-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Public sector websites vulnerable to InfoWar attacks
"named and shamed" at Blackpool Conference.
In order to illustrate the need for a UK national InfoWar
reporting hotline, some public sector websites, belonging to
the Royal Mail and to the Scottish Executive were publicly
"named and shamed" as being vulnerable to foreign
InfoWar attackers.
This announcement was made at Secondary DNS, an
international Computer Security and Data Protection
conference which was held at the Norbreck Castle Hotel,
Blackpool, on Saturday 14th August 1999
website: http://www.dnscon.org
encrypted email: infowar@dnscon.org
A call was made for the establishment of a national UK
InfoWar Hotline, where patriotic members of the public
can safely "blow the whistle" on weaknesses in the UK's
national Internet and Telecomms infrastructure, 24 hours a
day, 365 days a year.
These weaknesses will eventually be exploited by
criminals, terrorists and other enemies of the UK, damaging
our reputation for excellence in information technology,
and tarnishing the trustworthiness of the UK brand name in
the era of e-commerce.
Both the Royal Mail
http://www.royalmail.co.uk
(and the alias http://www.viacode.co.uk)
as well as the Scottish Executive (formerly the Scottish
Office)
http://www.scotland.gov.uk
have all or part of their websites hosted on Microsoft IIS4
web servers, which have not had at least a year's worth of
freely available security patches applied to them. This
implies unacceptable failures in management procedures
under the Data Protection Act.
Consequently, it was possible for attackers, from anywhere
on the Internet, to compromise these systems in a number
of ways, e.g.
1) Denial of Service attacks (both Post Office and Scottish
Executive)
2) Compromise of confidential e-commerce information,
including names, addresses and credit card details of the
Post Office on-line stamps & envelopes customers
3) Compromise of confidential telegrams from friends and
families of our military forces in the Balkans sent to
BFPO-Kosovo (Post Office)
4) Damage to the trustworthiness of the ViaCode digital
certification authority brand name (Post Office).
Would you buy Digital Certificates or encryption services
from a ViaCode which, since its launch in March, cannot
seem to get its own webserver and instead uses the Royal
Mail server with a rival South African Thawte digital certificate,
rather than a ViaCode one?
5) Issuance of fake Press releases from the official Scottish
Executive website resulting in political embarrassment
(re-shuffle the Scottish Cabinet?) and/or stock market
manipulation ("leak" of Scottish Budget details?)
6) Installation of Trojan horse remote control software
such as NetBus, to take complete control of these
webservers, possibly using them as a springboard for
further InfoWar attacks on the UK internet infrastructure
and other back office or internal systems within the Royal
Mail or the Scottish Executive.
Both the web sites were warned about the planned DNS
Conference announcement, with 48 hours warning by email
to their webmasters, followed up by special delivery "snail
mail" to their top management.
To date, only the Royal Mail has responded by fixing the
blatant security holes, and publishing a Security Statement
on their website
http://www.royalmail.co.uk/ISS.htm
The "process and technology to secure such systems and
data" have obviously failed. Serbian hackers, for example,
are unlikely to be deterred by threats of civil proceedings.
The senior management of the Royal Mail seems to think that
"Microsoft patches have been applied to the website over the last year
although some have been omitted where they are not required for our
configuration."
Last Thursday 12th August is technically "over the last year" but the
www.royalmail.co.uk systems have been vulnerable for months, so perhaps
the senior management are not getting the full picture from their
subordinates.
"An external organisation has been contracted to test security on our
website ("penetration testing")."
Presumably this external organisation has only just been hired,
as it is inconceivable that a reputable one would have missed
the vulnerabilities mentioned above.
The Scottish Executive seems to have ignored both the
email and "snail mail" warnings, and their website still
remains vulnerable.
We strongly suggest that any news reports or press
releases published on the Scottish Executive website
should be independently verified via email, fax or
phone.
We thank you for your attention
For further details, contact us by encrypted email:
infowar@dnscon.org or infowar@hushmail.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i
iQA/AwUBN7kFuYOnRwzqxHsCEQLGgQCgxdAAfk
lsMt0cnLBQGh3kReSDAFsAoK1mTvtbQRhDQqb3
JXQNDO0C7Dss=QgcM
-----END PGP SIGNATURE-----