By @edent · schools security Unsecured State · 650 words · read ~980 times.
The UK's official web infrastructure is in a shockingly poor state. I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseum, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it […]
Continue reading →By @edent · gov.uk security Unsecured State · 550 words · read ~503 times.
I don't particularly like picking on the security of Government websites. I do it a lot - but I always feel guilty about besmirching the good name of the many talented people who work in the Civil Service. Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any […]
Continue reading →By @edent · police security Unsecured State · 200 words · read ~207 times.
Her Majesty’s Inspectorate of Constabulary (HMIC) are the police who police the police. As the Police policers you'd expect their website to be copper-bottomed. That they would detect anything amiss when inspecting their thin blue links. Mind you, some web developers are a law unto themselves. Yeah, yeah, these puns are unbearable. Fine. Whatever. As […]
Continue reading →By @edent · police security Unsecured State · 1 comment · 900 words · read ~1,110 times.
Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs. These are all - apparently - within the remit of The City Of London Police. Better report […]
Continue reading →By @edent · security Unsecured State · 300 words · read ~434 times.
A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on "The Unsecured State" - looking at *.gov.uk website security. I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I'd […]
Continue reading →By @edent · Unsecured State · 1 comment · 700 words · read ~237 times.
It has been an intense few months digging through the security failings of the UK Government’s websites and trying to responsibly disclose them. It culminated with a week of blog posts exposing the vulnerabilities - and an award winning hackathon project. So what has been the reaction? The Good Privately, I've been contacted by people […]
Continue reading →By @edent · hackathon hackday hacks rewired state Unsecured State · 1,000 words
What a crazy weekend! I made the last minute decision to attend Rewired State's "National Hack The Government 2014" hackathon. Rather than hack on any of the provided datasets, I wanted to work on an interesting way to present all the security flaws I had found in Government websites. I teamed up with Mark, Marcello, […]
Continue reading →By @edent · gov.uk security spam Unsecured State · 6 comments · 1,150 words · read ~1,616 times.
This is part 5 of a series of blog posts looking at the security of the UK Government's web infrastructure. The primary cause of the vulnerabilities I've exposed over this series is abandonment. In a flurry of excitement a website is commissioned and created. Then, as time wears on, people begin to drift away from […]
Continue reading →By @edent · gov.uk government security spam Unsecured State · 5 comments · 800 words · read ~5,132 times.
This is part 4 of a series of blog posts looking at the security of the UK Government's web infrastructure. Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running […]
Continue reading →By @edent · nhs security Unsecured State WordPress · 7 comments · 1,900 words · read ~11,194 times.
This is part 3 of a series of blog posts looking at the security of the UK Government's web infrastructure. Britain's National Health Service is riddled with old and insecure WordPress-based websites. Many of these sites have severe flaws including being vulnerable to XSS attacks. There is absolutely no suggestion that patient data or confidentiality […]
Continue reading →