This is part 4 of a series of blog posts looking at the security of the UK Government’s web infrastructure.
Over the last few days, I’ve shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running ancient and unsecured software, languishing unmaintained and long since abandoned.
What are the consequences of failing to invest in security and maintenance? The websites become a haven for cyber-criminals. They exploit weaknesses in the sites and use them to push dodgy pills, fake goods, and all manner of illicit schemes.
The exploits which we are about to see range from the trivial – comment spam – to the extremely serious – complete site takeovers.
All the sites mentioned in this blog were notified on 19th February about the specific flaws found. I’ve no idea how these sites were compromised, nor whether any citizens’ data are at risk. All I know is that a disastrous attitude to “cyber security” is rotting away within the *.gov.uk namespace.
Complete Site Takeover
This looks like the perfect site to by some “Genuine* Fashionable Boots”, doesn’t it?
It is seemingly hosted with the endorsement of the Conservative run London Borough of Hillingdon. One of the most prosperous borough in London, and they can’t even afford to hire a website security team.
The Leadership Centre is funded by the government department for Communities and Local Government. Its mission?
We believe it takes great leadership to create thriving and prosperous communities so we work with and support senior leaders from across the public sector to help them shift their thinking on leadership.
Sadly, that doesn’t extend to thinking about leading technology teams. The site has been abandoned for around the last 3 years. In that time, it has become riddled with spam.
At the other end of the spectrum, we have the tiny borough of Amble. With a population of barely 6,000, their website plays host to a number of webpages extolling the virtue of knock-off boots.
The town of Kidwelly is nearly 900 years old. It has a rich history including medieval castles, nature reserves, and an annual festival.
As far as Google is concerned, it also maintains a cottage industry for cut-price “blue pills”.
Having spoken to the council, they have told me that the local police are currently dealing with the matter.
Can we reasonably expect small parish councils under the yoke of austerity to have top-notch web security teams? If they are able to find the resources necessary to fund the protection of their digital assets, that’s great – but it’s highly unlikely.
Instead, Central Government needs to heavily invest in making sure that all councils – big and small – are able to competently run web sites and services.
Every blog attracts comment spam. Fraudsters leaving vaguely plausible comments in the hope that publication will see a flurry of extra hits on their site. The bigger and more prestigious the site, the more likely the site is to be targeted. And the .gov.uk name is very prestigious.
Amongst the Government sites playing host to spam is the Foreign and Commonwealth Office’s blog page for the British Ambassador to Somalia.
The Northern Ireland Assembly is the devolved legislature for Northern Ireland. It has hundreds of comments, seemingly all of which promoting dodgy deals.
A book of condolence in Oldham for a much loved community member now plays host to spammers.
Lewes, and many other councils, have open forums which are overrun with spam messages.
Even the UK National Archives have seen fit to save some comment spam for future generations to ponder.
Finally, we get to the murky world of hidden links. These are spamming messages not designed to be seen by humans. They are hidden within the web pages’ source code in the hopes that Google and other search engines will see them and increase the spamming site’s popularity.
The spam covers the usual range from pharmaceuticals to knock off designer goods.
Again, there are several sites which exhibit this malicious behaviour.
What Can Be Done?
The State needs to take responsibility for the websites run in its name. If site owners are unable or unwilling, then those sites should be removed from the web. It is simply too dangerous to allow them to stay online without decent security measures in place.
It is time that the Government started to treat cyber-security as a serious subject. They love putting out press releases, and making grand sounding plans with shadowy agencies – what they need to do is spend some money on basic front-line services.