I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseum, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it comes to technology which - given that our country's future relies on technological progress - is more than a little depressing.

The UK has a specific second-level domain for schools: .sch.uk. While not all schools use this (more on that later) it provides a handy starting point when looking for hacked websites.

I've been working with journalists from Infosecurity Magazine - let's take a look at what we found.

Pornography

Several schools have been hacked to hide pornographic content on their websites. Two particularly egregious examples are:

The Churchfield CE Primary School which contains hidden pages directing users to extreme content (I've pixelated the rather graphic image). In this case, the sexual content is linked to from the front page of the website:

Portal House School is a small Special School for pupils who experience Social, Emotional and Behavioural Difficulties. Hidden within its pages are reams of sexually explicit content. The hackers are linking to externally hosted sites which then receive an SEO boost when search engines crawl a "trusted" .sch.uk domain.

Drugs

Bishop Challoner is a Catholic Federation of Schools. Several pages on their Tower Hamlets' website have been redirected to online pharmacies. Spam filters are reluctant to block messages which seem to link to legitimate pages. These hacked school sites are an unwitting pawn in the war between pill-pushers and spam software.

Gambling

Notton House is a Residential Special School. Its website is infested with gambling advertising.

Redland Primary School is an otherwise charming educational establishment - which appears to be promoting a variety of gambling activity to its visitors.

Counterfeit Goods

Bristol Metropolitan Academy has a WordPress site which has been severely compromised and now displays links to all manner of fake goods.

Essay Writers

While I hope children at Gosfield Primary are being intellectually stretched, offering them essay writing services may be a little extreme!

Over the last few weeks, journalists from Infosecurity Magazine have attempted to contact all the schools mentioned. Very few of them responded, and the majority of sites are still compromised.

How Endemic Is The Problem?

The Department for Education have a database called EduBase which lists details about every school under its purview. In a wonderful display of Open Data, anyone can download the database (a 36MB CSV) to investigate.

The data aren't all of great quality - there appears to be a lot of duplication, missing or corrupt entries, and some which are simply wrong.

That said, the headline figures are:

• 43,866 schools.
• 25,251 websites.
• 11,249 using .sch.uk.

Over half of schools with a website don't use .sch.uk - instead they're using .eu, .org.uk, .cc etc.

It's simply not possible for any individual to monitor all those domains. Indeed, schools quite often don't have the requisite skills to maintain and protect their websites. The majority of broken sites I've checked have been run by the private sector - who are apparently not paid enough to secure the sites.

As I've said repeatedly, this sort of security needs to be handled centrally. It should be the job of the Local Education Authority to set minimum standards for website security (and usability, reliability, all the ilities!). If individual schools are unable to meet those standards, then the LEA must intervene and directly manage the website. If the LEA is incapable or underfunded, the DfE should ensure that UK schools' websites are not a total embarrassment.

Many thanks to Dan Raywood from Infosecurity Magazine for all his help with this post.

Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any competent site owner.

What Is An Open Redirect?

A redirector is a small web service which takes the user to a new web page. It's a simple enough concept - if you visit: http://www.planningportal.gov.uk/PpWeb/jsp/redirect.jsp?url=http://bbc.co.uk

you'll be taken to the BBC's homepage. It's an older technique which allows a website to track which external links you clicked on.

Unfortunately, this can be abused. Spammers can use links like: http://GoodSite.com/?url=BadSite.com to trick people into visiting illegitimate web pages.

When those links are used in an email, it can help bypass spam filters. The presence of a .gov.uk domain adds the appearance of legitimacy to any phishing attempt.

Abuse of Open Redirects is perfect for phishing, spamming, trolling, and all manner of digital nastiness.

What Does It Look Like?

Here's the NSFW portion of the blog. Google crawls the web - and your emails - looking for links. When it finds them, it adds them to its search index. We can ask Google to give us all the results for the word X on website Y by performing a search for "X site:Y".

This lets us see all the times a UK Government site has been used to spew spam.

As a guess, the spammers have abused the open redirect and pasted those links on forums, in comments, and social media. Google dutifully follows and indexes them.

PlanningPortal.gov.uk is the only UK Government site which I could find which has this vulnerability. The US Government has vastly more sites with this particular problem - many of which seem to link to deeply disturbing content.

How to stop such wickedness?

There's an easy way, a hard way, and a pragmatic way to prevent this sort of vulnerability.

The easy way is - don't use a redirect service. If you want to link to an external website, just use a normal link. There really is limited use for them these days. Tracking can be accomplished by JavaScript analytics libraries without hijacking your user's browser.

The hard way is - create a whitelist of sites which can be linked through your redirect service. This is difficult because someone has to constantly maintain exactly which links are allowed through. You also have to manage which links are broken or are no longer acceptable.

If you absolutely need an open redirect and don't have the staffing levels to manage it, the pragmatic solution is this:

Final Thoughts

This isn't a new or innovative attack - Google have been warning about this vulnerability for the last 7 years!

