Written by Antoni Sikora, CMO | Head of Growth, Secfense
Leaks of confidential data from email accounts or inappropriately secured applications are increasingly being reported – and the targets are businesses, individuals and politicians. In Poland, hackers recently managed to take over the email account of the Chief of the Chancellery and published the content – official correspondence.
How could politicians and employees be protected against similar attacks?
As their number has been growing, the issue of cyber-attacks on email accounts of employees of crucial national and medical institutions has become a concern for almost every country. In the past 6 months, hackers obtained classified information relating to British aid projects financed by National Security Council intended to counter terrorism and build stability overseas. In February, breach of sensitive data was reported at Oxford University laboratories researching Covid 19.
“Hackers obtain user digital identity through phishing emails. This is why everyone and, especially, people with access to sensitive information, should use the so called additional factor. With hundred per cent accuracy, this solution provides confirmation on user identity. Put simply, it checks whether the person behind the computer is actually the person authorized and not a hacker using a stolen password”, Tomasz Kowalski, Secfense CEO, said.
180 days for the adoption of 2FA in the US
The fact that the multi-factor authentication (MFA) is a must nowadays is strengthened by the Executive Order on Improving Nation’s Cybersecurity issued on May 12th by the American President urging the implementation of 2-factor authentication (2FA) for the Federal Government within 180 days.
This type of security measure was missing in the case of Michal Dworczyk, the Polish Chief of the Chancellery, which, in June of this year, resulted in his private email account (inappropriately used for official correspondence) being hacked. The situation caused quite a stir since strategic and strictly confidential information of state importance was obtained by unauthorized individuals.
“According to the owner of the domain where the Polish politician’s account is hosted, the access to the account was gained as a result of providing correct login and password. It may be assumed that the hackers either extorted the password from the Minister’s wife or took advantage of the fact that she used the same password in other services and obtained it from one of them”, Kowalski added.
State matters on Gmail
The use of private email accounts for official business within state administration is not only Polish flaw. According to Sky News, in 2020 alone, as many as 151 breach incidents were reported in the British Ministry of Defense as a consequence of the transfer of secret information from the government secured network to private email accounts.
“As you can see, it is difficult to discipline even the people who have access to the most confidential information. It is, therefore, imperative that we speak of the vast and comprehensive use of the so called additional factor during the authentication in systems and applications”, Tomasz Kowalski further explains. “The second factor could be both physical keys or biometric scanners built into laptops or smartphones. It is important to secure all applications used by employees and politicians. Fortunately, today there are a number of non-invasive ways to use any method of multi-factor authentication, including cryptographic keys, that does not require changes in application codes “.
After the scandal over the leak of Minister Dworczyk’s emails, talks about the purchase of physical cryptographic keys (U2F) for the government have begun. However, whether the keys will protect all the government applications or the politicians will actually use them remains in question.
Either way, today, multi-factor authentication is considered the most effective protection against information theft, including obtaining sessions from logged-in users, phishing, and man-in-the-middle attacks. All of us and, especially, people holding state positions, should immediately stop using passwords as the only online authentication and security confirmation. It is the passwords, often weak and identical in numerous services, that are prone to easy theft, which may result in not only the owner’s stress but also in a political crisis.
What measures should politicians and officials take to protect themselves against cyberattacks?
- Use different passwords in different services.
- Use password management applications that enable the generation of strong passwords and their storage.
- Implement two-factor authentication whenever and wherever possible.
- Not send sensitive information through private email accounts.
- Allow automatic update of operating system and key applications. This will enable the removal of security bugs.
- Not react when someone asks for immediate provision of data, whether the request comes from an application or through an email demanding immediate reaction, or from a fake bank representative calling with a request for the installation of a phone application.
- Use Signal communicator for important messages. Signal is currently the most secure application. In contrast to WhatsApp, not only does it provide confidentiality but it also maintains privacy of all conversations as it does not collect any connection metadata, i.e. the messages are encrypted therefore the application does not know their content, it also does not know who the participants of a conversation are.