Mobiles, Shakespeare, Politics, Usability, Security.

Posts Tagged: unsecured state

A School For Scandal

churchfield.staffs.sch.uk-fs8

The UK's official web infrastructure is in a shockingly poor state. I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseum, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it comes to technology which - given that our country's… Read more »

When GOVUK is NSFW

Page of Google results showing pornographic links on a UK Government pages

I don't particularly like picking on the security of Government websites. I do it a lot - but I always feel guilty about besmirching the good name of the many talented people who work in the Civil Service. Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any competent site owner. What Is An Open Redirect? A… Read more »

Another GOV.UK XSS Flaw

HMIC-XSS

Her Majesty’s Inspectorate of Constabulary (HMIC) are the police who police the police. As the Police policers you'd expect their website to be copper-bottomed. That they would detect anything amiss when inspecting their thin blue links. Mind you, some web developers are a law unto themselves. Yeah, yeah, these puns are unbearable. Fine. Whatever. As I was responsibly disclosing the flaw, the HMIC team… Read more »

Secure The Police!

City-Of-London-non-secure-fs8

Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs. These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing… Read more »

XSS at Food.gov.uk - disclosed and fixed

Food.gov_.uk-XSS-screenshot

A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on "The Unsecured State" - looking at *.gov.uk website security. I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I'd discovered. "Oh," I said, "It's pretty easy. Let's take… Read more »

Reactions to The Unsecured State

Computer-Active-NHS

It has been an intense few months digging through the security failings of the UK Government’s websites and trying to responsibly disclose them. It culminated with a week of blog posts exposing the vulnerabilities - and an award winning hackathon project. So what has been the reaction? The Good Privately, I've been contacted by people within the Civil Service who are working hard to… Read more »

Introducing Corkr at #NHTG14

Corkr-Detail-fs8

What a crazy weekend! I made the last minute decision to attend Rewired State's "National Hack The Government 2014" hackathon. Rather than hack on any of the provided datasets, I wanted to work on an interesting way to present all the security flaws I had found in Government websites. I teamed up with Mark, Marcello, and Orlando - together we created "Corkr - Plugging… Read more »

The Unsecured State Part 5 - Abandoned Inquiries

Climbie-Spam-fs8

This is part 5 of a series of blog posts looking at the security of the UK Government's web infrastructure. The primary cause of the vulnerabilities I've exposed over this series is abandonment. In a flurry of excitement a website is commissioned and created. Then, as time wears on, people begin to drift away from the project. Job titles change, people are reshuffled, and… Read more »

The Unsecured State Part 4 - UK Government Websites Spewing Spam

Hillingdon-Boots

This is part 4 of a series of blog posts looking at the security of the UK Government's web infrastructure. Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running ancient and unsecured software, languishing unmaintained and long since… Read more »

The Unsecured State Part 3 - 2,000+ NHS Security Vulnerabilities (Disclosed)

Breast-Milk-Video-XSS-fs8

This is part 3 of a series of blog posts looking at the security of the UK Government's web infrastructure. Britain's National Health Service is riddled with old and insecure WordPress-based websites. Many of these sites have severe flaws including being vulnerable to XSS attacks. There is absolutely no suggestion that patient data or confidentiality has been put at risk. These flaws were discovered… Read more »