Websites need constant care and maintenance against an evolving threat landscape. If a site contains such basic errors, I think it's reasonable to suspect that it is probably dangerously broken in other ways.

The UK Government should be holding GOV.UK website managers to a higher standard than this.

As the Police policers you'd expect their website to be copper-bottomed. That they would detect anything amiss when inspecting their thin blue links. Mind you, some web developers are a law unto themselves.

Yeah, yeah, these puns are unbearable.

Fine. Whatever.

Amusing photo by kind permission of the inimitable Paul Clarke.

As I was responsibly disclosing the flaw, the HMIC team were busy moving to a shiny new website which is mercifully free of the problem.

If you're running a website - especially a Government one - please take the time to understand the risks involved.

It only remains for me to ask the eternal question: quis custodiet ipsos custodes custos telam?

Evenin' all.

Read more about "The Unsecured State", a series of blog posts examining security mishaps of UK Government websites.

These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing unit, they encourage you to report crimes online.

The more astute of you will have noticed that the form is insecure. There's no https:// at the start of that URL. This means any confidential information that you send is transmitted across the Internet in the clear. Anyone sat between you and the police can intercept the data you send and - potentially - change it.

This is sub-optimal - especially for a police force which is seemingly tasked with protecting us from online meanies.

Being the "helpful" chap that I am, I called them out on it. Only to receive these very disappointing responses.

Terence Eden is on Mastodon

@edent

.@CityPolicePIPCU Do you offer a secure way to report crime? Your form isn't available via https.
cityoflondon.police.uk/advice-and-sup…

---

Police Intellectual Property Crime Unit

@CityPolicePIPCU

Replying to @edent@edent If you would like to report a fraud or internet crime online please visit the @actionfrauduk website actionfraud.police.uk (1/2)

---

Police Intellectual Property Crime Unit

@CityPolicePIPCU

Replying to @edent@edent if you would like to report a crime that took place in the City of London you can report online at: cityoflondon.police.uk/contact-city-p… (2/2)

---

Secure communications between the public and with websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security.

So, let's take a look at every UK Police Force website and see which of them have a secure connection.

I've taken the list of forces from the excellent data.police.uk - along with a few more I found along the way. I've specifically looked at their online crime reporting / contact us pages. Ideally all of the site would be secure - but let's not run before we can walk, eh?

I've tried to be as accurate as possible with these data - corrections and updates gratefully received.

You know what - that's a lot better than I was expecting, but it's still pretty dismal.

Several forces - even small ones - routinely secure their entire site. It's good to see that several make a point of securing the contact / reporting pages. Some larger forces need a bit of a push to get their websites in order.

Depressingly, some sites do use https - but the user needs to manually type it in to their URL bar! Why bother having https if you don't automatically redirect your users to the secure site?

In this day in age, there's no reason to encrypt only certain areas of your site. The technical overhead of secure communications is trivial and reinforces the idea that security is important to the police.

If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet basic security standards.

Update - 15-August-2014 Have just heard back from the City of London

... the City of London Police have fixed the problem and the relevant forms are now secure and live. We’ll continue to test them to ensure they stay that way and this doesn’t happen again. Thanks for taking the time to contact us

Terence Eden is on Mastodon

@edent

My blogging fu is mighty!
Thanks @CityPolicePIPCU for fixing your site.
shkspr.mobi/blog/2014/08/s… pic.x.com/iu0ZA7tnCw

---

I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I'd discovered.

"Oh," I said, "It's pretty easy. Let's take a look at your website. If I were to type some HTML into your search box, you would expect that the site would recognise it as dangerous content and refuse to display it."

A few clicks later...

"Ah," the FSA lady said, "Let me just make a quick phone call...."

A little while later, it was fixed.

This is not about minor councils and tiny departments. The FSA has a multi-million pound budget and, no doubt, an extensive tender process for its expensive website. How do security flaws like this continue to sneak through?

Is it enough to assume that a large, experienced web designer will be competent?

Should there be standardised products and services used to ensure a bare-minimum level of security?

Does the Government need to produce a thousand page "Compliance And Best Practice" document to ensure every i is crossed and t is dotted?

I honestly don't know the answers to these questions.

Security is like usability - it's not one of those things which can be tacked on at the end of a project once the "real work" is done. It has to permeate every aspect of design and creation.

So what has been the reaction?

The Good

Privately, I've been contacted by people within the Civil Service who are working hard to make things better. I wouldn't exactly say they're overjoyed with what happened - but they're certainly pleased that external people are highlighting the problems.

I've sent highly detailed reports to people who should be responsible for these flaws. On the main, they've been very happy to receive them.

I've had one or two "interesting" conversations with people who think that I should leave well enough alone. They fear giving up power to central government. That's a legitimate concern, but when a site owner has demonstrated their inability to perform basic website security, I think it is reasonable to expect them to surrender responsibility to those who are more capable.

