The UK's official web infrastructure is in a shockingly poor state.
I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseum, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it comes to technology which - given that our country's future relies on technological progress - is more than a little depressing.
The UK has a specific second-level domain for schools:
<a href="https://en.wikipedia.org/wiki/.uk#sch.uk">.sch.uk</a>. While not all schools use this (more on that later) it provides a handy starting point when looking for hacked websites.
I've been working with journalists from Infosecurity Magazine - let's take a look at what we found.
Several schools have been hacked to hide pornographic content on their websites. Two particularly egregious examples are:
The Churchfield CE Primary School which contains hidden pages directing users to extreme content (I've pixelated the rather graphic image).
In this case, the sexual content is linked to from the front page of the website:
Portal House School is a small Special School for pupils who experience Social, Emotional and Behavioural Difficulties. Hidden within its pages are reams of sexually explicit content.
The hackers are linking to externally hosted sites which then receive an SEO boost when search engines crawl a "trusted" .sch.uk domain.
Bishop Challoner is a Catholic Federation of Schools. Several pages on their Tower Hamlets' website have been redirected to online pharmacies.
Spam filters are reluctant to block messages which seem to link to legitimate pages. These hacked school sites are an unwitting pawn in the war between pill-pushers and spam software.
Notton House is a Residential Special School. Its website is infested with gambling advertising.
Redland Primary School is an otherwise charming educational establishment - which appears to be promoting a variety of gambling activity to its visitors.
Bristol Metropolitan Academy has a WordPress site which has been severely compromised and now displays links to all manner of fake goods.
While I hope children at Gosfield Primary are being intellectually stretched, offering them essay writing services may be a little extreme!
Over the last few weeks, journalists from Infosecurity Magazine have attempted to contact all the schools mentioned. Very few of them responded, and the majority of sites are still compromised.
The Department for Education have a database called EduBase which lists details about every school under its purview. In a wonderful display of Open Data, anyone can download the database (a 36MB CSV) to investigate.
The data aren't all of great quality - there appears to be a lot of duplication, missing or corrupt entries, and some which are simply wrong.
That said, the headline figures are:
- 43,866 schools.
- 25,251 websites.
- 11,249 using
Over half of schools with a website don't use
.sch.uk - instead they're using
It's simply not possible for any individual to monitor all those domains. Indeed, schools quite often don't have the requisite skills to maintain and protect their websites. The majority of broken sites I've checked have been run by the private sector - who are apparently not paid enough to secure the sites.
As I've said repeatedly, this sort of security needs to be handled centrally. It should be the job of the Local Education Authority to set minimum standards for website security (and usability, reliability, all the ilities!). If individual schools are unable to meet those standards, then the LEA must intervene and directly manage the website. If the LEA is incapable or underfunded, the DfE should ensure that UK schools' websites are not a total embarrassment.
Many thanks to Dan Raywood from Infosecurity Magazine for all his help with this post.