Hacker News Network


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Public sector websites vulnerable to InfoWar attacks "named and shamed" at Blackpool Conference.

In order to illustrate the need for a UK national InfoWar reporting hotline, some public sector websites, belonging to the Royal Mail and to the Scottish Executive were publicly "named and shamed" as being vulnerable to foreign InfoWar attackers.

This announcement was made at Secondary DNS, an international Computer Security and Data Protection conference which was held at the Norbreck Castle Hotel, Blackpool, on Saturday 14th August 1999.

website: http://www.dnscon.org
encrypted email: infowar@dnscon.org

A call was made for the establishment of a national UK InfoWar Hotline, where patriotic members of the public can safely "blow the whistle" on weaknesses in the UK's national Internet and Telecomms infrastructure, 24 hours a day, 365 days a year.

These weaknesses will eventually be exploited by criminals, terrorists and other enemies of the UK, damaging our reputation for excellence in information technology, and tarnishing the trustworthiness of the UK brand name in the era of e-commerce.

Both the Royal Mail

http://www.royalmail.co.uk
(and the alias http://www.viacode.co.uk)

as well as the Scottish Executive (formerly the Scottish Office)

http://www.scotland.gov.uk

have all or part of their websites hosted on Microsoft IIS4 web servers, which have not had at least a year's worth of freely available security patches applied to them. This implies unacceptable failures in management procedures under the Data Protection Act.

Consequently, it was possible for attackers, from anywhere on the Internet, to compromise these systems in a number of ways, e.g.

1) Denial of Service attacks (both Post Office and Scottish Executive)

2) Compromise of confidential e-commerce information, including names, addresses and credit card details of the Post Office on-line stamps & envelopes customers

3) Compromise of confidential telegrams from friends and families of our military forces in the Balkans sent to BFPO-Kosovo (Post Office)

4) Damage to the trustworthiness of the ViaCode digital certification authority brand name (Post Office).

Would you buy Digital Certificates or encryption services from a ViaCode which, since its launch in March, cannot seem to get its own webserver and instead uses the Royal Mail server with a rival South African Thawte digital certificate, rather than a ViaCode one?

5) Issuance of fake Press releases from the official Scottish Executive website resulting in political embarrassment (re-shuffle the Scottish Cabinet?) and/or stock market manipulation ("leak" of Scottish Budget details?)

6) Installation of Trojan horse remote control software such as netbus, to take complete control of these webservers, possibly using them as a springboard for further InfoWar attacks on the UK internet infrastructure and other back office or internal systems within the Royal Mail or the Scottish Executive.

Both the web sites were warned about the planned DNS Conference announcement, with 48 hours warning by email to their webmasters, followed up by special delivery "snail mail" to their top management.

To date, only the Royal Mail has responded by fixing the blatant security holes, and publishing a Security Statement on their website

http://www.royalmail.co.uk/ISS.htm

The "process and technology to secure such systems and data" have obviously failed. Serbian hackers, for example, are unlikely to be deterred by threats of civil proceedings.

The senior management of the Royal Mail seems to think that

"Microsoft patches have been applied to the website over the last year although some have been omitted where they are not required for our configuration."

Last Thursday 12th August is technically "over the last year" but the www.royalmail.co.uk systems have been vulnerable for months, so perhaps the senior management are not getting the full picture from their subordinates.

"An external organisation has been contracted to test security on our website ("penetration testing")."

Presumably this external organisation has only just been hired, as it is inconceivable that a reputable one would have missed the vulnerabilities mentioned above.

The Scottish Executive seems to have ignored both the email and "snail mail" warnings, and their website still remains vulnerable.

We strongly suggest that any news reports or press releases published on the Scottish Executive website should be independently verified via email, fax or phone.

We thank you for your attention

For further details, contact us by encrypted email:

infowar@dnscon.org or infowar@hushmail.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN7kFuYOnRwzqxHsCEQLGgQCgxdAAfk lsMt0cnLBQGh3kReSDAFsAoK1mTvtbQRhDQqb3 JXQNDO0C7Dss=QgcM
-----END PGP SIGNATURE-----

These pages are Copyright © 2000 Hacker News Network All Rights Reserved.