I am convinced that some sections of the state are treating this as a serious problem. They are working hard to make things better - it will take a long time, as is to be expected with a large organisation, but a change has started.

The Press

The coverage has been fairly widespread - although not as I had expected. It's always temping to assume that other people understand the narrative vision you're tyring to accomplish. I thought that the abandoned websites would get more traction than it did - in the end it was the spoof Michael Gove post which really grabbed the public imagination.

Here are a selection of news sites that I've found talking about the stories.

• The Telegraph
• Political Scrapbook
• TES
• PC Pro
• Graham Cluley
• The Independent
• The Drum
• ZDNet

And the Daily Mail. Although I won't be linking to them!

The Political

One frequent comment I got was that I should avoid putting political commentary in my technical blog posts.

• It weakens the argument.
• Some people will be reluctant to share the post.
• My political analysis isn't as well developed as my technical analysis.
• I risk alienating the people who are likely to help.

I see the validity in those arguments. There is certainly a risk that people dismiss the problem because I highlight a specific political opinion. That's a risk I'm happy to take. It is simply impossible to address these issues without exploring the underlying reasons why they have occurred.

I am a political person. The actions our politicians take do affect me. I am aware that my politics are probably not the same as yours, dear reader - but I see no valid reason not to include my political thoughts on blogs which involve politicians and the government.

It's not enough to point out that the Emperor has no clothes - I have to point out that his advisers are in the pay of fraudulent tailors and that his policies have directly lead to this disastrous situation. To do otherwise would do a disservice to the argument. We cannot analyse a problem without determining its cause and, when the government is failing to protect its websites, we must look at the political causes.

Politics is the art of making public choices, and we do not make an issue less political by denying that there are choices involved.

Technology is not neutral. Service design is not neutral. Decisions about priorities and resources are not neutral. There are some important questions facing the future government – any future government – about where digital goes next.

...

[T]hose debates are intrinsically political, because digital is political.

Stefan Czerniawski - PublicStrategist.com

Final Thoughts

I'm sure I will be returning to this subject in the future. For now, I'm happy to leave it in the hands of those fine people within the state who I know are working hard to resolve this situation.

We have an opportunity to fix this mess - and I like to think that I've played a small part in the process.

Thank you for reading, I hope you have found it useful.

Rather than hack on any of the provided datasets, I wanted to work on an interesting way to present all the security flaws I had found in Government websites.

I teamed up with Mark, Marcello, and Orlando - together we created "Corkr - Plugging the Government's Digital Holes"

We were looking for different and interesting ways to visualise the data. Interactive infographics, space-trees, leader boards, top-trumps - all classic staples of hackdays.

In the end, we thought what would be the most visually impressive would be to present the sites on a map. That way we could show the scale of the problems - and let local authorities know where they needed to target.

It's hard to quantify just how bad the bugs are - is a single SQL Injection worse than two XSS flaws, for example - so we settled on just doing a raw count. Marcello and Orlando were able to convert the wpscan results files into JSON - which made doing the calculations a lot easier.

Mark, our graphics / UI guy came up with a really strong design to help showcase just how bad some of the problems are. We decided against revealing the nature of the vulnerabilities and instead went for a traffic light system.

Using OpenStreetMap and LeafletJS meant it was incredibly easy to create lush looking maps which were zoomable. Adding markers to specific locations was also really easy.

Where In The Country Is A Website?

Some websites have a defined geographic location - a tiny Parish Council's website can reasonably be centred on a map.

The WHOIS data for *.gov.uk sites is not standardised. Very few of the sites spat out a Post Code when queried. Going to each website and looking for a "contact us" link was just too much work for a hackday - so we cheated!

Google has a pretty good API for getting the geographic location from a search query. So I manually converted all the domain names into something Google could use. For example "10downingstreet.gov.uk" became "10 downing street" (used as an example - it's not a vulnerable site).

Here's the PHP code:

$location = $argv[1];
$json = file_get_contents('https://maps.googleapis.com/maps/api/geocode/json?address='.$location.',%20uk&sensor=false');
$obj = json_decode($json, true);
echo $obj["results"][0]["geometry"]["location"]["lat"] . ", " . $obj["results"][0]["geometry"]["location"]["lng"];

Now, obviously that requires a lot of copying and pasting. Luckily, Linux makes it very easy to automatically copy the output of a script onto the clipboard:

php -e locate.php West%20Byfleet | xclip -sel clip

And then we created a master JSON file which tallied up the number of flaws, where the sites were, and what they were named.

And then we did the same for the NHS sites!

In the end, due to time constraints, we only managed to get around 200 .gov.uk sites and 150 .nhs.uk sites.

And so, on very little sleep, we demo'd it...

The Competition

As ever with Rewired State, the standard of hacks was incredibly high. They ranged from the silly (dating MPs) to the serious (statistical comparisons of local areas). We presented towards the end, and were painfully aware of just how tough this was going to be. When you're up against a physicist using LIDAR calculated height data to infer shadow mapping and Pseudo-facial recognition using photoresistors, you know you're competing against the very best in the UK.

