3) if you are looking for a job in IT, it's not necessarily the best way to advertise your skill set to employers by "naming and shaming" (certainly not in government / military sectors anyhow)
 
3) if you are looking for a job in IT, it's not necessarily the best way to advertise your skill set to employers by "naming and shaming" (certainly not in government / military sectors anyhow)

There are plenty of security experts who do exactly that and still have their jobs. Being part of the naming and shaming community would likely point to a deeper interest and understanding of the subject and would probably be interesting to non-retarded companies. Of course you don't do it to the company you work for, that'd just be silly.
 
Can you find an email of somebody more appropriate? Because I couldn't. Funnily enough they don't seem keen on incoming emails.

Someone more appropriate than a non-technical HR person who may or may not be from a contracted 3rd party company....

The people who deal with information assurance:

http://www.cesg.gov.uk/

The enquiries address is on the website - I'd suggest that that might have been a more appropriate e-mail to use... amusingly enough there is the following listed under events on their front page:

"Routine planned maintenance 28 Mar - 2 Apr 2013

GCHQ and CESG will be carrying out routine, planned maintenance on their websites over the Easter weekend "

It's more of a look at them exercise actually, pretty standard thing when it comes to security flaws that don't get fixed after being made aware.
It's clearly educated at least a few people here, which will hopefully make for more secure websites in the future, which is surely a good thing!

Yeah it might well be standard practice on 'teh internets' - the fact that you considered it to be a security risk but didn't even give a thought to the fact that if it were a serious security risk then publicising it could well have more serious consequences doesn't make you look good.
 
No, I think the opposite is true. It's a large organisation and he's not going to be able to get contact details for whoever is in a position to do anything. You send it to the staff dealing with that website, who should then forward it on to whoever is in charge of the site or reply to tell him who to contact.

He's trying to apply for a national agency - took me a few seconds to find an address for CESG... Shouldn't candidates for the likes of GCHQ be able to find information easily and demonstrate some common sense?

I think you should have a read of the blog post that Ev0 posted. It's an almost identical situation, and the chap who posted it on his blog has been widely praised for it, especially since it caused the ICO to launch an investigation into Tesco's website security, which hopefully will lead to them improving it.

You're still missing the point there - data being compromised at Tesco isn't really comparable.... A bit more discretion might have been more appropriate instead of the whole 'look at me aren't I clever' website which likely only demonstrates that it's a good thing they've not hired him.
 
You're still missing the point there - data being compromised at Tesco isn't really comparable.... A bit more discretion might have been more appropriate instead of the whole 'look at me aren't I clever' website which likely only demonstrates that it's a good thing they've not hired him.

I'm not missing your point, I'm simply disagreeing with it if that's OK with you?

You seem to have missed my point about the Tesco incident, or perhaps you didn't actually read the link, because I really don't see how you can claim it's not comparable. It's almost exactly the same situation, but arguably worse because they have a much larger amount of data to be compromised, and that data includes credit card details.
 
I'm not missing your point, I'm simply disagreeing with it if that's OK with you?

You seem to have missed my point about the Tesco incident, or perhaps you didn't actually read the link, because I really don't see how you can claim it's not comparable. It's almost exactly the same situation, but arguably worse because they have a much larger amount of data to be compromised, and that data includes credit card details.

We're talking about the implications and you're still missing the point - I doubt any foreign agencies etc... would be interested in Tesco customers and the risks to them are purely financial at worst... Potentially compromising the identities of people who work/go on to work at a national agency is different to data being compromised at some random company.
 
OK, so let me try to understand your point. It's not comparable to Tesco because nobody would like to obtain Tesco's database of hundreds of thousands of people's names, addresses, credit card details, passwords and purchase histories. And even if they did, the risks to those people are "only financial", and who cares about having their money stolen at the end of the day?

Before you post again about me not getting your point, I realise you're trying to say there could be a safety risk for staff at GCHQ, which is possible (but in my opinion, unlikely). That only adds to the argument that the GCHQ need to take the security of the site seriously. The volume, detail and sensitivity of information held by Tesco is so great that the need for their site to be secure is, in my opinion, at least as high as with a GCHQ recruitment site and the consequences of that data being leaked, probably much greater than the consequences of a breach of the GCHQ recruitment site.
 
Well yes there are numerous implications that you won't have with a corporate, that is the point - the OP believes he's found a serious security breach so takes the default approach of posting it online. If you genuinely believe that this compromised PERSEC then publishing it is possibly the dumbest thing you could possibly do.

The whole thing is just ridiculous - someone who is interested in security and wants to apply for GCHQ yet is seemingly completely unaware of the existence of their security group and decided instead to report an internet security issue to HR then later publish online for some kudos...

The OP has essentially spotted something that he's learned is bad - he then took the cookie cutter approach to this sort of thing, made a look at me aren't I clever web page about it etc... Nothing about what he's done is particularly smart and his replies to some of the posters in the first two pages of this thread are cringeworthy. I really don't quite see what he was trying to achieve other than blatant self promotion and perhaps confirming it's a good thing that he's not employed by that sort of organisation.
 
The whole thing is just ridiculous - someone who is interested in security and wants to apply for GCHQ yet is seemingly completely unaware of the existence of their security group and decided instead to report an internet security issue to HR then later publish online for some kudos...

The OP has essentially spotted something that he's learned is bad - he then took the cookie cutter approach to this sort of thing, made a look at me aren't I clever web page about it etc... Nothing about what he's done is particularly smart and his replies to some of the posters in the first two pages of this thread are cringeworthy. I really don't quite see what he was trying to achieve other than blatant self promotion and perhaps confirming it's a good thing that he's not employed by that sort of organisation.


Lol, ditto!
 
They should be taking reasonable steps to protect the user data.

Salting passwords is very much a reasonable step in this day and age.

GCHQ clearly failed in their responsibility to protect personal data.

They were given an opportunity to fix it, they failed to fix it and have been "named and shamed" in the same way as just about always happens with this sort of thing. Bringing it to the attention of people that might be considering entering data there who might now reconsider is only a good thing (at least until the site is fixed).
 
Salting passwords is very much a reasonable step in this day and age.

It's not just about salting the password, it's about storing the password in a way whereby the original password is recoverable by some function at their end (or worse no function at all if it's just stored in plaintext :p).

Salting is more used to hinder attacks on the hash if it were made available, which makes no odds if the password can be offered up in plain text somehow :)
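Added example, not code from the thread or from the site being discussed, contrasting the two storage models the last two posts describe: a record that keeps the original password (so a "forgotten password" mail can echo it back, and so can anyone who reads the table) versus a per-user salted PBKDF2 hash that can only be verified, never recovered. The iteration count and the sample passwords are constructed for the example.

```python
"""Added example: recoverable password storage vs. a per-user salted hash."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this example


def store_plaintext(password: str) -> dict:
    """The pattern the thread criticises: the original password is kept,
    so some function at the site's end can hand it back."""
    return {"password": password}


def store_salted(password: str) -> dict:
    """Random 16-byte salt per user + PBKDF2-HMAC-SHA256.
    The record lets the site check a login but holds no recoverable password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_salted(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def forgot_password_email(record: dict) -> str:
    """What a 'forgotten password' mail can contain under each scheme."""
    if "password" in record:
        return f"Your password is: {record['password']}"  # plaintext sent out
    # Nothing to recover: the only option is a fresh reset.
    return "Use this one-time reset link to choose a new password."


def same_password_same_hash(password: str) -> bool:
    """Why the salt matters if the table leaks: two users with the same
    password get different hashes, so one precomputed table hits neither."""
    return store_salted(password)["hash"] == store_salted(password)["hash"]
```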
 