UK intelligence agency stores passwords in plain text
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 26 Mar 2013 13:08:56 -0400

There are some government agencies that most would expect to have a
fair grasp of security, even for those systems that are not core to
their operations. That's what we thought with the Australian Tax
Office's Publication Ordering System, but sadly, we were proven wrong.

University student Dan Farrall discovered that his UK government's
communication headquarters (GCHQ) careers site has been sending back
passwords in complete plain text. For those of us outside of the UK,
GCHQ is one of Britain's intelligence agencies, dealing primarily with
signals intelligence and charged with "safeguarding Britain's
electronic communications and digital space".

It works with the nation's security services and secret intelligence
services MI5 and MI6, and is thought of as the counterpart to the US
National Security Agency or Australia's Defence Signals Directorate.

As Farrall pointed out on his blog, apart from the harm to its
reputation, the sort of information that would be held within these
systems would be significant.

We double-checked Farrall's claim and confirmed that the passwords
were in fact being sent in plain text, and while we were at it, we
started an application for a malware reverse engineer.

Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/