I am delighted to say that we were one of the four winners!

Rewired State

@rewiredstate

And the winners are corkr, alertin time, dataforce and shadow mapping!

---

Elliot Hughes

@ElliotJH

#nhtg14 Corkr was one truly awesome hack, final winner

---

Dan Palmer

@danpalmer

Last but not least, Corkr, the government web security audit, was great. Really good to highlight security! #NHTG14

---

Steve U

@Steve_Upton

.@edent, @marcelloseri, @M6_D6 and @orliesaurus built a leaderboard of .gov vulnerabilities hacks.rewiredstate.org/events/nationa… pic.x.com/kry2iz0td8

---

Julia Higginbottom

@gabysslave

And the final winner is Corkr #nhtg14

---

Some Thoughts On The Day

It was an absolutely amazing weekend. The food was good - and healthy - there was a wide range of people and some top notch government people there to talk with.

It might have been nice to have a bit more of a formal "what are people working on" session at the start. With 80ish hackers it may have taken some time, but it would have helped people introduce themselves and recruit for teams. All in all, a minor concern.

Prizes. I've written before about the corrupting influence of big money prizes. Luckily, the prizes on offer at #NHTG14 weren't jewel encrusted! About £30 - £40 worth of tech - plus some O’Reilly books. Just the right sort of level - not so extravagant that people would be gutted to lose, but expensive enough to make you go "Ooooh! What a lovely treat!".

Of course, the real value is in the taking part. And that's not just hokum; it really is.

Stef

@stef

Such polished, thought through hacks. Hack-for-the-prize-money hackathons? Ha! I’d take a book and a cheer from my peers every time! #nhtg14

---

Terence Eden is on Mastodon

@edent

Replying to @stef@stef damn straight. It's not about the prizes - it's about being around & taking inspiration from people doing *their* best.

---

For me, I think the real prize is making the government take notice and fix their broken sites. I think that is slowly happening - but a bit more on that later.

Congratulations to all the teams who took part - and many thanks to the judges for their impeccable taste.

The primary cause of the vulnerabilities I've exposed over this series is abandonment.

In a flurry of excitement a website is commissioned and created. Then, as time wears on, people begin to drift away from the project. Job titles change, people are reshuffled, and senior management's gaze focuses elsewhere.

Who is now responsible for updating and maintaining the software? No one. Like an unwanted puppy, it has been abandoned on the street and proceeds to pick up all manner of diseases in its malnourished state.

So we move on to the tragic fate of the abandoned Public Inquiry website. Long after "lessons have been learned" these sites stand in monument to the vast human undertaking required to make sense of a tragedy.

Not so much.

Leveson

The Leveson Inquiry last updated its website in November 2012. Since then, it has been left to rot. Much like the Noble Lord's proposals on regulating Britain's feral media.

• The admin page is freely available - although "protected" by an expired SSL certificate.
• The search functionality is broken. Reducing its usefulness.
• The outdated WordPress 3.7.1 powers the site.

That's fairly mild. As weeks turn into years, we can expect the site to decay further.

What about Inquiries which ended many years ago? The National Archives maintains a list of all previous inquiries and an archive of their original websites.

Taking a look through some of the more high profile site reveals a very sorry state.

Victoria Climbié

Victoria Climbié was tortured and murdered by her guardians. The public inquiry, headed by Lord Laming, had a hugely positive effect on the way child protection works in the UK.

The official report - along with hundreds of news sites - still link to this long abandoned site.

Rather than keeping the website running, keeping all the documents in public view, the domain was allowed to lapse.

Where upon a "Mr Benedict Sykes" bought the domain, and it became stuffed full of barely related keywords and adverts.

Benedict is a "creative, innovative and extremely credible Online Marketing Manager".

I'm not sure how credible it is to take a report into a murdered child and then use it to sell links to investment guides and addiction councelling. But then I don't have the same well defined set of ethics as Mr Sykes...

At Benedict we adopt a simple ethical code for all online activities taken on behalf of our clients. Our ethics are based around our belief that the internet's true purpose is to supply users with the right information at the right time. We abide by Google's rules and go further in being guided by our own philosophy on what the internet should and could be one day.

Benedict's Ethical Philosophy

A fine way to profit from a child's senseless death.

Harold Shipman

The serial killer Harold Shipman murdered around 250 people. The inquiry into his activities found serious failings in the way the state controls doctors, pharmacists, and coroners. The total cost of the inquiry was £21 million.

That wasn't enough money to keep the site registered in perpetuity, apparently.

It has now been taken over by Gary Taylor - an affiliate marketer - who has redirected it to a spam site full of loan adverts.

Both the Shipman Inquiry website and the new spam site are registered to Gary. He links to the personal loans site in his Google+ profile. On his personal website he boasts about his SEO prowess.

It's not Gary's fault that the Government couldn't be bothered to keep the site running - indeed, he appears to have bought it from some other 3rd party.

