The Unsecured State Part 4 - UK Government Websites Spewing Spam

This is part 4 of a series of blog posts looking at the security of the UK Government's web infrastructure.


Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running ancient and unsecured software, languishing unmaintained and long since abandoned.

What are the consequences of failing to invest in security and maintenance? The websites become a haven for cyber-criminals. They exploit weaknesses in the sites and use them to push dodgy pills, fake goods, and all manner of illicit schemes.

The exploits which we are about to see range from the trivial - comment spam - to the extremely serious - complete site takeovers.

All the sites mentioned in this blog were notified on 19th February about the specific flaws found. I've no idea how these sites were compromised, nor whether any citizens' data are at risk. All I know is that a disastrous attitude to "cyber security" is rotting away within the *.gov.uk namespace.

Complete Site Takeover

This looks like the perfect site to by some "Genuine* Fashionable Boots", doesn't it?
Hillingdon Boots
It is seemingly hosted with the endorsement of the Conservative run London Borough of Hillingdon. One of the most prosperous borough in London, and they can't even afford to hire a website security team.

—❦—

The Leadership Centre is funded by the government department for Communities and Local Government. Its mission?

We believe it takes great leadership to create thriving and prosperous communities so we work with and support senior leaders from across the public sector to help them shift their thinking on leadership.

Sadly, that doesn't extend to thinking about leading technology teams. The site has been abandoned for around the last 3 years. In that time, it has become riddled with spam.
LocalLeadership Spam-fs8

—❦—

At the other end of the spectrum, we have the tiny borough of Amble. With a population of barely 6,000, their website plays host to a number of webpages extolling the virtue of knock-off boots.

Amble Spam-fs8

—❦—

The town of Kidwelly is nearly 900 years old. It has a rich history including medieval castles, nature reserves, and an annual festival.

As far as Google is concerned, it also maintains a cottage industry for cut-price "blue pills".

Hacked Gov UK Site in search listings-fs8

Having spoken to the council, they have told me that the local police are currently dealing with the matter.

—❦—

Can we reasonably expect small parish councils under the yoke of austerity to have top-notch web security teams? If they are able to find the resources necessary to fund the protection of their digital assets, that's great - but it's highly unlikely.

Instead, Central Government needs to heavily invest in making sure that all councils - big and small - are able to competently run web sites and services.

Comment Spam

Every blog attracts comment spam. Fraudsters leaving vaguely plausible comments in the hope that publication will see a flurry of extra hits on their site. The bigger and more prestigious the site, the more likely the site is to be targeted. And the .gov.uk name is very prestigious.

Amongst the Government sites playing host to spam is the Foreign and Commonwealth Office's blog page for the British Ambassador to Somalia.

FCO Spam-fs8

—❦—

The Northern Ireland Assembly is the devolved legislature for Northern Ireland. It has hundreds of comments, seemingly all of which promoting dodgy deals.

NIA Spam-fs8

—❦—

A book of condolence in Oldham for a much loved community member now plays host to spammers.

Oldham Condolence Spam-fs8

—❦—

Lewes, and many other councils, have open forums which are overrun with spam messages.

Lewes Spam-fs8

—❦—

Even the UK National Archives have seen fit to save some comment spam for future generations to ponder.
National Archives Spam-fs8

Hidden Links

Finally, we get to the murky world of hidden links. These are spamming messages not designed to be seen by humans. They are hidden within the web pages' source code in the hopes that Google and other search engines will see them and increase the spamming site's popularity.

Gov Spam Source Code-fs8

The spam covers the usual range from pharmaceuticals to knock off designer goods.

Land Registry spam

Again, there are several sites which exhibit this malicious behaviour.

East Devon HTML Spam-fs8

What Can Be Done?

The State needs to take responsibility for the websites run in its name. If site owners are unable or unwilling, then those sites should be removed from the web. It is simply too dangerous to allow them to stay online without decent security measures in place.

It is time that the Government started to treat cyber-security as a serious subject. They love putting out press releases, and making grand sounding plans with shadowy agencies - what they need to do is spend some money on basic front-line services.


5 Responses to “The Unsecured State Part 4 - UK Government Websites Spewing Spam”

  1. loudmouthman Image of loudmouthman

    So I am going to put on my Parish Councillor hat here and hopefully give a little insight. When the council of which I am a member were considering a new website they were offered a product from a private company who provided a bespoke proprietary system which would cost the council a little over £1400 a year to run and that did not include the initial configuration and setup fees. It would have been something like £3k in the first year and the £1.4k each year. Needless to say I knew that NO.10 were using WordPress and there was little reason not to use it in place of a private product. The reasoning was.

    1. We could move our site from host to host.
    2. We could reach out and find a plethora of consultants who could support it for is
    3. We would not be locked into a site requiring possible future bespoke costs.

    Now councils (especially parish) don’t all have IT departments. They either rely on the focus of well meaning volunteers or they buy in external help. The larger the council the bigger the administration the greater the likelihood of people being able to manage the websites. However a council is a pretty busy organisation and if you had to place website security in the queue of issues like Road Repair, Drain clearing, Town Management, Social Services and Community Care, Planning and development, salaries, payroll, daycare and events you will always find it near the bottom of the list.

    So what this leads to is consultancies will step in and try to mitigate the risk and provide services. So when you look at the unsecured state the one aspect you have not been able to extract in the data of your presentation is ... who is actually hosting and being responsible for this .. contractually speaking. I think that would make an interesting answer as it will then lead to the question how much are we paying for these sites to begin with and what level of national organisation can be created to help monitor them.

    It's not beyond the whit of our community, people like you and I Terence, to make a proposal to help manage and reduce these risks for our state.

    One of the reasons I put my name on a ballot paper every election is because I believe that our Local democracy needs people like us with good core technical skills to represent ourselves on the council meetings to help reduce this management issue one site at a time.

    Reply
  2. slipstream Image of slipstream

    Well when you have people selling stuff like Gov Rocket, a list of 10 or so websites with .gov somewhere in the domain name, that host comment sections, (with the intent that buyers will spam the comments section to get backlinks), it's no wonder that some .govs are filled with spam.

    Heck, over 1250 people bought Gov Rocket...

    I should check the sites mentioned in the "review copy" I have, and go see how much comment and trackback spam are on those sites...

    Reply
  3. Matt Image of Matt

    Only when IT security is given the the same or better attention than say occupational health and safety will this kind of nonsense stop. What council would open a public park that was full of scammers trying to flog knock off tat?

    Reply

What Do You Reckon?