Applying for a job at GCHQ? Here’s your plain-text password
The website of the Government Communications Headquarters (GCHQ) greets you with the proclamation that “GCHQ provides intelligence, protects information and informs relevant UK policy to keep our society safe and successful in the internet age”.
Oh, really? The experience of Dan Farrall, who recently applied for a job at GCHQ, suggests the British intelligence agency has much to learn about information protection.
Farrall – a student – was looking for a job, and spotted one going at GCHQ that sounded interesting. Having registered on the website several months before, he used the “Forgotten Your Password?” box to log in and view the job application data. Now, you might think he’d be required to enter some personal data to identify himself, and then to follow a link sent to his email, via which he could continue the password reset process. But no.
This mistake is all the harder to swallow given the asymmetric key algorithm was invented by GCHQ employee Clifford Cocks in 1973
Instead, his password appeared in his browser in plain text; all it took was his email address. Farrall contacted GCHQ to let it know its system was insecure. Imagine his surprise when, two months later, he retrieved his password in plain text again.
This mistake is all the harder to swallow given the asymmetric key algorithm, an essential part of public-key cryptography, was invented by GCHQ employee Clifford Cocks in 1973.
The official GCHQ line on this embarrassing slip-up is that the system is a legacy one that’s in the process of being replaced. Well, the “legacy system” excuse might wash for a small business – perhaps even a large one – but not for a government security agency tasked with information security duties.
I appreciate that it’s so commonplace there’s even a website – Plaintextoffenders.com – that publishes password-revealing emails in order to shame offenders into fixing their security holes, but, as Varonis technical director Rob Sobers says, “password encryption is [not] beyond the grasp of the partner of an intelligence agency such as GCHQ”. It appears it was beyond the wit of GCHQ to maintain proper visibility of something that’s almost certainly being farmed out to a third-party provider, however.
This is something South Oxfordshire District Council might like to think about, too. PC Pro reader Jules Marshall contacted me when he received his council tax bill by email and discovered security isn’t as tight as it at first appears. The council outsources the delivery of the digital bills to a third-party company called Capita, and the bill itself came attached to the email as an encrypted PDF document that requires a password – his postcode – to open it.
All well and good if you open the file on your laptop, but not if you do so on your iPad. I know this because Jules sent me the PDF, which did indeed require a password to open on a desktop PC. However, a single click on my iPad opened the document to reveal the full bill, and Jules’ personal details.
The risk of this information being used for criminal gain is minimal, but the council evidently considers it sensitive enough to merit encryption in the first place. Neither South Oxfordshire District Council nor Capita responded to my requests for comment in time for publication, but it’s another reminder that information shared can become a liability when it falls into the wrong hands.