The site should have been left standing in memorial to the victims. A tribute to let their families know that the state recognises their loss and will do everything in its power to stop such horrors from being inflicted on other people.

But now it's just a sordid way for the Midlands Young Entrepreneur Of The Year (2008) to make a few quid.

Bloody Sunday

After £190 million and 10 years, the Saville Report into Bloody Sunday was published in 2010.

Despite all that time and money, the site is now a haven for spammers. Thousands of news websites point there, countless newspapers will have made reference to the site, all now unwitting pawns in an anonymous spammer's SEO Expert's game.

The Iraq War

Hey, remember when the Security Services said Iraq had Weapons of Mass Destruction which could be launched within 45 minutes? Yeah, turns out they lied.

The Butler Review came to the conclusion that the "intelligence" which used to justify the war with Iraq was unreliable.

The Hutton Inquiry investigated the apparent suicide of Dr David Kelly. Prior to his death, he had been exposed as the person behind claims that the Government "sexed up" the intelligence relating to Weapons of Mass Destruction.

Both Inquiry websites are now used by spammers. Profiting from the bloody consequences of war - all because the British state cannot pay for the upkeep of a few websites.

&c.

And so it goes on. There are around a dozen Public Inquiry Sites which have been allowed to lapse and are now in the hands of spammers.

Even when the government has managed to keep hold of the domain - they aren't managing their portfolio properly. Zahid Mubarek was murdered by a violent racist after the prison service placed them in a cell together. The Home Office spent year resisting calls for an inquiry until the Law Lords ordered David Blunkett to set one up.

Today www.ZahidMubarekInquiry.org.uk is still owned by the Home Office - but no longer has a working website behind it. It's as if they want to flush the reports of an institutional racist prison service down the memory hole.

This is our digital heritage - and it is being squandered.

Legacy

Over the last week I've exposed how Parliament's website was open to attack, how a key Department for Education database could be hijacked, that the NHS is riddled with insecure websites, and that local government websites don't fare much better.

There needs to be a radical re-think in the way that the state approaches digital infrastructure. This means long term legacy planning - not just thinking in terms of election cycles. It means employing people who know what they are talking about - not just the heads of "Think Tanks". It means no longer being afraid of technology - but rather embracing the promise it brings of a better world for all.

Sadly, for now, when dealing with the UK Government's attitude to their websites, I think it best to hang a large banner above your browser reading "Lasciate ogne speranza, voi ch'entrate"

Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running ancient and unsecured software, languishing unmaintained and long since abandoned.

What are the consequences of failing to invest in security and maintenance? The websites become a haven for cyber-criminals. They exploit weaknesses in the sites and use them to push dodgy pills, fake goods, and all manner of illicit schemes.

The exploits which we are about to see range from the trivial - comment spam - to the extremely serious - complete site takeovers.

All the sites mentioned in this blog were notified on 19th February about the specific flaws found. I've no idea how these sites were compromised, nor whether any citizens' data are at risk. All I know is that a disastrous attitude to "cyber security" is rotting away within the *.gov.uk namespace.

Complete Site Takeover

This looks like the perfect site to by some "Genuine* Fashionable Boots", doesn't it? It is seemingly hosted with the endorsement of the Conservative run London Borough of Hillingdon. One of the most prosperous borough in London, and they can't even afford to hire a website security team.

—❦—

The Leadership Centre is funded by the government department for Communities and Local Government. Its mission?

We believe it takes great leadership to create thriving and prosperous communities so we work with and support senior leaders from across the public sector to help them shift their thinking on leadership.

Sadly, that doesn't extend to thinking about leading technology teams. The site has been abandoned for around the last 3 years. In that time, it has become riddled with spam.

—❦—

At the other end of the spectrum, we have the tiny borough of Amble. With a population of barely 6,000, their website plays host to a number of webpages extolling the virtue of knock-off boots.

—❦—

The town of Kidwelly is nearly 900 years old. It has a rich history including medieval castles, nature reserves, and an annual festival.

As far as Google is concerned, it also maintains a cottage industry for cut-price "blue pills".

Having spoken to the council, they have told me that the local police are currently dealing with the matter.

—❦—

Can we reasonably expect small parish councils under the yoke of austerity to have top-notch web security teams? If they are able to find the resources necessary to fund the protection of their digital assets, that's great - but it's highly unlikely.

Instead, Central Government needs to heavily invest in making sure that all councils - big and small - are able to competently run web sites and services.

Comment Spam

Every blog attracts comment spam. Fraudsters leaving vaguely plausible comments in the hope that publication will see a flurry of extra hits on their site. The bigger and more prestigious the site, the more likely the site is to be targeted. And the .gov.uk name is very prestigious.

Amongst the Government sites playing host to spam is the Foreign and Commonwealth Office's blog page for the British Ambassador to Somalia.

—❦—

The Northern Ireland Assembly is the devolved legislature for Northern Ireland. It has hundreds of comments, seemingly all of which promoting dodgy deals.

—❦—

A book of condolence in Oldham for a much loved community member now plays host to spammers.

—❦—

Lewes, and many other councils, have open forums which are overrun with spam messages.

—❦—

Even the UK National Archives have seen fit to save some comment spam for future generations to ponder.

Hidden Links

Finally, we get to the murky world of hidden links. These are spamming messages not designed to be seen by humans. They are hidden within the web pages' source code in the hopes that Google and other search engines will see them and increase the spamming site's popularity.

The spam covers the usual range from pharmaceuticals to knock off designer goods.

Again, there are several sites which exhibit this malicious behaviour.

What Can Be Done?

The State needs to take responsibility for the websites run in its name. If site owners are unable or unwilling, then those sites should be removed from the web. It is simply too dangerous to allow them to stay online without decent security measures in place.

It is time that the Government started to treat cyber-security as a serious subject. They love putting out press releases, and making grand sounding plans with shadowy agencies - what they need to do is spend some money on basic front-line services.

Britain's National Health Service is riddled with old and insecure WordPress-based websites. Many of these sites have severe flaws including being vulnerable to XSS attacks.

There is absolutely no suggestion that patient data or confidentiality has been put at risk.

These flaws were discovered passively using the information which was returned by the web server following a normal request. I have not exploited any of the holes found.

All these flaws were responsibly disclosed to Department of Health Officials in January 2014. Throughout February I was repeatedly in contact with various NHS officials trying to get them to do something about these problems.

This is a technical look at how I found these flaws. Please buy the latest edition of Computer Active to read the full story.

Step 0 - Was This A Problem In The Past?

In 2009, a security researcher discovered a severe security flaw in one of the NHS's websites. I wondered if the NHS had improved its web security practices in the last 5 years.

Step 1 - Get All NHS Domain Names

I initially thought there would be a public list of all the NHS's websites. There isn't. Thankfully, Rob Aley had made a Freedom of Information request a year ago which I was able to use.

The list dates from January 2013 - so it doesn't contain any of the more recent domains. However, as any WordPress site created in the last 12 months is (hopefully) free of vulnerabilities, that's not too big an issue.

So, with 5,000 domains in hand, it's on to....

Step 2 - Look for Vulnerabilities

There were five main classes of vulnerabilities I was looking for.

1. Old WordPress versions.
2. Server Information.
3. Directory listings.
4. Unsecured login pages.
5. XSS Flaws.

Finding the WordPress version is simple enough. Most sites will spit out a header in the HTML which says:

<meta name="generator" content="WordPress 3.5.2" />

If the administrator is sensible enough to have hidden that header, we can still infer which WordPress release is running by looking at which JavaScript libraries are bundled with the site.

Server information means we can see if the website is running on old, unpatched software. Directory listings allow us to see all the files on the server. Better hope there's nothing confidential on there!

Unsecured login pages means that anyone can guess the address of the login page. Without suitable protection, repeated login attempts can be made until. Unless the site is running SSL (and most aren't) the username and password are sent unencrypted. Better hope no one is logging on over public WiFi!

Finally, on to XSS. The easiest way to test is to search for an HTML string and see if it is returned.

Testing each one of these manually is possible - although a right pain in the arse - so I turned to...

Step 3 - wpscan

The Open Source software wpscan is a simple tool - you give it a URL and it finds every single WordPress vulnerability on the site. It tells you the version, what bugs are present, whether the site is likely vulnerable the XSS, and all sorts of other interesting details.

Right, time to get started!

Step 4 - Scanning

Sadly, wpscan doesn't have a batch mode. Nor does it play well with parallel processing. That means running it in serial.

Taking a list of NHS domains in a .txt file, it's relatively easy to extract each one, scan it, then dump the result to a text file with the same name as the domain.

cat nhs.txt |
xargs -iURL sh -c './wpscan.rb --follow-redirection --url URL > URL.txt'

In order to stop wpscan asking me every time it couldn't find plugin directory, I patched the wpscan.rb file.

unless wp_target.wp_plugins_dir_exists?
  puts "The plugins directory '#{wp_target.wp_plugins_dir}' does not exist."
  puts 'You can specify one per command line option (don't forget to include the wp-content directory if needed)'
  print 'Continue? [y/n] '
  #unless Readline.readline =~ /^y/i
  #  exit(0)
  #end
end

With 5,000 records to check, it was bound to take some time. Thankfully, not all the sites run WordPress and wpscan only takes a second to ignore a site it can't scan.

The scan ran at about 7 URLs per minute. Meaning the whole thing was done in less than half a day.

Step 5 - Parsing The Results

Out of the 5,000 domains, 358 were identified as running WordPress.

5 were identified as running the extremely old WordPress 2.X!

How many potential XSS vulnerabilities were found? 597. Several of the sites were identified with multiple potential exploits (I say "potential" because they were not all manually checked).

After running the reports, parsing the data, summing the number of XSS, privilege escalation, open redirects, and other miscellaneous bugs - I came up with the linkbait conservative total that over 2,000 security bug were identified.

Step 6 - Calm Down

It's important to note that these are suspected vulnerabilities. The wpscan software isn't perfect - some of the flaws it detects may be mitigated by other measures.

Many of the problems are "Privilege Escalation" vulnerabilities. This means that the secretary who updates the opening times, may be able to assume the role of an administrator and do some serious damage. This makes it unlikely that an external malicious user could exploit these flaws.

Ok, so what about the ~4,500 sites which aren't running WordPress? Are they secure? No!

Step 7 - Look for Non-WordPress Vulnerabilities

There are a number of sites which don't run WordPress which are still vulnerable to XSS attacks.

Nearly every single site built by a particular Norfolk based company had a confirmed XSS vulnerability.

These were found by manually searching for an HTML string and seeing if it was returned unescaped.

After repeated contact, and some hand-holding, they were able to fix dozens of vulnerable sites.

Step 8 - Responsibly Disclose the Problems

It's really hard to contact the Department of Health to report these issues to them. I'm lucky enough to have some friends in the Civil Service who were able to escalate my concerns - but even then I seemed to hit a brick wall.

I tried contacting individual website owners - who mostly forwarded me on to other people who then ignored me.

I contacted the Department of Health directly and provided screenshots of the problems - no reply was forthcoming.

Finally, I contacted James Temperton, the award winning journalist from Computer Active. James was the only journalist who responded to my request for a PGP key in order to communicate securely. In the age of Snowden, it seems bizarre that computing journalists don't take the minimum amount of effort to provide a secure contact channel.

With James' help, I was able to craft this story and he was able to contact the PR people at the Department of Health. You can read James' story in the latest issue of Computer Active.

What I Learned

Many Doctors' Surgeries in an area will all use the same cheap, private sector contractors to built their site. If there's a bug in one - that bug is present in hundreds of other sites.

On 12th February, I finally heard back from someone senior within the NHS. They explained that the Department of Health has no central control over NHS websites. As a result, sites fall through the cracks as local teams change. Consequently, in many cases there is simply no way to contact the website owners.

Abandoned Sites

I've tried to disclose the flaws to the site owners and directly to the Department of Health. In some cases - such as the following - no one is responsible for the site!

I contacted the designer - he passed me on to the agency commissioned to design the website. The agency passed me on to the NHS group they did the work for - which has since been re-organised. They passed me on to the local government contact who is meant to be responsible. She cannot find out who currently controls the site.

The Department of Health, HSCIC, local government, and NHS Care Commissioning Groups are all abdicating responsibility.

So now we have a situation where the NHS has lost control of its websites. They can be used to host spam and malware, hijack their usernames and passwords, or scam patients into giving up confidential information.

Recommendations

I love WordPress - this blog runs it, as do many more sites I administer. Like any software, it needs to be kept updated and maintained.

It's clear that many NHS websites are not being actively maintained. That's a serious failing. I don't think it's an exaggeration to say that looking after a website is as important as cleaning a hospital.

Ok, maybe a bit of an exaggeration. But XSS flaws are especially pernicious when they're on a trusted domain like nhs.uk. It's clear that the fractured nature of the NHS means that private companies are free to exploit small NHS practices. Many of these vulnerable sites have been delivered by private companies with no thought of the public harm they are doing.

Earlier this year, Sam Smith asked a very important question:

Sam

@smithsam

Why isn’t there an NHS Digital Service yet? (as in #GDS)

---

It's clear that neither tiny NHS practices nor megalithic Trusts have the experience to commission and run simple websites. The ideological desire for "competition" has lead to a waste of millions of pounds of taxpayers' money and resulted in horrendous security flaws throughout the NHS.

Public health is too important to leave to the "invisible hand" of capitalism's free market. We need a strong, centralised management which can produce and enforce best-practice across the NHS's web portfolio.

It's time that the Secretary of State for Health, Jeremy Hunt, stopped trying to undermine the public sector ethos of the NHS and, instead, concentrated on making it stronger. Rather than setting the NHS up to fail via phoney "competition", he should be ensuring it works together as a community to ensure the security of the NHS's digital portfolio.

The Official Response

After raising this through multiple channels - including directly to some of the site involved and to GovCertUK - this is the official reply we got from HSCIC on 18th February.

In relation to nhs.uk sites, the HSCIC's role is to process applications to use the domain name from NHS organisations and provide permission for its use, where appropriate. However, responsibility for the maintenance and security of sites using the nhs.uk domain sits with the organisation running each website or service.

The HSCIC is currently drafting some additional guidance, in support of our existing technical guidance, to be issued to all applicants receiving permission to use the nhs.uk domain. We are grateful to the individuals who have alerted us to these issues so that we can take them into account when drawing up this document.

A Special Message To Tim Kelsey about care.data

If the NHS can't be trusted to secure their websites - why should I trust them to secure my confidential medical details?

That's why I've opted-out of care.data and you should too.

Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the case.

Don't Press This Button

Pressing this button will send a POST request to the Department of Education's EduBase website.

Up until yesterday, the site would blindly echo back anything that was sent to it. Which resulted in the page looking something like this:

Code

HTML forms can direct your browser to POST information to any site. It's even possible to hide the data from the user - so all they see is a big button to press.

<form method="post"
   id="quickSearch"
   action="http://www.education.gov.uk/edubase/home.xhtml" >
   <input id="establishmentName.value"
          name="establishmentName.value"
          type="hidden"
          value="<h1>XSS Demonstration</h1>
                 <h2><a href='http://www.teachers.org.uk/campaigns/protect-teachers'>Demo link</a></h2>
                 <img src='https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/tumblr_m811uzuyp91rcq3oko1_500.jpg'/><br />
                 <script>alert('JavaScript XSS');</script>"
   />
   <button>Demonstrate XSS</button>
</form>

Mitigation

Always escape untrusted data! Read the OWASP cheat sheet for more information.

When such a flaw is discovered and then reported, it is imperative that you have a plan to rapidly secure it. It took 27 days to get the fix into production. I've no idea how long it was open for - or how many people exploited it in that time.

In this case, the Department for Education have outsourced EduBase to Texuna - a technology partner. Texuna don't have any secure way for people to report flaws to them and, when notified, struggled to find someone who could take responsibility.

Texuna seemed to me unable to convey the urgency of the situation to the DfE. A complicated public/private partnership with multiple stakeholders seems to mean that there is no way to escalate security issues.

While it is vitally important to thoroughly test security patches, there's also a very real risk involved in leaving a system unpatched.

This is a textbook example of where outsourcing fails. The ideological agenda which promotes the lowest bidder is doomed to failure when a crisis occurs. Responsibility is diffused, no one is empowered to make decisions, and without proper management oversight critical bugs are left unfixed.

Compare and contrast to yesterday's bug. An identical XSS bug in the Parliament.uk website was fixed over a weekend. Because the Parliament team was centralised and highly motivated they were able to accomplish something a "highly trusted partner" could not.

It is not known how many more of Texuna's client's sites are in a similarly unsecured state.

Timeline

• 5th February. Disclosed to Department of Education and their technology partner Texuna.
• 7th February. Disclosed to GovCertUK.
• 12th February. Contacted the TES Newspaper to allow them to report on the story.
• 26th February. According to Texuna a fix released - to be scheduled for production "soon".
• 28th February. Informed Texuna of publication date.
• 3rd March. Fixed.
• 4th March. Published.

A Special Message For Michael Gove

The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people.

That's why it's so depressing to see such a basic error as this XSS flaw in their search engine.

What Is XSS?

Briefly, some websites will let you display or run arbitrary code on them if you input that code in their search box. (It's a bit more complicated than that - but it'll do for an executive summary.)

By searching for the text

<em>test

We can make the rest of the page display in italics.

This is because the page sees the <em> tag and echoes it back as part of the HTML.

What else can we do?

If we want to be cheeky - we can add iframes and YouTube videos onto the page.

So, if the page will display any code we tell it, can we make it run JavaScript? Yes.

Searching for a string like

<script>alert("hello");</script>

Hey presto, we can "decorate" this page with text, images, video, run JavaScript on there - using Firefox.

Now, what's interesting is that the iframe and JavaScript attacks don't work in the Chrome web browser.

Chrome has a reasonably good Anti XSS filter which strips out most JavaScript and iFrames (although it can be bypassed).

However, Chrome and Firefox both let through seemingly benign text formatting tags, as well as the more dangerous image and HTML5 video tags.

Putting It All Together

OK, so we can have a bit of mischief - but is that all that the bad guys can do? No! Even if they can't run JavaScript, they can still run pretty convincing adverts, or direct people to install malware, or a whole host of other nasty things. Because the domain is parliament.uk it carries with it a significant level of trust.

Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam.

Or, perhaps they are evil. They can send an email to every MP saying:

Please Reset your password - visit http://....

Before you know it, they've gathered the Minister for Administrative Affairs' private details and are plundering Sir Humphrey's vaults.

Yeah, the above doesn't look brilliantly convincing - but would you trust your MP to notice the discrepancies?

Mitigating

The simple rule is that you should never ever print out the content that the user has searched for. If you have to, make absolutely sure that you escape all the characters and enforce strict limits on the number of characters returned.

Browsers should get better at detecting this. While Chrome rightly blocks the iFrame and JavaScript - it thinks text, images, and videos are safe. They're not. In the above examples, the XSS code is echoed in the HTML Title, as well as the URL bar. It should be fairly obvious to the browser that this is an unusual state of affairs.

Disclosure

• This XSS flaw was responsibly disclosed to the UK Parliament on Friday 7th February 2014.
• On Tuesday 11th of February they confirmed that a fix had been put in place.
• The UK Government bug bounty was paid on.... Oh... my mistake...

BONUS SATIRE